metasploit-framework/Dockerfile

FROM ruby:3.1.4-alpine3.18 AS builder
LABEL maintainer="Rapid7"

ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
ARG BUNDLER_FORCE_CLEAN="true"
ENV APP_HOME=/usr/src/metasploit-framework
ENV TOOLS_HOME=/usr/src/tools
ENV BUNDLE_IGNORE_MESSAGES="true"
WORKDIR $APP_HOME

COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb

RUN apk add --no-cache \
      autoconf \
      bash \
      bison \
      build-base \
      curl \
      ruby-dev \
      openssl-dev \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
      libpcap-dev \
      libxml2-dev \
      libxslt-dev \
      yaml-dev \
      zlib-dev \
      ncurses-dev \
      git \
      go \
    && echo "gem: --no-document" > /etc/gemrc \
    && gem update --system \
    && bundle config $BUNDLER_CONFIG_ARGS \
    && bundle install --jobs=8 \
    && if [ "${BUNDLER_FORCE_CLEAN}" == "true" ]; then \
         bundle clean --force; \
       fi \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle

ENV GO111MODULE=off
RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
    curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \
    tar -zxf go1.21.1.src.tar.gz && \
    rm go1.21.1.src.tar.gz && \
    cd go/src && \
    ./make.bash

FROM ruby:3.1.4-alpine3.18
LABEL maintainer="Rapid7"
ARG TARGETARCH

ENV APP_HOME=/usr/src/metasploit-framework
ENV TOOLS_HOME=/usr/src/tools
ENV NMAP_PRIVILEGED=""
ENV METASPLOIT_GROUP=metasploit

# used for the copy command
RUN addgroup -S $METASPLOIT_GROUP

RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
    openssl-dev nasm
RUN\
    if [ "${TARGETARCH}" = "arm64" ];\
	then apk add --no-cache gcc musl-dev python3-dev libffi-dev gcompat;\
    else apk add --no-cache mingw-w64-gcc;\
    fi


RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

COPY --from=builder /usr/local/bundle /usr/local/bundle
RUN chown -R root:metasploit /usr/local/bundle
COPY . $APP_HOME/
COPY --from=builder $TOOLS_HOME $TOOLS_HOME
RUN chown -R root:metasploit $APP_HOME/
RUN chmod 664 $APP_HOME/Gemfile.lock
RUN gem update --system
RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
RUN pip install impacket
RUN pip install requests

ENV GOPATH=$TOOLS_HOME/go
ENV GOROOT=$TOOLS_HOME/bin/go
ENV PATH=${PATH}:${GOPATH}/bin:${GOROOT}/bin

WORKDIR $APP_HOME

# we need this entrypoint to dynamically create a user
# matching the hosts UID and GID so we can mount something
# from the users home directory. If the IDs don't match
# it results in access denied errors.
ENTRYPOINT ["docker/entrypoint.sh"]

CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
Update docker ruby version to 3.1 2023-11-24 00:16:25 +01:00			`FROM ruby:3.1.4-alpine3.18 AS builder`
more docker work 2017-11-28 21:35:20 +01:00			`LABEL maintainer="Rapid7"`
Dockerfile and Docker Compose for Metasploit Adds a basic Dockerfile and docker-compose config. `docker-compose.yml` adds a named volume for postgres so data should persist. `$HOME/.msf4` will be mounted to `/root/.msf4` by default. port 4444 is exposed by default Basic Usage: docker/bin/msfconsole docker/bin/msfvenom 2016-07-18 20:38:57 +02:00
Fix BUNDLER_CONFIG_ARGS variable mismatch in Dockerfile Previous version of Dockerfile used `set clean 'true'`. However, this no longer works with "newer" versions of Ruby gems (rubygems/rubygems#3271), which now requires a force option when cleaning system gems. Since there is no way to set the force flag through config, a new ARG (BUNDLER_FORCE_CLEAN) is used to provide the option of whether to run bundle clean --force on system gems. 2024-02-15 19:16:42 +01:00			`ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"`
			`ARG BUNDLER_FORCE_CLEAN="true"`
change docker root exec 2018-10-21 22:30:01 +02:00			`ENV APP_HOME=/usr/src/metasploit-framework`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`ENV TOOLS_HOME=/usr/src/tools`
more docker work 2017-11-28 21:35:20 +01:00			`ENV BUNDLE_IGNORE_MESSAGES="true"`
Dockerfile and Docker Compose for Metasploit Adds a basic Dockerfile and docker-compose config. `docker-compose.yml` adds a named volume for postgres so data should persist. `$HOME/.msf4` will be mounted to `/root/.msf4` by default. port 4444 is exposed by default Basic Usage: docker/bin/msfconsole docker/bin/msfvenom 2016-07-18 20:38:57 +02:00			`WORKDIR $APP_HOME`

