From 35675866ee2025b40191c80e412720ddfeeb59a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= Date: Thu, 9 May 2019 14:12:02 +0200 Subject: [PATCH] Build our own HAproxy docker image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The HAproxy docker image we were using is no longer maintained (hasn't been for years), but is built upon Alpine Linux which has a big security leak: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782 The security leak is fixed in this build of the docker image, but we should move to something else (lke Træfik). --- docker/docker-compose.yml | 5 ++++- docker/haproxy/Dockerfile | 5 +++++ docker/haproxy/build.sh | 10 ++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 docker/haproxy/Dockerfile create mode 100755 docker/haproxy/build.sh diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 6063592..2b2327c 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -32,6 +32,7 @@ services: max-file: "20" elastic: + # This image is defined in blender-cloud/docker/elastic image: armadillica/elasticsearch:6.1.1 container_name: elastic restart: always @@ -62,6 +63,7 @@ services: max-file: "20" kibana: + # This image is defined in blender-cloud/docker/elastic image: armadillica/kibana:6.1.1 container_name: kibana restart: always @@ -158,7 +160,8 @@ services: - /data/letsencrypt:/data/letsencrypt haproxy: - image: dockercloud/haproxy:1.5.3 + # This image is defined in blender-cloud/docker/haproxy + image: armadillica/haproxy:1.6.7 container_name: haproxy restart: always ports: diff --git a/docker/haproxy/Dockerfile b/docker/haproxy/Dockerfile new file mode 100644 index 0000000..16f11d6 --- /dev/null +++ b/docker/haproxy/Dockerfile 
@@ -0,0 +1,5 @@
+FROM dockercloud/haproxy:1.6.7
+LABEL maintainer="Sybren A. Stüvel "
+
+# Fix https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782
+RUN sed 's/root::/root:!:/' -i /etc/shadow
diff --git a/docker/haproxy/build.sh b/docker/haproxy/build.sh
new file mode 100755
index 0000000..a6d2992
--- /dev/null
+++ b/docker/haproxy/build.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+# When updating this, also update the version in Dockerfile
+VERSION=1.6.7
+
+docker build -t armadillica/haproxy:${VERSION} .
+docker tag armadillica/haproxy:${VERSION} armadillica/haproxy:latest
+
+echo "Done, built armadillica/haproxy:${VERSION}"
+echo "Also tagged as armadillica/haproxy:latest"
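Review bot: The `RUN sed` line in the Dockerfile hunk never checks that the substitution took place, so if the root entry in the base image's `/etc/shadow` does not match, the build still succeeds and the image ships with the password field unchanged. The pattern is also unanchored, so it matches `root::` anywhere in a line rather than only at the start of the root account's entry. Anchor it and fail the build when the locked marker is missing: `RUN sed -i 's/^root::/root:!:/' /etc/shadow && grep -q '^root:!:' /etc/shadow`. Because the commit message describes the base as unmaintained, pinning `FROM dockercloud/haproxy:1.6.7` by digest would also guarantee the patched image is always built on the same layers.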
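Review bot: In build.sh, `docker build -t armadillica/haproxy:${VERSION} .` takes the caller's working directory as the build context, so running the script from anywhere other than `docker/haproxy` builds a different directory (or fails) under the patched image's tag. Adding `cd "$(dirname "$0")"` before the build removes that dependency. The `-e` on the shebang line is lost when the script is started as `bash build.sh`; with `set -e` as the first statement the script fails fast either way. Without it, a failed build followed by `docker tag` could retag a stale local `armadillica/haproxy:${VERSION}` as `latest`.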