merge 3.4.1 03082024 rocky8 multiarch

Dockerfile

@@ -1,16 +1,16 @@
-FROM centos:centos7
+FROM --platform=$TARGETPLATFORM rockylinux:8.9
 
 # Define args and set a default value
 ARG maintainer=tier
 ARG imagename=shibboleth_sp
 ARG version=3.4.1
-ARG TIERVERSION=20230612
+ARG TIERVERSION=20240308-Rocky8-MA
 
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"
 LABEL ImageType="Base"
 LABEL ImageName=$imagename
-LABEL ImageOS=centos7
+LABEL ImageOS=rocky8
 LABEL Version=$version
 
 LABEL Build docker build --rm --tag $maintainer/$imagename .
@@ -23,16 +23,20 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
     && echo "NETWORKING=yes" > /etc/sysconfig/network
 
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && yum -y update && \
-    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog cron httpd mod_ssl dos2unix cronie supervisor && \
+    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog httpd mod_ssl dos2unix cronie supervisor && \
     yum clean all
 
 #install shibboleth, cleanup httpd
 COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo
-RUN yum -y install shibboleth-$version-\*.x86_64 \
+RUN yum -y install shibboleth-$version-\* \
       && yum clean all
 
 ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/
 ADD ./container_files/shibboleth/* /etc/shibboleth/
+
+RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr
+RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
+
 RUN sed -i '/^[[:space:]]*CustomLog/s/^/#/' /etc/httpd/conf/httpd.conf
 
 # add a basic page to shibb's default protected directory

Jenkinsfile

@@ -1,122 +1,186 @@
-node('docker') {
 
-  stage 'Checkout'
+pipeline {
+    agent { node { label 'docker-multi-arch' } }
+    environment { 
+        maintainer = "t"
+        imagename = 's'
+        tag = 'l'
+        DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
 
-    checkout scm
-
-  stage 'Acquire util'
-
-    sh 'mkdir -p tmp'
-    dir('tmp'){
-      git([ url: "https://github.internet2.edu/docker/util.git",
-          credentialsId: "jenkins-github-access-token" ])
-      sh 'ls'
-      sh 'rm -rf ../bin/windows/'
-      sh 'mv bin/* ../bin/.'
-    }
-  stage 'Setting build context'
-
-    def maintainer = maintainer()
-    def previous_maintainer = previous_maintainer()
-    def imagename = imagename()
-    def tag
-
-    // Tag images created on master branch with 'latest'
-    if(env.BRANCH_NAME == "master"){
-      tag = "latest"
-    }else{
-      tag = env.BRANCH_NAME
     }
-
-    if(!imagename){
-      echo "You must define an imagename in common.bash"
-      currentBuild.result = 'FAILURE'
-     }
-     if(maintainer){
-      echo "Building ${imagename}:${tag} for ${maintainer}"
-     }
-
-  stage 'Build'
-    try{
-      sh 'bin/rebuild.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building the shibboleth-sp image. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
-    }
-  stage 'Start container'
-
-    sh 'bin/ci-run.sh'
-
-  stage 'Tests'
-
-    try{
-      sh 'bin/test.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+    stages {
+        stage('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    if(env.BRANCH_NAME == "master") {
+                       tag = "latest"
+                    } else {
+                       tag = env.BRANCH_NAME
+                    }
+                    if(!imagename){
+                        echo "You must define an imagename in common.bash"
+                        currentBuild.result = 'FAILURE'
+                     }
+                    sh 'mkdir -p tmp && mkdir -p bin'
+                    dir('tmp'){
+                      git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }  
+             }
+        }    
+        stage('Clean') {
+            steps {
+                script {
+                   try{
+                     sh 'bin/destroy.sh >> debug'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        } 
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
+                        sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                      def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                   try {
+                     echo "Starting tests..."
+                     sh 'bats tests'
+                     // echo "Skipping tests for now"
+                   } catch (error) {
+                     def error_details = readFile('./debug')
+                     def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   } 
+                }    
+             }
+        }
+        stage('Scan') {
+            steps {
+                script {
+                   try {
+                         echo "Starting security scan..."
+                         // Install trivy and HTML template
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+                         // Scan container for all vulnerability levels
+                         echo "Scanning for all vulnerabilities..."
+                         sh 'mkdir -p reports'
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan.html',
+                             reportName: 'Security Scan',
+                             reportTitles: 'Security Scan'
+                          ]
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan-arm.html',
+                             reportName: 'Security Scan (ARM)',
+                             reportTitles: 'Security Scan (ARM)'
+                          ]
+                         // Scan again and fail on CRITICAL vulns
+                         //below can be temporarily commented to prevent build from failing
+                         echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                         //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+                   } catch(error) {
+                           def error_details = readFile('./debug');
+                           def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+                           sh "rm -f ./debug"
+                           handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Push') {
+            steps {
+                script {
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        echo "Pushing image to dockerhub..."
+                        sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
+                 }
+            }
+        }
+        stage('Cleanup') {
+            steps {
+                script {
+                   try{
+		     echo "Cleaning up artifacts from the build..."
+                     sh 'tests/cleanup.sh'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Notify') {
+            steps{
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
     }
-
-  stage 'Scan'
-
-    try {
-          // Install trivy and HTML template
-          sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
-          sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
-
-          // Scan container for all vulnerability levels
-          sh 'mkdir -p reports'
-          sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
-          publishHTML target : [
-              allowMissing: true,
-              alwaysLinkToLastBuild: true,
-              keepAll: true,
-              reportDir: 'reports',
-              reportFiles: 'container-scan.html',
-              reportName: 'Security Scan',
-              reportTitles: 'Security Scan'
-          ]
-
-          // Scan again and fail on CRITICAL vulns
-          sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest"
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+    post { 
+        always { 
+            echo 'Done Building.'
+        }
+        failure {
+            // slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
     }
-
-  stage 'Stop container'
-
-    sh 'bin/ci-stop.sh'
-
-  stage 'Push'
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$previous_maintainer") {
-          def baseImg = docker.build("$maintainer/$imagename", "--no-cache .")
-          baseImg.push("$tag")
-    }
-
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$previous_maintainer") {
-          def altImg = docker.build("$previous_maintainer/$imagename", "--no-cache .")
-          altImg.push("$tag")
-    }
-
-
-  stage 'Notify'
-
-    slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
 }
 
-def maintainer() {
-  def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
-  matcher ? matcher[0][1] : 'tier'
-}
 
-def previous_maintainer() {
-  def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
+def maintain() {
+  def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
   matcher ? matcher[0][1] : 'tier'
 }
 
@@ -129,5 +193,7 @@ def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
   slackSend color: 'danger', message: "${message}"
+  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
   sh 'exit 1'
 }
+

container_files/shibboleth/shibboleth.repo

@@ -1,8 +1,8 @@
 [shibboleth]
-name=Shibboleth (CentOS_7)
+name=Shibboleth (rockylinux8)
 # Please report any problems to https://shibboleth.atlassian.net/jira
 type=rpm-md
-mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
+mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux8
 gpgcheck=1
 gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
         https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key