add sboms (#144)

mozilla-platform-ops · Jul 29, 2024 · 8a69c4c · 8a69c4c
1 parent 8af8f82
commit 8a69c4c
Show file tree

Hide file tree

Showing 25 changed files with 967 additions and 142 deletions.
diff --git a/.github/workflows/github-actions.yml b/.github/workflows/github-actions.yml
@@ -46,6 +46,9 @@ jobs:
       - name: Run tests
         run: |
           poetry run python -m pytest -sxv
+      - name: Generate coverage report
+        run: |
+          poetry run pytest -vv --cov=monopacker --cov-report=term-missing
   # poetry-update-check:
   #   runs-on: ubuntu-latest
   #   steps:

diff --git a/.gitignore b/.gitignore
@@ -20,8 +20,7 @@ packer-artifacts.json
 output-vagrant*
 
 ### Secrets ###
-real_secrets.yaml
-**/*secret*.yaml
+**/*secret*
 
 # Python cache
 *.pyc

diff --git a/SBOMs/.gitignore b/SBOMs/.gitignore
@@ -0,0 +1,2 @@
+*.md
+!README.md
diff --git a/SBOMs/README.md b/SBOMs/README.md
@@ -0,0 +1,5 @@
+# monopacker SBOMs
+
+## overview
+
+TBD
diff --git a/TEMPLATING.md b/TEMPLATING.md
@@ -160,6 +160,27 @@ simply create a `.jinja2` file with the name of your choice under `./template/bu
 Ensure that your builder template has a `name` key set to `{{builder.vars.name}}`, as this is how `monopacker` templating
 maps `builders` to `provisioners` in the Packer template.
 
+## Rebooting while building
+
+Monopacker has support for handling restarts during the build process.
+
+If a script's name includes 'reboot', Monopacker will add a pause after the step to ensure that the host is back up before continuing.
+
+## Software Bill of Materials (SBOMs)
+
+Monopacker has support for generating SBOMs.
+
+SBOM generation is enabled by adding a variable file to your builder that sets `monopacker_generate_sbom` to `true`. Here's an example variable file:
+
+```
+---
+monopacker_generate_sbom: true
+# defaults to ""
+monopacker_sbom_command_args: "-b $MONOPACKER_BUILDER_NAME -c $MONOPACKER_GIT_SHA"
+# default vaule is "monopacker_ubuntu_sbom.py"
+# monoopacker_sbom_script: monopacker_ubuntu_sbom.py
+```
+
 # FAQ
 
 ## I'm getting `did not find expected key` in my template
@@ -174,3 +195,9 @@ A number of things could be going wrong here.
 Ensure that the builder template properly
 references all variables as being namespaced under `builder.vars` and that your `builder_var_files`
 and `builder_vars` do _not_ have any namespacing. See above for a more thorough description.
+
+## What's the difference between variables and environment variaboles?
+
+Variables are set only in Packer's context. 
+
+Environment variables are set when scripts run on the target host.
diff --git a/builders/gw_fxci_gcp_l1.yaml b/builders/gw_fxci_gcp_l1.yaml
@@ -7,6 +7,7 @@ builder_var_files:
   - default_gcp
   - googlecompute_jammy
   - ubuntu_amd64
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l1_arm64.yaml b/builders/gw_fxci_gcp_l1_arm64.yaml
@@ -7,6 +7,7 @@ builder_var_files:
   - default_gcp
   - googlecompute_jammy_arm64
   - ubuntu_arm64
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l1_arm64_gui.yaml b/builders/gw_fxci_gcp_l1_arm64_gui.yaml
@@ -8,6 +8,7 @@ builder_var_files:
   - googlecompute_jammy_arm64
   - ubuntu_arm64
   - firefoxci_loopback
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l1_gui.yaml b/builders/gw_fxci_gcp_l1_gui.yaml
@@ -8,6 +8,7 @@ builder_var_files:
   - googlecompute_jammy
   - ubuntu_amd64
   - firefoxci_loopback
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l3.yaml b/builders/gw_fxci_gcp_l3.yaml
@@ -8,6 +8,7 @@ builder_var_files:
   - googlecompute_jammy
   - ubuntu_amd64
   - firefoxci_gcp_l3
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l3_arm64.yaml b/builders/gw_fxci_gcp_l3_arm64.yaml
@@ -8,6 +8,7 @@ builder_var_files:
   - googlecompute_jammy_arm64
   - ubuntu_arm64
   - firefoxci_gcp_l3
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l3_arm64_gui.yaml b/builders/gw_fxci_gcp_l3_arm64_gui.yaml
@@ -9,6 +9,7 @@ builder_var_files:
   - ubuntu_arm64
   - firefoxci_loopback
   - firefoxci_gcp_l3
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_fxci_gcp_l3_gui.yaml b/builders/gw_fxci_gcp_l3_gui.yaml
@@ -9,6 +9,7 @@ builder_var_files:
   - ubuntu_amd64
   - firefoxci_loopback
   - firefoxci_gcp_l3
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy-from-community

diff --git a/builders/gw_translations_gcp.yaml b/builders/gw_translations_gcp.yaml
@@ -7,6 +7,7 @@ builder_var_files:
   - default_linux
   - translations_gcp  # TODO: merge this and following?
   - googlecompute_translations
+  - monopacker_generate_sbom
 
 script_directories:
   - ubuntu-jammy

diff --git a/builders/monopacker-testing-image.yaml b/builders/monopacker-testing-image.yaml
@@ -0,0 +1,13 @@
+# a barebones image used for testing monopacker
+template: googlecompute
+platform: linux
+
+builder_var_files:
+  - default_linux
+  - default_gcp
+  - googlecompute_jammy
+  - ubuntu_amd64
+  - monopacker_generate_sbom
+
+script_directories:
+  - ubuntu-tc-barebones
diff --git a/monopacker/post-processors/move_sbom_to_latest_artifact_name.py b/monopacker/post-processors/move_sbom_to_latest_artifact_name.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+
+import json
+import sys
+import argparse
+import os
+import shutil
+
+# Set up argparse
+parser = argparse.ArgumentParser(description="Move temp_sbom.md to the last build's artifact name.md")
+parser.add_argument('-d', '--debug', action='store_true', help='Print what would have happened instead of performing the move')
+args = parser.parse_args()
+
+# Load the JSON data from the file in the current working directory
+file_path = 'packer-artifacts.json'
+with open(file_path, 'r') as file:
+    data = json.load(file)
+
+# Extract the last_run_uuid
+last_run_uuid = data['last_run_uuid']
+
+# Find the matching build in the builds array
+matching_build = None
+for build in data['builds']:
+    if build['packer_run_uuid'] == last_run_uuid:
+        matching_build = build
+        break
+
+# Handle the move operation or describe the action if in debug mode
+if matching_build:
+    artifact_id = matching_build['artifact_id']
+    source_path = 'SBOMs/temp_sbom.md'
+    destination_dir = 'SBOMs'
+    destination_path = f'{destination_dir}/{artifact_id}.md'
+
+    if not os.path.exists(source_path):
+        print(f'File {source_path} not found.')
+        sys.exit(0)
+
+    if args.debug:
+        print(f'Would move {source_path} to {destination_path}')
+    else:
+        try:
+            # Create the destination directory if it doesn't exist
+            os.makedirs(destination_dir, exist_ok=True)
+            # Move the file
+            shutil.move(source_path, destination_path)
+            print(f'Moved {source_path} to {destination_path}')
+        except Exception as e:
+            print(f'An error occurred: {e}')
+            sys.exit(1)
+else:
+    print('No matching build found.')
+    sys.exit(1)