fix: misp-standalone - compose self-sufficient without .env (catalog_try compatible)
Related / cross-repo: #198, range42/range42-playbooks#115
Problem
range42-context catalog-try docker/admin/misp-standalone fails while
range42-context catalog-try docker/admin/nextcloud works. Investigation shows
the misp-standalone docker-compose.yml has two brittlenesses that the
nextcloud compose does not :
- env_file: .env declared on 3 services (db, misp, provisioner).
  In scalar form this is a hard dependency : docker compose up exits
  immediately with env file .env not found if .env is missing or if
  the catalog_try framework's seed step (.env.example -> .env) fails
  silently (dotfile copy edge case, partial pre-existing .env, etc.).
- Two bare ${VAR} substitutions without :-default :
  - line 9 ${DB_ROOT_PASSWORD}
  - line 12 ${MISP_DB_PASSWORD}
  If the seed produces an .env missing either key, MariaDB starts with
  empty MYSQL_ROOT_PASSWORD, refuses to boot, cascades to misp service
  never reaching service_healthy -> port 443 never binds -> catalog_try
  smoke timeout.
By contrast nextcloud/compose.yml has zero env_file: directives and
13/13 ${VAR} substitutions carry a :-default, so the stack boots even
with no .env at all.
Fix
Align misp-standalone with nextcloud's tolerance contract (without dropping
the env_file workflow which is still the primary way operators supply
real secrets) :
- Mark env_file: .env as optional via compose v2.24+ list form on the
  3 services (db, misp, provisioner) :
    env_file:
      - path: .env
        required: false
- Add :-default to the 2 bare substitutions, with values matching
  .env.example to keep behavior identical whether .env is present
  or not :
    ${DB_ROOT_PASSWORD} -> ${DB_ROOT_PASSWORD:-changeme_db_root_password}
    ${MISP_DB_PASSWORD} -> ${MISP_DB_PASSWORD:-changeme_db_password}
- Align MISP_VERSION default skew : misp service had latest on both
  build arg (line 60) AND image tag (line 61) while provisioner already
  used v2.5.37 on its build arg (line 93). Standardize misp service to
  v2.5.37 on both (matches .env.example MISP_VERSION=v2.5.37 + matches
  provisioner). All 3 services now build + tag the same image consistently.
Files
03_container_layer/docker/admin/misp-standalone/docker-compose.yml
(7 line insertions, 4 deletions ; 3 logical changes : env_file optional
on 3 services, :-default on 2 DB password vars, MISP_VERSION skew
aligned to v2.5.37 on misp service)
Why defaults from .env.example
Defaults are the EXACT placeholder values shipped in .env.example. The
intent : behavior is identical whether .env exists or not (catalog_try
sandbox) or whether .env overrides them (bundle / production deploy).
Operators who want strong creds populate .env as documented in the
catalog's misp-standalone README.
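
A pre-deploy check for the situation this message describes, as an added example that is not part of the commit or the range42 code base: it resolves the `${VAR}` forms against a parsed `.env` and reports substitutions that end up empty or still carry a `changeme_` placeholder. The names `parse_env` and `audit`, the `MYSQL_PASSWORD` key and both compose fragments are assumptions constructed for illustration.

```python
import re

# Matches ${VAR}, ${VAR:-default} and ${VAR-default} (Compose interpolation forms).
SUBST = re.compile(r"\$\{(?P<name>[A-Za-z_]\w*)(?:(?P<op>:?-)(?P<default>[^}]*))?\}")

# Constructed fragments modelled on the two substitutions named above.
COMPOSE_BEFORE = """\
services:
  db:
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
      MYSQL_PASSWORD: ${MISP_DB_PASSWORD}
"""
COMPOSE_AFTER = """\
services:
  db:
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:-changeme_db_root_password}
      MYSQL_PASSWORD: ${MISP_DB_PASSWORD:-changeme_db_password}
"""

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(compose_text, env, placeholder_prefix="changeme_"):
    """Return (line_no, variable, kind, effective_value) for risky substitutions."""
    findings = []
    for no, line in enumerate(compose_text.splitlines(), start=1):
        for m in SUBST.finditer(line):
            value = env.get(m["name"])
            # ':-' falls back when unset or empty, '-' only when unset.
            if (m["op"] == ":-" and not value) or (m["op"] == "-" and value is None):
                value = m["default"]
            if not value:
                findings.append((no, m["name"], "empty", ""))
            elif value.startswith(placeholder_prefix):
                findings.append((no, m["name"], "placeholder", value))
    return findings

if __name__ == "__main__":
    for label, text in (("before", COMPOSE_BEFORE), ("after", COMPOSE_AFTER)):
        print(label, audit(text, {}))
```

Run with an empty environment, the pre-fix fragment reports two `empty` findings and the post-fix fragment reports two `placeholder` findings; a bundle or production deploy should produce no findings once `.env` is populated.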