Dockerfile is unable to create the image with modsecurity #735

Open
Ziemowit opened this issue Dec 21, 2022 · 7 comments
@Ziemowit

When trying to build the nginx image with modsecurity I am getting:

debconf: delaying package configuration, since apt-utils is not installed
Fetched 14.4 MB in 5s (2925 kB/s)
Selecting previously unselected package libssl-dev:amd64.
(Reading database ... 19708 files and directories currently installed.)
Preparing to unpack .../00-libssl-dev_1.1.1n-0+deb11u3_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.1n-0+deb11u3) ...
Selecting previously unselected package libpcre2-16-0:amd64.
Preparing to unpack .../01-libpcre2-16-0_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-16-0:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package libpcre2-32-0:amd64.
Preparing to unpack .../02-libpcre2-32-0_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-32-0:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package libpcre2-posix2:amd64.
Preparing to unpack .../03-libpcre2-posix2_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-posix2:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package libpcre2-dev:amd64.
Preparing to unpack .../04-libpcre2-dev_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-dev:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package zlib1g-dev:amd64.
Preparing to unpack .../05-zlib1g-dev_1%3a1.2.11.dfsg-2+deb11u2_amd64.deb ...
Unpacking zlib1g-dev:amd64 (1:1.2.11.dfsg-2+deb11u2) ...
Selecting previously unselected package icu-devtools.
Preparing to unpack .../06-icu-devtools_67.1-7_amd64.deb ...
Unpacking icu-devtools (67.1-7) ...
Selecting previously unselected package libicu-dev:amd64.
Preparing to unpack .../07-libicu-dev_67.1-7_amd64.deb ...
Unpacking libicu-dev:amd64 (67.1-7) ...
Selecting previously unselected package libxml2-dev:amd64.
Preparing to unpack .../08-libxml2-dev_2.9.10+dfsg-6.7+deb11u3_amd64.deb ...
Unpacking libxml2-dev:amd64 (2.9.10+dfsg-6.7+deb11u3) ...
Selecting previously unselected package libyajl2:amd64.
Preparing to unpack .../09-libyajl2_2.1.0-3_amd64.deb ...
Unpacking libyajl2:amd64 (2.1.0-3) ...
Selecting previously unselected package libyajl-dev:amd64.
Preparing to unpack .../10-libyajl-dev_2.1.0-3_amd64.deb ...
Unpacking libyajl-dev:amd64 (2.1.0-3) ...
Selecting previously unselected package libcurl4-openssl-dev:amd64.
Preparing to unpack .../11-libcurl4-openssl-dev_7.74.0-1.3+deb11u3_amd64.deb ...
Unpacking libcurl4-openssl-dev:amd64 (7.74.0-1.3+deb11u3) ...
Selecting previously unselected package patchelf.
Preparing to unpack .../12-patchelf_0.12-1_amd64.deb ...
Unpacking patchelf (0.12-1) ...
Setting up libyajl2:amd64 (2.1.0-3) ...
Setting up libpcre2-16-0:amd64 (10.36-2+deb11u1) ...
Setting up libpcre2-32-0:amd64 (10.36-2+deb11u1) ...
Setting up libcurl4-openssl-dev:amd64 (7.74.0-1.3+deb11u3) ...
Setting up libssl-dev:amd64 (1.1.1n-0+deb11u3) ...
Setting up icu-devtools (67.1-7) ...
Setting up libpcre2-posix2:amd64 (10.36-2+deb11u1) ...
Setting up libyajl-dev:amd64 (2.1.0-3) ...
Setting up zlib1g-dev:amd64 (1:1.2.11.dfsg-2+deb11u2) ...
Setting up patchelf (0.12-1) ...
Setting up libicu-dev:amd64 (67.1-7) ...
Setting up libpcre2-dev:amd64 (10.36-2+deb11u1) ...
Setting up libxml2-dev:amd64 (2.9.10+dfsg-6.7+deb11u3) ...
Setting up nginx-module-modsecurity-build-deps (1.23.3+1.0.3-1~bullseye) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...
+ make module-modsecurity BASE_VERSION=1.23.3 NGINX_VERSION=1.23.3
===> Building nginx-module-modsecurity package
 dpkg-buildpackage -us -uc -ui
dpkg-buildpackage: info: source package nginx-module-modsecurity
dpkg-buildpackage: info: source version 1.23.3+1.0.3-1~bullseye
dpkg-buildpackage: info: source distribution bullseye
dpkg-buildpackage: info: source changed by Nginx Packaging <[email protected]>
 dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
 debian/rules clean
dh_testdir
dh_testroot
dh_clean
rm -rf /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-*
find /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3 -maxdepth 1 -size 0 -delete
 dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building nginx-module-modsecurity using existing ./nginx-module-modsecurity_1.23.3+1.0.3.orig.tar.gz
dpkg-source: info: building nginx-module-modsecurity in nginx-module-modsecurity_1.23.3+1.0.3-1~bullseye.debian.tar.xz
dpkg-source: info: building nginx-module-modsecurity in nginx-module-modsecurity_1.23.3+1.0.3-1~bullseye.dsc
 debian/rules build
dh_testdir
mkdir -p /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/auto /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/conf /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
if ! test -e /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/configure ; then ln -s /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/auto/configure /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/configure ; fi
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/configure /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/contrib /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
if test -e /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/man ; then  cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/man /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/ ; fi
if test -e /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/docs ; then cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/docs /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/ ; fi
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/src /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
test -d /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/extra && cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/extra /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
touch config.env.nginx
dh_testdir
cd /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/extra/modsecurity-82f75dc0ce134c639df6c33bd610519bd4e90e42 && rm -rf others/libinjection && ln -s ../../libinjection others/libinjection && rm -rf test/test-cases/secrules-language-tests && ln -s ../../../secrules-language-tests test/test-cases/secrules-language-tests && rm -rf bindings/python && ln -s ../../modsecurity-python-bindings bindings/python && ./build.sh && ./configure --prefix /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/extra/modsecurity-82f75dc0ce134c639df6c33bd610519bd4e90e42/local --without-lmdb --without-lua && /usr/bin/make -j8 install && /usr/bin/make check-TESTS
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'build'.
libtoolize: copying file 'build/libtool.m4'
libtoolize: copying file 'build/ltoptions.m4'
libtoolize: copying file 'build/ltsugar.m4'
libtoolize: copying file 'build/ltversion.m4'
libtoolize: copying file 'build/lt~obsolete.m4'
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
configure.ac:50: installing './ar-lib'
configure.ac:50: installing './compile'
configure.ac:147: installing './config.guess'
configure.ac:147: installing './config.sub'
configure.ac:45: installing './install-sh'
configure.ac:45: installing './missing'
parallel-tests: installing './test-driver'
examples/multiprocess_c/Makefile.am: installing './depcomp'
configure.ac: installing './ylwrap'
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking whether make sets $(MAKE)... (cached) yes
./configure: line 4854: PKG_PROG_PKG_CONFIG: command not found
configure: Nothing about YAJL was informed during the configure phase. Trying to detect it on the platform...
configure: YAJL library was not found
configure: Nothing about GeoIP was informed during the configure phase. Trying to detect it on the platform...
configure: GeoIP library was not found
configure: Nothing about MaxMind was informed during the configure phase. Trying to detect it on the platform...
configure: MaxMind library was not found
configure: Support for LMDB was disabled by the utilization of --without-lmdb or --with-lmdb=no
*** LOOKING AT PATH:  /usr/lib
*** LOOKING AT PATH:  /usr/local/lib
*** LOOKING AT PATH:  /usr/local/fuzzy
*** LOOKING AT PATH:  /usr/local/libfuzzy
*** LOOKING AT PATH:  /usr/local
*** LOOKING AT PATH:  /opt
*** LOOKING AT PATH:  /usr
*** LOOKING AT PATH:  /usr/lib64
*** LOOKING AT PATH:  /opt/local
configure: SSDEEP library was not found
configure: Support for LUA was disabled by the utilization of --without-lua or --with-lua=no
checking for libcurl config script... /usr/bin/curl-config
configure: curl VERSION: 7.74.0 
configure: curl LDADD: 
checking if libcurl is at least v... yes, 7.74.0 
checking if libcurl is linked with gnutls... no
configure: using curl v7.74.0 
checking for libxml2 config script... /usr/bin/xml2-config
configure: xml VERSION: 2.9.10
configure: xml CFLAGS: -I/usr/include/libxml2 -DWITH_LIBXML2
configure: xml LDADD: -lxml2
checking if libxml2 is at least v2.6.29... yes, 2.9.10
configure: using libxml2 v2.9.10
checking for libpcre config script... no
configure: *** pcre library not found.
configure: error: pcre library is required
make: *** [debian/rules:47: config.pre.nginx] Error 1
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
debuild: fatal error at line 1182:
dpkg-buildpackage -us -uc -ui failed
real 11.56
user 9.26
sys 0.99
make: *** [Makefile:212: module-modsecurity] Error 29
+ find ../../ -maxdepth 1 -mindepth 1 -type f -name *.deb -exec mv -v {} /tmp/packages/ ;
+ BUILT_MODULES= modsecurity
+ echo BUILT_MODULES=" modsecurity"
Removing intermediate container 0918959076b8
 ---> b5913a1bceaa
Step 6/8 : FROM nginx:mainline
 ---> 3964ce7b8458
Step 7/8 : COPY --from=builder /tmp/packages /tmp/packages
 ---> Using cache
 ---> cf0e8f23aa50
Step 8/8 : RUN set -ex     && apt update     && . /tmp/packages/modules.env     && for module in $BUILT_MODULES; do            apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-${module}_${NGINX_VERSION}*.deb;        done     && rm -rf /tmp/packages     && rm -rf /var/lib/apt/lists/
 ---> Running in 7a94ab2f5292
+ apt update

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [210 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
Fetched 8616 kB in 4s (2357 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
+ . /tmp/packages/modules.env
+ BUILT_MODULES= modsecurity
+ apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-modsecurity_1.23.3*.deb

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
E: Unsupported file /tmp/packages/nginx-module-modsecurity_1.23.3*.deb given on commandline
The command '/bin/sh -c set -ex     && apt update     && . /tmp/packages/modules.env     && for module in $BUILT_MODULES; do            apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-${module}_${NGINX_VERSION}*.deb;        done     && rm -rf /tmp/packages     && rm -rf /var/lib/apt/lists/' returned a non-zero code: 100

Should I change something in the provided Dockerfile to make it work? Or is it an issue?

@Ziemowit Ziemowit changed the title Dockerfile is unable to create the image Dockerfile is unable to create the image with modsecurity Dec 21, 2022
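
The log above shows the module recorded in BUILT_MODULES even though `make module-modsecurity` returned an error, so the failure only surfaces in the final stage as an unexpanded `*.deb` glob passed to apt. As an added example (not part of the issue or of the project's Dockerfile), a check that reports only modules whose package file exists; the function names and the sample package file name are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's code: report a module as built only if
# its package file is really present in the packages directory.

# has_module_deb PKG_DIR MODULE NGINX_VERSION
# Succeeds only if a file matching the final stage's install glob exists.
has_module_deb() {
    for hm_file in "$1"/nginx-module-"$2"_"$3"*.deb; do
        # An unmatched glob is left as literal text, so test for a real file.
        [ -f "$hm_file" ] && return 0
    done
    return 1
}

# verified_modules PKG_DIR NGINX_VERSION MODULE...
# Prints the modules that have a package; returns 1 if any requested one is missing.
verified_modules() {
    vm_dir=$1; vm_version=$2; shift 2
    vm_built=""; vm_rc=0
    for vm_module in "$@"; do
        if has_module_deb "$vm_dir" "$vm_module" "$vm_version"; then
            vm_built="$vm_built $vm_module"
        else
            echo "module $vm_module: no package found in $vm_dir" >&2
            vm_rc=1
        fi
    done
    echo "${vm_built# }"
    return "$vm_rc"
}

# Demo with a constructed package name: geoip was "built", modsecurity was not.
demo_dir=$(mktemp -d)
: > "$demo_dir/nginx-module-geoip_1.23.3-1~bullseye_amd64.deb"
if demo_list=$(verified_modules "$demo_dir" 1.23.3 geoip modsecurity); then
    echo "BUILT_MODULES=\"$demo_list\""
else
    echo "stopping: only '$demo_list' has a package" >&2
fi
rm -rf "$demo_dir"
```
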
@thresheek
Member

Hi @Ziemowit !

This looks like a bug in modsecurity module packaging, with regards to wrong build dependencies. I'll work on fixing it.

Thank you!

@thresheek
Member

As a temporary workaround you can apply the following patch:

diff --git a/modules/Dockerfile b/modules/Dockerfile
index 1cce673..9747d68 100644
--- a/modules/Dockerfile
+++ b/modules/Dockerfile
@@ -15,7 +15,7 @@ RUN set -ex \
     && apt install -y --no-install-suggests --no-install-recommends \
                 patch make wget mercurial devscripts debhelper dpkg-dev \
                 quilt lsb-release build-essential libxml2-utils xsltproc \
-                equivs git g++ libparse-recdescent-perl \
+                equivs git g++ libparse-recdescent-perl libpcre3-dev \
     && XSLSCRIPT_SHA512="f7194c5198daeab9b3b0c3aebf006922c7df1d345d454bd8474489ff2eb6b4bf8e2ffe442489a45d1aab80da6ecebe0097759a1e12cc26b5f0613d05b7c09ffa *stdin" \
     && wget -O /tmp/xslscript.pl https://hg.nginx.org/xslscript/raw-file/01dc9ba12e1b/xslscript.pl \
     && if [ "$(cat /tmp/xslscript.pl | openssl sha512 -r)" = "$XSLSCRIPT_SHA512" ]; then \
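
Review bot: libpcre3-dev is added to the builder's general apt install list on the `equivs git g++ libparse-recdescent-perl` line, so it is installed for every module build instead of being declared as a build dependency of the one module that needs it, and nothing in the hunk marks it as temporary. Consider noting in a comment above the RUN instruction or in the commit message that the package is only there for the modsecurity configure step, so it can be removed once the packaging declares the dependency itself.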

@thresheek
Member

For what it's worth, the underlying issue is fixed in the current master branch in modsecurity: owasp-modsecurity/ModSecurity@791964a

So upgrading modsecurity once they release a new version will automatically fix that for us too, without the need for the aforementioned workaround.

@Ziemowit
Author

Ziemowit commented Jan 3, 2023

Thank you for a quick action!

@Ziemowit
Author

Ziemowit commented Jan 4, 2023

OK, so to finish the installation of modsec after a successful build, as I understand it, I need to provide my own files:

  1. File /etc/nginx/nginx.conf with a load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; line.

  2. File with servers & locations definitions:
server {
    ...
    modsecurity             on;
    modsecurity_rules_file  /etc/nginx/modsec/modsecurity.conf;

    location / {
      ....
    }
}

Am I correct?

@thresheek
Member

Hi @Ziemowit, yes that's correct.

@unbaiat

unbaiat commented Mar 28, 2024

sed -i 's/libparse-recdescent-perl \\/libparse-recdescent-perl libpcre3-dev \\/' Dockerfile

ps. yes, I know. but it ain't stupid if it works
