diff --git a/.circleci/config.yml b/.circleci/config.yml index 5c19c6be..85cd804b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -114,7 +114,7 @@ commands: steps: - checkout - setup_remote_docker: - version: 20.10.7 + version: 20.10.14 - run: name: Build & push image command: | @@ -126,20 +126,28 @@ commands: BUILD_ARGS+=(--build-arg "BASE_TAG=$BASE_TAG") fi - CENTOS_TAG="$(cat CENTOS_TAG)" - BUILD_ARGS+=(--build-arg "CENTOS_TAG=${CENTOS_TAG}") + STACKROX_CENTOS_TAG="$(cat STACKROX_CENTOS_TAG)" - BUILD_ARGS+=(--build-arg "ROCKSDB_TAG=$(.circleci/get_tag.sh rocksdb "${CENTOS_TAG}")") - - TAG="$(.circleci/get_tag.sh "<< parameters.image-flavor >>" "${CENTOS_TAG}")" + TAG="$(.circleci/get_tag.sh "<< parameters.image-flavor >>" "${STACKROX_CENTOS_TAG}")" IMAGE="quay.io/rhacs-eng/apollo-ci:${TAG}" - if [[ "<< parameters.image-flavor >>" == "rocksdb" ]] && \ - DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect "$IMAGE" >/dev/null; then - echo "Image '$IMAGE' already exists - no need to build it" - circleci step halt - exit 0 - fi + # The `stackrox-build` and `rocksdb` images share the centos image + # tag through `STACKROX_CENTOS_TAG`. + + case "<< parameters.image-flavor >>" in + rocksdb) + if DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect "$IMAGE" >/dev/null; then + echo "Image '$IMAGE' already exists - no need to build it" + circleci step halt + exit 0 + fi + BUILD_ARGS+=(--build-arg "STACKROX_CENTOS_TAG=${STACKROX_CENTOS_TAG}") + ;; + stackrox-build) + BUILD_ARGS+=(--build-arg "STACKROX_CENTOS_TAG=${STACKROX_CENTOS_TAG}") + BUILD_ARGS+=(--build-arg "ROCKSDB_TAG=$(.circleci/get_tag.sh rocksdb "${STACKROX_CENTOS_TAG}")") + ;; + esac docker build \ "${BUILD_ARGS[@]}" \ @@ -148,7 +156,7 @@ commands: images/ for _ in {1..5}; do - docker push "quay.io/rhacs-eng/apollo-ci:${TAG}" && break || sleep 15 + docker push "${IMAGE}" && break || sleep 15 done for _ in {1..5}; do diff --git a/Makefile b/Makefile index 8ced2d08..8800c1d4 100644 
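Review bot: The new `case "<< parameters.image-flavor >>"` block in the second hunk has no default arm, so any flavor other than `rocksdb` and `stackrox-build` (the scanner images, presumably, given the rest of the diff) silently gets no `STACKROX_CENTOS_TAG` build arg even though the tag file is still read and feeds `TAG` a few lines above. An explicit `*) ;; # other flavors do not take STACKROX_CENTOS_TAG` would record that the omission is intended rather than an oversight. The `command: |` script that holds this `case` begins before this hunk and continues past it into the push loop.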
--- a/Makefile +++ b/Makefile @@ -1,8 +1,8 @@ -ifeq ($(CENTOS_TAG),) -CENTOS_TAG=$(shell cat CENTOS_TAG) +ifeq ($(STACKROX_CENTOS_TAG),) +STACKROX_CENTOS_TAG=$(shell cat STACKROX_CENTOS_TAG) endif ifeq ($(ROCKSDB_TAG),) -ROCKSDB_TAG=$(shell .circleci/get_tag.sh "rocksdb" "$(CENTOS_TAG)") +ROCKSDB_TAG=$(shell .circleci/get_tag.sh "rocksdb" "$(STACKROX_CENTOS_TAG)") endif ifeq ($(DOCKER),) DOCKER=docker @@ -14,7 +14,7 @@ rocksdb-image: $(DOCKER) build \ -t stackrox/apollo-ci:$(ROCKSDB_TAG) \ -t quay.io/$(QUAY_REPO)/apollo-ci:$(ROCKSDB_TAG) \ - --build-arg CENTOS_TAG=$(CENTOS_TAG) \ + --build-arg STACKROX_CENTOS_TAG=$(STACKROX_CENTOS_TAG) \ -f images/rocksdb.Dockerfile \ images/ @@ -26,7 +26,7 @@ stackrox-build-image: -t stackrox/apollo-ci:$(STACKROX_BUILD_TAG) \ -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \ --build-arg ROCKSDB_TAG=$(ROCKSDB_TAG) \ - --build-arg CENTOS_TAG=$(CENTOS_TAG) \ + --build-arg STACKROX_CENTOS_TAG=$(STACKROX_CENTOS_TAG) \ -f images/stackrox-build.Dockerfile \ images/ diff --git a/CENTOS_TAG b/STACKROX_CENTOS_TAG similarity index 100% rename from CENTOS_TAG rename to STACKROX_CENTOS_TAG diff --git a/images/rocksdb.Dockerfile b/images/rocksdb.Dockerfile index 41b9acc7..71c89998 100644 --- a/images/rocksdb.Dockerfile +++ b/images/rocksdb.Dockerfile @@ -1,5 +1,5 @@ -ARG CENTOS_TAG -FROM quay.io/centos/centos:${CENTOS_TAG} +ARG STACKROX_CENTOS_TAG +FROM quay.io/centos/centos:${STACKROX_CENTOS_TAG} SHELL ["/bin/bash", "-o", "pipefail", "-c"] diff --git a/images/scanner-build.Dockerfile b/images/scanner-build.Dockerfile index 9e25032a..ce33ee31 100644 --- a/images/scanner-build.Dockerfile +++ b/images/scanner-build.Dockerfile @@ -1,7 +1,6 @@ # Provides the tooling required to run Scanner dockerized build targets. -ARG CENTOS_TAG -FROM quay.io/centos/centos:${CENTOS_TAG} +FROM quay.io/centos/centos:stream9 SHELL ["/bin/bash", "-o", "pipefail", "-c"] 
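Review bot: `STACKROX_CENTOS_TAG=$(shell cat STACKROX_CENTOS_TAG)` and the `ROCKSDB_TAG=$(shell …)` line below it are recursive assignments, so `cat` and `.circleci/get_tag.sh` run again on every expansion, i.e. for each `-t` and `--build-arg` reference in the image targets, and `ROCKSDB_TAG` re-runs `cat` through its own reference to `$(STACKROX_CENTOS_TAG)`. Since both lines are rewritten here anyway, `STACKROX_CENTOS_TAG := $(shell cat STACKROX_CENTOS_TAG)` and `ROCKSDB_TAG := $(shell .circleci/get_tag.sh "rocksdb" "$(STACKROX_CENTOS_TAG)")` evaluate once and still honour a command-line override because of the `ifeq` guards. A missing or empty tag file currently produces an empty `--build-arg STACKROX_CENTOS_TAG=` and a late, opaque docker failure; an `$(error STACKROX_CENTOS_TAG is empty)` check after the assignment would fail earlier with a clear message.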
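Review bot: `FROM quay.io/centos/centos:stream9` in the scanner-build hunk replaces the tag that used to arrive through `CENTOS_TAG` with a floating tag, so each rebuild pulls whatever `stream9` currently resolves to and this image no longer follows the tag file that `stackrox-build` and `rocksdb` still share via `STACKROX_CENTOS_TAG`. If that divergence is intended, a one-line comment above the `FROM` saying so would stop the next person from re-unifying it; pinning the base by digest, `FROM quay.io/centos/centos:stream9@sha256:<DIGEST>` (placeholder), or reading it from a tag file keeps the base image reproducible and auditable. As far as I can tell, any caller still passing `--build-arg CENTOS_TAG=…` to this Dockerfile will now only get a "build-arg not consumed" warning, which is worth checking in the scanner build scripts.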
diff --git a/images/scanner-test.Dockerfile b/images/scanner-test.Dockerfile
index a7ef4c61..d016122a 100644
--- a/images/scanner-test.Dockerfile
+++ b/images/scanner-test.Dockerfile
@@ -9,40 +9,67 @@ FROM quay.io/rhacs-eng/apollo-ci:${BASE_TAG} as base # CMD/ENTRYPOINT. SHELL ["/bin/bash", "-o", "pipefail", "-c"] -# We are copying the contents in static-contents into / in the image, following the directory structure. -# The reason we don't do a simple COPY ./static-contents / is that, in the base image (as of ubuntu:20.04) -# /bin is a symlink to /usr/bin, and so the COPY ends up overwriting the symlink with a directory containing only -# the contents of static-contents/bin, which is NOT what we want. -# The following method of copying to /static-tmp and then explicitly copying file by file works around that. -COPY ./static-contents/ /static-tmp +# We are copying the contents in static-contents into / in the image, following +# the directory structure. +# +# The reason we don't do a simple COPY ./static-contents / is that, in the base +# image (as of ubuntu:20.04) /bin is a symlink to /usr/bin, and so the COPY ends +# up overwriting the symlink with a directory containing only the contents of +# static-contents/bin, which is NOT what we want. +# +# The following method of copying to /static-tmp and then explicitly copying +# file by file works around that. +COPY ./static-contents /static-tmp RUN set -ex \ - && find /static-tmp -type f -print0 | \ - xargs -0 -I '{}' -n1 bash -c 'dir="$(dirname "${1}")"; new_dir="${dir#/static-tmp}"; mkdir -p "${new_dir}"; cp "${1}" "${new_dir}";' -- {} \ - && rm -r /static-tmp + && find /static-tmp -type f -print0 \ + | xargs -0 -I '{}' -n1 \ + bash -c 'dir="$(dirname "${1}")"; new_dir="${dir#/static-tmp}"; mkdir -p "${new_dir}"; cp "${1}" "${new_dir}";' -- {} \ + && rm -r /static-tmp + +# Overwrite google cloud sdk with scanner's version. +COPY ./static-contents-scanner/etc/yum.repos.d/google-cloud-sdk.repo /etc/yum.repos.d/google-cloud-sdk.repo + # Circle CI uses BASH_ENV to pass an environment for bash. Other environments need # an initial BASH_ENV as a foundation for cci-export(). 
ENV BASH_ENV /etc/initial-bash.env -RUN dnf update -y && \ - dnf install -y \ +# PostgreSQL environment. +ENV PG_MAJOR=12 +ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" + +RUN dnf install -y \ + https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm \ + && dnf update -y \ + && dnf install -y \ expect \ gcc \ gcc-c++ \ - google-cloud-sdk \ - google-cloud-sdk-gke-gcloud-auth-plugin \ jq \ kubectl \ + libxcrypt-compat \ lsof \ lz4 \ openssl \ - @postgresql:12 \ + postgresql${PG_MAJOR}-server \ python3 \ unzip \ xz \ zip \ - && \ - dnf clean all && \ - rm -rf /var/cache/dnf /var/cache/yum + && dnf clean all \ + && rm -rf /var/cache/dnf /var/cache/yum + +# Installing GC and GCP SDK. +# +# These packages are signed with SHA1, which is restricted by default in +# RHEL9[1]. We disable the restriction to verify signatures. +# +# [1]: https://access.redhat.com/articles/6846411 +# +RUN update-crypto-policies --set DEFAULT:SHA1 \ + && dnf install -y \ + google-cloud-sdk \ + google-cloud-sdk-gke-gcloud-auth-plugin \ + && update-crypto-policies --set DEFAULT:NO-SHA1 # Use updated auth plugin for GCP ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True diff --git a/images/stackrox-build.Dockerfile b/images/stackrox-build.Dockerfile index 60b4560b..f6e62e5d 100644 --- a/images/stackrox-build.Dockerfile +++ b/images/stackrox-build.Dockerfile @@ -1,10 +1,10 @@ # Provides the tooling required to run StackRox dockerized build targets. -ARG CENTOS_TAG +ARG STACKROX_CENTOS_TAG ARG ROCKSDB_TAG FROM quay.io/rhacs-eng/apollo-ci:${ROCKSDB_TAG} as builder -FROM quay.io/centos/centos:${CENTOS_TAG} as base +FROM quay.io/centos/centos:${STACKROX_CENTOS_TAG} as base SHELL ["/bin/bash", "-o", "pipefail", "-c"] diff --git a/images/static-contents-scanner/etc/yum.repos.d/google-cloud-sdk.repo b/images/static-contents-scanner/etc/yum.repos.d/google-cloud-sdk.repo new file mode 100644 index 00000000..b178a7af --- /dev/null 
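Review bot: The PGDG bootstrap in `RUN dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm` installs an unpinned (`-latest`) package straight from a URL, and as far as I can tell a package given by URL falls under dnf's `localpkg_gpgcheck` (off by default) rather than the repository `gpgcheck`, so the repo definition and the signing key it drops into the image are trusted on the TLS connection alone. Pinning that RPM to a specific version and installing it with `--setopt=localpkg_gpgcheck=1` after importing the PGDG key (or checking a downloaded copy with `rpm -K`) would make the step verifiable. In the later block, the closing `update-crypto-policies --set DEFAULT:NO-SHA1` does not restore the prior state: `NO-SHA1` is a stricter subpolicy than plain `DEFAULT` (it also drops SHA-1 from TLS and HMAC uses), so if the intent is to undo the temporary relaxation the line should be `update-crypto-policies --set DEFAULT`, and otherwise the comment should say the image is deliberately left stricter than the base. The comment should also note that the relaxed policy is in effect for the whole `dnf install` of the Google packages, not only for their signature checks.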
+++ b/images/static-contents-scanner/etc/yum.repos.d/google-cloud-sdk.repo
@@ -0,0 +1,8 @@
+[google-cloud-sdk]
+name=Google Cloud SDK
+baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el9-x86_64
+enabled=1
+gpgcheck=1
+repo_gpgcheck=0
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
+ https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
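Review bot: `repo_gpgcheck=0` in the new repo file turns off signature verification of the repository metadata, so only the packages themselves are checked (`gpgcheck=1`); that leaves the package list and dependency metadata unauthenticated beyond TLS, and nothing in the file records why. A comment such as `# repo_gpgcheck=0: repository metadata is not signature-verified, only packages (gpgcheck=1) -- TODO record why` next to the line would keep the trade-off visible and stop it from being silently copied into other repo files. The `baseurl` is also hard-wired to `cloud-sdk-el9-x86_64`, which ties this image to one architecture; that may be intended, but it is worth stating in the same comment.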