ROX-11315: Bump Scanner to CentOS9 (#156)

.circleci/config.yml

@@ -114,7 +114,7 @@ commands:
     steps:
       - checkout
       - setup_remote_docker:
-          version: 20.10.7
+          version: 20.10.14
       - run:
           name: Build & push image
           command: |
@@ -126,20 +126,28 @@ commands:
               BUILD_ARGS+=(--build-arg "BASE_TAG=$BASE_TAG")
             fi
 
-            CENTOS_TAG="$(cat CENTOS_TAG)"
-            BUILD_ARGS+=(--build-arg "CENTOS_TAG=${CENTOS_TAG}")
+            STACKROX_CENTOS_TAG="$(cat STACKROX_CENTOS_TAG)"
 
-            BUILD_ARGS+=(--build-arg "ROCKSDB_TAG=$(.circleci/get_tag.sh rocksdb "${CENTOS_TAG}")")
-
-            TAG="$(.circleci/get_tag.sh "<< parameters.image-flavor >>" "${CENTOS_TAG}")"
+            TAG="$(.circleci/get_tag.sh "<< parameters.image-flavor >>" "${STACKROX_CENTOS_TAG}")"
             IMAGE="quay.io/rhacs-eng/apollo-ci:${TAG}"
 
-            if [[ "<< parameters.image-flavor >>" == "rocksdb" ]] && \
-                   DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect "$IMAGE" >/dev/null; then
-              echo "Image '$IMAGE' already exists - no need to build it"
-              circleci step halt
-              exit 0
-            fi
+            # The `stackrox-build` and `rocksdb` images share the centos image
+            # tag through `STACKROX_CENTOS_TAG`.
+
+            case "<< parameters.image-flavor >>" in
+               rocksdb)
+                   if DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect "$IMAGE" >/dev/null; then
+                      echo "Image '$IMAGE' already exists - no need to build it"
+                      circleci step halt
+                      exit 0
+                   fi
+                   BUILD_ARGS+=(--build-arg "STACKROX_CENTOS_TAG=${STACKROX_CENTOS_TAG}")
+                   ;;
+               stackrox-build)
+                   BUILD_ARGS+=(--build-arg "STACKROX_CENTOS_TAG=${STACKROX_CENTOS_TAG}")
+                   BUILD_ARGS+=(--build-arg "ROCKSDB_TAG=$(.circleci/get_tag.sh rocksdb "${STACKROX_CENTOS_TAG}")")
+                   ;;
+            esac
 
             docker build \
               "${BUILD_ARGS[@]}" \
@@ -148,7 +156,7 @@ commands:
               images/
 
             for _ in {1..5}; do
-              docker push "quay.io/rhacs-eng/apollo-ci:${TAG}" && break || sleep 15
+              docker push "${IMAGE}" && break || sleep 15
             done
 
             for _ in {1..5}; do

Makefile

@@ -1,8 +1,8 @@
-ifeq ($(CENTOS_TAG),)
-CENTOS_TAG=$(shell cat CENTOS_TAG)
+ifeq ($(STACKROX_CENTOS_TAG),)
+STACKROX_CENTOS_TAG=$(shell cat STACKROX_CENTOS_TAG)
 endif
 ifeq ($(ROCKSDB_TAG),)
-ROCKSDB_TAG=$(shell .circleci/get_tag.sh "rocksdb" "$(CENTOS_TAG)")
+ROCKSDB_TAG=$(shell .circleci/get_tag.sh "rocksdb" "$(STACKROX_CENTOS_TAG)")
 endif
 ifeq ($(DOCKER),)
 DOCKER=docker
@@ -14,7 +14,7 @@ rocksdb-image:
 	$(DOCKER) build \
 	    -t stackrox/apollo-ci:$(ROCKSDB_TAG) \
 	    -t quay.io/$(QUAY_REPO)/apollo-ci:$(ROCKSDB_TAG) \
-		--build-arg CENTOS_TAG=$(CENTOS_TAG) \
+		--build-arg STACKROX_CENTOS_TAG=$(STACKROX_CENTOS_TAG) \
 		-f images/rocksdb.Dockerfile \
 		images/
 
@@ -26,7 +26,7 @@ stackrox-build-image:
 	    -t stackrox/apollo-ci:$(STACKROX_BUILD_TAG) \
 	    -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \
 		--build-arg ROCKSDB_TAG=$(ROCKSDB_TAG) \
-		--build-arg CENTOS_TAG=$(CENTOS_TAG) \
+		--build-arg STACKROX_CENTOS_TAG=$(STACKROX_CENTOS_TAG) \
 		-f images/stackrox-build.Dockerfile \
 		images/
 

images/rocksdb.Dockerfile

@@ -1,5 +1,5 @@
-ARG CENTOS_TAG
-FROM quay.io/centos/centos:${CENTOS_TAG}
+ARG STACKROX_CENTOS_TAG
+FROM quay.io/centos/centos:${STACKROX_CENTOS_TAG}
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

images/scanner-build.Dockerfile

@@ -1,7 +1,6 @@
 # Provides the tooling required to run Scanner dockerized build targets.
 
