From 248d5a219340442964abb711a3173e8e98d16541 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 29 Jul 2024 22:00:34 -0400 Subject: [PATCH 1/2] Sprinkle some log statements in inject-and-push Just to help users see what's going on. --- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 7 ++++++- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 7 ++++++- task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml | 7 ++++++- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 7 ++++++- task/buildah-remote/0.1/buildah-remote.yaml | 7 ++++++- task/buildah-remote/0.2/buildah-remote.yaml | 7 ++++++- task/buildah/0.1/buildah.yaml | 7 ++++++- task/buildah/0.2/buildah.yaml | 7 ++++++- 8 files changed, 48 insertions(+), 8 deletions(-) diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 6a1f035ba..74cf5fe91 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -538,10 +538,14 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers script: | + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -549,6 +553,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 
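Review bot: The added "Inspecting $IMAGE to find its base image name and digest" line in the first hunk announces the lookup but never logs its result, so a missing or empty `org.opencontainers.image.base.name` / `org.opencontainers.image.base.digest` annotation stays invisible in the task output even though both values are written back by `buildah config` a few lines later. Because these annotations record which base image the build came from, consider printing them after the two `buildah inspect` calls, e.g. `echo "Found base image: ${base_image_name}@${base_image_digest}"`, and emitting a warning when either is empty. The surrounding context lines also expand `$IMAGE`, `$container`, `${base_image_name}` and `${base_image_digest}` unquoted, so a value containing whitespace would be split into extra arguments; quoting them (`"$IMAGE"`, `"$container"`) would be a safe follow-up. The same hunk is repeated in the other seven task files of this patch, and the script body starts and ends outside the hunk.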
@@ -557,7 +562,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile /var/workdir/image-digest $IMAGE \ diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 3b452f957..040c10a9e 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -539,10 +539,14 @@ spec: script: | #!/bin/bash set -e + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -550,6 +554,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -558,7 +563,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile /var/workdir/image-digest $IMAGE \ 
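Review bot: The reworded push message sits inside the `for run in $(seq 1 $max_run)` retry loop, so on a retry it prints the same text again with nothing to tell the attempts apart. The command below it passes `--tls-verify=$TLSVERIFY`, and putting that value in the message would show in the task output when a push ran with certificate verification turned off. Both fit in the one line: `echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE (attempt $run of $max_run, tls-verify=$TLSVERIFY)"`. The loop body continues past the end of the hunk, so how a failed push is handled is not visible here; the same hunk appears in the other seven task files.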
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index e640942ca..71569512c 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -609,10 +609,14 @@ spec: image: quay.io/konflux-ci/buildah:latest@sha256:3fe211715717eca9eca1f19d326e19dd052c92fc6eb4f2434d8f903fe5b9aeb7 name: inject-sbom-and-push script: | + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -620,6 +624,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -628,7 +633,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile /var/workdir/image-digest $IMAGE \ diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 4518418ca..b72d5383f 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -610,10 +610,14 @@ spec: script: | #!/bin/bash set -e + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -621,6 +625,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -629,7 +634,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile /var/workdir/image-digest $IMAGE \ diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d85001733..d57dd06ac 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml 
@@ -606,10 +606,14 @@ spec: echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." fi + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -617,6 +621,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -625,7 +630,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile $(workspaces.source.path)/image-digest $IMAGE \ diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 2145728f9..58e3ab327 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
@@ -592,10 +592,14 @@ spec: script: | #!/bin/bash set -e + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -603,6 +607,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -611,7 +616,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile $(workspaces.source.path)/image-digest $IMAGE \ diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 792a33855..1958a7c64 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml 
@@ -502,10 +502,14 @@ spec: echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." fi + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -513,6 +517,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -521,7 +526,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile $(workspaces.source.path)/image-digest $IMAGE \ diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 8498b2571..e7c1ddec7 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
@@ -488,10 +488,14 @@ spec: script: | #!/bin/bash set -e + echo "Inspecting $IMAGE to find its base image name and digest" base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + echo "Re-applying base image annotations and labels" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -499,6 +503,7 @@ spec: BUILDAH_ARGS+=("--squash") fi + echo "Committing that change..." buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE status=-1 @@ -507,7 +512,7 @@ spec: for run in $(seq 1 $max_run); do status=0 [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" + echo "Pushing modified image with sboms included in the filesystem back to the registry at $IMAGE" buildah push \ --tls-verify=$TLSVERIFY \ --digestfile $(workspaces.source.path)/image-digest $IMAGE \ From 5bd7b3dd325cbf8b2e9c37e61696847c5ad631ab Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Tue, 30 Jul 2024 15:41:48 -0400 Subject: [PATCH 2/2] Correct log statement No labels are being applied here. Co-authored-by: Adam Cmiel --- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 2 +- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 2 +- task/buildah-remote/0.1/buildah-remote.yaml | 2 +- task/buildah-remote/0.2/buildah-remote.yaml | 2 +- task/buildah/0.1/buildah.yaml | 2 +- task/buildah/0.2/buildah.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 74cf5fe91..21d4f152c 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -545,7 +545,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 040c10a9e..5de700e38 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml 
@@ -546,7 +546,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 71569512c..841a237e5 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -616,7 +616,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index b72d5383f..d9a41f40b 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
@@ -617,7 +617,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d57dd06ac..4d0582a26 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -613,7 +613,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 58e3ab327..2ad0dd486 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -599,7 +599,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() 
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 1958a7c64..dbd4be538 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -509,7 +509,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index e7c1ddec7..af11cceab 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -495,7 +495,7 @@ spec: container=$(buildah from --pull-never $IMAGE) echo "Injecting sbom files into /root/buildinfo/content_manifests/ of $IMAGE" buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - echo "Re-applying base image annotations and labels" + echo "Re-applying base image annotations" buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=()