Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge pull request #23 from docker/3.4.1_03082024_rocky8_multiarch
merge 3.4.1 03082024 rocky8 multiarch
  • Loading branch information
pcaskey committed Mar 8, 2024
2 parents fd22425 + 8ee61bc commit 8f49c37
Show file tree
Hide file tree
Showing 7 changed files with 216 additions and 221 deletions.
14 changes: 9 additions & 5 deletions Dockerfile
@@ -1,16 +1,16 @@
FROM centos:centos7
FROM --platform=$TARGETPLATFORM rockylinux:8.9

# Define args and set a default value
ARG maintainer=tier
ARG imagename=shibboleth_sp
ARG version=3.4.1
ARG TIERVERSION=20230612
ARG TIERVERSION=20240308-Rocky8-MA

MAINTAINER $maintainer
LABEL Vendor="Internet2"
LABEL ImageType="Base"
LABEL ImageName=$imagename
LABEL ImageOS=centos7
LABEL ImageOS=rocky8
LABEL Version=$version

LABEL Build docker build --rm --tag $maintainer/$imagename .
Expand All @@ -23,16 +23,20 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
&& echo "NETWORKING=yes" > /etc/sysconfig/network

RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && yum -y update && \
yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog cron httpd mod_ssl dos2unix cronie supervisor && \
yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog httpd mod_ssl dos2unix cronie supervisor && \
yum clean all

#install shibboleth, cleanup httpd
COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo
RUN yum -y install shibboleth-$version-\*.x86_64 \
RUN yum -y install shibboleth-$version-\* \
&& yum clean all

ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/
ADD ./container_files/shibboleth/* /etc/shibboleth/

RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr
RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt

RUN sed -i '/^[[:space:]]*CustomLog/s/^/#/' /etc/httpd/conf/httpd.conf

# add a basic page to shibb's default protected directory
Expand Down
288 changes: 177 additions & 111 deletions Jenkinsfile
@@ -1,122 +1,186 @@
node('docker') {

stage 'Checkout'
pipeline {
agent { node { label 'docker-multi-arch' } }
environment {
maintainer = "t"
imagename = 's'
tag = 'l'
DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')

checkout scm

stage 'Acquire util'

sh 'mkdir -p tmp'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git",
credentialsId: "jenkins-github-access-token" ])
sh 'ls'
sh 'rm -rf ../bin/windows/'
sh 'mv bin/* ../bin/.'
}
stage 'Setting build context'

def maintainer = maintainer()
def previous_maintainer = previous_maintainer()
def imagename = imagename()
def tag

// Tag images created on master branch with 'latest'
if(env.BRANCH_NAME == "master"){
tag = "latest"
}else{
tag = env.BRANCH_NAME
}

if(!imagename){
echo "You must define an imagename in common.bash"
currentBuild.result = 'FAILURE'
}
if(maintainer){
echo "Building ${imagename}:${tag} for ${maintainer}"
}

stage 'Build'
try{
sh 'bin/rebuild.sh &> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building the shibboleth-sp image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
stage 'Start container'

sh 'bin/ci-run.sh'

stage 'Tests'

try{
sh 'bin/test.sh &> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
stages {
stage('Setting build context') {
steps {
script {
maintainer = maintain()
imagename = imagename()
if(env.BRANCH_NAME == "master") {
tag = "latest"
} else {
tag = env.BRANCH_NAME
}
if(!imagename){
echo "You must define an imagename in common.bash"
currentBuild.result = 'FAILURE'
}
sh 'mkdir -p tmp && mkdir -p bin'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
sh 'rm -rf ../bin/*'
sh 'mv ./bin/* ../bin/.'
}
// Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
// We don't care if there are more 'tag' assignments there. The latest one wins.
sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
}
}
}
stage('Clean') {
steps {
script {
try{
sh 'bin/destroy.sh >> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Build') {
steps {
script {
try{
sh 'docker login -u tieradmin -p $DOCKERHUBPW'
// fails if already exists
// sh 'docker buildx create --use --name multiarch --append'
sh 'docker buildx inspect --bootstrap'
sh 'docker buildx ls'
sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Test') {
steps {
script {
try {
echo "Starting tests..."
sh 'bats tests'
// echo "Skipping tests for now"
} catch (error) {
def error_details = readFile('./debug')
def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Scan') {
steps {
script {
try {
echo "Starting security scan..."
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
echo "Scanning for all vulnerabilities..."
sh 'mkdir -p reports'
sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan-arm.html',
reportName: 'Security Scan (ARM)',
reportTitles: 'Security Scan (ARM)'
]
// Scan again and fail on CRITICAL vulns
//below can be temporarily commented to prevent build from failing
echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
//echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Push') {
steps {
script {
sh 'docker login -u tieradmin -p $DOCKERHUBPW'
// fails if already exists
// sh 'docker buildx create --use --name multiarch --append'
sh 'docker buildx inspect --bootstrap'
sh 'docker buildx ls'
echo "Pushing image to dockerhub..."
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
}
}
}
stage('Cleanup') {
steps {
script {
try{
echo "Cleaning up artifacts from the build..."
sh 'tests/cleanup.sh'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Notify') {
steps{
echo "$maintainer"
slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
}
}
}

stage 'Scan'

try {
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
sh 'mkdir -p reports'
sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]

// Scan again and fail on CRITICAL vulns
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest"
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
post {
always {
echo 'Done Building.'
}
failure {
// slackSend color: 'good', message: "Build failed"
handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
}
}

stage 'Stop container'

sh 'bin/ci-stop.sh'

stage 'Push'
docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
def baseImg = docker.build("$maintainer/$imagename", "--no-cache .")
baseImg.push("$tag")
}

docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
def altImg = docker.build("$previous_maintainer/$imagename", "--no-cache .")
altImg.push("$tag")
}


stage 'Notify'

slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
}

def maintainer() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'tier'
}

def previous_maintainer() {
def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
def maintain() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'tier'
}

Expand All @@ -129,5 +193,7 @@ def handleError(String message){
echo "${message}"
currentBuild.setResult("FAILED")
slackSend color: 'danger', message: "${message}"
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
sh 'exit 1'
}

4 changes: 2 additions & 2 deletions container_files/shibboleth/shibboleth.repo
@@ -1,8 +1,8 @@
[shibboleth]
name=Shibboleth (CentOS_7)
name=Shibboleth (rockylinux8)
# Please report any problems to https://shibboleth.atlassian.net/jira
type=rpm-md
mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux8
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
Expand Down

0 comments on commit 8f49c37

Please sign in to comment.