change docker root exec 2018-10-21 22:30:01 +02:00			`COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/`
more docker work 2017-11-28 21:35:20 +01:00			`COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb`
			`COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb`
			`COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb`
Dockerfile and Docker Compose for Metasploit Adds a basic Dockerfile and docker-compose config. `docker-compose.yml` adds a named volume for postgres so data should persist. `$HOME/.msf4` will be mounted to `/root/.msf4` by default. port 4444 is exposed by default Basic Usage: docker/bin/msfconsole docker/bin/msfvenom 2016-07-18 20:38:57 +02:00
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00			`RUN apk add --no-cache \`
more docker work 2017-04-22 02:10:00 +02:00			`autoconf \`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`bash \`
more docker work 2017-04-22 02:10:00 +02:00			`bison \`
			`build-base \`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`curl \`
more docker work 2017-04-22 02:10:00 +02:00			`ruby-dev \`
update to ruby 2.6.1 and alpine 3.9 2019-02-05 17:57:38 +01:00			`openssl-dev \`
more docker work 2017-04-22 02:10:00 +02:00			`readline-dev \`
			`sqlite-dev \`
			`postgresql-dev \`
			`libpcap-dev \`
			`libxml2-dev \`
			`libxslt-dev \`
			`yaml-dev \`
			`zlib-dev \`
			`ncurses-dev \`
git is really needed in docker too 2017-07-17 16:41:47 +02:00			`git \`
updated Dockerfile for arm architectures 2023-12-08 15:43:40 +01:00			`go \`
lock rubygems version for Docker image Latest rubygems release for 3.1.0 vendors bundler 2.1.0 creating compatibilty issues. Lock for now until all relates issues can be addressed. 2019-12-16 17:05:07 +01:00			`&& echo "gem: --no-document" > /etc/gemrc \`
updates Dockerfile for bundler 2 support 2020-10-02 19:56:38 +02:00			`&& gem update --system \`
Fix BUNDLER_CONFIG_ARGS variable mismatch in Dockerfile Previous version of Dockerfile used `set clean 'true'`. However, this no longer works with "newer" versions of Ruby gems (rubygems/rubygems#3271), which now requires a force option when cleaning system gems. Since there is no way to set the force flag through config, a new ARG (BUNDLER_FORCE_CLEAN) is used to provide the option of whether to run bundle clean --force on system gems. 2024-02-15 19:16:42 +01:00			`&& bundle config $BUNDLER_CONFIG_ARGS \`
bump default ruby version to 2.7.2 updates Docker container to 2.7.2 Warnings for python2 support [abound](https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.12.0). ``` DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality. ``` 2020-10-20 17:38:08 +02:00			`&& bundle install --jobs=8 \`
Fix BUNDLER_CONFIG_ARGS variable mismatch in Dockerfile Previous version of Dockerfile used `set clean 'true'`. However, this no longer works with "newer" versions of Ruby gems (rubygems/rubygems#3271), which now requires a force option when cleaning system gems. Since there is no way to set the force flag through config, a new ARG (BUNDLER_FORCE_CLEAN) is used to provide the option of whether to run bundle clean --force on system gems. 2024-02-15 19:16:42 +01:00			`&& if [ "${BUNDLER_FORCE_CLEAN}" == "true" ]; then \`
			`bundle clean --force; \`
			`fi \`
remove bundle cache after install 2018-10-04 13:23:55 +02:00			`# temp fix for https://github.com/bundler/bundler/issues/6680`
reduce docker image size 2018-10-04 16:21:46 +02:00			`&& rm -rf /usr/local/bundle/cache \`
			`# needed so non root users can read content of the bundle`
			`&& chmod -R a+r /usr/local/bundle`

Alpine 3.12 - Support ended 5 months and 2 weeks ago (01 May 2022) Update to 3.15 - Support ends in 1 year (01 Nov 2023). 2022-10-14 21:07:57 +02:00			`ENV GO111MODULE=off`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`RUN mkdir -p $TOOLS_HOME/bin && \`
			`cd $TOOLS_HOME/bin && \`
Update docker depdendency versions 2023-09-11 16:15:52 +02:00			`curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \`
			`tar -zxf go1.21.1.src.tar.gz && \`
			`rm go1.21.1.src.tar.gz && \`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`cd go/src && \`
			`./make.bash`
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00
updated Dockerfile for arm architectures 2023-12-08 15:43:40 +01:00			`FROM ruby:3.1.4-alpine3.18`
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00			`LABEL maintainer="Rapid7"`
updated Dockerfile for arm architectures 2023-12-08 15:43:40 +01:00			`ARG TARGETARCH`
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00
change docker root exec 2018-10-21 22:30:01 +02:00			`ENV APP_HOME=/usr/src/metasploit-framework`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`ENV TOOLS_HOME=/usr/src/tools`
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00			`ENV NMAP_PRIVILEGED=""`
change docker root exec 2018-10-21 22:30:01 +02:00			`ENV METASPLOIT_GROUP=metasploit`
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00
change docker root exec 2018-10-21 22:30:01 +02:00			`# used for the copy command`
			`RUN addgroup -S $METASPLOIT_GROUP`
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00
Dockerfile for arm64 and amd64 using multi-stage build 2023-12-06 13:56:51 +01:00			`RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \`
			`postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \`
updated Dockerfile for arm architectures 2023-12-08 15:43:40 +01:00			`openssl-dev nasm`
			`RUN\`
			`if [ "${TARGETARCH}" = "arm64" ];\`
			`then apk add --no-cache gcc musl-dev python3-dev libffi-dev gcompat;\`
			`else apk add --no-cache mingw-w64-gcc;\`
			`fi`
Dockerfile for arm64 and amd64 using multi-stage build 2023-12-06 13:56:51 +01:00
Dockerfile: Use Multi-Stage Build 2018-10-04 01:54:35 +02:00
add caps to ruby 2017-04-27 10:55:03 +02:00			`RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)`
more docker work 2017-11-28 21:35:20 +01:00			`RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)`
add caps to ruby 2017-04-27 10:55:03 +02:00
fix compatibility with --chown flag with COPY 2019-09-10 06:02:26 +02:00			`COPY --from=builder /usr/local/bundle /usr/local/bundle`
			`RUN chown -R root:metasploit /usr/local/bundle`
			`COPY . $APP_HOME/`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00			`COPY --from=builder $TOOLS_HOME $TOOLS_HOME`
fix compatibility with --chown flag with COPY 2019-09-10 06:02:26 +02:00			`RUN chown -R root:metasploit $APP_HOME/`
fix permissions bug Gemfile.lock There was an error while trying to write to /usr/src/metasploit-framework/Gemfile.lock. It is likely that you need to grant write permissions for that path. 2019-09-09 12:59:19 +02:00			`RUN chmod 664 $APP_HOME/Gemfile.lock`
update rubygems and bundler in final container 2020-10-02 22:52:02 +02:00			`RUN gem update --system`
change docker root exec 2018-10-21 22:30:01 +02:00			`RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml`
Remove python2 from docker setup 2023-08-03 21:17:36 +02:00			`RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py`
Dockerfile for arm64 and amd64 using multi-stage build 2023-12-06 13:56:51 +01:00			`RUN pip install impacket`
updated Dockerfile for arm architectures 2023-12-08 15:43:40 +01:00			`RUN pip install requests`
add automation cache creation When new modules are committed, automation needs to rebuild the cache. The scripts provided here will utilize the public docker container to rebuild the cache json file. One drawback to this approach is that if new dependencies for external modules are added the container must be up to date in dockerhub before the rebuild occurs. Ideas on a better way to do this without needing to build the docker container in each automation run would be appreciated. 2021-03-09 00:33:32 +01:00
			`ENV GOPATH=$TOOLS_HOME/go`
			`ENV GOROOT=$TOOLS_HOME/bin/go`
adjustment to rebuild module cache as a tool 2021-09-01 16:13:56 +02:00			`ENV PATH=${PATH}:${GOPATH}/bin:${GOROOT}/bin`
change docker root exec 2018-10-21 22:30:01 +02:00
reduce docker image size 2018-10-04 16:21:46 +02:00			`WORKDIR $APP_HOME`
change docker root exec 2018-10-21 22:30:01 +02:00
another approach 2018-02-17 20:12:35 +01:00			`# we need this entrypoint to dynamically create a user`
			`# matching the hosts UID and GID so we can mount something`
			`# from the users home directory. If the IDs don't match`
change docker root exec 2018-10-21 22:30:01 +02:00			`# it results in access denied errors.`
another approach 2018-02-17 20:12:35 +01:00			`ENTRYPOINT ["docker/entrypoint.sh"]`

change docker root exec 2018-10-21 22:30:01 +02:00			`CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]`