diff --git a/README.md b/README.md index 062e2df..59a56dd 100644 --- a/README.md +++ b/README.md @@ -35,18 +35,28 @@ First, ensure that you have the Docker _compose_ plugin v2 installed. For Debian users it is strongly recommended to install docker-ce instead of docker.io packages, as these are updated on a regular basis. +To expose service TCP port 5001 only on localhost: + ```bash wget -q --no-cache -O - \ - https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \ + https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose-localhost.yaml \ | docker compose -f - up ``` -Finally, visit http://localhost:5001 and start looking around your container -host virtual networking. +To expose service TCP port 5001 to remote clients: + +```bash +wget -q --no-cache -O - \ + https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \ + | docker compose -f - up +``` > ⚠ This quick start deployment will **expose TCP port 5001** also to clients > external to your host. Make sure to have proper network protection in place. +Finally, visit http://localhost:5001 and start looking around your container +host virtual networking. + If you want to live capture traffic using Wireshark, please [download the csharg extcap plugin](https://github.com/siemens/cshargextcap/releases) for the OS/distribution and install it. diff --git a/deployments/industrial-edge/app/edgeshark/docker-compose.yml b/deployments/industrial-edge/app/edgeshark/docker-compose.yml index a37a534..083da05 100644 --- a/deployments/industrial-edge/app/edgeshark/docker-compose.yml +++ b/deployments/industrial-edge/app/edgeshark/docker-compose.yml @@ -1,7 +1,7 @@ version: '2.4' services: gostwire: - image: 'ghcr.io/siemens/ghostwire:2.1.12' + image: 'ghcr.io/siemens/ghostwire:2.1.15' read_only: true mem_limit: 48mb restart: unless-stopped 
@@ -34,7 +34,7 @@ services:
 - './publish/:/publish/'
 - './cfg-data/:/cfg-data/'
 edgeshark:
- image: 'ghcr.io/siemens/packetflix:0.9.3'
+ image: 'ghcr.io/siemens/packetflix:0.9.4'
 mem_limit: 32mb
 read_only: true
 restart: unless-stopped
diff --git a/deployments/wget/docker-compose-localhost.yaml b/deployments/wget/docker-compose-localhost.yaml
new file mode 100644
index 0000000..9ac1a86
--- /dev/null
+++ b/deployments/wget/docker-compose-localhost.yaml
@@ -0,0 +1,94 @@
+# requires docker compose plugin (=v2)
+#
+# wget -q --no-cache -O - https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml | docker compose -f - up
+name: 'edgeshark'
+services:
+ gostwire:
+ image: 'ghcr.io/siemens/ghostwire'
+ pull_policy: always
+ restart: 'unless-stopped'
+ read_only: true
+ entrypoint:
+ - "/gostwire"
+ - "--http=[::]:5000"
+ - "--brand=Edgeshark"
+ - "--brandicon=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"
+ user: "65534"
+ # In order to set only exactly a specific set of capabilities without
+ # any additional Docker container default capabilities, we need to drop
+ # "all" capabilities. Regardless of the order (there ain't one) of YAML
+ # dictionary keys, Docker carries out dropping all capabilities first,
+ # and only then adds capabilities. See also:
+ # https://stackoverflow.com/a/63219871.
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_SYS_ADMIN # change namespaces
+ - CAP_SYS_CHROOT # change mount namespaces
+ - CAP_SYS_PTRACE # access nsfs namespace information
+ - CAP_DAC_READ_SEARCH # access/scan /proc/[$PID]/fd itself
+ - CAP_DAC_OVERRIDE # access container engine unix domain sockets without being rude, erm, root.
+ - CAP_NET_RAW # pingin' 'round
+ - CAP_NET_ADMIN # 'nuff tables
+ security_opt:
+ # The default Docker container AppArmor profile blocks namespace
+ # discovery, due to reading from /proc/$PID/ns/* is considered to be
+ # ptrace read/ready operations.
+ - apparmor:unconfined
+ # Essential since we need full PID view.
+ pid: 'host'
+ cgroup: host
+ networks:
+ 99-ghost-in-da-edge:
+ priority: 100
+
+ edgeshark:
+ image: 'ghcr.io/siemens/packetflix'
+ pull_policy: 'always'
+ read_only: true
+ restart: 'unless-stopped'
+ entrypoint:
+ - "/packetflix"
+ - "--port=5001"
+ - "--discovery-service=gostwire.ghost-in-da-edge"
+ - "--gw-port=5000"
+ - "--proxy-discovery"
+
+ ports:
+ - "127.0.0.1:5001:5001"
+
+ # Run as non-root user (baked into the meta data of the image anyway).
+ user: "65534"
+
+ # In order to set only exactly a specific set of capabilities without
+ # any additional Docker container default capabilities, we need to drop
+ # "all" capabilities. Regardless of the order (there ain't one) of YAML
+ # dictionary keys, Docker carries out dropping all capabilities first,
+ # and only then adds capabilities. See also:
+ # https://stackoverflow.com/a/63219871.
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_SYS_ADMIN # change namespaces
+ - CAP_SYS_CHROOT # change mount namespaces
+ - CAP_SYS_PTRACE # access nsfs namespace information
+ - CAP_NET_ADMIN # allow dumpcap to control promisc. mode
+ - CAP_NET_RAW # capture raw packets, and not that totally burnt stuff
+ security_opt:
+ # The default Docker container AppArmor profile blocks namespace
+ # discovery, due to reading from /proc/$PID/ns/* is considered to be
+ # ptrace read/ready operations.
+ - apparmor:unconfined
+
+ # Essential since we need full PID view.
+ pid: 'host'
+
+ networks:
+ 99-ghost-in-da-edge:
+ priority: 100
+
+networks:
+ 99-ghost-in-da-edge:
+ name: ghost-in-da-edge
+ internal: false
+
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 00372c9..b5151b1 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
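Review bot: The header comment at the top of the new docker-compose-localhost.yaml still quotes the wget pipeline for `docker-compose.yaml`, so anyone copying the command out of this file deploys the variant that publishes port 5001 on all interfaces instead of the loopback-only binding that the `ports: - "127.0.0.1:5001:5001"` line exists for; it should read `# wget -q --no-cache -O - https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose-localhost.yaml | docker compose -f - up`. Both services also reference `ghcr.io/siemens/ghostwire` and `ghcr.io/siemens/packetflix` without a tag while `pull_policy: always` is set, so every `docker compose up` silently tracks whatever the registry currently serves as latest, whereas the industrial-edge compose file touched in this same commit pins `2.1.15` and `0.9.4`; pinning a tag or digest here would make the localhost deployment reproducible and image updates deliberate, unless the existing docker-compose.yaml intentionally floats as well, which this diff does not show. As a point of style, `pull_policy: always` next to `pull_policy: 'always'` and `cgroup: host` next to `pid: 'host'` mix plain and quoted scalars for the same kind of value; pick one form file-wide.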
@@ -28,13 +28,22 @@ Edgeshark services:
 
 ```bash
 wget -q --no-cache -O - \
- https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
+ https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose-localhost.yaml \
 | docker compose -f - up
 ```
 
 Finally, visit http://localhost:5001 and start looking around your container
 host virtual networking.
 
+In case you need to expose service TCP port 5001 to external clients then copy,
+paste, and execute this command instead:
+
+```bash
+wget -q --no-cache -O - \
+ https://github.com/siemens/edgeshark/raw/main/deployments/wget/docker-compose.yaml \
+ | docker compose -f - up
+```
+
 > [!WARNING] This quick start deployment will **expose TCP port 5001** also to
 > clients external to your host. Make sure to have proper network protection in
 > place.