stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context
Some checks failed
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details

Browse Source 
- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.
This commit is contained in:
StellaOps Bot
2025-11-30 15:38:14 +02:00
parent 8f54ffa203
commit 17d45a6d30
276 changed files with 8618 additions and 688 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
ops/devops/airgap/compose-egress-guard.sh Normal file
View File

@@ -0,0 +1,54 @@
#!/usr/bin/env bash
# Enforce deny-all egress for a Docker/Compose project using DOCKER-USER chain.
# Usage: COMPOSE_PROJECT=stella ./compose-egress-guard.sh
# Optional env: ALLOW_RFC1918=true to allow east-west traffic inside 10/172/192 ranges.
set -euo pipefail
PROJECT=${COMPOSE_PROJECT:-stella}
ALLOW_RFC1918=${ALLOW_RFC1918:-true}
NETWORK=${COMPOSE_NETWORK:-${PROJECT}_default}
chain=STELLAOPS_SEALED_${PROJECT^^}
ipset_name=${PROJECT}_cidrs
insert_accept() {
local dest=$1
iptables -C DOCKER-USER -d "$dest" -j ACCEPT 2>/dev/null || iptables -I DOCKER-USER -d "$dest" -j ACCEPT
}
# 1) Ensure DOCKER-USER exists
iptables -nL DOCKER-USER >/dev/null 2>&1 || iptables -N DOCKER-USER
# 2) Create dedicated chain per project for clarity
iptables -nL "$chain" >/dev/null 2>&1 || iptables -N "$chain"
# 2b) Populate ipset with compose network CIDRs (if available)
if command -v ipset >/dev/null; then
ipset list "$ipset_name" >/dev/null 2>&1 || ipset create "$ipset_name" hash:net -exist
cidrs=$(docker network inspect "$NETWORK" -f '{{range .IPAM.Config}}{{.Subnet}} {{end}}')
for cidr in $cidrs; do
ipset add "$ipset_name" "$cidr" 2>/dev/null || true
done
fi
# 3) Allow loopback and optional RFC1918 intra-cluster ranges, then drop everything else
insert_accept 127.0.0.0/8
if [[ "$ALLOW_RFC1918" == "true" ]]; then
insert_accept 10.0.0.0/8
insert_accept 172.16.0.0/12
insert_accept 192.168.0.0/16
fi
iptables -C "$chain" -j DROP 2>/dev/null || iptables -A "$chain" -j DROP
# 4) Hook chain into DOCKER-USER for containers in this project network
iptables -C DOCKER-USER -m addrtype --src-type LOCAL -j RETURN 2>/dev/null || true
if command -v ipset >/dev/null && ipset list "$ipset_name" >/dev/null 2>&1; then
iptables -C DOCKER-USER -m set --match-set "$ipset_name" dst -j "$chain" 2>/dev/null || iptables -I DOCKER-USER -m set --match-set "$ipset_name" dst -j "$chain"
else
# Fallback: match by destination subnet from docker inspect (first subnet only)
first_cidr=$(docker network inspect "$NETWORK" -f '{{(index .IPAM.Config 0).Subnet}}')
iptables -C DOCKER-USER -d "$first_cidr" -j "$chain" 2>/dev/null || iptables -I DOCKER-USER -d "$first_cidr" -j "$chain"
fi
echo "Applied compose egress guard via DOCKER-USER -> $chain" >&2
iptables -vnL "$chain"