meh

7eb1c3bc · Scott Stroud · 9419d280 · 7eb1c3bc · 7eb1c3bc · 7eb1c3bc
Commit 7eb1c3bc authored Aug 23, 2021 by Scott Stroud
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 92 additions and 254 deletions

.gitignore .gitignore +2 -1

Dockerfile Dockerfile +32 -20

hardening_manifest.yaml hardening_manifest.yaml +58 -233

No files found.
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,5 @@ archive.key
 *.whl
 *.jar
 *.tar.gz
 *.rpm
\ No newline at end of file
+*.rpm.1
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,17 +9,22 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 ENV LANG="C.UTF-8"
 # IB custom ENV vars
-ENV RPM_VERSION=6.1.2-1
+ENV RPM_VERSION=6.1.3-1
-ENV IMG_TAR_VERSION=6.1.2.1
+ENV IMG_TAR_VERSION=6.1.3.1
 USER root
 ########################################
 ## Install Python
-RUN dnf update -y && dnf install -y python38.x86_64 python38-pip-wheel.noarch openssl tar procps iputils hostname findutils nc \
+RUN dnf update -y --nodocs && dnf install -y --nodocs python3 openssl tar procps iputils hostname \
    && ln -s /usr/bin/python3 /usr/bin/python \
-    && ln -s /usr/bin/pip3 /usr/bin/pip
+    && ln -s /usr/bin/pip3 /usr/bin/pip \
+    && alias python=python3 \
+    && alias pip=pip3 \
+    && alternatives --set python /usr/bin/python3 \
+    && dnf clean all \
+    && rm -rf /var/cache/dnf
 ## Python Installed
 ########################################
@@ -27,11 +32,18 @@ RUN dnf update -y && dnf install -y python38.x86_64 python38-pip-wheel.noarch op
 ## Add the Confluent Docker Utility Belt which helps with starting the proper applications
 ## https://github.com/confluentinc/common-docker/tree/master/utility-belt
+COPY cp-init-container-operator-6.1.2.1_UsrLocalLib64.tar.gz /usr/local/lib64/
+COPY cp-init-container-operator-6.1.2.1_1_UsrLocalLib.tar.gz /usr/local/lib/
 COPY confluent_docker_utils-0.0.44-py3-none-any.whl /tmp/confluent_docker_utils-0.0.44-py3-none-any.whl
 COPY *.whl /tmp/python-dependencies/
 COPY *.gz  /tmp/python-dependencies/
-RUN pip3 install --no-index --prefix=/usr/local --upgrade --find-links /tmp/python-dependencies/ /tmp/confluent_docker_utils-0.0.44-py3-none-any.whl
+## copy in the python libs and then 
+RUN cd /usr/local/lib64 && tar -xvf *_UsrLocalLib64.tar.gz && rm *_UsrLocalLib64.tar.gz \
+    && cd /usr/local/lib && tar -xvf *_UsrLocalLib.tar.gz && rm *_UsrLocalLib.tar.gz \
+    && pip3 install --no-index --prefix=/usr/local --find-links /tmp/python-dependencies/ /tmp/confluent_docker_utils-0.0.44-py3-none-any.whl
 ## dub installed
 ########################################
@@ -48,7 +60,7 @@ RUN chown appuser:appuser -R /usr/logs
 # Copy required RPMs
 COPY *.rpm /tmp/
-COPY archive.key /tmp/
+# COPY archive.key /tmp/
 ########################################
 # confluentinc/kafka-images/server
@@ -60,15 +72,15 @@ ARG KAFKA_ADVERTISED_LISTENERS
 ENV KAFKA_ADVERTISED_LISTENERS=${KAFKA_ADVERTISED_LISTENERS}
 ENV COMPONENT=kafka
-ENV CONFLUENT_VERSION=6.1.2
+ENV CONFLUENT_VERSION=6.1.3
 ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'
 # primary
 EXPOSE 9092
+# Add back in the archive key stuff
 RUN echo "===> Installing ${COMPONENT}" \
-    && rpm --import /tmp/archive.key \
+    && dnf install --nogpgcheck -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
-    && dnf install -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
        /tmp/confluent-rest-utils-${RPM_VERSION}.noarch.rpm \
        /tmp/confluent-metadata-service-${RPM_VERSION}.noarch.rpm \
        /tmp/confluent-server-${RPM_VERSION}.noarch.rpm \
@@ -97,21 +109,21 @@ ENV DOCKER_SCRIPT_DIR=/opt/caas/bin
 ## Operator stuff
 RUN mkdir -p /etc/confluent/ironbank
-COPY cp-server-operator-*_OptCaas.tar.gz /opt/
+# COPY cp-server-operator-*_OptCaas.tar.gz /opt/
-COPY cp-server-operator-*_UsrShareJava.tar.gz /usr/share/
+# COPY cp-server-operator-*_UsrShareJava.tar.gz /usr/share/
-COPY cp-server-operator-*_EtcConfluent.tar.gz /etc/
+# COPY cp-server-operator-*_EtcConfluent.tar.gz /etc/
 ## For auditing & debugging
 COPY Dockerfile /etc/confluent/ironbank/
 COPY hardening_manifest.yaml /etc/confluent/ironbank/
-RUN echo "===> Installing operator stuff" \
+# RUN echo "===> Installing operator stuff" \
-    && cd /usr/share && tar -xvf *_UsrShareJava.tar.gz && rm *_UsrShareJava.tar.gz \
+#     && cd /usr/share && tar -xvf *_UsrShareJava.tar.gz && rm *_UsrShareJava.tar.gz \
-    && cd /opt && tar -xvf *_OptCaas.tar.gz && rm *_OptCaas.tar.gz \
+#     && cd /opt && tar -xvf *_OptCaas.tar.gz && rm *_OptCaas.tar.gz \
-    && cd /etc && tar -xvf *_EtcConfluent.tar.gz && rm *_EtcConfluent.tar.gz \
+#     && cd /etc && tar -xvf *_EtcConfluent.tar.gz && rm *_EtcConfluent.tar.gz \
-    && chown -R appuser:appuser /etc/confluent \
+#     && chown -R appuser:appuser /etc/confluent \
-    && mkdir -p "$KAFKA_DATA_DIR" "${KAFKA_LOG4J_DIR}" "${KAFKA_CONFIG_DIR}" "${COMPONENT_SCRIPT_DIR}/${COMPONENT}" \
+#     && mkdir -p "$KAFKA_DATA_DIR" "${KAFKA_LOG4J_DIR}" "${KAFKA_CONFIG_DIR}" "${COMPONENT_SCRIPT_DIR}/${COMPONENT}" \
-   	&& chmod -R ag+w "${KAFKA_LOG4J_DIR}" "${KAFKA_CONFIG_DIR}" "$KAFKA_DATA_DIR" "/opt"
+#    	&& chmod -R ag+w "${KAFKA_LOG4J_DIR}" "${KAFKA_CONFIG_DIR}" "$KAFKA_DATA_DIR" "/opt"
 WORKDIR /opt
 CMD ["/opt/caas/bin/run"]

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml