Merge branch 'development' into 'master'

Development

See merge request !19

Dockerfile

+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_TAG=8.3
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# Set necessary environment variables for python and python development environment
+ARG APP_ROOT=/opt/app-root
+ENV PYTHON_VERSION=3.6 \
+    APP_ROOT=$APP_ROOT \
+    USER_NAME=hero \
+    HOME=${APP_ROOT} \
+    PATH=$HOME/.local/bin/:/opt/app-root/src/bin:/opt/app-root/bin:$PATH \
+    EDITOR=/usr/bin/vim \
+    PS1="AAP \W\$ " \
+    PYTHONUNBUFFERED=1 \
+    PYTHONIOENCODING=UTF-8 \
+    PIP_NO_CACHE_DIR=off \
+    LANG="en_US.UTF-8"
+
+# - Enable the virtual python environment and default interactive and non-interactive 
+#   shell environment upon container startup
+ENV PROMPT_COMMAND=". /usr/bin/aap && unset PROMPT_COMMAND"
+
+# Copy extra files to the image.
+COPY ./scripts /usr/bin
+RUN chmod a+x /usr/bin/container-entrypoint && \
+    chmod a+x /usr/bin/fix-permissions && \
+    chmod a+x /usr/bin/rpm-file-permissions && \
+    chmod a+x /usr/bin/generate-container-user && \
+    chmod a+x /usr/bin/py-enable && \
+    chmod a+x /usr/bin/aap
+
+# Install packages
+RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python36 python36-devel python3-setuptools python3-pip python3-virtualenv jq" && \
+    yum -y update-minimal --setopt=tsflags=nodocs --security && \
+    yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \
+    yum -y remove vim-minimal && \
+    rpm -V $INSTALL_PKGS && \
+    yum -y clean all --enablerepo="*"
+
+# Install the OpenShift command line tool, oc
+COPY oc.tar.gz /tmp/oc.tar.gz
+RUN tar xvf /tmp/oc.tar.gz && \
+    mv ./oc /usr/bin/ && \
+    rm -f /tmp/oc.tar.gz
+
+RUN # subscription-manager registervc     
+
+# Install mongodb shell (client)
+COPY config/key.asc /tmp/key.asc
+COPY mongodb-org-shell-4.4.4-1.el8.x86_64.rpm /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm
+RUN rpm --import /tmp/key.asc && \
+    yum -y install /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm && \
+    rm -f /tmp/key.asc && \
+    rm -f /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm
+
+# # Instal helm
+COPY helm-v3.5.2-linux-amd64.tar.gz /tmp/helm-v3.5.2-linux-amd64.tar.gz
+RUN tar -zxvf /tmp/helm-v3.5.2-linux-amd64.tar.gz && \
+    mv linux-amd64/helm /usr/bin/helm && \
+    chmod a+x /usr/bin/helm && \
+    rm -f /tmp/helm-v3.5.2-linux-amd64.tar.gz
+
+# Set up container user and adjust permissions to run in OpenShift environment
+WORKDIR ${HOME}
+RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \
+       -c "Default Application User" default && \
+    fix-permissions ${APP_ROOT} -P && \
+    fix-permissions ${HOME} -P && \
+    rpm-file-permissions
+
+# Remove sticky bit
+RUN chmod g-s /usr/libexec/openssh/ssh-keysign
+
+ENTRYPOINT ["/usr/bin/container-entrypoint"]
+USER 1001
+
+HEALTHCHECK CMD python --version
+

README.md

-# <application name>
+# AAP Command Line Interface
+_Deploy this container to your project and open a shell in it to gain access to command line tools that help you manage your project._
 
-Project template for all Iron Bank container repositories.
\ No newline at end of file
+![AAP CLI](images/aap-cli-screenshot.png "AAP CLI")
+
+## To use
+This project is used to build the aap-cli image. To use it, add the container to your project by referencing the built image from a container repository (like Nexus).
+TBD: Add from the AAP Catalog (look for AAP CLI)
+
+## Tools included
+- `oc` (OpenShift CLI tool, v4.3.14)
+- `git` (v2.18.4)
+- `python` (v3.6)
+- `mongo` shell (v3.6.18)
+
+## Ideas, things you can do with this
+- Just use your browser... stop struggling with configuration of client-based shells like `git-bash` or Windows `cmd.exe`
+- Use command line and text-based tools to organize your work and keep track of it with git SCM
+- Perform troubleshooting and testing of other pods in your project using tools like `curl` and `pytest`
+
+## For help
+- Find support in NAVAIR Fusion chat channel [#aap_support](https://chat.navair1.navy.mil/channel/aap_support)
+- Check out the [AAP Wiki](https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform) for user guides and further support

