Break scanner binary build into separate task
This will hopefully speed up the build a bit.

Some other changes:

* Switched to the builder image from brew instead of from quay.io/stackrox-io
* Cleaned up some debug statements
* The buildah container no longer needs to be 6Gi
* Moved unzipping the vuln dumps into the gen-vuln-feed-data step
* Removed the builder image altogether from the dockerfile
kylape committed Dec 6, 2023
1 parent bef2ad6 commit 5eba918
Showing 2 changed files with 51 additions and 37 deletions.
54 changes: 43 additions & 11 deletions .tekton/scanner-pull-request.yaml
Expand Up @@ -223,7 +223,8 @@ spec:
memory: 6Gi
limits:
memory: 6Gi
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61
# image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20
script: |
#!/usr/bin/env bash
ROOT="$(workspaces.source.path)/source"
Expand All @@ -237,24 +238,54 @@ spec:
make build-updater
info "Generating genesis dump"
mkdir -p $ROOT
"$ROOT/bin/updater" generate-dump --out-file $ROOT/genesis-dump.zip
ls -lrt $ROOT
info "Printing some stats"
"$ROOT/bin/updater" print-stats $ROOT/genesis-dump.zip
info "Extracting dumps"
mkdir -p /tmp/vuln-dump
zip $ROOT/genesis-dump.zip 'nvd/*' --copy --out $ROOT/nvd-definitions.zip
zip $ROOT/genesis-dump.zip 'k8s/*' --copy --out $ROOT/k8s-definitions.zip
zip $ROOT/genesis-dump.zip 'istio/*' --copy --out $ROOT/istio-definitions.zip
zip $ROOT/genesis-dump.zip 'rhelv2/repository-to-cpe.json' --copy --out $ROOT/repo2cpe.zip
unzip $ROOT/genesis-dump.zip 'manifest.json'
unzip -j $ROOT/genesis-dump.zip 'nvd/*' -d $ROOT/nvd_definitions
unzip -j $ROOT/genesis-dump.zip 'k8s/*' -d $ROOT/k8s_definitions
unzip -j $ROOT/genesis-dump.zip 'istio/*' -d $ROOT/istio_definitions
unzip -j $ROOT/genesis-dump.zip 'rhelv2/repository-to-cpe.json' -d $ROOT/repo2cpe
unzip -j $ROOT/genesis-dump.zip 'manifest.json'
mv manifest.json genesis_manifests.json
workspaces:
- name: source
workspace: workspace
- name: build-scanner-binary
runAfter:
- init
- clone-repository
taskSpec:
steps:
- name: build-scanner-binary
computeResources:
requests:
memory: 6Gi
limits:
memory: 6Gi
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20
script: |
#!/usr/bin/env bash
ROOT="$(workspaces.source.path)/source"
set -euo pipefail
info "Building scanner"
cd $ROOT
export CGO_ENABLED=1 GOFLAGS="" CI=1
export VERSION=$(git describe --tags --abbrev=10 --dirty --long)
if [ "$VERSION" == "" ]; then
echo "Failed to build verison string"
exit 1
fi
go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$VERSION" -o scanner ./cmd/clair
workspaces:
- name: source
workspace: workspace
- name: build-container
params:
- name: IMAGE
Expand All @@ -274,12 +305,13 @@ spec:
runAfter:
- prefetch-dependencies
- gen-vuln-feed-data
- build-scanner-binary
taskRef:
params:
- name: name
value: buildah-6gb
value: buildah
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-6gb:0.1
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1
- name: kind
value: task
resolver: bundles
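Review bot: The empty-string guard `if [ "$VERSION" == "" ]` in the new build-scanner-binary step does not catch a failing `git describe`, because `export VERSION=$(...)` returns export's own exit status and `set -euo pipefail` never sees the substitution fail; split it into `VERSION="$(git describe --tags --abbrev=10 --dirty --long)"` followed by `export VERSION`, which also makes the guard meaningful, and fix the misspelling on the next line (`echo "Failed to build version string"`). The builder image `image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20` is referenced by a mutable tag in both the gen-vuln-feed-data and build-scanner-binary steps, so the produced binary is not reproducible and a retargeted tag changes the toolchain silently; pinning it by digest (`image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:<DIGEST>`, digest to be filled in) would close that. The commented-out `# image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61` left in the gen-vuln-feed-data step is dead configuration and should be dropped rather than kept. The gen-vuln-feed-data task whose step these first two hunks modify starts above the first hunk, outside the visible diff.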
34 changes: 8 additions & 26 deletions image/scanner/rhtap/Dockerfile
Expand Up @@ -2,26 +2,6 @@ ARG BASE_REGISTRY=registry.access.redhat.com
ARG BASE_IMAGE=ubi8-minimal
ARG BASE_TAG=latest

FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder

ENV CGO_ENABLED=1
ENV GOFLAGS=""
ENV CI=1

COPY . /src
WORKDIR /src

RUN ls -la; git log --oneline | wc -l; unzip -j repo2cpe.zip -d image/scanner/dump/repo2cpe && \
unzip -j k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
unzip -j nvd-definitions.zip -d image/scanner/dump/nvd_definitions

RUN echo "version: $(git describe --tags --abbrev=10 --dirty --long)"; git status; go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(git describe --tags --abbrev=10 --dirty --long)" -o image/scanner/bin/scanner ./cmd/clair

# Replace genesis manifests file in the source code with the one generated at
# the point when the dump was taken. This is to avoid discrepancy between other
# files of the dump and the manifest.
COPY ./genesis_manifests.json image/scanner/dump/genesis_manifests.json

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

LABEL name="scanner" \
Expand All @@ -34,12 +14,14 @@ ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
ENV K8S_DEFINITIONS_DIR="/k8s_definitions"
ENV REPO_TO_CPE_DIR="/repo2cpe"

COPY --from=builder /src/image/scanner/scripts /
COPY --from=builder /src/image/scanner/bin/scanner ./
COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
WORKDIR /src

COPY image/scanner/scripts /
COPY scanner ./
COPY --chown=65534:65534 "${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 "${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
COPY --chown=65534:65534 "${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
COPY --chown=65534:65534 genesis_manifests.json ./

RUN microdnf upgrade --nobest && \
microdnf install xz && \
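Review bot: The new `WORKDIR /src` in the runtime stage changes where the relative COPY destinations land: `".${NVD_DEFINITIONS_DIR}/"` with `ENV NVD_DEFINITIONS_DIR="/nvd_definitions"` now resolves to `/src/nvd_definitions/` while the ENV still advertises `/nvd_definitions` (likewise for K8S_DEFINITIONS_DIR and REPO_TO_CPE_DIR), and `scanner` and `genesis_manifests.json` move from `/` to `/src`. The removed `--from=builder` copies used the same `./` form with the stage's default working directory, so files and ENV agreed; unless a WORKDIR in the lines hidden above this hunk already set the cwd, either drop `WORKDIR /src` or copy to absolute paths, e.g. `COPY --chown=65534:65534 "${NVD_DEFINITIONS_DIR}/" "${NVD_DEFINITIONS_DIR}/"`. With the builder stage gone, the image now takes the `scanner` binary and the definition directories straight from the build context, so what ends up in the image depends entirely on what the Tekton workspace holds when buildah runs rather than on a build performed inside the Dockerfile; a comment above the COPY block such as `# scanner is built by the build-scanner-binary task; the definition dirs and genesis_manifests.json are produced by gen-vuln-feed-data` would make that dependency visible to the next reader. The final RUN continues past the end of the hunk.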
