From c3839aa8fb3fccbff9c679b30d0dcb7a209f207a Mon Sep 17 00:00:00 2001 From: Tim Evens Date: Fri, 28 Jan 2022 15:12:01 -0800 Subject: [PATCH] Security fixes, issues resolved, and more * Upgrades to all containers * Resolves #7, resolves #6, resolves #2 * Compose changed to use versions instead of latest * OBMP containers now use a version tag instead of build numbers --- collector/Dockerfile | 8 ++++---- collector/scripts/install | 2 +- dev-image/Dockerfile | 4 ++-- docker-compose.yml | 12 ++++++------ postgres/Dockerfile | 8 ++++---- psql-app/Dockerfile | 10 +++++----- psql-app/scripts/run | 33 ++++++++++++++------------------- 7 files changed, 36 insertions(+), 41 deletions(-)
diff --git a/collector/Dockerfile b/collector/Dockerfile
index 1b633a2..13a8fd9 100644
--- a/collector/Dockerfile
+++ b/collector/Dockerfile
@@ -1,6 +1,6 @@
 # Collector: openbmp/collector
 #
-# Copyright (c) 2021 Cisco Systems, Inc. and Tim Evens. All rights reserved.
+# Copyright (c) 2021-2022 Cisco Systems, Inc. and Tim Evens. All rights reserved.
 #
 # Author: Tim Evens
 #
@@ -15,8 +15,8 @@
 #
 # Example docker build:
 # tar -cL -C ../../ ./obmp-collector ./obmp-docker/collector \
-# | docker build --build-arg BUILD_NUMBER=50 \
-# -f obmp-docker/collector/Dockerfile -t openbmp/collector:build-50 -
+# | docker build --build-arg VERSION=2.0.1 \
+# -f obmp-docker/collector/Dockerfile -t openbmp/collector:2.0.1 -
 #
 # -----------------------------------------------
@@ -43,7 +43,7 @@ FROM debian:bullseye-slim
 ADD obmp-docker/collector/scripts/install /tmp/
 ADD obmp-docker/collector/scripts/run /usr/sbin/
-ARG BUILD_NUMBER=0
+ARG VERSION=0
 # Copy files from previous stages
 COPY --from=build /usr/bin/openbmpd /usr/bin/
diff --git a/collector/scripts/install b/collector/scripts/install
index c2a3138..3b8f13c 100755
--- a/collector/scripts/install
+++ b/collector/scripts/install
@@ -6,7 +6,7 @@
 # Author: Tim Evens
 # Add build details
-touch /usr/local/build-${BUILD_NUMBER}
+touch /usr/local/version-${VERSION}
 #
 # Defaults
diff --git a/dev-image/Dockerfile b/dev-image/Dockerfile
index e6bacf2..8076d04 100644
--- a/dev-image/Dockerfile
+++ b/dev-image/Dockerfile
@@ -1,7 +1,7 @@
 # Development build container: openbmp/dev-image
 #
-# Copyright (c) 2021 Cisco Systems, Inc. and others. All rights reserved.
-# Copyright (c) 2021 Tim Evens. All rights reserved.
+# Copyright (c) 2021-2022 Cisco Systems, Inc. and others. All rights reserved.
+# Copyright (c) 2021-2022 Tim Evens. All rights reserved.
 #
 # Container used to build the OpenBMP components
 #
diff --git a/docker-compose.yml b/docker-compose.yml
index cc34188..1a5ede4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
 zookeeper:
 restart: unless-stopped
 container_name: obmp-zookeeper
- image: confluentinc/cp-zookeeper:6.0.2
+ image: confluentinc/cp-zookeeper:7.0.1
 volumes:
 - ${OBMP_DATA_ROOT}/zk-data:/var/lib/zookeeper/data
 - ${OBMP_DATA_ROOT}/zk-log:/var/lib/zookeeper/log
@@ -16,7 +16,7 @@ services:
 kafka:
 restart: unless-stopped
 container_name: obmp-kafka
- image: confluentinc/cp-kafka:6.0.2
+ image: confluentinc/cp-kafka:7.0.1
 # Change the mount point to where you want to store Kafka data.
 # Normally 80GB or more
@@ -48,7 +48,7 @@ services:
 grafana:
 restart: unless-stopped
 container_name: obmp-grafana
- image: grafana/grafana:latest
+ image: grafana/grafana:8.3.4
 ports:
 - 3000:3000
 volumes:
@@ -63,7 +63,7 @@ services:
 psql:
 restart: unless-stopped
 container_name: obmp-psql
- image: openbmp/postgres:latest
+ image: openbmp/postgres:2.0.1
 ports:
 - 5432:5432
 volumes:
@@ -78,7 +78,7 @@ services:
 collector:
 restart: unless-stopped
 container_name: obmp-collector
- image: openbmp/collector:latest
+ image: openbmp/collector:2.0.1
 sysctls:
 - net.ipv4.tcp_keepalive_intvl=30
 - net.ipv4.tcp_keepalive_probes=5
@@ -93,7 +93,7 @@ services:
 psql-app:
 restart: unless-stopped
 container_name: obmp-psql-app
- image: openbmp/psql-app:latest
+ image: openbmp/psql-app:2.0.1
 sysctls:
 - net.ipv4.tcp_keepalive_intvl=30
 - net.ipv4.tcp_keepalive_probes=5
diff --git a/postgres/Dockerfile b/postgres/Dockerfile
index e4d7a7d..6d190ca 100644
--- a/postgres/Dockerfile
+++ b/postgres/Dockerfile
@@ -1,18 +1,18 @@
 # Postgres Container
 #
-# Copyright (c) 2021 Cisco Systems, Inc. and Tim Evens. All rights reserved.
+# Copyright (c) 2021-2022 Cisco Systems, Inc. and Tim Evens. All rights reserved.
 #
 # Build:
-# docker build -t openbmp/postgres:build-NNN .
+# docker build -t openbmp/postgres:2.0.1 .
 #
 # Run:
 # docker run --rm -it -p 5432:5432 \
 # -e POSTGRES_PASSWORD=openbmp \
 # -e POSTGRES_USER=openbmp \
 # -e POSTGRES_DB=openbmp \
-# openbmp/postgres:build-NNN
+# openbmp/postgres:2.0.1
-FROM timescale/timescaledb:2.1.0-pg13
+FROM timescale/timescaledb:2.5.1-pg14
 # Current/working dir
 VOLUME ["/ws"]
diff --git a/psql-app/Dockerfile b/psql-app/Dockerfile
index 2973d01..a8018ef 100644
--- a/psql-app/Dockerfile
+++ b/psql-app/Dockerfile
@@ -1,6 +1,6 @@
 # Postgres Backend: openbmp/psql-consumer
 #
-# Copyright (c) 2021 Cisco Systems, Inc. and Tim Evens. All rights reserved.
+# Copyright (c) 2021-2022 Cisco Systems, Inc. and Tim Evens. All rights reserved.
 #
 # Author: Tim Evens
 #
@@ -13,15 +13,15 @@
 #
 # Example docker build:
 # tar -cL -C ../../ ./obmp-psql ./obmp-docker/psql-app ./obmp-java-api-message \
-# | docker build --build-arg BUILD_NUMBER=50 \
-# -f obmp-docker/psql-app/Dockerfile -t openbmp/psql-app:build-50 -
+# | docker build --build-arg VERSION=2.0.1 \
+# -f obmp-docker/psql-app/Dockerfile -t openbmp/psql-app:2.0.1 -
 # -----------------------------------------------
 # stage: Build
 # -----------------------------------------------
 FROM openbmp/dev-image:latest AS build
-ARG BUILD_NUMBER=0
+ARG VERSION=0.0.0
 # Proxy servers
 #ENV http_proxy http://proxy:80
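Review bot: The base image jumps from a PostgreSQL 13 build to a PostgreSQL 14 build (`FROM timescale/timescaledb:2.5.1-pg14`), and PostgreSQL major versions do not share an on-disk data format, so an existing deployment whose data volume was initialised under pg13 will not start on this image without a pg_upgrade or dump/restore step that the commit neither performs nor documents. docker-compose.yml in the same commit mounts volumes for the psql service (the volume list is outside this hunk), so in-place upgraders are exposed to this. At minimum the Build/Run comment block should warn, e.g. `# NOTE: pg14 base image - data directories created by the pg13 image must be migrated (pg_upgrade or pg_dump/restore) before upgrading`. The Run example still shows `-e POSTGRES_PASSWORD=openbmp`; fine as an example, but label it as a placeholder so it is not copied into production.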
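Review bot: The build stage still pulls `FROM openbmp/dev-image:latest AS build` while every other image reference in this commit is pinned to a version, so the toolchain that produces openbmp/psql-app:2.0.1 is unpinned and a moving `latest` tag can silently change the built artefact (supply-chain and reproducibility concern). Pin it to a versioned dev-image tag, or better a digest, e.g. `FROM openbmp/dev-image:<version>@sha256:<digest> AS build`, consistent with the `VERSION=2.0.1` convention in the example build line just above. Separately, this file defaults `ARG VERSION=0.0.0` whereas collector/Dockerfile in the same commit uses `ARG VERSION=0`; pick one form so the /usr/local/version-* markers look alike across images.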
@@ -67,7 +67,7 @@ EXPOSE 9005
 WORKDIR /tmp
 # Base setup tasks
-RUN touch /usr/local/build-${BUILD_NUMBER} \
+RUN touch /usr/local/version-${VERSION} \
 && chmod 755 /usr/local/openbmp/*.py
 #----------------------------------
diff --git a/psql-app/scripts/run b/psql-app/scripts/run
index 104ed2a..a175050 100755
--- a/psql-app/scripts/run
+++ b/psql-app/scripts/run
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Postgres Backend: Run script
 #
-# Copyright (c) 2021 Cisco Systems, Inc. and Tim Evens. All rights reserved.
+# Copyright (c) 2021-2022 Cisco Systems, Inc. and Tim Evens. All rights reserved.
 #
 # Author: Tim Evens
 #
@@ -12,6 +12,8 @@ export POSTGRES_PASSWORD=${POSTGRES_PASSWORD:="openbmp"}
 export POSTGRES_HOST=${POSTGRES_HOST:="127.0.0.1"}
 export POSTGRES_PORT=${POSTGRES_PORT:="5432"}
 export POSTGRES_DB=${POSTGRES_DB:="openbmp"}
+export POSTGRES_SSL_ENABLE=${POSTGRES_SSL_ENABLE:="port"}
+export POSTGRES_SSL_MODE=${POSTGRES_SSL_MODE:="required"}
 export MEM=${MEM:="1"} # mem in gigabytes
 export PGCONNECT_TIMEOUT=15
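Review bot: `POSTGRES_SSL_MODE` defaults to `required`, which, if obmp-psql passes it through as the PostgreSQL/JDBC sslmode, only encrypts the session and does not verify the server certificate, so an on-path attacker between psql-app and the database is not prevented; note also that the libpq/JDBC spelling is `require` rather than `required`, so confirm against the values obmp-psql actually accepts (not visible here). A default that authenticates the server would be `verify-full` with a CA certificate supplied to the container, with `require` documented as the explicit opt-out. Whichever default is kept, add a comment above the two new exports such as `# NOTE: 'required' encrypts only; use verify-ca/verify-full with a CA cert to authenticate the server`. The surrounding context still defaults `POSTGRES_PASSWORD` to `openbmp` (pre-existing); consider failing fast when it is unset instead of silently using a well-known value.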
@@ -152,23 +154,12 @@ MAILTO=""
 # Update peer update counts
 */30 * * * * root . /usr/local/openbmp/pg_profile && psql -c "select update_peer_update_counts(1800)"
-# Update origin stats
-21 * * * * root . /usr/local/openbmp/pg_profile && psql -c "select update_global_ip_rib();"
+# Update global rib
+*/5 * * * * root . /usr/local/openbmp/pg_profile && psql -c "select update_global_ip_rib('5 minute');"
+
+# Update origin stats
+21 * * * * root . /usr/local/openbmp/pg_profile && psql -c "select update_origin_stats('1 hour');"
-# Purge time series data that is older than desired retention
-0 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('peer_event_log', interval $POSTGRES_DROP_peer_event_log);"
-1 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stat_reports', interval $POSTGRES_DROP_stat_reports);"
-2 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('ip_rib_log', interval $POSTGRES_DROP_ip_rib_log);"
-3 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('alerts', interval $POSTGRES_DROP_alerts);"
-4 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('ls_nodes_log', interval $POSTGRES_DROP_ls_nodes_log);"
-5 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('ls_links_log', interval $POSTGRES_DROP_ls_links_log);"
-6 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('ls_prefixes_log', interval $POSTGRES_DROP_ls_prefixes_log);"
-7 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stats_chg_byprefix', interval $POSTGRES_DROP_stats_chg_byprefix);"
-8 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stats_chg_byasn', interval $POSTGRES_DROP_stats_chg_byasn);"
-9 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stats_chg_bypeer', interval $POSTGRES_DROP_stats_chg_bypeer);"
-10 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stats_ip_origins', interval $POSTGRES_DROP_stats_ip_origins);"
-11 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stats_peer_rib', interval $POSTGRES_DROP_stats_peer_rib);"
-12 * */3 * * root . /usr/local/openbmp/pg_profile && psql -c "SELECT drop_chunks('stats_peer_update_counts', interval $POSTGRES_DROP_stats_peer_update_counts);"
 SETVAR
@@ -193,8 +184,12 @@ run_consumer() {
 # Update configuration
 sed -i -e "s/\([ ]*bootstrap.servers:\)\(.*\)/\1 \"${KAFKA_FQDN}\"/" /config/obmp-psql.yml
- sed -i -e "s/\([ ]*host[ ]*:\)\(.*\)/\1 \"${POSTGRES_HOST}\"/" /config/obmp-psql.yml
-
+ sed -i -e "s/\([ ]*host[ ]*:\)\(.*\)/\1 \"${POSTGRES_HOST}:${POSTGRES_PORT}\"/" /config/obmp-psql.yml
+ sed -i -e "s/\([ ]*username[ ]*:\)\(.*\)/\1 \"${POSTGRES_USER}\"/" /config/obmp-psql.yml
+ sed -i -e "s/\([ ]*password[ ]*:\)\(.*\)/\1 \"${POSTGRES_PASSWORD}\"/" /config/obmp-psql.yml
+ sed -i -e "s/\([ ]*db_name[ ]*:\)\(.*\)/\1 \"${POSTGRES_DB}\"/" /config/obmp-psql.yml
+ sed -i -e "s/\([ ]*ssl_enable[ ]*:\)\(.*\)/\1 \"${POSTGRES_SSL_ENABLE}\"/" /config/obmp-psql.yml
+ sed -i -e "s/\([ ]*ssl_mode[ ]*:\)\(.*\)/\1 \"${POSTGRES_SSL_MODE}\"/" /config/obmp-psql.yml
 fi
 if [[ $MEM -gt 20 ]]; then
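Review bot: All thirteen `drop_chunks` retention jobs are removed from the cron.d heredoc with no replacement visible in this hunk, so unless retention has moved to TimescaleDB retention policies elsewhere in the commit (not shown here), the hypertables they covered (peer_event_log, stat_reports, ip_rib_log, alerts, the ls_* logs and the stats_* tables) now grow without bound and the POSTGRES_DROP_* variables become dead configuration. Unbounded growth of a BMP log store is an availability risk, since disk exhaustion takes the whole collector pipeline down, so either keep a purge job or state where retention is now enforced. If it was moved to the database side, a one-line note in the heredoc such as `# Retention is enforced by TimescaleDB retention policies in the schema; no cron purge needed` would stop the next maintainer from re-adding these. The heredoc that writes this cron file starts before this hunk.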
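Review bot: The new `sed` substitutions splice `${POSTGRES_PASSWORD}` (and username, host, db_name) unescaped into a sed replacement, so a password containing `/`, `&` or `\` either breaks the expression or is silently rewritten (`&` expands to the matched text, `\1`-style sequences become backreferences), and the consumer then starts with wrong credentials; `[ ]*password[ ]*:` also rewrites every key named `password` in /config/obmp-psql.yml, not only the database one. Escape the value first, e.g. `pw_esc=$(printf '%s' "$POSTGRES_PASSWORD" | sed -e 's/[\/&\\]/\\&/g')` and substitute `${pw_esc}` (likewise for the other values), or use a delimiter that cannot occur in the value and anchor the key to its section of the file. The default `openbmp` password is also written into the config file in clear; check that file's permissions so it is not world-readable inside the container. The `fi` that closes this block belongs to an `if` that starts before the hunk.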