Skip to content

Commit

Permalink
initial attempt at multiarch
Browse files Browse the repository at this point in the history
  • Loading branch information
@pcaskey
pcaskey committed Nov 2, 2022
1 parent 4481172 commit 4801f7f
Show file tree
Hide file tree
Showing 2 changed files with 122 additions and 163 deletions.
46 changes: 5 additions & 41 deletions Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@ FROM rockylinux/rockylinux:8.6
#
##tomcat \
ENV TOMCAT_MAJOR=9 \
TOMCAT_VERSION=9.0.65 \
TOMCAT_VERSION=9.0.68 \
##shib-idp \
VERSION=4.2.1 \
##TIER \
TIERVERSION=20220815_rocky8 \
TIERVERSION=20221101_rocky8_multiarch_dev \
#################### \
#### OTHER VARS #### \
#################### \
Expand Down Expand Up @@ -71,8 +71,8 @@ RUN update-ca-trust extract

# Install Corretto Java JDK
#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-aarch64-linux-jdk.rpm
ARG CORRETTO_RPM=amazon-corretto-11-aarch64-linux-jdk.rpm
COPY container_files/java-corretto/corretto-signing-key.pub .
RUN curl -O -L $CORRETTO_URL_PERM \
&& rpm --import corretto-signing-key.pub \
Expand All @@ -81,42 +81,6 @@ RUN curl -O -L $CORRETTO_URL_PERM \
&& rm -r corretto-signing-key.pub $CORRETTO_RPM
ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto

# To use Zulu Java:
#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
# && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
# && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
#install Zulu JCE
#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
# && cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
# && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
# && rm -rf /tmp/ZuluJCEPolicies.zip
#ENV JAVA_HOME=/usr \

# To use Oracle java/JCE:
#
#ENV JAVA_VERSION=8u171 \
# BUILD_VERSION=b11 \
# JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \
#
# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image.
# ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
# yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
# rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
# alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
# alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
# alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000

# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
# ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
# http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
# && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \
# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
# && rm jce_policy-8.zip \
# && chmod -R 640 $JAVA_HOME/jre/lib/security/

# Copy IdP installer properties file(s)
ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/

Expand Down Expand Up @@ -190,7 +154,7 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond

#upgrade pip to remove sec vuln
RUN pip3 install --upgrade pip
#RUN pip3 install --upgrade pip

# Expose the port tomcat will be serving on
EXPOSE 443
Expand Down
239 changes: 117 additions & 122 deletions Jenkinsfile
View file
Original file line number Diff line number Diff line change
@@ -1,133 +1,127 @@
// Licensed to the University Corporation for Advanced Internet Development,
// Inc. (UCAID) under one or more contributor license agreements. See the
// NOTICE file distributed with this work for additional information regarding
// copyright ownership. The UCAID licenses this file to You under the Apache
// License, Version 2.0 (the "License"); you may not use this file except in
// compliance with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
node('docker') {

stage 'Checkout'
pipeline {
agent { node { label 'docker-multi-arch' } }
environment {
maintainer = "t"
imagename = 's'
tag = 'l'
DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')

checkout scm

stage 'Acquire util files'

sh 'mkdir -p tmp && mkdir -p bin'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git",
credentialsId: "jenkins-github-access-token" ])
sh 'rm -rf ../bin/*'
sh 'mv ./bin/* ../bin/.'
}
sh 'rm -rf tmp'

stage 'Setting build context'

def maintainer = maintainer()
def previous_maintainer = previous_maintainer()
def imagename = imagename()
def tag

// Tag images created on master branch with 'latest'
if(env.BRANCH_NAME == "master"){
tag = "latest"
}else{
tag = env.BRANCH_NAME
}
stages {
stage('Setting build context') {
steps {
script {
maintainer = maintain()
imagename = imagename()
if(env.BRANCH_NAME == "master") {
tag = "latest"
} else {
tag = env.BRANCH_NAME
}
if(!imagename){
echo "You must define an imagename in common.bash"
currentBuild.result = 'FAILURE'
}
sh 'mkdir -p tmp && mkdir -p bin'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
sh 'rm -rf ../bin/*'
sh 'mv ./bin/* ../bin/.'
}
// Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
// We don't care if there are more 'tag' assignments there. The latest one wins.
sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
}
}
}
stage('Clean') {
steps {
script {
try{
sh 'bin/destroy.sh >> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Build') {
steps {
script {
try{
sh 'docker login -u tieradmin -p $DOCKERHUBPW'
// fails if already exists
// sh 'docker buildx create --use --name multiarch --append'
sh 'docker buildx inspect --bootstrap'
sh 'docker buildx ls'
sh 'docker buildx build --platform linux/amd64 -t shib-idp .'
sh 'docker buildx build --platform linux/arm64 -t shib-idp:arm64 .'
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
// test the environment
// sh 'cd test-compose && ./compose.sh'
// bring down after testing
// sh 'cd test-compose && docker-compose down'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Test') {
steps {
script {
try {
// sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
echo "Skipping tests for now"
} catch (error) {
def error_details = readFile('./debug')
def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}

if(!imagename){
echo "You must define an imagename in common.bash"
currentBuild.result = 'FAILURE'
}
if(maintainer){
echo "Building ${imagename}:${tag} for ${maintainer}"
}

stage 'Build'

try{
sh 'bin/rebuild.sh &> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
stage('Push') {
steps {
script {
// statically defining jenkins credential value dockerhub-tier
docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-tier") {
// baseImg.push("$tag")
echo "already pushed to Dockerhub"
}
}
}
}
stage('Notify') {
steps{
echo "$maintainer"
slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
}
}
}

stage 'Test'

try {
sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
} catch (error) {
def error_details = readFile('./debug')
def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}

stage 'Scan'

try {
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
sh 'mkdir -p reports'
sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]

// Scan again and fail on CRITICAL vulns
//sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
post {
always {
echo 'Done Building.'
}
failure {
// slackSend color: 'good', message: "Build failed"
handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
}
}

stage 'Push'

docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
def baseImg = docker.build("$maintainer/$imagename")
baseImg.push("$tag")
}

docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
def altImg = docker.build("$previous_maintainer/$imagename")
altImg.push("$tag")
}

stage 'Notify'

slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"

}

def maintainer() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'i2incommon'
}

def previous_maintainer() {
def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
def maintain() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'tier'
}

Expand All @@ -139,7 +133,8 @@ def imagename() {
def handleError(String message){
echo "${message}"
currentBuild.setResult("FAILED")
slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"
slackSend color: 'danger', message: "${message}"
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
sh 'exit 1'
}

0 comments on commit 4801f7f

Please sign in to comment.