config/key.asc

+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFzteqwBEADSirbLWsjgkQmdWr06jXPN8049MCqXQIZ2ovy9uJPyLkHgOCta
+8dmX+8Fkk5yNOLScjB1HUGJxAWJG+AhldW1xQGeo6loDfTW1mlfetq/zpW7CKbUp
+qve9eYYulneAy/81M/UoUZSzHqj6XY39wzJCH20H+Qx3WwcqXgSU7fSFXyJ4EBYs
+kWybbrAra5v29LUTBd7OvvS+Swovdh4T31YijUOUUL/gJkBI9UneVyV7/8DdUoVJ
+a8ym2pZ6ALy+GZrWBHcCKD/rQjEkXJnDglu+FSUI50SzaC9YX31TTzEMJijiPi6I
+MIZJMXLH7GpCIDcvyrLWIRYVJAQRoYJB4rmp42HTyed4eg4RnSiFrxVV5xQaDnSl
+/8zSOdVMBVewp8ipv34VeRXgNTgRkhA2JmL+KlALMkPo7MbRkJF01DiOOsIdz3Iu
+43oYg3QYmqxZI6kZNtXpUMnJeuRmMQJJN8yc9ZdOA9Ll2TTcIql8XEsjGcM7IWM9
+CP6zGwCcbrv72Ka+h/bGaLpwLbpkr5I8PjjSECn9fBcgnVX6HfKH7u3y11+Va1nh
+a8ZEE1TuOqRxnVDQ+K4iwaZFgFYsBMKo2ghoU2ZbZxu14vs6Eksn6UFsm8DpPwfy
+jtLtdje8jrbYAqAy5zIMLoW+I6Rb5sU3Olh9nI7NW4T5qQeemBcuRAwB4QARAQAB
+tDdNb25nb0RCIDQuNCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u
+Z29kYi5jb20+iQI+BBMBAgAoBQJc7XqsAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE
+FgIDAQIeAQIXgAAKCRBlZAjjkM+x9SKmD/9BzdjFAgBPPkUnD5pJQgsBQKUEkDsu
+cht6Q0Y4M635K7okpqJvXtZV5Mo+ajWZjUeHn4wPdVgzF2ItwVLRjjak3tIZfe3+
+ME5Y27Aej3LeqQC3Q5g6SnpeZwVEhWzU35CnyhQecP4AhDG3FO0gKUn3GkEgmsd6
+rnXAQLEw3VUYO8boxqBF3zjmFLIIaODYNmO1bLddJgvZlefUC62lWBBUs6Z7PBnl
+q7qBQFhz9qV9zXZwCT2/vgGLg5JcwVdcJXwAsQSr1WCVd7Y79+JcA7BZiSg9FAQd
+4t2dCkkctoUKgXsAH5fPwErGNj5L6iUnhFODPvdDJ7l35UcIZ2h74lqfEh+jh8eo
+UgxkcI2y2FY/lPapcPPKe0FHzCxG2U/NRdM+sqrIfp9+s88Bj+Eub7OhW4dF3AlL
+bh/BGHL9R8xAJRDLv8v7nsKkZWUnJaskeDFCKX3rjcTyTRWTG7EuMCmCn0Ou1hKc
+R3ECvIq0pVfVh+qk0hu+A5Dvj6k3QDcTfse+KfSAJkYvRKiuRuq5KgYcX3YSzL6K
+aZitMyu18XsQxKavpIGzaDhWyrVAig3XXF//zxowYVwuOikr5czgqizu87cqjpyn
+S0vVG4Q3+LswH4xVTn3UWadY/9FkM167ecouu4g3op29VDi7hCKsMeFvFP6OOIls
+G4vQ/QbzucK77Q==
+=eD3N
+-----END PGP PUBLIC KEY BLOCK-----

hardening_manifest.yaml

+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "diat/aap-cli"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "4.0"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_REGISTRY: "registry1.dsop.io"
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.3"
+
+# Docker image labels
+labels:
+  # Name of the image
+  org.opencontainers.image.title: "aap-cli"
+  # Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Command line interface tools for working with the Advanced Analytics Platform on Atlas"
+  # License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "AAP License"
+  # URL to find more information on the image
+  org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform"
+  # Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "aap-cli"
+  # Authoritative version of the software
+  org.opencontainers.image.version: "4.0"
+  # Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "aap,cli,aapcli,aap-cli,client,atlas,diat"
+  # This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  # Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "diat/aap-cli"
+ 
+# List of resources to make available to the offline build context
+resources: 
+  - url: "https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm"
+    filename: "mongodb-org-shell-4.4.4-1.el8.x86_64.rpm" 
+    validation:
+      type: "sha256" # supported: sha256, sha512
+      value: "4954fe92d5642056752561b7f4c5278a4f47619cf7b488d1676c016c714744b3" # must be lowercase
+  - url: "https://mirror.openshift.com/pub/openshift-v4/clients/oc/4.5/linux/oc.tar.gz"
+    filename: "oc.tar.gz" 
+    validation:
+      type: "sha256" # supported: sha256, sha512
+      value: "a4326b35a07f5ec260c7a87cf68d9064f59f05e15a7d54996978cf2811f6eacd" # must be lowercase
+  - url: "https://get.helm.sh/helm-v3.5.2-linux-amd64.tar.gz"
+    filename: "helm-v3.5.2-linux-amd64.tar.gz" 
+    validation:
+      type: "sha256" # supported: sha256, sha512
+      value: "01b317c506f8b6ad60b11b1dc3f093276bb703281cb1ae01132752253ec706a2" # must be lowercase
+
+# List of project maintainers
+maintainers:
+- email: "wingkwan.lau1@navy.mil"
+  name: "WingKwan Lau"
+  username: "wlau"

