Merge pull request #23 from siemens/develop

Develop

README.md

@@ -35,18 +35,28 @@ First, ensure that you have the Docker _compose_ plugin v2 installed. For Debian
 users it is strongly recommended to install docker-ce instead of docker.io
 packages, as these are updated on a regular basis.
 
+To expose service TCP port 5001 only on localhost:
+
 ```bash
 wget -q --no-cache -O - \
-  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
+  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose-localhost.yaml \
   | docker compose -f - up
 ```
 
-Finally, visit http://localhost:5001 and start looking around your container
-host virtual networking.
+To expose service TCP port 5001 to remote clients:
+
+```bash
+wget -q --no-cache -O - \
+  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
+  | docker compose -f - up
+```
 
 > ⚠ This quick start deployment will **expose TCP port 5001** also to clients
 > external to your host. Make sure to have proper network protection in place.
 
+Finally, visit http://localhost:5001 and start looking around your container
+host virtual networking.
+
 If you want to live capture traffic using Wireshark, please [download the csharg
 extcap plugin](https://github.com/siemens/cshargextcap/releases) for the
 OS/distribution and install it. 

deployments/industrial-edge/app/edgeshark/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2.4'
 services:
   gostwire:
-    image: 'ghcr.io/siemens/ghostwire:2.1.12'
+    image: 'ghcr.io/siemens/ghostwire:2.1.15'
     read_only: true
     mem_limit: 48mb
     restart: unless-stopped
@@ -34,7 +34,7 @@ services:
       - './publish/:/publish/'
       - './cfg-data/:/cfg-data/'
   edgeshark:
-    image: 'ghcr.io/siemens/packetflix:0.9.3'
+    image: 'ghcr.io/siemens/packetflix:0.9.4'
     mem_limit: 32mb
     read_only: true
     restart: unless-stopped

