Dockerfile.thecrowler

# Build stage (using golang:1.23.4)
FROM golang@sha256:9a31ef0803e6afdf564edc8ba4b4e17caed22a0b1ecd2c55e3c8fdd8d8f68f98 AS builder

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
RUN apk add --no-cache bash

WORKDIR /app

COPY ./cmd ./cmd
COPY ./pkg ./pkg
COPY ./services ./services
COPY ./go.mod .
COPY ./go.sum .
COPY ./main.go .
COPY ./config.yaml .
COPY ./autobuild.sh .
COPY ./schemas/ ./schemas
COPY ./rules/ ./rules
COPY ./plugins/ ./plugins
COPY ./support/ ./support

# Ensure the script has correct permissions and check its presence
RUN chmod +x autobuild.sh
RUN ls -la

# Run the build script using shell
RUN bash ./autobuild.sh

# Run stage (using alpine:3.20)
#FROM alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a
FROM alpine@sha256:77726ef6b57ddf65bb551896826ec38bc3e53f75cdde31354fbffb4f25238ebd
WORKDIR /app

# Install necessary packages
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
RUN apk add --no-cache openjdk11-jre-headless
RUN apk add --no-cache bind-tools
RUN apk add --no-cache nmap nmap-scripts shadow sudo libcap

# Create a non-root user for running crowler
RUN adduser -D crowler

# Create a special user for running nmap
RUN addgroup -S scannergroup && \
    adduser -S scanner -G scannergroup

# Set up sudoers to allow crowler user to run nmap as scanner with no password
RUN echo "crowler ALL=(ALL) NOPASSWD: /usr/bin/sudo -u scanner /usr/bin/nmap" > /etc/sudoers.d/crowler && \
    echo "scanner ALL=(ALL) NOPASSWD: /usr/bin/nmap" > /etc/sudoers.d/scanner && \
    echo "Defaults:crowler !requiretty" >> /etc/sudoers.d/crowler

# Set capabilities on nmap
RUN setcap cap_net_raw,cap_net_admin=eip /usr/bin/nmap

# Create chroot environment for scanner user
RUN mkdir -p /chroot/home/scanner

# Create chroot environment for scanner user
#RUN mkdir -p /chroot/bin && \
#    mkdir -p /chroot/lib && \
#    mkdir -p /chroot/lib64 && \
#    mkdir -p /chroot/usr/bin && \
#    mkdir -p /chroot/usr/lib && \
#    mkdir -p /chroot/etc && \
#    mkdir -p /chroot/dev && \
#    mkdir -p /chroot/proc && \
#    mkdir -p /chroot/results && \
#    cp -v /bin/busybox /chroot/bin/busybox && \
#    ln -s busybox /chroot/bin/sh && \
#    ln -s busybox /chroot/bin/sudo && \
#    cp -v /usr/bin/nmap /chroot/usr/bin/ && \
#    cp -v /etc/sudoers /chroot/etc/ && \
#    cp -v /etc/passwd /chroot/etc/ && \
#    cp -v /etc/group /chroot/etc/ && \
#    cp -v /etc/resolv.conf /chroot/etc/ && \
#    mknod -m 666 /chroot/dev/null c 1 3 && \
#    mknod -m 666 /chroot/dev/zero c 1 5

# Ensure the results directory is accessible
RUN mkdir -p /results && \
    chmod 777 /results && \
    ln -s /results /chroot/results

# Set up permissions for scanner user
RUN chown -R scanner:scannergroup /chroot/home/scanner

COPY --from=builder /app/bin/thecrowler /app/
COPY --from=builder /app/bin/healthCheck /app/
COPY --from=builder /app/config.yaml /app/
COPY --from=builder /app/schemas /app/schemas
COPY --from=builder /app/rules /app/rules
COPY --from=builder /app/plugins /app/plugins
COPY --from=builder /app/support /app/support

# Ensure the executable is runnable
RUN chmod +x thecrowler
RUN chmod +x healthCheck

# Create the data directory and ensure correct permissions
RUN mkdir -p /app/data/images && chown -R crowler:crowler /app

USER crowler

# Expose port 8081 to the outside world
EXPOSE 8081

# Command to run the executable
CMD ["./thecrowler"]