Update UBI Hardening images to include mpm and a MATLAB installation …

…archive
mathworks-ref-arch · Sep 12, 2024 · f251ec6 · f251ec6
1 parent 6835663
commit f251ec6
Show file tree

Hide file tree

Showing 6 changed files with 112 additions and 10 deletions.
diff --git a/.github/workflows/build-and-publish-ubi-hardening-extras.yml b/.github/workflows/build-and-publish-ubi-hardening-extras.yml
@@ -15,7 +15,6 @@ on:
 
 env:
   BASE_IMAGE: almalinux-base
-  OS_TAG: ubi9.4
 
 jobs:
   build-base-image:
@@ -55,8 +54,13 @@ jobs:
       packages: write
 
     strategy:
+      fail-fast: false
       matrix:
         package: [icewm, novnc, tigervnc, xterm]
+        tag: [ubi9.4]
+        include:
+          - package: matlab
+            tag: R2024b
 
     env:
       IMAGE_NAME: ghcr.io/${{ github.repository }}/ubi-hardening-extras/${{ matrix.package }}
@@ -84,14 +88,18 @@ jobs:
           docker load --input /tmp/${{ env.BASE_IMAGE }}.tar
           docker image ls -a
 
+      - name: Make image save location
+        run: |
+          mkdir -p /tmp/new
+
       # Build the package Docker image locally to retrieve the new signature.
       # We will only push to GHCR if the new package SHA-256 is different from the latest one.
       - name: Build new UBI package Docker image to file system
         uses: docker/build-push-action@v5
         with:
           context: ./ubi-hardening-extras/${{ matrix.package }}
           build-args: BASE_IMAGE=${{ env.BASE_IMAGE }}
-          outputs: type=local,dest=/tmp/new/
+          outputs: type=tar,dest=/tmp/new/${{ matrix.package }}.tar
           push: false
 
       - name: Login to GitHub Container registry
@@ -107,14 +115,14 @@ jobs:
         id: pull_latest
         continue-on-error: true
         run: |
-          docker pull ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }}
+          docker pull ${{ env.IMAGE_NAME }}:${{ matrix.tag }}
 
       - name: Extract signature and version from latest Docker image
         id: extract
         run: |
           # Extract signature and version files from latest docker image if pull was succesful.
           if [[ ${{ steps.pull_latest.outcome }} == 'success' ]]; then
-            VERSION=$(bash ./ubi-hardening-extras/workflow/extract_metadata.sh ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }})
+            VERSION=$(bash ./ubi-hardening-extras/workflow/extract_metadata.sh ${{ env.IMAGE_NAME }}:${{ matrix.tag }})
             echo -e "${{ env.GREEN }}>> Found ${{ env.IMAGE_NAME }} version ${VERSION}.${{ env.NC }}"
             NEXT_VERSION=$(bash ./ubi-hardening-extras/workflow/increment_version.sh ${VERSION})
           else
@@ -127,7 +135,8 @@ jobs:
         id: check
         run: |
           # Compare the SHA-256 signature of the latest published package versus the new build
-          STATUS=$(cmp --silent /tmp/latest/*.sha256 /tmp/new/*.sha256; echo $?)
+          (cd /tmp/new && mkdir image-layers && tar -xf ${{ matrix.package }}.tar -C image-layers)
+          STATUS=$(cmp --silent /tmp/latest/*.sha256 /tmp/new/image-layers/*.sha256; echo $?)
           if [[ "${STATUS}" == '0' ]]; then
             echo -e "${{ env.GREEN }}>> ${{ matrix.package }} has not changed, nothing to do.${{ env.NC }}"
           else
@@ -147,8 +156,8 @@ jobs:
             BASE_IMAGE=${{ env.BASE_IMAGE }}
             VERSION=${{ steps.extract.outputs.next_version }}
           tags: |
-            ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }}
-            ${{ env.IMAGE_NAME }}:${{ steps.extract.outputs.next_version }}-${{ env.OS_TAG }}
+            ${{ env.IMAGE_NAME }}:${{ matrix.tag }}
+            ${{ env.IMAGE_NAME }}:${{ steps.extract.outputs.next_version }}-${{ matrix.tag }}
 
       - name: Set up Python 3
         if: ${{ steps.check.outputs.is_identical != '0' }}
@@ -167,7 +176,7 @@ jobs:
         if: ${{ steps.check.outputs.is_identical != '0' }}
         working-directory: ubi-hardening-extras/tests
         env:
-          IMAGE_UNDER_TEST: ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }}
+          IMAGE_UNDER_TEST: ${{ env.IMAGE_NAME }}:${{ matrix.tag }}
         run: python -m unittest ${{ matrix.package }}/*.py
 
