This repository has been archived by the owner on Jul 28, 2023. It is now read-only.

Merge pull request #81 from teddyjtorres/80-updateScannerImage
Update scanner image to use ubi8 for issue #80
teddyjtorres authored Nov 5, 2020
2 parents 351217c + 2597282 commit 85ae9e0
Showing 3 changed files with 92 additions and 23 deletions.
51 changes: 28 additions & 23 deletions pipelines/scanning/images/scanner/Dockerfile
@@ -1,54 +1,59 @@
## Kabanero Scanner Image containing OpenSCAP tools
## Note: Pulling container will require logging into Red Hat's registry using `docker login registry.redhat.io` .

## Note: We're using the UBI 7 registry instead of RHEL here
FROM registry.access.redhat.com/ubi7:latest
## Note: We're using the UBI 8 registry instead of RHEL here
FROM registry.access.redhat.com/ubi8:latest
MAINTAINER [email protected]

### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
LABEL name="Kabanero Scanner Image" \
maintainer="[email protected]" \
vendor="IBM" \
version="1.3" \
release="1.3-1413" \
version="1.3.4" \
release="1.3.4" \
summary="Kabanero Scanner Image containing OpenSCAP tools" \
description="OpenSCAP tools necessary to run an image scan from a Tekton pipeline, built from the OpenSCAP version and pull request indicated in the release label."

### add licenses to this directory
COPY licenses /licenses

### Copy repository configuration for temporary tools needed during the build that will be removed after OpenSCAP is built.
COPY ./yum.repos.d /etc/yum.repos.d
COPY /etc/yum.repos.d /etc/yum.repos.d

### Add necessary Red Hat repos here
## Note: The UBI has different repos than the RHEL repos.
RUN REPOLIST=ubi-7,ubi-7-optional \

RUN REPOLIST=ubi-8-baseos,ubi-8-codeready-builder,ubi-8-appstream \
VERSION=1.3.4 \
### Add your package needs here
INSTALL_PKGS="" \
TEMP_BUILD_OTHER_PKGS="cmake dbus-devel git GConf2-devel libacl-devel libblkid-devel libcap-devel libattr-devel perl-XML-Parser perl-XML-XPath python-devel rpm-devel swig bzip2-devel" \
TEMP_BUILD_UBI_PKGS="wget libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel make openldap-devel pcre-devel perl-devel gcc-c++" && \
yum -y update-minimal --disablerepo "*" --enablerepo ubi-7 --setopt=tsflags=nodocs \
INSTALL_PKGS="libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel openldap-devel pcre-devel perl-devel python36-devel bzip2-devel libyaml-devel" \
TEMP_BUILD_UBI_PKGS="wget make gcc-c++" \
INSTALL_OTHER_PKGS="dbus-devel libacl-devel libblkid-devel libcap-devel libattr-devel perl-XML-Parser perl-XML-XPath rpm-devel" \
TEMP_BUILD_OTHER_PKGS="cmake git swig" \
REMOVE_PKGS="kernel-headers vim-minimal" && \
yum -y update --setopt=tsflags=nodocs --allowerasing && \
yum -y update-minimal --disablerepo "*" --enablerepo ubi-8* --setopt=tsflags=nodocs \
--security --sec-severity=Important --sec-severity=Critical && \
yum repolist && \
yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} ${TEMP_BUILD_UBI_PKGS} && \
yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${TEMP_BUILD_UBI_PKGS} && \
yum -y install --disablerepo "ubi-*" --setopt=tsflags=nodocs ${INSTALL_OTHER_PKGS} && \
yum -y install --disablerepo "ubi-*" --setopt=tsflags=nodocs ${TEMP_BUILD_OTHER_PKGS} && \

### Install your application here -- add all other necessary items to build your image
# wget https://github.com/OpenSCAP/openscap/releases/download/1.3.1/openscap-1.3.1.tar.gz && \
# wget https://github.com/OpenSCAP/openscap/releases/download/1.3.1/openscap-1.3.1.tar.gz.sha512 && \
# sha512sum -c openscap-1.3.1.tar.gz.sha512 && \
# tar -xzpf openscap-1.3.1.tar.gz && \
# cd openscap-1.3.1 && \
# mkdir -p build && \
git clone https://github.com/OpenSCAP/openscap.git && \
cd openscap && \
git checkout maint-1.3 && \
wget https://github.com/OpenSCAP/openscap/releases/download/${VERSION}/openscap-${VERSION}.tar.gz && \
wget https://github.com/OpenSCAP/openscap/releases/download/${VERSION}/openscap-${VERSION}.tar.gz.sha512 && \
sha512sum -c openscap-${VERSION}.tar.gz.sha512 && \
tar -xzpf openscap-${VERSION}.tar.gz && \
cd openscap-${VERSION} && \
mkdir -p build && \
#
# git clone https://github.com/OpenSCAP/openscap.git && \
# cd openscap && \
# git checkout maint-1.3 && \
cd build && \
cmake -DENABLE_OSCAP_UTIL=TRUE -DENABLE_OSCAP_UTIL_CHROOT=TRUE -DENABLE_OSCAP_UTIL_PODMAN=TRUE ../ && \
make && \
make install && \
yum -y remove --setopt=tsflags=nodocs ${TEMP_BUILD_UBI_PKGS} ${TEMP_BUILD_OTHER_PKGS} && \
yum -y remove --setopt=tsflags=nodocs ${TEMP_BUILD_UBI_PKGS} ${TEMP_BUILD_OTHER_PKGS} ${REMOVE_PKGS} && \
yum clean all -y && \
# Remove repos' configs
rm -rf /etc/rhsm /etc/yum.repos.d /etc/pki/entitlement /etc/pki/rpm-gpg
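Review bot: The `sha512sum -c openscap-${VERSION}.tar.gz.sha512` step checks the tarball against a checksum file downloaded from the same GitHub release URL, so it catches a corrupted download but not a replaced release asset. Pinning the expected digest in the Dockerfile closes that gap, e.g. `echo "<EXPECTED_SHA512>  openscap-${VERSION}.tar.gz" | sha512sum -c - && \`, with the value recorded whenever `VERSION` is bumped. `FROM registry.access.redhat.com/ubi8:latest` is likewise a floating reference (as is `ubi7:latest` in Dockerfile-ubi7); a fixed tag or `@sha256:<DIGEST>` would make the scanner image reproducible.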
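--- a/pipelines/scanning/images/scanner/Dockerfile-ubi7
+++ b/pipelines/scanning/images/scanner/Dockerfile-ubi7
@@ -0,0 +1,55 @@
+## Kabanero Scanner Image containing OpenSCAP tools
+## Note: Pulling container will require logging into Red Hat's registry using `docker login registry.redhat.io` .
+
+## Note: We're using the UBI 7 registry instead of RHEL here
+FROM registry.access.redhat.com/ubi7:latest
+MAINTAINER [email protected]
+
+### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL name="Kabanero Scanner Image" \
+maintainer="[email protected]" \
+vendor="IBM" \
+version="1.3" \
+release="1.3-1413" \
+summary="Kabanero Scanner Image containing OpenSCAP tools" \
+description="OpenSCAP tools necessary to run an image scan from a Tekton pipeline, built from the OpenSCAP version and pull request indicated in the release label."
+
+### add licenses to this directory
+COPY licenses /licenses
+
+### Copy repository configuration for temporary tools needed during the build that will be removed after OpenSCAP is built.
+COPY ./yum.repos.d /etc/yum.repos.d
+
+### Add necessary Red Hat repos here
+## Note: The UBI has different repos than the RHEL repos.
+RUN REPOLIST=ubi-7,ubi-7-optional \
+
+### Add your package needs here
+INSTALL_PKGS="" \
+TEMP_BUILD_OTHER_PKGS="cmake dbus-devel git GConf2-devel libacl-devel libblkid-devel libcap-devel libattr-devel perl-XML-Parser perl-XML-XPath python-devel rpm-devel swig bzip2-devel" \
+TEMP_BUILD_UBI_PKGS="wget libcurl-devel libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel make openldap-devel pcre-devel perl-devel gcc-c++" && \
+yum -y update-minimal --disablerepo "*" --enablerepo ubi-7 --setopt=tsflags=nodocs \
+--security --sec-severity=Important --sec-severity=Critical && \
+yum repolist && \
+yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} ${TEMP_BUILD_UBI_PKGS} && \
+yum -y install --disablerepo "ubi-*" --setopt=tsflags=nodocs ${TEMP_BUILD_OTHER_PKGS} && \
+
+### Install your application here -- add all other necessary items to build your image
+# wget https://github.com/OpenSCAP/openscap/releases/download/1.3.1/openscap-1.3.1.tar.gz && \
+# wget https://github.com/OpenSCAP/openscap/releases/download/1.3.1/openscap-1.3.1.tar.gz.sha512 && \
+# sha512sum -c openscap-1.3.1.tar.gz.sha512 && \
+# tar -xzpf openscap-1.3.1.tar.gz && \
+# cd openscap-1.3.1 && \
+# mkdir -p build && \
+git clone https://github.com/OpenSCAP/openscap.git && \
+cd openscap && \
+git checkout maint-1.3 && \
+cd build && \
+cmake -DENABLE_OSCAP_UTIL=TRUE -DENABLE_OSCAP_UTIL_CHROOT=TRUE -DENABLE_OSCAP_UTIL_PODMAN=TRUE ../ && \
+make && \
+make install && \
+yum -y remove --setopt=tsflags=nodocs ${TEMP_BUILD_UBI_PKGS} ${TEMP_BUILD_OTHER_PKGS} && \
+yum clean all -y && \
+# Remove repos' configs
+rm -rf /etc/rhsm /etc/yum.repos.d /etc/pki/entitlement /etc/pki/rpm-gpg
+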
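Review bot: The UBI 7 variant still builds OpenSCAP from whatever `maint-1.3` points to at build time (`git clone … && git checkout maint-1.3`), with the checksum-verified tarball path left commented out, so two builds of this file can compile different source and the `release="1.3-1413"` label cannot be tied to what was actually built. Checking out a fixed commit or release tag, `git checkout <PINNED_COMMIT_OR_TAG> && \`, would make the build repeatable and auditable. Separately, `mkdir -p build` is commented out while `cd build` remains, so the step relies on the checkout already containing a `build` directory; a one-line comment saying so would help the next reader.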
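--- a/pipelines/scanning/images/scanner/build-podman.sh
+++ b/pipelines/scanning/images/scanner/build-podman.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+mkdir -p ./etc/yum.repos.d
+cp -R /etc/yum.repos.d/* ./etc/yum.repos.d
+echo "$DOCKER_PASSWORD" | podman login -u "$DOCKER_USERNAME" --password-stdin docker.io
+podman build -t $DOCKER_ORG/scanner -t $DOCKER_ORG/scanner:latest .
+podman push $DOCKER_ORG/scanner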
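Review bot: `cp -R /etc/yum.repos.d/* ./etc/yum.repos.d` puts every repo definition from the build host into the build context, and the Dockerfile's `COPY /etc/yum.repos.d /etc/yum.repos.d` then commits them in their own layer; the `rm -rf /etc/yum.repos.d` at the end of the later `RUN` hides them from the final filesystem but, unless the build is squashed, not from the layers pushed to docker.io. Any internal mirror URL or credential embedded in a host `.repo` file would be recoverable from the published image, and the packages installed with `--disablerepo "ubi-*"` come from whatever repos that host happens to have configured. Consider committing a reviewed repo file for the extra build tools instead of copying the host's. Quoting the variables (`"$DOCKER_ORG/scanner"`) and using `set -eu` would also stop the script when `DOCKER_ORG` is unset rather than tagging `/scanner`.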
