Merge pull request #1 from docker/4.5.0-rocky9.6

4.5.0 rocky9.6

.gitignore

@@ -0,0 +1 @@
+.idea/**

Dockerfile

@@ -0,0 +1,51 @@
+# COMANAGE #
+FROM i2incommon/comanage-base:latest
+
+ARG COMANAGE_REGISTRY_VERSION
+ENV COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION:-develop}
+
+ARG COMANAGE_REGISTRY_SRC_URL
+ENV COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz
+
+LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
+LABEL comanage_registry_src_url=${COMANAGE_REGISTRY_SRC_URL}
+
+ARG COMANAGE_REGISTRY_DIR
+ENV COMANAGE_REGISTRY_DIR=${COMANAGE_REGISTRY_DIR:-/srv/comanage-registry}
+
+RUN yum -y update && yum -y install \
+        busybox \
+        && yum clean -y all
+
+WORKDIR "$COMANAGE_REGISTRY_DIR"
+
+RUN mkdir -p "${COMANAGE_REGISTRY_DIR}" \
+        && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \
+        && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \
+        && rm -f comanage.tar.gz \
+        && rm -rf ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && cd ${COMANAGE_REGISTRY_DIR}/local \
+        && ln -s ${COMANAGE_REGISTRY_DIR}/app/tmp tmp \
+        && chown -h apache:apache ${COMANAGE_REGISTRY_DIR}/local/tmp \
+        && cd /var/www/html \
+        && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry
+
+COPY --chown=root:root slashRoot/etc/crontab /etc/crontab
+COPY --chown=root:root slashRoot/srv/comanage-registry/local/crontab /srv/comanage-registry/local/crontab
+COPY --chown=root:root slashRoot/etc/ldap/ldap.conf /etc/ldap/ldap.conf
+COPY slashRoot/usr/local/lib/comanage_utils.sh /usr/local/lib/
+
+RUN chmod +x /usr/local/lib/comanage_utils.sh
+
+RUN /usr/bin/crontab -u apache /srv/comanage-registry/local/crontab \
+      && /usr/sbin/usermod --shell /bin/bash apache \
+      && touch /etc/default/locale
+
+COPY slashRoot/usr/local/bin/docker-comanage-cron-entrypoint /usr/local/bin/
+
+ENTRYPOINT ["docker-comanage-cron-entrypoint"]
+
+CMD ["/usr/sbin/crond", "-n"]
+

Jenkinsfile

@@ -0,0 +1,211 @@
+
+pipeline {
+    agent { node { label 'docker-multi-arch' } }
+    environment {
+        maintainer = "t"
+        imagename = 's'
+        tag = 'l'
+        comanage_version = 'develop'
+        DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
+        BUILDVERSION = sh(script: "echo `date +%s`", returnStdout: true).trim()
+    }
+    stages {
+        stage('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    comanage_version = comanage_version()
+                    if(env.BRANCH_NAME == "main") {
+                       tag = "latest"
+                    } else {
+//                        tag = "${env.BRANCH_NAME.toLowerCase()}-${BUILDVERSION.toLowerCase()}"
+                       tag = "${env.BRANCH_NAME.toLowerCase()}"
+                    }
+                    if(!imagename){
+                        echo "You must define an image name in common.bash"
+                        currentBuild.result = 'FAILURE'
+                     }
+                    echo "Building tag: ${tag}"
+                    sh 'mkdir -p tmp && mkdir -p bin'
+                    dir('tmp'){
+                      git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }
+             }
+        }
+        stage('Clean') {
+            steps {
+                script {
+                   try{
+                     sh 'bin/destroy.sh >> debug'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                    sh "./jenkins/build.sh ${imagename} ${tag} ${comanage_version} $DOCKERHUBPW"
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     sh "rm -f ./farm.txt"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                   try {
+                     echo "Starting tests..."
+                     //sh 'bats tests'
+                     echo "Skipping tests for now"
+                   } catch (error) {
+                     def error_details = readFile('./debug')
+                     def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+             }
+        }
+        stage('Scan') {
+            steps {
+                script {
+                   try {
+                         echo "Starting security scan..."
+                         // Install trivy and HTML template
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.62.1'
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+                         // Scan container for all vulnerability levels
+                         echo "Scanning for all vulnerabilities..."
+                         sh 'mkdir -p reports'
+                         // Scan both for os and libraries
+                         // Trivy Database update issue
+                         // https://github.com/aquasecurity/trivy/discussions/7538
+                         sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --no-progress --scanners vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --no-progress --scanners vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan.html',
+                             reportName: 'Security Scan',
+                             reportTitles: 'Security Scan'
+                          ]
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan-arm.html',
+                             reportName: 'Security Scan (ARM)',
+                             reportTitles: 'Security Scan (ARM)'
+                          ]
+                         // Scan again and fail on CRITICAL vulns
+                         echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+                         // Scan both for os and libraries
+                         sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                   } catch(error) {
+                           def error_details = readFile('./debug');
+                           def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+                           sh "rm -f ./debug"
+                           handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Push') {
+            steps {
+                script {
+                  try{
+                    sh "docker login -u tieradmin -p $DOCKERHUBPW"
+                    sh "docker buildx inspect --bootstrap"
+                    sh "echo 'Pushing image to dockerhub...'"
+                    sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} --build-arg=\"COMANAGE_REGISTRY_VERSION=${comanage_version}\" ."
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem pushing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     sh "rm -f ./farm.txt"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Cleanup') {
+            steps {
+                script {
+                   try{
+                     echo "Cleaning up artifacts from the build..."
+                     sh "./jenkins/cleanup.sh ${imagename} ${tag}"
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     sh "rm -f ./farm.txt"
+                     handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Notify') {
+            steps{
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
+    }
+    post {
+        always {
+            echo 'Done Building.'
+        }
+        failure {
+            slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
+    }
+}
+
+
+def maintain() {
+  def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
+  matcher ? matcher[0][1] : 'tier'
+}
+
+def imagename() {
+  def matcher = readFile('common.bash') =~ 'imagename="(.+)"'
+  matcher ? matcher[0][1] : null
+}
+
+def comanage_version() {
+  def matcher = readFile('common.bash') =~ 'comanage_version="(.+)"'
+  matcher ? matcher[0][1] : null
+}
+
+def handleError(String message){
+  echo "${message}"
+  currentBuild.setResult("FAILED")
+  slackSend color: 'danger', message: "${message}"
+  step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
+  sh 'exit 1'
+}
+

