diff --git a/.github/workflows/build-and-publish-ubi-hardening-extras.yml b/.github/workflows/build-and-publish-ubi-hardening-extras.yml
index 2b89346..2aaf65f 100644
--- a/.github/workflows/build-and-publish-ubi-hardening-extras.yml
+++ b/.github/workflows/build-and-publish-ubi-hardening-extras.yml
@@ -15,7 +15,6 @@ on:
 env:
 BASE_IMAGE: almalinux-base
- OS_TAG: ubi9.4
 jobs:
 build-base-image:
@@ -55,8 +54,13 @@ jobs:
 packages: write
 strategy:
+ fail-fast: false
 matrix:
 package: [icewm, novnc, tigervnc, xterm]
+ tag: [ubi9.4]
+ include:
+ - package: matlab
+ tag: R2024b
 env:
 IMAGE_NAME: ghcr.io/${{ github.repository }}/ubi-hardening-extras/${{ matrix.package }}
@@ -84,6 +88,10 @@ jobs:
 docker load --input /tmp/${{ env.BASE_IMAGE }}.tar
 docker image ls -a
+ - name: Make image save location
+ run: |
+ mkdir -p /tmp/new
+
 # Build the package Docker image locally to retrieve the new signature.
 # We will only push to GHCR if the new package SHA-256 is different from the latest one.
 - name: Build new UBI package Docker image to file system
@@ -91,7 +99,7 @@ jobs:
 with:
 context: ./ubi-hardening-extras/${{ matrix.package }}
 build-args: BASE_IMAGE=${{ env.BASE_IMAGE }}
- outputs: type=local,dest=/tmp/new/
+ outputs: type=tar,dest=/tmp/new/${{ matrix.package }}.tar
 push: false
 - name: Login to GitHub Container registry
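Review bot: The `tag: R2024b` in the `include` entry for `package: matlab` is only a publishing label; nothing in this workflow feeds it to the build, while `ubi-hardening-extras/matlab/Dockerfile` hard-codes `ARG MATLAB_RELEASE=R2024b` and the build steps visible here pass only `BASE_IMAGE` (plus `VERSION` on publish) as build-args. If either value is bumped without the other, GHCR ends up with an image whose tag names a release it does not contain. Either pass the release through, `MATLAB_RELEASE=${{ matrix.tag }}` in the matlab build's `build-args` (buildx only warns about a build-arg the other packages' Dockerfiles do not consume), or at least pin the coupling in place with `# must match ARG MATLAB_RELEASE in ubi-hardening-extras/matlab/Dockerfile` next to the include entry. The `strategy`/`env` stanza this hunk edits continues outside the hunk on both sides.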
@@ -107,14 +115,14 @@ jobs:
 id: pull_latest
 continue-on-error: true
 run: |
- docker pull ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }}
+ docker pull ${{ env.IMAGE_NAME }}:${{ matrix.tag }}
 - name: Extract signature and version from latest Docker image
 id: extract
 run: |
 # Extract signature and version files from latest docker image if pull was succesful.
 if [[ ${{ steps.pull_latest.outcome }} == 'success' ]]; then
- VERSION=$(bash ./ubi-hardening-extras/workflow/extract_metadata.sh ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }})
+ VERSION=$(bash ./ubi-hardening-extras/workflow/extract_metadata.sh ${{ env.IMAGE_NAME }}:${{ matrix.tag }})
 echo -e "${{ env.GREEN }}>> Found ${{ env.IMAGE_NAME }} version ${VERSION}.${{ env.NC }}"
 NEXT_VERSION=$(bash ./ubi-hardening-extras/workflow/increment_version.sh ${VERSION})
 else
@@ -127,7 +135,8 @@ jobs:
 id: check
 run: |
 # Compare the SHA-256 signature of the latest published package versus the new build
- STATUS=$(cmp --silent /tmp/latest/*.sha256 /tmp/new/*.sha256; echo $?)
+ (cd /tmp/new && mkdir image-layers && tar -xf ${{ matrix.package }}.tar -C image-layers)
+ STATUS=$(cmp --silent /tmp/latest/*.sha256 /tmp/new/image-layers/*.sha256; echo $?)
 if [[ "${STATUS}" == '0' ]]; then
 echo -e "${{ env.GREEN }}>> ${{ matrix.package }} has not changed, nothing to do.${{ env.NC }}"
 else
@@ -147,8 +156,8 @@ jobs:
 BASE_IMAGE=${{ env.BASE_IMAGE }}
 VERSION=${{ steps.extract.outputs.next_version }}
 tags: |
- ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }}
- ${{ env.IMAGE_NAME }}:${{ steps.extract.outputs.next_version }}-${{ env.OS_TAG }}
+ ${{ env.IMAGE_NAME }}:${{ matrix.tag }}
+ ${{ env.IMAGE_NAME }}:${{ steps.extract.outputs.next_version }}-${{ matrix.tag }}
 - name: Set up Python 3
 if: ${{ steps.check.outputs.is_identical != '0' }}
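Review bot: The new compare line `STATUS=$(cmp --silent /tmp/latest/*.sha256 /tmp/new/image-layers/*.sha256; echo $?)` in the `id: check` hunk treats every non-zero exit of `cmp` as "image changed", including the case where the freshly extracted tar has no `*.sha256` at its root (a broken build output, or a package whose Dockerfile writes the signature somewhere else): the unexpanded glob makes `cmp` fail with a usage error, `STATUS` is non-zero, and the job goes on to publish. Failing early keeps such a build out of the registry: add `ls /tmp/new/image-layers/*.sha256 >/dev/null` before the `cmp`, so that under the default `bash -e` shell GitHub Actions uses for `run:` a missing new-build signature fails the step instead. The `/tmp/latest` side is legitimately empty on a package's first publication, so that side of the compare should stay tolerant as it is now. The `run:` script of this step continues outside the hunk.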
@@ -167,7 +176,7 @@ jobs:
 if: ${{ steps.check.outputs.is_identical != '0' }}
 working-directory: ubi-hardening-extras/tests
 env:
- IMAGE_UNDER_TEST: ${{ env.IMAGE_NAME }}:${{ env.OS_TAG }}
+ IMAGE_UNDER_TEST: ${{ env.IMAGE_NAME }}:${{ matrix.tag }}
 run: python -m unittest ${{ matrix.package }}/*.py
 # Push the package Docker image built in the "Build Docker image for UBI packages" step to GHCR
diff --git a/ubi-hardening-extras/matlab/Dockerfile b/ubi-hardening-extras/matlab/Dockerfile
new file mode 100644
index 0000000..763688b
--- /dev/null
+++ b/ubi-hardening-extras/matlab/Dockerfile
@@ -0,0 +1,46 @@
+# Copyright 2024 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+ARG MPM_DOWNLOAD_DESTINATION="/usr/local/src"
+
+ARG MATLAB_RELEASE=R2024b
+
+ARG LOCATION_ROOT=/tmp/deps
+
+FROM ${BASE_IMAGE} as matlab-download
+
+ARG LOCATION_ROOT
+ARG MATLAB_RELEASE
+ARG MPM_DOWNLOAD_DESTINATION
+
+ARG DNF="dnf --disableplugin subscription-manager --assumeyes"
+RUN ${DNF} update && \
+ ${DNF} install ca-certificates wget
+
+RUN wget -q https://www.mathworks.com/mpm/glnxa64/mpm && \
+ chmod +x mpm && \
+ ./mpm download \
+ --release=${MATLAB_RELEASE} \
+ --destination=${MPM_DOWNLOAD_DESTINATION} \
+ --products MATLAB \
+ || (echo "MPM Download Failure. See below for more information:" && cat /tmp/mathworks_root.log && false)
+
+ARG VERSION=v1.x
+
+RUN mkdir -p ${LOCATION_ROOT} && \
+ sha256sum ${MPM_DOWNLOAD_DESTINATION}/ProductFilesInfo.xml > ${LOCATION_ROOT}/matlab.sha256 && \
+ echo "${VERSION}" > ${LOCATION_ROOT}/matlab.version
+
+# Move MPM and the installation files to a scratch image
+FROM scratch
+
+LABEL maintainer="The MathWorks, Inc."
+
+# Declare build arguments to use at the current build stage.
+ARG MPM_DOWNLOAD_DESTINATION
+ARG LOCATION_ROOT
+
+COPY --from=matlab-download ${MPM_DOWNLOAD_DESTINATION} /
+COPY --from=matlab-download mpm /mpm
+COPY --from=matlab-download ${LOCATION_ROOT}/*.sha256 /
+COPY --from=matlab-download ${LOCATION_ROOT}/*.version /
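Review bot: In the new `ubi-hardening-extras/matlab/Dockerfile`, `RUN wget -q https://www.mathworks.com/mpm/glnxa64/mpm && chmod +x mpm && ./mpm download ...` fetches an unversioned installer binary and executes it with no integrity check, so the trust in what ends up in this image (and, via `matlab.sha256`, in the publish decision) rests entirely on TLS to that URL and whatever is served there at build time; for a hardening pipeline, pin the binary's SHA-256 as a build-arg and verify it before `chmod +x`. The same RUN also leaves `mpm` in whatever working directory `BASE_IMAGE` happens to set, and `COPY --from=matlab-download mpm /mpm` in the scratch stage resolves that name against the stage's root, so it only works while that directory is `/`; downloading to an absolute path (`wget -O /mpm`) and copying `/mpm /mpm` removes the dependence. If MathWorks replaces the binary in place at that URL the pin will have to be bumped deliberately, which is the intended effect of pinning. As a style point, `FROM ${BASE_IMAGE} as matlab-download` would read consistently as `AS`, the casing the commit's own `Dockerfile.matlab` uses.

```dockerfile
# Pinned SHA-256 of the mpm binary (placeholder, to be filled from a verified download);
# bump it on purpose when MathWorks ships a new mpm.
ARG MPM_SHA256=<sha256-of-mpm-placeholder>
RUN wget -q -O /mpm https://www.mathworks.com/mpm/glnxa64/mpm && \
    echo "${MPM_SHA256}  /mpm" | sha256sum --check && \
    chmod +x /mpm && \
    /mpm download \
# … unchanged: --release/--destination/--products and the "MPM Download Failure" fallback …
```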
diff --git a/ubi-hardening-extras/tests/matlab/matlab_test.py b/ubi-hardening-extras/tests/matlab/matlab_test.py
new file mode 100644
index 0000000..ee5c4dd
--- /dev/null
+++ b/ubi-hardening-extras/tests/matlab/matlab_test.py
@@ -0,0 +1,25 @@
+# Copyright 2024 The MathWorks, Inc.
+
+"""
+Module for testing the "matlab" image
+"""
+
+from utils import basetest
+import unittest
+
+
+class MATLABTest(basetest.TestCase):
+ """
+ Test class to build a Docker image from the "matlab" one and test the resulting image
+ """
+ dockerfile = "Dockerfile.matlab"
+
+ def test_matlab_present(self):
+ """Test that MATLAB is installed and available"""
+ self.assertTrue(self.host.exists(command="matlab"))
+
+
+##################################################################################
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile b/ubi-hardening-extras/tests/utils/Dockerfile
index 32188ef..76239fd 100644
--- a/ubi-hardening-extras/tests/utils/Dockerfile
+++ b/ubi-hardening-extras/tests/utils/Dockerfile
@@ -2,7 +2,7 @@
 ARG BASE_REGISTRY=redhat
 ARG BASE_IMAGE=ubi9
-ARG BASE_TAG=9.3
+ARG BASE_TAG=9.4
 ARG IMAGE_UNDER_TEST
 FROM ${IMAGE_UNDER_TEST} AS image-under-test
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile.matlab b/ubi-hardening-extras/tests/utils/Dockerfile.matlab
new file mode 100644
index 0000000..4d5b721
--- /dev/null
+++ b/ubi-hardening-extras/tests/utils/Dockerfile.matlab
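Review bot: `test_matlab_present` asserts only `self.host.exists(command="matlab")`, i.e. that something named `matlab` resolves on PATH; in the test image that is the symlink `ln -s ${MATLAB_INSTALL_LOCATION}/bin/matlab /usr/local/bin/matlab` created by `Dockerfile.matlab`, which exists even when its target does not, so an install that lands somewhere other than `/opt/matlab` still passes. A second assertion on the link target closes that gap; if `self.host` is a testinfra host (the `exists(command=...)` signature suggests it, but `basetest` is not on this page), `self.assertTrue(self.host.file("/opt/matlab/bin/matlab").exists)` would do. The docstring `"""Test that MATLAB is installed and available"""` promises more than the current check verifies; either tighten the check or reword it to `"""Test that a matlab command resolves on PATH"""`.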
@@ -0,0 +1,22 @@
+# Copyright 2023-2024 The MathWorks, Inc.
+
+ARG BASE_REGISTRY=redhat
+ARG BASE_IMAGE=ubi9
+ARG BASE_TAG=9.4
+ARG IMAGE_UNDER_TEST=matlab
+
+FROM ${IMAGE_UNDER_TEST} AS image-under-test
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ARG MATLAB_INSTALL_LOCATION=/opt/matlab
+
+COPY --from=image-under-test / /matlab-archive
+
+RUN /matlab-archive/mpm install \
+ --source=/matlab-archive/archives \
+ --destination=${MATLAB_INSTALL_LOCATION} \
+ --products MATLAB \
+ || (echo "MPM Installation Failure. See below for more information:" && cat /tmp/mathworks_root.log && false) \
+ && rm -rf /tmp/mathworks_root.log \
+ && ln -s ${MATLAB_INSTALL_LOCATION}/bin/matlab /usr/local/bin/matlab
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile.novnc b/ubi-hardening-extras/tests/utils/Dockerfile.novnc
index 4125965..4abcbaa 100644
--- a/ubi-hardening-extras/tests/utils/Dockerfile.novnc
+++ b/ubi-hardening-extras/tests/utils/Dockerfile.novnc
@@ -2,7 +2,7 @@
 ARG BASE_REGISTRY=redhat
 ARG BASE_IMAGE=ubi9
-ARG BASE_TAG=9.3
+ARG BASE_TAG=9.4
 ARG IMAGE_UNDER_TEST=novnc
 FROM ${IMAGE_UNDER_TEST} AS image-under-test
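Review bot: `COPY --from=image-under-test / /matlab-archive` in the new `Dockerfile.matlab` leaves the complete product archive and the `mpm` binary in the final test image, because the `RUN /matlab-archive/mpm install ...` that consumes it never removes it; the image the tests run against therefore carries the installer alongside the installed product, and is correspondingly larger. Appending `&& rm -rf /matlab-archive` after the `ln -s ${MATLAB_INSTALL_LOCATION}/bin/matlab /usr/local/bin/matlab` step keeps only what the tests exercise; the symlink targets the install destination, not the archive, so the test in `matlab_test.py` is unaffected. Whether `mpm` leaves anything under `/matlab-archive` that a later test would want to inspect is not visible from this commit.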