Fix container configuration for working deployment

Combined changes to get containers working:
- Updated to Ubuntu 24.04 LTS
- Reset compose network config to known working state
- Updated container data loading instructions and script
- Changed DB loader to upload all DBs (not just random sample)
- Added Lima VM configuration for Docker with full control
- Improved job submission to running compose setup
2025-11-25 15:25:24 -08:00
committed by =michael hohn
parent 38f5c46f58
commit c9840aabbd
4 changed files with 47 additions and 37 deletions

View File

@@ -69,16 +69,18 @@
Initial manifest in k8s/
* Lima VM for running Docker with full control
* Lima VM or linux native for running Docker with full control
Docker Desktop restricts low-level control, especially for tracing inter-container
network traffic. To regain full visibility and system-level access, we run Docker
inside a Lima VM instead.
inside a Lima VM (on mac) or on native linux instead.
** lima vm setup
#+BEGIN_SRC sh
# on mac
brew install lima
# see https://lima-vm.io/docs/installation/ for linux options
# create
# Create a vm
cd ~/work-gh/mrva/mrva-docker/lima
limactl create --name=ubu ubu-docker.yaml
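Review bot: the heading now promises "Lima VM or linux native", but `limactl create --name=ubu ubu-docker.yaml` (and the `limactl start` / `limactl shell` lines that follow) run unconditionally under "# Create a vm"; mark them mac/Lima-only, the way the next block is labelled "# In vm or linux host", so a native-linux reader knows to skip straight to the apt steps. `cd ~/work-gh/mrva/mrva-docker/lima` also assumes the checkout lives under ~/work-gh; state that assumption once at the top instead of in every block.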
@@ -87,12 +89,18 @@
limactl start ubu
limactl shell ubu
# in vm
# In vm or linux host
sudo apt-get update
sudo apt-get install docker.io
sudo systemctl enable --now docker
sudo systemctl restart docker
sudo usermod -aG docker hohn
newgrp docker
sudo apt install docker-compose
# on linux
ln -s /home/hohn/work-gh /home/hohn.linux/
# on mac:
ln -s /Users/hohn/work-gh /home/hohn.linux/
sudo apt-get install ngrep golang-go tshark postgresql-client-common
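Review bot: `sudo usermod -aG docker hohn` hardcodes one username and, more importantly, grants root-equivalent access on whatever machine runs it (a docker-group member can bind-mount / into a container); that is acceptable for a throwaway Lima VM but should be called out now that the block is labelled "In vm or linux host". Use `$USER` instead of `hohn`, note that `newgrp docker` only affects the current shell, and apply the same fix to the hardcoded `ln -s /home/hohn/work-gh /home/hohn.linux/` lines. `sudo systemctl restart docker` immediately after `enable --now docker` is redundant.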
@@ -104,30 +112,26 @@
#
#* Build the containers
#
# enter vm (on mac)
limactl shell ubu
cd ~/work-gh/mrva/mrva-docker/containers/ghmrva/
docker build -t client-ghmrva-container:0.4.0 .
cd ~/work-gh/mrva/mrva-docker/containers/vscode/
docker build -t code-server-initialized:0.4.0 .
# *slow* in vm with shared folders
cd ~/work-gh/mrva/mrva-docker/containers/hepc &&\
rm -fR ./mrvahepc && cp -r ../../../mrvahepc .
docker build -t mrva-hepc-container:0.4.0 -f Dockerfile .
cd ~/work-gh/mrva/mrva-docker/containers/server/
docker build -t mrva-server:0.4.0 .
cd ~/work-gh/mrva/mrva-docker/containers/agent/
docker build -t mrva-agent:0.4.0 .
#
#* Start the containers
cd ~/work-gh/mrva/mrva-docker/
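Review bot: `rm -fR ./mrvahepc && cp -r ../../../mrvahepc .` copies a sibling checkout into the build context on every build, which is what makes it "*slow* in vm with shared folders" and also ships untracked local files into `mrva-hepc-container:0.4.0`; a `.dockerignore` for that directory, or a build stage that fetches a pinned revision, would fix both. All five images are rebuilt under the same `0.4.0` tag, so the `docker-compose ... up` that follows silently runs whatever was built last; bump the tag per rebuild or say explicitly that the tag is a moving target during development.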
@@ -137,13 +141,21 @@
docker-compose -f docker-compose-demo.yml up
#
#* Populate the db container if needed.
# Note: this requires
# /Users/hohn/work-gh/mrva/mrva-open-source-download ,
# a large tree not part of this repository.
#
cd ~/work-gh/mrva/mrvacommander/client/qldbtools && uv sync
uv run bin/mc-db-populate-minio < scratch/db-info-3.csv
#* update the binaries in a running container
#** compile server locally
cd /Users/hohn/work-gh/mrva/mrvaserver
cd ~/work-gh/mrva/mrvaserver
go build
# Copy the new binary
cd /Users/hohn/work-gh/mrva/mrvaserver
cd ~/work-gh/mrva/mrvaserver
docker cp mrvaserver mrva-server:/usr/local/bin/mrvaserver
# Restart the binary
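Review bot: `go build` for the server (and for the agent in the next hunk) sets no GOOS/GOARCH, while the gh-mrva block below cross-compiles with `GOOS=linux GOARCH=arm64`; run on the mac host this yields a darwin binary that `docker cp mrvaserver mrva-server:/usr/local/bin/mrvaserver` copies without complaint but the container cannot exec. Either state that these steps run inside the VM, or use the `make msla` / `make mala` targets the later section already uses. The "# Note: this requires /Users/hohn/work-gh/mrva/mrva-open-source-download" comment still carries the mac absolute path that the rest of this commit replaces with ~/work-gh.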
@@ -151,11 +163,11 @@
#** recompile agent
# compile locally
cd /Users/hohn/work-gh/mrva/mrvaagent
cd ~/work-gh/mrva/mrvaagent
go build
# Copy the new binary
cd /Users/hohn/work-gh/mrva/mrvaagent
cd ~/work-gh/mrva/mrvaagent
docker cp mrvaagent mrva-agent:/usr/local/bin/mrvaagent
# Restart the binary
@@ -163,13 +175,13 @@
#** gh-mrva
# compile locally
cd /Users/hohn/work-gh/mrva/gh-mrva
cd ~/work-gh/mrva/gh-mrva
go mod edit -replace="github.com/GitHubSecurityLab/gh-mrva=/Users/hohn/work-gh/mrva/gh-mrva"
go mod tidy
GOOS=linux GOARCH=arm64 go build
# Copy the new binary
cd /Users/hohn/work-gh/mrva/gh-mrva
cd ~/work-gh/mrva/gh-mrva
docker cp gh-mrva mrva-ghmrva:/usr/local/bin/gh-mrva
#+END_SRC
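Review bot: `go mod edit -replace="github.com/GitHubSecurityLab/gh-mrva=/Users/hohn/work-gh/mrva/gh-mrva"` still hardcodes the mac path even though both `cd` lines in this hunk were switched to `~/work-gh`, so the linux-native flow this commit advertises breaks at exactly this step; `-replace="github.com/GitHubSecurityLab/gh-mrva=$HOME/work-gh/mrva/gh-mrva"` keeps it portable. `go mod edit` also rewrites go.mod in the checkout and is easy to commit by accident; a go.work file, or reverting go.mod after the build, avoids the stray change.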
@@ -261,6 +273,9 @@
# strace -f -tt -s 200 -e trace=connect,sendto,recvfrom -p 824 -o /tmp/strace-extensionhost.log
#+END_SRC
* TODO For distribution, use single fat container or vm
The container configuration is only preparation for k8s deployment. For local
use, a vm or "fat" docker container is sufficientr
* TODO lima vm
** intro
When dealing with a highly stateful, evolving system, development workflows that
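Review bot: typo in the TODO text, "sufficientr" should be "sufficient". Since this section says the compose layout is only preparation for k8s, it would help to say which of the hand-patching steps above (`docker cp` of freshly built binaries into running containers) are development-only and will not carry over to the manifests in k8s/, so nobody mistakes them for the deployment procedure.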
@@ -443,14 +458,14 @@
- server
#+BEGIN_SRC sh
#* Cross-compile locally
cd /Users/hohn/work-gh/mrva/mrvaserver
cd ~/work-gh/mrva/mrvaserver
make msla
#* check for running containers
docker ps --format "table {{.ID}}\t{{.Image}}\t{{.Names}}"
#* Copy the new binary
cd /Users/hohn/work-gh/mrva/mrvaserver
cd ~/work-gh/mrva/mrvaserver
docker cp mrvaserver mrva-server:/usr/local/bin/mrvaserver
#* Restart the binary
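Review bot: this block duplicates the earlier "** compile server locally" block with a different build command (`make msla` here versus plain `go build` there) and the identical `docker cp mrvaserver mrva-server:/usr/local/bin/mrvaserver`; keep one copy and point the other at it, preferably this cross-compiling one. Worth noting next to the `docker cp` that the patched binary lives only in the running container: it is lost on the next `docker-compose up --force-recreate` and leaves the container different from `mrva-server:0.4.0`, so the image must be rebuilt before anything is tagged or handed on.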
@@ -460,14 +475,14 @@
- agent
#+BEGIN_SRC sh
#* Cross-compile locally
cd /Users/hohn/work-gh/mrva/mrvaagent
cd ~/work-gh/mrva/mrvaagent
make mala
#* Look for the agent's name in the process table
docker ps --format "table {{.ID}}\t{{.Image}}\t{{.Names}}"
#* Copy the new binary
cd /Users/hohn/work-gh/mrva/mrvaagent
cd ~/work-gh/mrva/mrvaagent
docker cp mrvaagent mrva-agent:/usr/local/bin/mrvaagent
#* Restart the binary
@@ -477,7 +492,7 @@
- gh-mrva
#+BEGIN_SRC sh
#* Cross-compile locally
cd /Users/hohn/work-gh/mrva/gh-mrva
cd ~/work-gh/mrva/gh-mrva
go mod edit -replace="github.com/GitHubSecurityLab/gh-mrva=/Users/hohn/work-gh/mrva/gh-mrva"
go mod tidy
GOOS=linux GOARCH=arm64 go build
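Review bot: `GOOS=linux GOARCH=arm64` matches the aarch64 Lima image but not an x86-64 native linux host, which this commit now lists as a supported way to run Docker; derive GOARCH from the target (for example `dpkg --print-architecture` on the linux host, which prints amd64/arm64) or document the arm64-only assumption next to the Lima config. The hardcoded `/Users/hohn/...` in the `-replace` line has the same portability problem as the earlier gh-mrva block.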
@@ -486,7 +501,7 @@
docker ps --format "table {{.ID}}\t{{.Image}}\t{{.Names}}"
#* Copy the new binary
cd /Users/hohn/work-gh/mrva/gh-mrva
cd ~/work-gh/mrva/gh-mrva
docker cp gh-mrva mrva-ghmrva:/usr/local/bin/gh-mrva
#+END_SRC

View File

@@ -59,19 +59,20 @@ eof
# Submit the MRVA job with the first query
cd ~/work-gh/mrva/gh-mrva/
gh-mrva submit --language cpp --session mirva-session-4577 \
gh-mrva submit --language cpp --session mirva-session-4789 \
--list mirva-list \
--query ~/work-gh/mrva/gh-mrva/FlatBuffersFunc.ql
# Check the status of the submitted session
gh-mrva status --session mirva-session-4577
gh-mrva status --session mirva-session-4789
# Download SARIF files and databases if there are results. For the current
# query / database combination there are zero result hence no downloads
cd ~/work-gh/mrva/gh-mrva/
gh-mrva download --session mirva-session-4577 \
gh-mrva download --session mirva-session-4789 \
--download-dbs \
--output-dir mirva-session-4577
--output-dir mirva-session-4789
#* Set up QLPack for the next query
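Review bot: the session id appears four times (`submit --session`, `status --session`, `download --session`, `--output-dir`) and was renumbered by hand from 4577 to 4789; set it once, e.g. `S=mirva-session-4789`, and use `--session $S ... --output-dir $S` so the status and download steps cannot drift from the submit. The comment "there are zero result hence no downloads" should read "zero results, hence no downloads".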

View File

@@ -39,12 +39,9 @@ services:
# ./containers/ghmrva/Dockerfile
container_name: mrva-ghmrva
image: client-ghmrva-container:0.4.0
# network_mode: "service:server" # Share the 'server' network namespace
networks:
- mrva-net
network_mode: "service:server" # Share the 'server' network namespace
environment:
- SERVER_URL=http://server:8080
- MRVA_SERVER_URL=http://server:8080
- SERVER_URL=http://localhost:8080 # 'localhost' now refers to 'server'
code-server:
# ./containers/vscode/Dockerfile
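Review bot: `network_mode: "service:server"` places the gh-mrva client inside the server container's network namespace, so the client now sees every socket the server opens, loopback-bound ones included, and a compromised client CLI can reach them directly; dropping `networks: - mrva-net` was required (compose rejects `networks` together with a `service:` network_mode), but the comment should state this isolation trade-off and that it is a dev-only arrangement. `MRVA_SERVER_URL` was removed in the same edit; confirm nothing in `client-ghmrva-container:0.4.0` still reads it, and consider an explicit `depends_on: - server` so the ordering the shared namespace relies on is visible in the file.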
@@ -114,8 +111,7 @@ services:
SERVER_PORT: "8080"
networks:
- backend
- mrva-net
postgres:
image: postgres:15
container_name: mrva-postgres
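Review bot: with `mrva-net` gone the server is reachable only on `backend`, so every service that talks to server:8080 other than ghmrva (code-server, the agent) must list `backend` in its own `networks:`; otherwise DNS resolution of `server` fails only on the first request rather than at `up`. Please check each service after this change rather than relying on the earlier shared network.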
@@ -148,8 +144,6 @@ services:
networks:
backend:
driver: bridge
mrva-net:
driver: bridge
volumes:
pgdata:
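Review bot: removing the `mrva-net` definition makes `docker-compose` fail at startup if any service still lists it; the ghmrva and server hunks above dropped their references, but grep the whole file for `mrva-net` before merging so the "known working state" in the commit message holds for every service.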

View File

@@ -5,7 +5,7 @@ memory: "32GiB"
disk: "64GiB"
images:
- location: "https://cloud-images.ubuntu.com/releases/25.04/release/ubuntu-25.04-server-cloudimg-arm64.img"
- location: "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-arm64.img"
arch: "aarch64"
mounts:
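Review bot: the image entry is a mutable URL with no `digest:`; Lima image entries accept `digest: "sha256:..."` and Ubuntu publishes SHA256SUMS alongside each cloud image, so pin it, otherwise the VM base (and with it the docker.io and golang-go versions pulled during setup) can change underneath the configuration this commit calls known working. With the 25.04 line removed, `arch: "aarch64"` is now the only entry, which ties this config, and the `GOARCH=arm64` cross-compiles in the docs, to Apple silicon; add an x86_64 image entry if the same file is meant for intel macs.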