initial attempt at multiarch

docker · pcaskey · Dec 18, 2023 · Aug 12, 2021 · Aug 12, 2021 · Aug 16, 2022
commit 4801f7f9c7776ac078b0f01f4b893c4aaf1883cf
diff --git a/Dockerfile b/Dockerfile
@@ -6,11 +6,11 @@ FROM rockylinux/rockylinux:8.6
 #
 ##tomcat \
 ENV TOMCAT_MAJOR=9 \
-    TOMCAT_VERSION=9.0.65 \
+    TOMCAT_VERSION=9.0.68 \
 ##shib-idp \
     VERSION=4.2.1 \
 ##TIER \
-    TIERVERSION=20220815_rocky8 \
+    TIERVERSION=20221101_rocky8_multiarch_dev \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -71,8 +71,8 @@ RUN update-ca-trust extract
 
 # Install Corretto Java JDK
 #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
-ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
-ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
+ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-aarch64-linux-jdk.rpm
+ARG CORRETTO_RPM=amazon-corretto-11-aarch64-linux-jdk.rpm
 COPY container_files/java-corretto/corretto-signing-key.pub .
 RUN curl -O -L $CORRETTO_URL_PERM \
     && rpm --import corretto-signing-key.pub \
@@ -81,42 +81,6 @@ RUN curl -O -L $CORRETTO_URL_PERM \
     && rm -r corretto-signing-key.pub $CORRETTO_RPM
 ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
 
-# To use Zulu Java:
-#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
-#	&& curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
-#	&& yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
-#install Zulu JCE
-#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
-#	&& cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-#	&& unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-#	&& rm -rf /tmp/ZuluJCEPolicies.zip
-#ENV JAVA_HOME=/usr \
-
-# To use Oracle java/JCE:
-#
-#ENV JAVA_VERSION=8u171 \
-#    BUILD_VERSION=b11 \
-#    JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \
-#
-# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image.  
-#     ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-#     yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-#     rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-#     alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
-#     alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
-#     alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
-
-# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.  
-#     ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
-#     http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
-#     && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59  jce_policy-8.zip" | sha256sum -c - \
-#     && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-#     && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-#     && rm jce_policy-8.zip \
-#     && chmod -R 640 $JAVA_HOME/jre/lib/security/
-
 # Copy IdP installer properties file(s)
 ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/
 
@@ -190,7 +154,7 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
 RUN sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
 
 #upgrade pip to remove sec vuln
-RUN pip3 install --upgrade pip
+#RUN pip3 install --upgrade pip
 
 # Expose the port tomcat will be serving on
 EXPOSE 443

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,133 +1,127 @@
-// Licensed to the University Corporation for Advanced Internet Development,
-// Inc. (UCAID) under one or more contributor license agreements.  See the
-// NOTICE file distributed with this work for additional information regarding
-// copyright ownership. The UCAID licenses this file to You under the Apache
-// License, Version 2.0 (the "License"); you may not use this file except in
-// compliance with the License.  You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-//distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-node('docker') {
 
-  stage 'Checkout'
+pipeline {
+    agent { node { label 'docker-multi-arch' } }
+    environment { 
+        maintainer = "t"
+        imagename = 's'
+        tag = 'l'
+        DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
 
-    checkout scm
-
-  stage 'Acquire util files'
-
-    sh 'mkdir -p tmp && mkdir -p bin'
-    dir('tmp'){
-      git([ url: "https://github.internet2.edu/docker/util.git",
-          credentialsId: "jenkins-github-access-token" ])
-      sh 'rm -rf ../bin/*'
-      sh 'mv ./bin/* ../bin/.'
-    }
-    sh 'rm -rf tmp'
-
-  stage 'Setting build context'
-
-    def maintainer = maintainer()
-    def previous_maintainer = previous_maintainer()
-    def imagename = imagename()
-    def tag
-
-    // Tag images created on master branch with 'latest'
-    if(env.BRANCH_NAME == "master"){
-      tag = "latest"
-    }else{
-      tag = env.BRANCH_NAME
     }
+    stages {
+        stage('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    if(env.BRANCH_NAME == "master") {
+                       tag = "latest"
+                    } else {
+                       tag = env.BRANCH_NAME
+                    }
+                    if(!imagename){
+                        echo "You must define an imagename in common.bash"
+                        currentBuild.result = 'FAILURE'
+                     }
+                    sh 'mkdir -p tmp && mkdir -p bin'
+                    dir('tmp'){
+                      git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }  
+             }
+        }    
+        stage('Clean') {
+            steps {
+                script {
+                   try{
+                     sh 'bin/destroy.sh >> debug'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        } 
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        sh 'docker buildx build --platform linux/amd64 -t shib-idp  .'
+                        sh 'docker buildx build --platform linux/arm64 -t shib-idp:arm64 .'
+                        sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
+                        // test the environment 
+                        // sh 'cd test-compose && ./compose.sh'
+                        // bring down after testing
+                        // sh 'cd test-compose && docker-compose down'
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                      def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                   try {
+                     // sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
+                     echo "Skipping tests for now"
+                   } catch (error) {
+                     def error_details = readFile('./debug')
+                     def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   } 
+                }    
+             }
+        }
 
-    if(!imagename){
-      echo "You must define an imagename in common.bash"
-      currentBuild.result = 'FAILURE'
-     }
-     if(maintainer){
-      echo "Building ${imagename}:${tag} for ${maintainer}"
-     }
-
-  stage 'Build'
-
-    try{
-      sh 'bin/rebuild.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+        stage('Push') {
+            steps {
+                script {
+                        // statically defining jenkins credential value dockerhub-tier
+                        docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-tier") {
+                          // baseImg.push("$tag")
+                          echo "already pushed to Dockerhub"
+                        }
+                  }
+            }
+        }
+        stage('Notify') {
+            steps{
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
     }
-
-  stage 'Test'
-
-    try {
-      sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
-    } catch (error) {
-      def error_details = readFile('./debug')
-      def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
-    } 
-
-  stage 'Scan'
-
-    try {
-          // Install trivy and HTML template
-          sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
-          sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
-
-          // Scan container for all vulnerability levels
-          sh 'mkdir -p reports'
-          sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
-          publishHTML target : [
-              allowMissing: true,
-              alwaysLinkToLastBuild: true,
-              keepAll: true,
-              reportDir: 'reports',
-              reportFiles: 'container-scan.html',
-              reportName: 'Security Scan',
-              reportTitles: 'Security Scan'
-          ]
-
-          // Scan again and fail on CRITICAL vulns
-          //sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+    post { 
+        always { 
+            echo 'Done Building.'
+        }
+        failure {
+            // slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
     }
-
-  stage 'Push'
-
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$previous_maintainer") {
-          def baseImg = docker.build("$maintainer/$imagename")
-          baseImg.push("$tag")
-    }
-
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$previous_maintainer") {
-          def altImg = docker.build("$previous_maintainer/$imagename")
-          altImg.push("$tag")
-    }
-
-  stage 'Notify'
-
-    slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
-
 }
 
-def maintainer() {
-  def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
-  matcher ? matcher[0][1] : 'i2incommon'
-}
 
-def previous_maintainer() {
-  def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
+def maintain() {
+  def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
   matcher ? matcher[0][1] : 'tier'
 }
 
@@ -139,7 +133,8 @@ def imagename() {
 def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
-  slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"
+  slackSend color: 'danger', message: "${message}"
+  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
   sh 'exit 1'
 }