diff --git a/pipelines/scanning/images/scanner/Dockerfile.local b/pipelines/scanning/images/scanner/Dockerfile.local new file mode 100644 index 0000000..50dd177 --- /dev/null +++ b/pipelines/scanning/images/scanner/Dockerfile.local @@ -0,0 +1,61 @@ +## Kabanero Scanner Image containing OpenSCAP tools +## Note: Pulling container will require logging into Red Hat's registry using `docker login registry.redhat.io` . + +## Note: We're using the UBI 8 registry instead of RHEL here +FROM registry.access.redhat.com/ubi8:latest +MAINTAINER ttorres@us.ibm.com + +### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels +LABEL name="Kabanero Scanner Image" \ + vendor="IBM" \ + version="1.3.4" \ + release="1.3.4" \ + summary="Kabanero Scanner Image containing OpenSCAP tools" \ + description="OpenSCAP tools necessary to run an image scan from a Tekton pipeline, built from the OpenSCAP version and pull request indicated in the release label." + +### add licenses to this directory +COPY licenses /licenses + +### Copy repository configuration for temporary tools needed during the build that will be removed after OpenSCAP is built. +COPY etc/yum.repos.d /etc/yum.repos.d +COPY etc/pki/rpm-gpg /etc/pki/rpm-gpg + +### Add necessary Red Hat repos here +## Note: The UBI has different repos than the RHEL repos. +RUN REPOLIST=ubi-8-baseos,ubi-8-codeready-builder,ubi-8-appstream \ + VERSION=1.3.4 \ +### Add your package needs here + INSTALL_PKGS="libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel openldap-devel pcre-devel perl-devel python36-devel bzip2-devel libyaml-devel" \ + TEMP_BUILD_UBI_PKGS="wget make gcc-c++" \ + INSTALL_OTHER_PKGS="dbus-devel libacl-devel libblkid-devel libcap-devel libattr-devel perl-XML-Parser perl-XML-XPath rpm-devel" \ + TEMP_BUILD_OTHER_PKGS="cmake git swig" \ + REMOVE_PKGS="kernel-headers vim-minimal" && \ + yum -y update --setopt=tsflags=nodocs --allowerasing && \ + yum -y update-minimal --disablerepo "*" --enablerepo ubi-8* --setopt=tsflags=nodocs \ + --security --sec-severity=Important --sec-severity=Critical && \ + yum repolist && \ + yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \ + yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${TEMP_BUILD_UBI_PKGS} && \ + yum -y install --disablerepo "ubi-*" --setopt=tsflags=nodocs ${INSTALL_OTHER_PKGS} && \ + yum -y install --disablerepo "ubi-*" --setopt=tsflags=nodocs ${TEMP_BUILD_OTHER_PKGS} && \ + +### Install your application here -- add all other necessary items to build your image + wget https://github.com/OpenSCAP/openscap/releases/download/${VERSION}/openscap-${VERSION}.tar.gz && \ + wget https://github.com/OpenSCAP/openscap/releases/download/${VERSION}/openscap-${VERSION}.tar.gz.sha512 && \ + sha512sum -c openscap-${VERSION}.tar.gz.sha512 && \ + tar -xzpf openscap-${VERSION}.tar.gz && \ + cd openscap-${VERSION} && \ + mkdir -p build && \ +# +# git clone https://github.com/OpenSCAP/openscap.git && \ +# cd openscap && \ +# git checkout maint-1.3 && \ + cd build && \ + cmake -DENABLE_OSCAP_UTIL=TRUE -DENABLE_OSCAP_UTIL_CHROOT=TRUE -DENABLE_OSCAP_UTIL_PODMAN=TRUE ../ && \ + make && \ + make install && \ + yum -y remove --setopt=tsflags=nodocs ${TEMP_BUILD_UBI_PKGS} ${TEMP_BUILD_OTHER_PKGS} ${REMOVE_PKGS} && \ + yum clean all -y && \ + # Remove repos' configs + rm -rf /etc/rhsm /etc/yum.repos.d /etc/pki/entitlement /etc/pki/rpm-gpg + diff --git a/pipelines/scanning/images/scanner/build-local.sh b/pipelines/scanning/images/scanner/build-local.sh new file mode 100755 index 0000000..32edf09 --- /dev/null +++ b/pipelines/scanning/images/scanner/build-local.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# To build locally on RHEL 8 or Centos 8 machine +# Prerequisites: podman, and git +export DOCKER_ORG=icp4apps +rm -rf ./etc +mkdir -p ./etc +cp -R /etc/yum.repos.d ./etc +mkdir -p ./etc/pki +cp -R /etc/pki/rpm-gpg ./etc/pki +podman build -f Dockerfile.local -t $DOCKER_ORG/scanner:latest .