deployments/wget/docker-compose-localhost.yaml

@@ -0,0 +1,94 @@
+# requires docker compose plugin (=v2)
+#
+# wget -q --no-cache -O - https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml | docker compose -f - up
+name: 'edgeshark'
+services:
+    gostwire:
+        image: 'ghcr.io/siemens/ghostwire'
+        pull_policy: always
+        restart: 'unless-stopped'
+        read_only: true
+        entrypoint:
+        - "/gostwire"
+        - "--http=[::]:5000"
+        - "--brand=Edgeshark"
+        - "--brandicon=PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCA2LjM1IDYuMzUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHBhdGggZD0iTTUuNzMgNC41M2EuNC40IDAgMDEtLjA2LS4xMmwtLjAyLS4wNC0uMDMuMDNjLS4wNi4xMS0uMDcuMTItLjEuMS0uMDEtLjAyIDAtLjAzLjAzLS4xbC4wNi0uMS4wNC0uMDVjLjAzIDAgLjA0LjAxLjA2LjA5bC4wNC4xMmMuMDMuMDUuMDMuMDcgMCAuMDhoLS4wMnptLS43NS0uMDZjLS4wMi0uMDEtLjAxLS4wMy4wMS0uMDUuMDMtLjAyLjA1LS4wNi4wOC0uMTQuMDMtLjA4LjA1LS4xLjA4LS4wN2wuMDIuMDdjLjAyLjEuMDMuMTIuMDUuMTMuMDUuMDIuMDQuMDctLjAxLjA3LS4wNCAwLS4wNi0uMDMtLjA5LS4xMiAwLS4wMi0uMDEgMC0uMDQuMDRhLjM2LjM2IDAgMDEtLjA0LjA3Yy0uMDIuMDItLjA1LjAyLS4wNiAwem0tLjQ4LS4wM2MtLjAxLS4wMSAwLS4wMy4wMS0uMDZsLjA3LS4xM2MuMDYtLjEuMDctLjEzLjEtLjEyLjAyLjAyLjAzLjA0LjA0LjEuMDEuMDguMDIuMTEuMDQuMTR2LjA0Yy0uMDEuMDItLjA0LjAyLS4wNiAwbC0uMDMtLjEtLjAxLS4wNS0uMDYuMDlhLjQ2LjQ2IDAgMDEtLjA1LjA4Yy0uMDIuMDItLjA0LjAyLS4wNSAwem0uMDgtLjc1YS4wNS4wNSAwIDAxLS4wMS0uMDRMNC41IDMuNWwtLjAyLS4wNGguMDNjLjAzLS4wMi4wMy0uMDEuMDguMDdsLjAzLjA1LjA3LS4xM2MwLS4wMyAwLS4wMy4wMi0uMDQuMDMgMCAuMDQgMCAuMDQuMDJhLjYuNiAwIDAxLS4xMi4yNmMtLjAzLjAyLS4wMy4wMi0uMDUgMHptLjU0LS4xYy0uMDEtLjAyLS4wMi0uMDMtLjAyLS4wOGEuNDQuNDQgMCAwMC0uMDMtLjA4Yy0uMDItLjA1LS4wMi0uMDggMC0uMDguMDUtLjAxLjA2IDAgLjA2LjA0bC4wMy4wOGMuMDIgMCAuMDYtLjA4LjA3LS4xMmwuMDEtLjAyLjA2LS4wMS0uMTIuMjZoLS4wNnptLjQ3LS4wOGwtLjAyLS4wOWEuNTUuNTUgMCAwMC0uMDItLjEyYzAtLjAyIDAtLjAyLjAyLS4wMmguMDNsLjAyLjExdi4wM2MuMDEgMCAuMDQtLjAzLjA2LS4wN2wuMDUtLjA5Yy4wMi0uMDIuMDYtLjAyLjA2IDBsLS4xNC4yNWMtLjAxLjAxLS4wNS4wMi0uMDYgMHptLS43Ni0uNDFjLS4wNi0uMDMtLjA4LS4xNC0uMDUtLjJsLjA0LS4wM2MuMDMtLjAyLjAzLS4wMi4wNy0uMDIuMDYgMCAuMDkuMDEuMTIuMDUuMDMuMDUuMDIuMTItLjAzLjE2LS4wNS4wNS0uMS4wNi0uMTUuMDR6bS4zNS0uMDVBLjEzLjEzIDAgMDE1LjE0IDNsLS4wMS0uMDVjMC0uMDQgMC0uMDUuMDYtLjFsLjA2LS4wMmMuMDcgMCAuMTEuMDUuMS4xMmwtLjAxLjA2Yy0uMDQuMDQtLjEyLjA1LS4xNi4wM3oiLz48cGF0aCBkPSJNMy44NCA1LjQ4Yy0uMTctLjIxLS4wNC0uNS0uMDYtLjc0LjA1LS44My4xLTEuNjYuMDctMi41LjE3LS4xNC40NC4wOC41OS0uMDItLjIyLS4xMy0uNTQtLjEzLS44LS4xNC0uMTQuMDktLjUuMDItLjUuMTcuMi4wOC41My0uMTUuNjQuMDItLjAxLjgxLS4wMyAxLjYyLS4xIDIuNDItLjA1LjIzLjA3LjU2LS4xNC43MmE5LjUxIDkuNTEgMCAwMS0uNjYtLjUzYy4xMy0uMDQuMzItLjQuMS0uMi0uMjEuMjItLjUxLjI3LS43OS4zNS0uMTIuMDgtLjU0LjEyLS4zMi0uMTEuMi0uMjIuNDUtLjQyLjUtLjcyLS4xMy0uMTItLjEuMy0uMjUuMDgtLjIzLS4xNi0uNDMtLjM1LS42Ny0uNS0uMjEuMTItLjQ1LjIzLS43LjI5LS4xNy4xLS42MS4xNC0uMzItLjE0LjItLjIuNDMtLjQyLjQtLjcyLjAzLS4zMS0uMDgtLjYxLS4yLS44OWEyLjA3IDIuMDcgMCAwMC0uNDMtLjY0Yy0uMTgtLjE2LS4wMi0uMy4xNi0uMTkuMzcuMTcuNy40Ljk4LjcuMDkuMTcuMTMuNC4zNi4yNS40NC0uMDguOS0uMSAxLjM0LS4yMS4xMy0uMy4wNC0uNjQtLjEyLS45MSAwLS4xNy0uNDItLjM4LS4yMi0uNDYuMzguMS43Ny4yMyAxLjA4LjQ4LjMyLjE5LjY0LjQ1LjY5Ljg0LjEuMTguNS4xMi43MS4xOS4zMy4wNC42Ni4wOSAxIC4wOS4xNS4xMi0uMDguNDcgMCAuNjgtLjA4LjE1LS40LjA3LS41OS4xNC0uMTIuMTMtLjE0LjQzLS4xNS42NC0uMDUuMTUuMTguNDguMDYuNWExLjQgMS40IDAgMDEwLTEuMWMtLjItLjA2LS4zMy4wNi0uNTMuMDQtLjIzLjA0LS40NS4xLS42OC4xMi0uMTMuMi0uMjMuNTQtLjA2Ljc1LjEzLjE5LjMuMi40OC4yLjE4LjAzLjM2LjA1LjU1LjA0LjE4LS4wMS4zNi4wNy41Mi4wNS4yLjAxLjEuNC4wNy41Mi0uMzguMDctLjc2LjE2LTEuMTQuMjUtLjMuMDQtLjU4LjE0LS44Ny4xOXptLjQyLS4zOGMuMDgtLjEuMDItLjU0LS4wNC0uMjQgMCAuMDYtLjEuMy4wNC4yNHptLjU4LS4xYy4wOS0uMTItLjA0LS40Mi0uMDctLjE0LS4wMi4wNi0uMDIuMi4wNy4xNHptLjU2LS4wNmMuMTItLjE0LS4wOC0uMzQtLjA4LS4wOC0uMDEuMDQuMDIuMTMuMDguMDh6bS0yLjE3LS42Yy4wMy0uMjUuMDItLjUyLjA2LS43OS4wMi0uMjUuMDUtLjUgMC0uNzUtLjA5LjItLjAzLjQ4LS4wOS43LS4wMi4yOC0uMDguNTctLjA0Ljg1LjAyLjAyLjA1LjAyLjA3IDB6bS0uNjctLjI3Yy4wOS0uMy4wNy0uNjMuMDgtLjk0LS4wMS0uMTIuMDEtLjQ3LS4xLS40LjAzLjQzLjAzLjg4LS4wNiAxLjMyIDAgLjAzLjA1LjA1LjA4LjAyem0tLjYtLjVjLjEtLjI0LjE0LS41My4xLS43OS0uMTQgMC0uMDMuMzYtLjEuNS4wMS4wNi0uMTMuMzIgMCAuM3ptLS40My0uMmMuMDQtLjE2LjE1LS41IDAtLjU3LjA1LjE4LS4xMi40NS0uMDMuNThsLjAzLS4wMXptMy40My0uMjJjLjIyLS4xMyAwLS42Ni0uMjItLjM1LS4xLjE1IDAgLjQyLjIyLjM1em0uMzQtLjA2Yy4yOCAwIC4xOC0uNTMtLjA5LS4zNC0uMTIuMDctLjEyLjQyLjA5LjM0em0uNDQtLjAxYy0uMDEtLjEuMTItLjM4LS4wMS0uNC0uMDIuMS0uMTcuNDEgMCAuNHptLTEuMjYtLjAyYzAtLjEzLjAyLS41NS0uMTQtLjUuMDguMTItLjAyLjUxLjE0LjV6Ii8+PHBhdGggZD0iTTUuNTMgMy4yN2wtLjI1LjAzYS41Ny41NyAwIDAxLS4xMy4yNGwtLjA2LS4yLS4zNy4wNGMwIC4xLS4wMy4xOS0uMS4yOGwtLjEzLS4yNC0uMjIuMDNzLS4xNS4yOC0uMTUuNDYuMDcuNDYuMzcuNTNoLjAzbC4xNS0uMjUuMDguMjguMjUuMDIuMTItLjJjLjA1LjEuMS4yLjEyLjJsLjMuMDJ2LS4wOHMtLjEyLS4yNS0uMTItLjM5Yy0uMDItLjI3LjExLS43Ny4xMS0uNzd6IiBmaWxsLW9wYWNpdHk9Ii41Ii8+PC9zdmc+"
+        user: "65534"
+        # In order to set only exactly a specific set of capabilities without
+        # any additional Docker container default capabilities, we need to drop
+        # "all" capabilities. Regardless of the order (there ain't one) of YAML
+        # dictionary keys, Docker carries out dropping all capabilities first,
+        # and only then adds capabilities. See also:
+        # https://stackoverflow.com/a/63219871.
+        cap_drop:
+            - ALL
+        cap_add:
+            - CAP_SYS_ADMIN       # change namespaces
+            - CAP_SYS_CHROOT      # change mount namespaces
+            - CAP_SYS_PTRACE      # access nsfs namespace information
+            - CAP_DAC_READ_SEARCH # access/scan /proc/[$PID]/fd itself
+            - CAP_DAC_OVERRIDE    # access container engine unix domain sockets without being rude, erm, root.
+            - CAP_NET_RAW         # pingin' 'round
+            - CAP_NET_ADMIN       # 'nuff tables
+        security_opt:
+            # The default Docker container AppArmor profile blocks namespace
+            # discovery, due to reading from /proc/$PID/ns/* is considered to be
