
Commit 2f65596

author
Marius Benthin
committed
refactor: review feedback
1 parent 46a9d91 commit 2f65596

8 files changed

Lines changed: 177 additions & 259 deletions

File tree

.github/workflows/build.yml

Lines changed: 2 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -18,15 +18,6 @@ jobs:
1818
contents: read
1919
packages: write
2020

21-
strategy:
22-
matrix:
23-
include:
24-
- thor_version: "10"
25-
tag: thor10
26-
extra_tags: latest
27-
- thor_version: "11"
28-
tag: thor11
29-
3021
steps:
3122
- name: Checkout repository
3223
uses: actions/checkout@v4
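Review bot: removing the `strategy.matrix` block also removes the `thor10` and `thor11` image tags that existing deployments are pinned to (the previous compose file referenced `ghcr.io/nextronsystems/thunderstorm-deployment:thor10`), so anyone still pulling `:thor10` silently stops receiving updates without an error. Consider publishing `thor10` as an alias of the new `latest` tag for a transition period, or at least state the tag removal explicitly in the README and release notes rather than only dropping the version table.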
@@ -44,16 +35,14 @@ jobs:
4435
with:
4536
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
4637
tags: |
47-
type=raw,value=${{ matrix.tag }},enable={{is_default_branch}}
48-
type=raw,value=${{ matrix.extra_tags }},enable=${{ matrix.extra_tags != '' && github.ref_name == github.event.repository.default_branch }}
49-
type=sha,prefix=sha-${{ matrix.tag }}-
38+
type=raw,value=latest,enable={{is_default_branch}}
39+
type=sha,prefix=sha-
5040
5141
- name: Build and push image
5242
uses: docker/build-push-action@v6
5343
with:
5444
context: .
5545
file: Containerfile
56-
build-args: THOR_VERSION=${{ matrix.thor_version }}
5746
push: true
5847
tags: ${{ steps.meta.outputs.tags }}
5948
labels: ${{ steps.meta.outputs.labels }}
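Review bot: with only `type=raw,value=latest` and `type=sha,prefix=sha-` left, the image reference the compose file ships with (`:latest`) is mutable, so a routine `docker compose pull` picks up whatever the most recent default-branch build produced, THOR channel switch included. Recommend the README tells production users to pin the `sha-` tag or the image digest, and note that because `latest` is gated on `{{is_default_branch}}`, feature-branch builds only produce a `sha-` tag and are never selected by the default compose file, which is fine but worth documenting for contributors testing a branch image.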

Containerfile

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -24,10 +24,8 @@ RUN mkdir -p \
2424
adduser -S -H -D -g "Thunderstorm User" thunderstorm && \
2525
chown -R thunderstorm "$TEMP_DIR" "$TARGET_DIR"
2626

27-
# copy version-specific entrypoint script
28-
ARG THOR_VERSION
29-
RUN test -n "$THOR_VERSION" || (echo "THOR_VERSION is required!" && false)
30-
COPY entrypoint.thor${THOR_VERSION}.sh /entrypoint.sh
27+
# copy unified entrypoint script
28+
COPY entrypoint.sh /entrypoint.sh
3129
RUN chmod +x /entrypoint.sh
3230

3331
USER thunderstorm
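Review bot: the build-time guard `RUN test -n "$THOR_VERSION" || (echo "THOR_VERSION is required!" && false)` is gone, so channel selection now happens entirely at runtime inside `entrypoint.sh`, which is not visible in this diff; make sure the entrypoint validates the `TECHPREVIEW` value and fails closed on anything unexpected instead of silently falling back to a channel. Minor: `COPY entrypoint.sh /entrypoint.sh` followed by `RUN chmod +x /entrypoint.sh` can be collapsed into `COPY --chmod=0755 entrypoint.sh /entrypoint.sh` under BuildKit/buildah, which saves a layer and makes the file mode in the image independent of the permissions in the checkout.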

README.md

Lines changed: 32 additions & 49 deletions
Original file line numberDiff line numberDiff line change
@@ -1,86 +1,69 @@
1-
# Deploy Thunderstorm in a Container Environment
1+
# Deploy Thunderstorm as a Container
22

3-
Many companies rely on the containerization of services to increase economic and technical efficiency. Customers which use containerization need to create images that make the services available as containers. In this guide, we provide you with the necessary requirements and templates to run Thunderstorm as a container.
3+
[THOR Thunderstorm](https://www.nextron-systems.com/thor-thunderstorm/) is a web service that lets you scan files with our compromise assessment tool THOR through a Web-API. This guide provides a base [container image](https://github.com/NextronSystems/thunderstorm-deployment/pkgs/container/thunderstorm-deployment) and a [Docker Compose template](https://raw.githubusercontent.com/NextronSystems/thunderstorm-deployment/master/docker-compose.yml) so you can run Thunderstorm as a container with just providing your contract token.
44

5-
## Quick Start
65

7-
Thunderstorm is a web service which allows you to scan files with our compromise assessment tool THOR through a Web-API. Ready-to-use base images are published to the GitHub Container Registry and only require your contract token to run.
6+
## Quick-Start
87

9-
### Contract Token
10-
11-
The contract token is used to download the THOR binaries on first container start. You can find it in the [Nextron Portal](https://portal.nextron-systems.com/ui/contracts/contracts) under *Contracts & Licenses → Contracts → Actions → cloud icon → THOR Download Token*.
12-
13-
<img src="images/contract_token.png" alt="Contract Token location in Nextron Portal" width="500">
14-
15-
---
16-
17-
18-
Two versions are available:
19-
20-
| Version | Image tag | Compose file | Default port |
21-
|---|---|---|---|
22-
| THOR 10.7 (stable) | `:thor10` | `docker-compose.thor10.yml` | 8080 |
23-
| THOR 11 (techpreview) | `:thor11` | `docker-compose.thor11.yml` | 8000 |
24-
25-
### THOR 10.7
26-
27-
1. Download the compose file
8+
1. Download the [Docker Compose](https://raw.githubusercontent.com/NextronSystems/thunderstorm-deployment/master/docker-compose.yml) file
289

2910
```
30-
curl -O https://raw.githubusercontent.com/NextronSystems/thunderstorm-deployment/master/docker-compose.thor10.yml
11+
curl -O https://raw.githubusercontent.com/NextronSystems/thunderstorm-deployment/master/docker-compose.yml
3112
```
3213

33-
2. Start the service with your contract token
34-
35-
```
36-
CONTRACT_TOKEN=<CONTRACT_TOKEN> docker compose -f docker-compose.thor10.yml up -d
37-
```
14+
2. Get a contract token from the [Nextron Portal](https://portal.nextron-systems.com/ui/contracts/contracts) (see [Contract-Token](#contract-token))
3815

39-
### THOR 11
40-
41-
1. Download the compose file
16+
3. Start the service with your contract token
4217

4318
```
44-
curl -O https://raw.githubusercontent.com/NextronSystems/thunderstorm-deployment/master/docker-compose.thor11.yml
19+
CONTRACT_TOKEN=<CONTRACT_TOKEN> docker compose up -d
4520
```
4621

47-
2. Start the service with your contract token
22+
Thunderstorm is exposed on port **8080** by default.
4823

49-
```
50-
CONTRACT_TOKEN=<CONTRACT_TOKEN> docker compose -f docker-compose.thor11.yml up -d
51-
```
24+
## Contract-Token
5225

53-
On first start, Thunderstorm downloads the THOR binaries using your `CONTRACT_TOKEN` (your non-host-based Thunderstorm license) and persists them in a Docker volume so subsequent restarts are instant. THOR signatures are updated automatically on every start.
26+
Deploying Thunderstorm as a container requires a **non-host-based** Thunderstorm license.
5427

55-
Each compose file contains commented environment variables for all available configuration options.
28+
On first start, the container uses your contract token to download the THOR binaries and persists them in a Docker volume so subsequent restarts are instant. You can omit the contract token afterwards as long as the volume exists.
5629

57-
## Signature Updates
30+
A contract token can be retrieved from the [Nextron Portal](https://portal.nextron-systems.com/ui/contracts/contracts) under *Contracts & Licenses → Contracts → Actions → cloud icon → THOR Download Token*.
5831

59-
On every container start, THOR signatures are updated automatically. For THOR 11, signatures are additionally refreshed periodically while running (every 24 hours by default, configurable via `SIGNATURE_UPDATE_INTERVAL`).
32+
<img src="images/contract_token.png" alt="Contract Token location in Nextron Portal" width="500">
6033

61-
### Rolling Deployment
34+
## Tech-Preview
6235

63-
If you are running a single Thunderstorm instance, you may want to use a Rolling Deployment to prevent a downtime of your Thunderstorm service. A Rolling Deployment spawns a new container and stops the old one after ensuring that the new one is healthy and ready to accept requests. The configuration differs between container management systems such as Kubernetes, Docker or Docker Swarm.
36+
If you want to use the techpreview channel (currently THOR 11) you need to set `TECHPREVIEW=1`. If it is omitted it will downgrade to the stable channel again.
6437

65-
For Docker we recommend `start-first` as value for `deploy.update_config.order`, as configured in both compose files.
38+
The compose file contains commented environment variables for all available configuration options. Some options only apply to specific THOR major versions, for example, `SIGNATURE_UPDATE_INTERVAL` is only available for THOR 11.
6639

67-
### Multiple Replicas
40+
## Signature Updates
6841

69-
If you want to deploy multiple Thunderstorm instances, we recommend to distribute the requests equally using a load-balancer such as [Traefik](https://traefik.io/traefik) or [Nginx](https://nginx.org).
42+
On every container start, THOR signatures are updated automatically. You can enforce a signature update by restarting the service with a brief downtime:
43+
```
44+
docker compose up -d --force-recreate
45+
```
7046

71-
## Passing Additional Arguments
47+
If a brief downtime is not acceptable, you may want to consider a Docker Swarm setup with start-first update config or use the [techpreview channel](#tech-preview) (currently THOR 11) which allows you to update signatures periodically while running. By default, THOR 11 updates signatures every 24 hours but it can be customized via `SIGNATURE_UPDATE_INTERVAL` environment variable.
7248

73-
Any argument supported by Thunderstorm or THOR can be passed via the `THUNDERSTORM_ARGS` and `THOR_ARGS` environment variables in the compose file. This means new parameters released in future versions are available immediately without any changes to the image or entrypoint.
49+
## Additional Arguments
7450

75-
For example, to forward scan results to a remote SIEM (THOR 11):
51+
If you need to customize the THOR scan behavior, you can pass additional arguments via `THOR_ARGS` environment variable. For example, to forward scan results to a remote SIEM:
7652

7753
```yaml
7854
environment:
7955
THOR_ARGS: "--remote-log splunk.intern:514:DEFAULT:TCP --remote-log elastic.intern:1514:JSON:TCP"
8056
```
8157
58+
A full list of all supported arguments can be derived from the THOR binary using `./thor-linux-64 --fullhelp`.
59+
8260
## Security
8361

8462
The communication between a client and the Thunderstorm service could involve sensitive files. Therefore, we highly recommend to encrypt the traffic using TLS by mounting the certificate and private key via the built-in secrets functionality of Docker or Kubernetes into the container. In addition, you need to specify the file path to the TLS certificate and private key in the environment variables `TLS_CERT` and `TLS_KEY`.
8563

8664
Out of the box, Thunderstorm API is unauthenticated and does not support authentication providers at the moment. If you require an authentication layer, we suggest to use a proxy middleware which delegates the authentication to an external provider such as [Microsoft Entra ID](https://www.microsoft.com/de-de/security/business/identity-access/microsoft-entra-id).
65+
66+
## Limitations
67+
68+
### Load-Balancing
69+
Thunderstorm allows you to send **asynchronous requests** and poll the results using an ID. Currently, Thunderstorm instances do not share their results with each other. If you run multiple Thunderstorm containers behind a load-balancer and request the results of an async request, you may not get the result from the correct Thunderstorm instance. We recommend to use async requests in combination with remote logging only in a load-balancer setup.
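Review bot: the Tech-Preview section tells readers to set `TECHPREVIEW=1`, while the compose file changed in this same commit documents `TECHPREVIEW: "true"`; pick one accepted form (or state that any non-empty value enables the channel) and use it in both places, otherwise nobody can tell whether `1` and `true` are handled the same way by the entrypoint. Also, the Quick-Start command `CONTRACT_TOKEN=<CONTRACT_TOKEN> docker compose up -d` writes the contract token into the user's shell history; since the Contract-Token section already explains the token is only needed until the volume exists, suggest recommending a `.env` file (which `docker compose` reads automatically for `${CONTRACT_TOKEN}`) or `--env-file`, and the Security section could point out the token is a download credential that should be treated like any other secret. The sentence "If it is omitted it will downgrade to the stable channel again" should also say what happens to the persisted THOR 11 binaries in the volume on that downgrade, since the volume is what the README promises makes restarts instant.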

docker-compose.thor11.yml

Lines changed: 0 additions & 67 deletions
This file was deleted.
Lines changed: 33 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -1,61 +1,52 @@
11
services:
22
thunderstorm:
3-
image: ghcr.io/nextronsystems/thunderstorm-deployment:thor10
4-
build:
5-
context: .
6-
dockerfile: Containerfile
7-
args:
8-
THOR_VERSION: "10"
3+
image: ghcr.io/nextronsystems/thunderstorm-deployment:latest
94
ports:
105
- "${PORT:-8080}:8080"
116
environment:
12-
# Required: your non-host-based Thunderstorm contract token
7+
# Required on initial startup: your non-host-based Thunderstorm contract token
138
CONTRACT_TOKEN: "${CONTRACT_TOKEN}"
14-
# Optional: TLS certificate and private key paths (mounted via secrets)
15-
# TLS_CERT: "/run/secrets/tls_cert"
16-
# TLS_KEY: "/run/secrets/tls_key"
9+
# Optional: upgrade to THOR techpreview channel
10+
# TECHPREVIEW: "true"
1711
# Optional: result cache size (default: 250000)
1812
# RESULT_CACHE_SIZE: "250000"
19-
# Optional: sample persistence - "all", "malicious", or "none" (default: none)
20-
# STORE_SAMPLES: "none"
21-
# Optional: reserve THOR threads for synchronous requests only
22-
# SYNC_ONLY_THREADS: ""
23-
# Optional: only scan using YARA signatures, disables programmatic checks, STIX, Sigma and IOCs
24-
# PURE_YARA: "true"
2513
# Optional: enforce maximum file size for all file types including registry hives and log files
2614
# FORCE_MAX_FILE_SIZE: "true"
27-
# Optional: write text log to the logs volume (uncomment volume below)
15+
# Optional: write log to the logs volume (uncomment volume below)
2816
# LOG_ENABLED: "true"
29-
# Optional: additional Thunderstorm arguments (e.g. "--server-new-param value")
17+
# Optional: TLS certificate and private key paths (mounted via secrets)
18+
# TLS_CERT: "/run/secrets/tls_cert"
19+
# TLS_KEY: "/run/secrets/tls_key"
20+
# Optional: only scan using YARA signatures, disables programmatic checks, STIX, Sigma and IOCs
21+
# PURE_YARA: "true"
22+
# Optional: download YARA Forge community signatures on startup - ruleset: core, extended, full (not quality-assured by Nextron)
23+
# YARA_FORGE: "full"
24+
# Optional: additional Thunderstorm arguments
3025
# THUNDERSTORM_ARGS: ""
3126
# Optional: additional THOR arguments
3227
# THOR_ARGS: ""
28+
#
29+
# --- THOR 10 only ---
30+
# Optional: sample persistence - "all", "malicious", or "none" (default: none)
31+
# STORE_SAMPLES: "none"
32+
# Optional: reserve THOR threads for synchronous requests only
33+
# SYNC_ONLY_THREADS: ""
34+
#
35+
# --- THOR 11 only ---
36+
# Optional: minimum score for storing samples (default: 200)
37+
# STORE_SAMPLES_SCORE: "200"
38+
# Optional: hours between signature updates (default: 24)
39+
# SIGNATURE_UPDATE_INTERVAL: "24"
40+
# Optional: upload queue size warning threshold (default: 50000)
41+
# QUEUE_WARN_SIZE: "50000"
42+
# Optional: enable VFS directory mirroring uploaded files per host (also uncomment volume below)
43+
# VFS_ENABLED: "true"
3344
volumes:
45+
# Persist Thor binaries and other artifacts across restarts
46+
- thunderstorm:/opt/nextron/thunderstorm
3447
# Optional: mount TLS certificate and private key (uncomment TLS_CERT/TLS_KEY above as well)
3548
# - ./tls_cert:/run/secrets/tls_cert:ro
36-
# - ./tls_key:/run/secrets/tls_key:ro
37-
# Persist Thor binaries and other artifacts across restarts
38-
- thor10-data:/opt/nextron/thunderstorm
39-
- thor10-config:/opt/nextron/thunderstorm/config
40-
- thor10-samples:/tmp/thunderstorm/uploads
41-
- thor10-plugins:/opt/nextron/thunderstorm/plugins
42-
- thor10-signatures:/opt/nextron/thunderstorm/signatures
43-
- thor10-custom-signatures:/opt/nextron/thunderstorm/custom-signatures
44-
# Optional: write text log to volume (uncomment LOG_ENABLED above as well)
45-
# - thor10-logs:/tmp/thunderstorm/logs
46-
deploy:
47-
replicas: 1
48-
update_config:
49-
order: start-first
50-
restart_policy:
51-
condition: on-failure
49+
# - ./tls_key:/run/secrets/tls_key:ro#
5250

5351
volumes:
54-
thor10-data:
55-
thor10-config:
56-
thor10-samples:
57-
thor10-plugins:
58-
thor10-signatures:
59-
thor10-custom-signatures:
60-
# Optional: write text log to volume
61-
# thor10-logs:
52+
thunderstorm:
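Review bot: line `49+` has a stray trailing `#` in `# - ./tls_key:/run/secrets/tls_key:ro#`; a user who uncomments the line will copy `:ro#` into the mount spec, which is not a valid mode. Several comments now point at volumes that no longer exist in the file: `LOG_ENABLED` still says "(uncomment volume below)" and `VFS_ENABLED` says "(also uncomment volume below)", but the `# - thor10-logs:/tmp/thunderstorm/logs` entry was removed along with the other named volumes and no VFS mount was added, so either restore commented-out mounts for those paths or drop the hints. Collapsing to the single `thunderstorm:/opt/nextron/thunderstorm` volume also drops `thor10-samples:/tmp/thunderstorm/uploads`, so samples kept via `STORE_SAMPLES` / `STORE_SAMPLES_SCORE` now live in the container's writable layer and disappear on `docker compose up -d --force-recreate`, which the README explicitly recommends for signature updates; if that is intentional, say so next to the `STORE_SAMPLES` comment. Finally, removing the `deploy:` block takes `restart_policy: condition: on-failure` with it and nothing replaces it, so a crashed container stays down under plain `docker compose`; add a top-level `restart: unless-stopped` (or `on-failure`) to the service.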