scripts/aap

+#!/bin/bash
+
+echo -e "\e[38;5;1m    ___\e[38;5;208m    ___\e[38;5;226m    ____\033[97m     ________    ____"
+echo -e "\e[38;5;1m   /   |\e[38;5;208m  /   |\e[38;5;226m  / __ \ \033[97m  / ____/ /   /  _/"
+echo -e "\e[38;5;1m  / /| |\e[38;5;208m / /| |\e[38;5;226m / /_/ /\033[97m  / /   / /    / /  "
+echo -e "\e[38;5;1m / ___ |\e[38;5;208m/ ___ |\e[38;5;226m/ ____/\033[97m  / /___/ /____/ /   "
+echo -e "\e[38;5;1m/_/  |_\e[38;5;208m/_/  |_\e[38;5;226m/_/    \033[97m   \____/_____/___/   "
+echo                                     
+echo -e "\033[37mCommand line interface for the Advanced Analytics Platform"
+echo -e "\033[94mhttps://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform\033[37m"
+echo -e "Red Hat Universal Base Image 8 (ubi8) with additions: git, helm, mongo, oc, python, vim\033[97m"
+echo
+
+if [ ! -f ~/bin/python ]; then
+    virtualenv-$PYTHON_VERSION ${APP_ROOT}
+fi
+
+if [ ! -f ~/.bashrc ]; then
+    echo "alias vi='vim'" >> ~/.bashrc
+    echo "alias ll='ls -lah --color'" >> ~/.bashrc
+fi
+
+. ~/.bashrc

scripts/container-entrypoint

+#!/bin/bash
+
+exec "$@"
+

scripts/fix-permissions

+#!/bin/sh
+
+# Allow this script to fail without failing a build
+set +e
+
+SYMLINK_OPT=${2:--L}
+
+# Fix permissions on the given directory or file to allow group read/write of
+# regular files and execute of directories.
+
+[ $(id -u) -ne 0 ] && CHECK_OWNER=" -uid $(id -u)"
+
+# If argument does not exist, script will still exit with 0,
+# but at least we'll see something went wrong in the log
+if ! [ -e "$1" ] ; then
+  echo "ERROR: File or directory $1 does not exist." >&2
+  # We still want to end successfully
+  exit 0
+fi
+
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -gid 0 -exec chgrp 0 {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -perm -g+rw -exec chmod g+rw {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} -perm /u+x -a \! -perm /g+x -exec chmod g+x {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} -type d \! -perm /g+x -exec chmod g+x {} +
+
+# Always end successfully
+exit 0
+

scripts/generate-container-user

+# Set current user in nss_wrapper
+USER_ID=$(id -u)
+GROUP_ID=$(id -g)
+
+if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
+
+    NSS_WRAPPER_PASSWD=/opt/app-root/etc/passwd
+    NSS_WRAPPER_GROUP=/etc/group
+
+    cat /etc/passwd | sed -e 's/^default:/builder:/' > $NSS_WRAPPER_PASSWD
+
+    echo "default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin" >> $NSS_WRAPPER_PASSWD
+
+    export NSS_WRAPPER_PASSWD
+    export NSS_WRAPPER_GROUP
+
+    LD_PRELOAD=libnss_wrapper.so
+    export LD_PRELOAD
+fi
+

scripts/py-enable

+# IMPORTANT: Do not add more content to this file unless you know what you are
+#            doing. This file is sourced everytime the shell session is opened.
+# This will make the python libraries work out of the box.
+unset BASH_ENV PROMPT_COMMAND ENV
+source /opt/app-root/bin/activate
+

scripts/rpm-file-permissions

+#!/bin/sh
+
+CHECK_DIRS="/ /opt /etc /usr /usr/bin /usr/lib /usr/lib64 /usr/share /usr/libexec"
+
+rpm_format="[%{FILESTATES:fstate}  %7{FILEMODES:octal} %{FILENAMES:shescape}\n]"
+
+rpm -q --qf "$rpm_format" filesystem | while read line
+do
+    eval "set -- $line"
+
+    case $1 in
+        normal) ;;
+        *) continue ;;
+    esac
+
+    case " $CHECK_DIRS " in
+        *" $3 "*)
+            chmod "${2: -4}" "$3"
+            ;;
+    esac
+done
+