+            # ptrace read/ready operations.
+            - apparmor:unconfined
+        # Essential since we need full PID view.
+        pid: 'host'
+        cgroup: host
+        networks:
+            99-ghost-in-da-edge:
+                priority: 100
+
+    edgeshark:
+        image: 'ghcr.io/siemens/packetflix'
+        pull_policy: 'always'
+        read_only: true
+        restart: 'unless-stopped'
+        entrypoint:
+        - "/packetflix"
+        - "--port=5001"
+        - "--discovery-service=gostwire.ghost-in-da-edge"
+        - "--gw-port=5000"
+        - "--proxy-discovery"
+
+        ports:
+        - "127.0.0.1:5001:5001"
+
+        # Run as non-root user (baked into the meta data of the image anyway).
+        user: "65534"
+
+        # In order to set only exactly a specific set of capabilities without
+        # any additional Docker container default capabilities, we need to drop
+        # "all" capabilities. Regardless of the order (there ain't one) of YAML
+        # dictionary keys, Docker carries out dropping all capabilities first,
+        # and only then adds capabilities. See also:
+        # https://stackoverflow.com/a/63219871.
+        cap_drop:
+            - ALL
+        cap_add:
+            - CAP_SYS_ADMIN     # change namespaces
+            - CAP_SYS_CHROOT    # change mount namespaces
+            - CAP_SYS_PTRACE    # access nsfs namespace information
+            - CAP_NET_ADMIN     # allow dumpcap to control promisc. mode
+            - CAP_NET_RAW       # capture raw packets, and not that totally burnt stuff
+        security_opt:
+            # The default Docker container AppArmor profile blocks namespace
+            # discovery, due to reading from /proc/$PID/ns/* is considered to be
+            # ptrace read/ready operations.
+            - apparmor:unconfined
+
+        # Essential since we need full PID view.
+        pid: 'host'
+
+        networks:
+            99-ghost-in-da-edge:
+                priority: 100
+
+networks:
+    99-ghost-in-da-edge:
+        name: ghost-in-da-edge
+        internal: false
+

docs/getting-started.md

@@ -28,13 +28,22 @@ Edgeshark services:
 
 ```bash
 wget -q --no-cache -O - \
-  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
+  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose-localhost.yaml \
   | docker compose -f - up
 ```
 
 Finally, visit http://localhost:5001 and start looking around your container
 host virtual networking.
 
+In case you need to expose service TCP port 5001 to external clients then copy,
+paste, and execute this command instead:
+
+```bash
+wget -q --no-cache -O - \
+  https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
+  | docker compose -f - up
+```
+
 > [!WARNING] This quick start deployment will **expose TCP port 5001** also to
 > clients external to your host. Make sure to have proper network protection in
 > place.