diff --git a/Dockerfile b/Dockerfile
index 3ec969d..d4f53b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,11 +6,11 @@ FROM rockylinux/rockylinux:8.6
 # ##tomcat \
 ENV TOMCAT_MAJOR=9 \
- TOMCAT_VERSION=9.0.65 \
+ TOMCAT_VERSION=9.0.68 \
 ##shib-idp \
 VERSION=4.2.1 \
 ##TIER \
- TIERVERSION=20220815_rocky8 \
+ TIERVERSION=20221101_rocky8_multiarch_dev \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -71,8 +71,8 @@ RUN update-ca-trust extract
 # Install Corretto Java JDK
 #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
-ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
-ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
+ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-aarch64-linux-jdk.rpm
+ARG CORRETTO_RPM=amazon-corretto-11-aarch64-linux-jdk.rpm
 COPY container_files/java-corretto/corretto-signing-key.pub .
 RUN curl -O -L $CORRETTO_URL_PERM \
 && rpm --import corretto-signing-key.pub \
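Review bot: `ARG CORRETTO_URL_PERM=…aarch64…` and `ARG CORRETTO_RPM=…aarch64…` hard-code the arm64 JDK package, so the `linux/amd64` half of the multi-platform `docker buildx build` this commit adds in the Jenkinsfile would download an aarch64 RPM that rpm refuses to install on x86_64. Derive the architecture from BuildKit's automatic `TARGETARCH` build argument and map it to Corretto's names (`amd64` → `x64`, `arm64` → `aarch64`), failing the build for anything else, as in the excerpt below; `$CORRETTO_RPM` then becomes a shell variable in the same `RUN`, so the `rm -r corretto-signing-key.pub $CORRETTO_RPM` at the end of that instruction (context of the next hunk) still resolves, but any use of the ARG outside this `RUN` would need the same treatment. The `RUN` continues past the end of the hunk, so only its first lines are shown. While here, `curl -O -L` without `-f` saves an HTTP error page under the RPM name instead of failing, and `/downloads/latest/` is unpinned, so two builds of the same commit can get different JDK builds; a versioned download URL would make the layer reproducible.
```dockerfile
# … unchanged: Corretto comment lines above …
ARG TARGETARCH
COPY container_files/java-corretto/corretto-signing-key.pub .
RUN case "$TARGETARCH" in \
      amd64) CORRETTO_ARCH=x64 ;; \
      arm64) CORRETTO_ARCH=aarch64 ;; \
      *) echo "unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; \
    esac \
    && CORRETTO_RPM="amazon-corretto-11-${CORRETTO_ARCH}-linux-jdk.rpm" \
    && curl -fL -O "https://corretto.aws/downloads/latest/${CORRETTO_RPM}" \
    && rpm --import corretto-signing-key.pub \
# … unchanged: rest of the RUN (install and removal of $CORRETTO_RPM, outside this hunk) …
```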
@@ -81,42 +81,6 @@ RUN curl -O -L $CORRETTO_URL_PERM \
 && rm -r corretto-signing-key.pub $CORRETTO_RPM
 ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
-# To use Zulu Java:
-#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
-# && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
-# && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
-#install Zulu JCE
-#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
-# && cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-# && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-# && rm -rf /tmp/ZuluJCEPolicies.zip
-#ENV JAVA_HOME=/usr \
-
-# To use Oracle java/JCE:
-#
-#ENV JAVA_VERSION=8u171 \
-# BUILD_VERSION=b11 \
-# JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \
-#
-# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image.
-# ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-# yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-# rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-# alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
-# alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
-# alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
-
-# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
-# ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
-# http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
-# && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \
-# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-# && rm jce_policy-8.zip \
-# && chmod -R 640 $JAVA_HOME/jre/lib/security/
-
 # Copy IdP installer properties file(s)
 ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/
@@ -190,7 +154,7 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
 RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond
 #upgrade pip to remove sec vuln
-RUN pip3 install --upgrade pip
+#RUN pip3 install --upgrade pip
 # Expose the port tomcat will be serving on
 EXPOSE 443
diff --git a/Jenkinsfile b/Jenkinsfile
index ea74171..20644dd 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
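Review bot: Commenting out `RUN pip3 install --upgrade pip` leaves the `#upgrade pip to remove sec vuln` comment above it describing a step that no longer runs, so the image now ships the base image's pip with whatever issue that upgrade addressed, and a reader has no record of why it was disabled. Either drop the step and its comment together, or record reason and intent inline, e.g. `#upgrade pip to remove sec vuln -- disabled: <reason>; re-enable once <condition>`. If it is re-enabled, pinning the version (`pip3 install --upgrade 'pip==<version>'`) keeps the layer identical across the amd64 and arm64 builds the Jenkinsfile now produces.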
@@ -1,133 +1,127 @@
-// Licensed to the University Corporation for Advanced Internet Development,
-// Inc. (UCAID) under one or more contributor license agreements. See the
-// NOTICE file distributed with this work for additional information regarding
-// copyright ownership. The UCAID licenses this file to You under the Apache
-// License, Version 2.0 (the "License"); you may not use this file except in
-// compliance with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-//distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-node('docker') {
- stage 'Checkout'
+pipeline {
+ agent { node { label 'docker-multi-arch' } }
+ environment {
+ maintainer = "t"
+ imagename = 's'
+ tag = 'l'
+ DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
- checkout scm
-
- stage 'Acquire util files'
-
- sh 'mkdir -p tmp && mkdir -p bin'
- dir('tmp'){
- git([ url: "https://github.internet2.edu/docker/util.git",
- credentialsId: "jenkins-github-access-token" ])
- sh 'rm -rf ../bin/*'
- sh 'mv ./bin/* ../bin/.'
- }
- sh 'rm -rf tmp'
-
- stage 'Setting build context'
-
- def maintainer = maintainer()
- def previous_maintainer = previous_maintainer()
- def imagename = imagename()
- def tag
-
- // Tag images created on master branch with 'latest'
- if(env.BRANCH_NAME == "master"){
- tag = "latest"
- }else{
- tag = env.BRANCH_NAME
 }
+ stages {
+ stage('Setting build context') {
+ steps {
+ script {
+ maintainer = maintain()
+ imagename = imagename()
+ if(env.BRANCH_NAME == "master") {
+ tag = "latest"
+ } else {
+ tag = env.BRANCH_NAME
+ }
+ if(!imagename){
+ echo "You must define an imagename in common.bash"
+ currentBuild.result = 'FAILURE'
+ }
+ sh 'mkdir -p tmp && mkdir -p bin'
+ dir('tmp'){
+ git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+ sh 'rm -rf ../bin/*'
+ sh 'mv ./bin/* ../bin/.'
+ }
+ // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+ // We don't care if there are more 'tag' assignments there. The latest one wins.
+ sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+ }
+ }
+ }
+ stage('Clean') {
+ steps {
+ script {
+ try{
+ sh 'bin/destroy.sh >> debug'
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Build') {
+ steps {
+ script {
+ try{
+ sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+ // fails if already exists
+ // sh 'docker buildx create --use --name multiarch --append'
+ sh 'docker buildx inspect --bootstrap'
+ sh 'docker buildx ls'
+ sh 'docker buildx build --platform linux/amd64 -t shib-idp .'
+ sh 'docker buildx build --platform linux/arm64 -t shib-idp:arm64 .'
+ sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
+ // test the environment
+ // sh 'cd test-compose && ./compose.sh'
+ // bring down after testing
+ // sh 'cd test-compose && docker-compose down'
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Test') {
+ steps {
+ script {
+ try {
+ // sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
+ echo "Skipping tests for now"
+ } catch (error) {
+ def error_details = readFile('./debug')
+ def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
- if(!imagename){
- echo "You must define an imagename in common.bash"
- currentBuild.result = 'FAILURE'
- }
- if(maintainer){
- echo "Building ${imagename}:${tag} for ${maintainer}"
- }
-
- stage 'Build'
-
- try{
- sh 'bin/rebuild.sh &> debug'
- } catch(error) {
- def error_details = readFile('./debug');
- def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
+ stage('Push') {
+ steps {
+ script {
+ // statically defining jenkins credential value dockerhub-tier
+ docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-tier") {
+ // baseImg.push("$tag")
+ echo "already pushed to Dockerhub"
+ }
+ }
+ }
+ }
+ stage('Notify') {
+ steps{
+ echo "$maintainer"
+ slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+ }
+ }
 }
-
- stage 'Test'
-
- try {
- sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
- } catch (error) {
- def error_details = readFile('./debug')
- def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}.
\n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
- }
-
- stage 'Scan'
-
- try {
- // Install trivy and HTML template
- sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
- sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
-
- // Scan container for all vulnerability levels
- sh 'mkdir -p reports'
- sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
- publishHTML target : [
- allowMissing: true,
- alwaysLinkToLastBuild: true,
- keepAll: true,
- reportDir: 'reports',
- reportFiles: 'container-scan.html',
- reportName: 'Security Scan',
- reportTitles: 'Security Scan'
- ]
-
- // Scan again and fail on CRITICAL vulns
- //sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest'
- } catch(error) {
- def error_details = readFile('./debug');
- def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
+ post {
+ always {
+ echo 'Done Building.'
+ }
+ failure {
+ // slackSend color: 'good', message: "Build failed"
+ handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+ }
+ }
 }
-
- stage 'Push'
-
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
- def baseImg = docker.build("$maintainer/$imagename")
- baseImg.push("$tag")
- }
-
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
- def altImg = docker.build("$previous_maintainer/$imagename")
- altImg.push("$tag")
- }
-
- stage 'Notify'
-
- slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
- }
-def maintainer() {
- def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
- matcher ? matcher[0][1] : 'i2incommon'
-}
-def previous_maintainer() {
- def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
+def maintain() {
+ def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
 matcher ? matcher[0][1] : 'tier'
 }
@@ -139,7 +133,8 @@ def imagename() {
 def handleError(String message){
 echo "${message}"
 currentBuild.setResult("FAILED")
- slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"
+ slackSend color: 'danger', message: "${message}"
+ //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
 sh 'exit 1'
 }
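Review bot: `sh 'docker login -u tieradmin -p $DOCKERHUBPW'` in the Build stage passes the registry password as a command-line argument, where it is visible to every process on the agent through the process list and in any shell tracing, even though Jenkins masks `credentials()` values in the console log; read it from stdin instead: `sh 'printf %s "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'`. The same stage pushes `i2incommon/shib-idp:$tag` with `--push` before the Test stage runs, that stage now only echoes "Skipping tests for now", and the old Scan stage (the trivy run published as 'Security Scan') was removed rather than carried over, so nothing between build and registry inspects the image any more. The `catch` blocks in Build and Test call `readFile('./debug')`, but no command in those stages writes `debug` (only Clean's `bin/destroy.sh >> debug` does), so a failure there either throws on the missing file or reports Clean's stale output instead of the real error; pass `error.toString()` into the message or redirect the stage's own commands to `debug` as the old `bin/rebuild.sh &> debug` did. The `environment` values `maintainer = "t"`, `imagename = 's'`, `tag = 'l'` are placeholders that the first `script` block overwrites; a one-line comment saying they exist only so `post { failure }` has something to interpolate before that stage runs would save the next reader a search.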
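Review bot: Dropping `(<${env.BUILD_URL}|Open>)` from the `slackSend` message in `handleError` removes the only link from the alert back to the failing build, so whoever is paged has to locate it by hand; if the Slack link markup was the problem, keep the URL as plain text, `message: "${message} ${env.BUILD_URL}"`. The commented-out `step([$class: 'Mailer', ...])` line is dead configuration carrying an individual's address; remove it, or if mail notification is planned, take the recipient from a pipeline parameter rather than hard-coding it in the file.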