-ARG CENTOS_TAG
-FROM quay.io/centos/centos:${CENTOS_TAG}
+FROM quay.io/centos/centos:stream9
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

images/scanner-test.Dockerfile

@@ -9,40 +9,67 @@ FROM quay.io/rhacs-eng/apollo-ci:${BASE_TAG} as base
 # CMD/ENTRYPOINT.
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# We are copying the contents in static-contents into / in the image, following the directory structure.
-# The reason we don't do a simple COPY ./static-contents / is that, in the base image (as of ubuntu:20.04)
-# /bin is a symlink to /usr/bin, and so the COPY ends up overwriting the symlink with a directory containing only
-# the contents of static-contents/bin, which is NOT what we want.
-# The following method of copying to /static-tmp and then explicitly copying file by file works around that.
-COPY ./static-contents/ /static-tmp
+# We are copying the contents in static-contents into / in the image, following
+# the directory structure.
+#
+# The reason we don't do a simple COPY ./static-contents / is that, in the base
+# image (as of ubuntu:20.04) /bin is a symlink to /usr/bin, and so the COPY ends
+# up overwriting the symlink with a directory containing only the contents of
+# static-contents/bin, which is NOT what we want.
+#
+# The following method of copying to /static-tmp and then explicitly copying
+# file by file works around that.
+COPY ./static-contents /static-tmp
 RUN set -ex \
-  && find /static-tmp -type f -print0 | \
-    xargs -0 -I '{}' -n1 bash -c 'dir="$(dirname "${1}")"; new_dir="${dir#/static-tmp}"; mkdir -p "${new_dir}"; cp "${1}" "${new_dir}";' -- {} \
-  && rm -r /static-tmp
+ && find /static-tmp -type f -print0 \
+  | xargs -0 -I '{}' -n1 \
+        bash -c 'dir="$(dirname "${1}")"; new_dir="${dir#/static-tmp}"; mkdir -p "${new_dir}"; cp "${1}" "${new_dir}";' -- {} \
+ && rm -r /static-tmp
+
+# Overwrite google cloud sdk with scanner's version.
+COPY ./static-contents-scanner/etc/yum.repos.d/google-cloud-sdk.repo /etc/yum.repos.d/google-cloud-sdk.repo
+
 # Circle CI uses BASH_ENV to pass an environment for bash. Other environments need
 # an initial BASH_ENV as a foundation for cci-export().
 ENV BASH_ENV /etc/initial-bash.env
 
-RUN dnf update -y && \
-    dnf install -y \
+# PostgreSQL environment.
+ENV PG_MAJOR=12
+ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/"
+
+RUN dnf install -y \
+        https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm \
+ && dnf update -y \
+ && dnf install -y \
         expect \
         gcc \
         gcc-c++ \
-        google-cloud-sdk \
-        google-cloud-sdk-gke-gcloud-auth-plugin \
         jq \
         kubectl \
+        libxcrypt-compat \
         lsof \
         lz4 \
         openssl \
-        @postgresql:12 \
+        postgresql${PG_MAJOR}-server \
         python3 \
         unzip \
         xz \
         zip \
-        && \
-    dnf clean all && \
-    rm -rf /var/cache/dnf /var/cache/yum
+ && dnf clean all \
+ && rm -rf /var/cache/dnf /var/cache/yum
+
+# Installing GC and GCP SDK.
+#
+# These packages are signed with SHA1, which is restricted by default in
+# RHEL9[1]. We disable the restriction to verify signatures.
+#
+# [1]: https://access.redhat.com/articles/6846411
+#
+RUN update-crypto-policies --set DEFAULT:SHA1 \
+ && dnf install -y \
+        google-cloud-sdk \
+        google-cloud-sdk-gke-gcloud-auth-plugin \
+ && update-crypto-policies --set DEFAULT:NO-SHA1
 
 # Use updated auth plugin for GCP
 ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True

images/stackrox-build.Dockerfile

@@ -1,10 +1,10 @@
 # Provides the tooling required to run StackRox dockerized build targets.
 
-ARG CENTOS_TAG
+ARG STACKROX_CENTOS_TAG
 ARG ROCKSDB_TAG
 FROM quay.io/rhacs-eng/apollo-ci:${ROCKSDB_TAG} as builder
 
-FROM quay.io/centos/centos:${CENTOS_TAG} as base
+FROM quay.io/centos/centos:${STACKROX_CENTOS_TAG} as base
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

images/static-contents-scanner/etc/yum.repos.d/google-cloud-sdk.repo

@@ -0,0 +1,8 @@
+[google-cloud-sdk]
+name=Google Cloud SDK
+baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
+enabled=1
+gpgcheck=1
+repo_gpgcheck=0
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
+       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg