Akeso challenge/framework setup help questions
@ameserole Have a couple of questions about using Akeso, the Secure Coding/Config framework:

I spun up a GitLab instance and a gitlab-runner with the Docker executor on two different server instances per the doc, and it is working and tested.

While creating a challenge (say, for example, a Java Spring Boot web app), the `.gitlab-ci.yml` job stages that I added run the `build` and `test` Gradle tasks to make sure the code compiles and the tests pass; when those jobs are completed it runs the `build_image` job.

The `build_image` job builds a Docker image and runs the app inside the gitlab-runner's Docker. I'm running `docker:stable` inside the gitlab-runner, as shown in the job below:

```yaml
build_image:
  stage: build_image
  image: docker:stable
  services:
    - docker:dind
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
  before_script:
    - apk add --no-cache py-pip
    - pip install docker-compose
    - docker info
  script:
    - docker build -t xyz/java-webapp:latest .
    - docker run -p 8080:8080 xyz/java-webapp:latest
```

The plan is to run the `deploy` job after the above to kick off the `tests/entry.sh` script, which calls `tests/queue.py` to run the backend service.

```yaml
deploy:
  stage: deploy
  script:
    - ". tests/entry.sh"
```
Framework questions:
- With the above setup, when each user forks the challenge repo they get to run the app in their own build process, so they can fix the code and submit. Is that how the framework works? Or do I need to create a Docker image and run it on the gitlab-runner server instance?
- How do I gracefully end the Docker instance if it gets kicked off as part of the `.gitlab-ci.yml`, runs within the `.gitlab-ci.yml` script, and the user commits? Do I need to shut it down after the response from `queue.py` from the backend? I'm unable to find this information in the documentation; could you let me know if I'm missing anything?
Repo questions:
- The demo site mentioned is not up at https://ctf.tamu.edu/
- Do we have the challenge code for the shell, maze, and ApacheDirectoryTraversal examples, or is that only for testing purposes? I see the service and attacker in the repo but not the challenge code for the above.
> With the above setup, when each user forks the challenge repo they get to run the app in their own build process, so they can fix the code and submit. Is that how the framework works?

That is the general idea. It uses GitLab's CI/CD to automate the build and testing process. https://docs.gitlab.com/ee/ci/

> Do I need to create a Docker image and run it on the gitlab-runner server instance?

GitLab's CI/CD takes care of this process. You can either pull an image from a Docker hub like we did for TAMUctf (https://github.com/ameserole/Akeso/blob/master/examples/example_.gitlab-ci.yml#L1) or you can build an image locally on the worker server and pass it in a couple of different ways (https://docs.gitlab.com/ee/ci/docker/using_docker_images.html).

> How do I gracefully end the Docker instance if it gets kicked off as part of the `.gitlab-ci.yml`, runs within the `.gitlab-ci.yml` script, and the user commits?

GitLab's CI/CD process takes care of this for you. Once the tests finish or time out it will automatically spin down the container.

> Do I need to shut it down after the response from `queue.py` from the backend?

No

> The demo site mentioned is not up at https://ctf.tamu.edu/

Unfortunately we ran out of money to keep the past CTF up. I'm looking at hosting a separate challenge server just for this, though.

> Do we have the challenge code for the shell, maze, and ApacheDirectoryTraversal examples, or is that only for testing purposes?

I haven't uploaded it. I'll do that sometime in the next day or two.
@ameserole Thank you for your comments. I got stuck at building the Docker image and running it within the `.gitlab-ci.yml` script.

Do I need to run Docker-in-Docker to build the Docker image of the web app within `.gitlab-ci.yml`? Otherwise I ran into a `docker: command not found` error by simply running `docker build -t WebApp:test .`, which reads a Dockerfile from the project repo.

If I have to do Docker-in-Docker then I need to set up a local Docker registry, do `docker login -u`, and use the `docker:stable` image to run Docker commands. Is that how it works? Will the app then be running within Docker-in-Docker?

These are the stages:

```yaml
stages:
  - build         # compile app with maven, gradle or make tools
  - docker_build  # build docker image of the app and run at port 80
  - test          # run tests/entry.sh script to kick off queue.py
```
You shouldn't have to do Docker-in-Docker.

What you can do is:

- Build the app on the gitlab-runner server
- Build the Docker image on the gitlab-runner server
- In the `.gitlab_ci.yml` put the line `image: WebApp/test:latest` or `image: WebApp/test` (I don't remember which one will work) at the top of the file. This will make it so the gitlab-runner uses the Docker image that you built locally. You may have to modify the configuration to look locally first, though. (https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
- Add the lines:

```yaml
test:
  script:
    - "./tests/entry.sh"
```

  for the tests
@ameserole I get all the steps except 2, where we need to build a Docker image for each user's forked code base upon their code commits and run the test script. I can have the Dockerfile within the repo, and to kick off the `docker build` or `docker run` within `.gitlab-ci.yml` I need a Docker container (Docker-in-Docker), I guess.

I think there is some confusion about how GitLab's CI/CD workflow works with Docker.

All of the commands defined in the `.gitlab-ci.yml` run inside either the default image passed to the gitlab-runners or the image defined at the top of the file. What this allows you to do is build as much of the WebApp as possible before running the challenge. Then in your `entry.sh` file you add the last steps needed to get the app working with the user's modified code. For example, here is the Dockerfile I used for the NodeJS Maze challenge from TAMUctf: https://github.com/ameserole/Akeso/blob/master/examples/challenges/Maze/Dockerfile

This copies all of the necessary files and installs all of the necessary dependencies. This is the container that the `.gitlab-ci.yml` file is run inside of. This is the one from the Maze challenge: https://github.com/ameserole/Akeso/blob/master/examples/challenges/Maze/.gitlab-ci.yml

Finally, the `entry.sh` file starts the node app and kicks off the testing for the app: https://github.com/ameserole/Akeso/blob/master/examples/challenges/Maze/tests/entry.sh

This means that you should not have to build the desired container inside of the gitlab-runner container, because the gitlab-runner container will already be your prebuilt challenge container. All you have to add is the final steps to kick off the service with the user's code and push the necessary info onto the testing queue for the challenge to get tested.
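To make the workflow described in the two comments above concrete (the job runs inside the prebuilt challenge image, so no Docker-in-Docker and no `docker build` in the pipeline), here is an added example `.gitlab-ci.yml` for the Spring Boot case from the first comment. It is not a file from the Akeso repository: the image name `akeso/springboot-challenge:latest` is hypothetical, it assumes that image was built on the runner host from the challenge's Dockerfile and already contains the JDK, the Gradle wrapper and the baseline sources, and it assumes `tests/entry.sh` is the script that starts the app and hands it to `queue.py`, as the thread describes.

```yaml
# Added example .gitlab-ci.yml (not from the Akeso repo).
# Assumptions: Docker executor; the hypothetical image
# "akeso/springboot-challenge:latest" was built locally on the runner host
# and contains the toolchain, so the pipeline never needs the docker CLI,
# a dind service or a privileged runner.
image: akeso/springboot-challenge:latest

stages:
  - build
  - test

variables:
  # No lingering Gradle daemon inside a throwaway job container.
  GRADLE_OPTS: "-Dorg.gradle.daemon=false"

build:
  stage: build
  script:
    # Compile the user's patched sources and run their unit tests.
    - ./gradlew --no-daemon build
  artifacts:
    paths:
      - build/libs/     # hand the built jar to the test stage
    expire_in: 1 hour

test:
  stage: test
  # CI tears the job container down when the job ends or hits this limit,
  # so entry.sh does not need to stop the app itself.
  timeout: 10 minutes
  script:
    - chmod +x tests/entry.sh
    - ./tests/entry.sh   # start the app and push it onto the Akeso test queue
```

Because the image is built on the runner host rather than pulled from a registry, the runner's `config.toml` needs `pull_policy = "if-not-present"` in its `[runners.docker]` section (the setting the linked GitLab docs describe); with the default `always` policy the runner would try to pull the local-only tag and fail. Keeping Docker-in-Docker out of the pipeline also means the runner never has to run privileged containers for untrusted, user-submitted code.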
@ameserole I was able to get past the Docker image issue within the gitlab-runner job. I'll look into the service check failure on my end. Thanks.

No problem, let me know if you keep running into issues! Thanks for helping point out areas of my documentation that I can improve as well. I'll probably keep this issue open so that anyone else who stumbles by can read it as well.

@ameserole I got it working end to end. Next I'll try with the example challenges you posted. Thanks.