common.bash

@@ -0,0 +1,3 @@
+maintainer="i2incommon"
+imagename="comanage-registry-cron"
+comanage_version="4.5.0"

jenkins/build.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+IMAGENAME=$1
+TAG=$2
+COMANAGE_REGISTRY_VERSION=$3
+DOCKERHUBPW=$4
+SUB=multiarch
+
+echo "image name: ${IMAGENAME}"
+echo "tag name: ${TAG}"
+echo "comanage registry version: ${COMANAGE_REGISTRY_VERSION}"
+
+docker login -u tieradmin -p $DOCKERHUBPW
+# NOTE: docker buildx ls when ran using backticks, returns the
+#       output of a plain ls run. If we do the flow below we get
+#       the expected output
+docker buildx ls |  awk '{if (NR>1) {print $1}}' > farm.txt
+# Preview the farm.txt file
+echo `cat farm.txt`
+# Parse the farm.txt file
+DOCKER_FARMS=`cat farm.txt`
+# Now remove the temporary file
+rm -f farm.txt
+
+if [[ "$DOCKER_FARMS" == *"$SUB"* ]]; then
+  echo "Farm multiarch exists"
+else
+  docker buildx create --use --name multiarch --append
+fi
+
+docker buildx inspect --bootstrap
+docker buildx build --no-cache --platform linux/amd64 -t "${IMAGENAME}"_"${TAG}" --build-arg COMANAGE_REGISTRY_VERSION="${COMANAGE_REGISTRY_VERSION}" --load .
+docker buildx build --no-cache --platform linux/arm64 -t "${IMAGENAME}"_"${TAG}":arm64 --build-arg COMANAGE_REGISTRY_VERSION="${COMANAGE_REGISTRY_VERSION}" --load .

jenkins/cleanup.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+IMAGENAME=$1
+TAG=$2
+SUB=multiarch
+
+docker buildx ls |  awk '{if (NR>1) {print $1}}' > farm.txt
+# Preview the farm.txt file
+echo `cat farm.txt`
+# Parse the farm.txt file
+DOCKER_FARMS=`cat farm.txt`
+# Now remove the temporary file
+rm -f farm.txt
+
+if [[ "$DOCKER_FARMS" == *"$SUB"* ]]; then
+  echo "Farm multiarch exists"
+else
+  docker buildx create --use --name multiarch --append
+fi
+
+echo 'list docker processes'
+docker ps --all
+echo 'list all the docker images'
+docker image ls
+echo 'remove the amd64 docker image'
+docker rmi ${IMAGENAME}_${TAG} --force
+echo 'remove the arm64 docker image'
+docker rmi ${IMAGENAME}_${TAG}:arm64 --force
+
+echo "Remove all dangling images"
+docker image prune -a --force
+echo "Clear the build cache"
+docker buildx prune --force
+echo 'list all the docker images'
+docker image ls

slashRoot/etc/crontab

@@ -0,0 +1,3 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=""

slashRoot/etc/ldap/ldap.conf

@@ -0,0 +1 @@
+TLS_CACERT /etc/ssl/certs/ca-certificates.crt

slashRoot/srv/comanage-registry/local/crontab

@@ -0,0 +1,14 @@
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=""
+# Run Expiration Policies for CO 1 once a day at 1:00 AM
+0 1 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Expire -s --coid 1
+
+# Run Synchronize Org Identity Sources for CO 1 once a day at 1:00 AM
+0 1 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.Sync -s --coid 1
+
+# Run Validate Group Member for CO 1 once a day at 1:00 AM
+0 1 * * * cd /srv/comanage-registry/app && ./Console/cake job CoreJob.ValidateGroupMember -s --coid 1
+
+# Run queued jobs for CO 1 every 5 minutes
+0-59/5 * * * * cd /srv/comanage-registry/app && ./Console/cake job -q -r -c 1

slashRoot/usr/local/bin/docker-comanage-cron-entrypoint

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# COmanage Registry Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source /usr/local/lib/comanage_utils.sh
+
+comanage_utils::exec_cron "$@"