stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
47168fec38bd7b9326d02ae646904641e7451c6c
git.stella-ops.org/ops/devops/docker/base-image-guidelines.md
StellaOps Bot 885ce86af4
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add VEX Lens CI and Load Testing Plan 
- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.
2025-12-02 07:18:28 +02:00

3.7 KiB
Raw Blame History

Docker hardening blueprint (DOCKER-44-001)

Use this template for core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AdvisoryAI).

The reusable multi-stage scaffold lives at ops/devops/docker/Dockerfile.hardened.template and expects:

  • .NET 10 SDK/runtime images provided via offline mirror (SDK_IMAGE / RUNTIME_IMAGE).
  • APP_PROJECT path to the service csproj.
  • healthcheck.sh copied from ops/devops/docker/ (already referenced by the template).

Copy the template next to the service and set build args in CI (per-service matrix) to avoid maintaining divergent Dockerfiles.

# syntax=docker/dockerfile:1.7
ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim
ARG APP_PROJECT=src/Service/Service.csproj
ARG CONFIGURATION=Release
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080

FROM ${SDK_IMAGE} AS build
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 DOTNET_NOLOGO=1 SOURCE_DATE_EPOCH=1704067200
WORKDIR /src
COPY . .
RUN dotnet restore ${APP_PROJECT} --packages /src/local-nugets && \
    dotnet publish ${APP_PROJECT} -c ${CONFIGURATION} -o /app/publish /p:UseAppHost=true /p:PublishTrimmed=false

FROM ${RUNTIME_IMAGE} AS runtime
RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
    useradd -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER}
WORKDIR /app
COPY --from=build --chown=${APP_UID}:${APP_GID} /app/publish/ ./
COPY --chown=${APP_UID}:${APP_GID} ops/devops/docker/healthcheck.sh /usr/local/bin/healthcheck.sh
ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
    DOTNET_EnableDiagnostics=0 \
    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
    COMPlus_EnableDiagnostics=0
USER ${APP_UID}:${APP_GID}
EXPOSE ${APP_PORT}
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 CMD /usr/local/bin/healthcheck.sh
RUN chmod 500 /app && find /app -maxdepth 1 -type f -exec chmod 400 {} \; && find /app -maxdepth 1 -type d -exec chmod 500 {} \;
ENTRYPOINT ["./StellaOps.Service"]

Build stage (per service) should:

  • Use mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim (or mirror) with DOTNET_CLI_TELEMETRY_OPTOUT=1.
  • Restore from local-nugets/ (offline) and run dotnet publish -c Release -o /app/out.
  • Set SOURCE_DATE_EPOCH to freeze timestamps.

Required checks:

  • No root user in final image.
  • CAP_NET_RAW dropped (default with non-root).
  • Read-only rootfs enforced at deploy time (securityContext.readOnlyRootFilesystem: true in Helm/Compose).
  • Health endpoints exposed: /health/liveness, /health/readiness, /version, /metrics.
  • Image SBOM generated (syft) in pipeline; attach cosign attestations (see DOCKER-44-002).

SBOM & attestation helper (DOCKER-44-002):

  • Script: ops/devops/docker/sbom_attest.sh <image> [out-dir] [cosign-key]
  • Emits SPDX (*.spdx.json) and CycloneDX (*.cdx.json) with SOURCE_DATE_EPOCH pinned for reproducibility.
  • Attaches both as cosign attestations (--type spdx / --type cyclonedx); supports keyless when COSIGN_EXPERIMENTAL=1 or explicit PEM key.
  • Integrate in CI after image build/push; keep registry creds offline-friendly (use local registry mirror during air-gapped builds).

Health endpoint verification (DOCKER-44-003):

  • Script: ops/devops/docker/verify_health_endpoints.sh <image> [port] spins container, checks /health/liveness, /health/readiness, /version, /metrics, and warns if /capabilities.merge is not false (for Concelier/Excititor).
  • Run in CI after publishing the image; requires docker and curl (or wget).
  • Endpoint contract and ASP.NET wiring examples live in ops/devops/docker/health-endpoints.md; service owners should copy the snippet and ensure readiness checks cover DB/cache/bus.