       # Push the package Docker image built in the "Build Docker image for UBI packages" step to GHCR 

diff --git a/ubi-hardening-extras/matlab/Dockerfile b/ubi-hardening-extras/matlab/Dockerfile
@@ -0,0 +1,46 @@
+# Copyright 2024 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+ARG MPM_DOWNLOAD_DESTINATION="/usr/local/src"
+
+ARG MATLAB_RELEASE=R2024b
+
+ARG LOCATION_ROOT=/tmp/deps
+
+FROM ${BASE_IMAGE} as matlab-download
+
+ARG LOCATION_ROOT
+ARG MATLAB_RELEASE
+ARG MPM_DOWNLOAD_DESTINATION
+
+ARG DNF="dnf --disableplugin subscription-manager --assumeyes"
+RUN ${DNF} update && \
+    ${DNF} install ca-certificates wget
+
+RUN wget -q https://www.mathworks.com/mpm/glnxa64/mpm && \
+    chmod +x mpm && \
+    ./mpm download \
+    --release=${MATLAB_RELEASE} \
+    --destination=${MPM_DOWNLOAD_DESTINATION} \
+    --products MATLAB \
+    || (echo "MPM Download Failure. See below for more information:" && cat /tmp/mathworks_root.log && false)
+
+ARG VERSION=v1.x
+
+RUN mkdir -p ${LOCATION_ROOT} && \
+    sha256sum ${MPM_DOWNLOAD_DESTINATION}/ProductFilesInfo.xml > ${LOCATION_ROOT}/matlab.sha256 && \
+    echo "${VERSION}" > ${LOCATION_ROOT}/matlab.version
+
+# Move MPM and the installation files to a scratch image
+FROM scratch
+
+LABEL maintainer="The MathWorks, Inc."
+
+# Declare build arguments to use at the current build stage.
+ARG MPM_DOWNLOAD_DESTINATION
+ARG LOCATION_ROOT
+
+COPY --from=matlab-download ${MPM_DOWNLOAD_DESTINATION} /
+COPY --from=matlab-download mpm /mpm
+COPY --from=matlab-download ${LOCATION_ROOT}/*.sha256 /
+COPY --from=matlab-download ${LOCATION_ROOT}/*.version /
diff --git a/ubi-hardening-extras/tests/matlab/matlab_test.py b/ubi-hardening-extras/tests/matlab/matlab_test.py
@@ -0,0 +1,25 @@
+# Copyright 2024 The MathWorks, Inc.
+
+"""
+Module for testing the "matlab" image
+"""
+
+from utils import basetest
+import unittest
+
+
+class MATLABTest(basetest.TestCase):
+    """
+    Test class to build a Docker image from the "matlab" one and test the resulting image
+    """
+    dockerfile = "Dockerfile.matlab"
+
+    def test_matlab_present(self):
+        """Test that MATLAB is installed and available"""
+        self.assertTrue(self.host.exists(command="matlab"))
+
+
+##################################################################################
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile b/ubi-hardening-extras/tests/utils/Dockerfile
@@ -2,7 +2,7 @@
 
 ARG BASE_REGISTRY=redhat
 ARG BASE_IMAGE=ubi9
-ARG BASE_TAG=9.3
+ARG BASE_TAG=9.4
 ARG IMAGE_UNDER_TEST
 
 FROM ${IMAGE_UNDER_TEST} AS image-under-test

diff --git a/ubi-hardening-extras/tests/utils/Dockerfile.matlab b/ubi-hardening-extras/tests/utils/Dockerfile.matlab
@@ -0,0 +1,22 @@
+# Copyright 2023-2024 The MathWorks, Inc.
+
+ARG BASE_REGISTRY=redhat
+ARG BASE_IMAGE=ubi9
+ARG BASE_TAG=9.4
+ARG IMAGE_UNDER_TEST=matlab
+
+FROM ${IMAGE_UNDER_TEST} AS image-under-test
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ARG MATLAB_INSTALL_LOCATION=/opt/matlab
+
+COPY --from=image-under-test / /matlab-archive
+
+RUN /matlab-archive/mpm install \
+    --source=/matlab-archive/archives \
+    --destination=${MATLAB_INSTALL_LOCATION} \
+    --products MATLAB \
+    || (echo "MPM Installation Failure. See below for more information:" && cat /tmp/mathworks_root.log && false) \
+    && rm -rf /tmp/mathworks_root.log \
+    && ln -s ${MATLAB_INSTALL_LOCATION}/bin/matlab /usr/local/bin/matlab
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile.novnc b/ubi-hardening-extras/tests/utils/Dockerfile.novnc
@@ -2,7 +2,7 @@
 
 ARG BASE_REGISTRY=redhat
 ARG BASE_IMAGE=ubi9
-ARG BASE_TAG=9.3
+ARG BASE_TAG=9.4
 ARG IMAGE_UNDER_TEST=novnc
 
 FROM ${IMAGE_UNDER_TEST} AS image-under-test