From fedff8384418f27b5a711824ca04b7ea23bc0a1e Mon Sep 17 00:00:00 2001
From: WingKwan Lau
Date: Wed, 31 Mar 2021 20:39:31 +0000
Subject: [PATCH 1/2] Merge Wingdev to Development
---
 Dockerfile | 80 ++++++++++++++++++++++++++++
 LICENSE | 0
 config/key.asc | 30 +++++++++++
 documentation/Documentation.txt | 0
 hardening_manifest.yaml | 63 ++++++++++++++++++++++
 root/usr/bin/aap | 23 ++++++++
 root/usr/bin/container-entrypoint | 9 ++++
 root/usr/bin/fix-permissions | 28 ++++++++++
 root/usr/bin/generate-container-user | 20 +++++++
 root/usr/bin/py-enable | 6 +++
 root/usr/bin/rpm-file-permissions | 22 ++++++++
 11 files changed, 281 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 config/key.asc
 create mode 100644 documentation/Documentation.txt
 create mode 100644 hardening_manifest.yaml
 create mode 100644 root/usr/bin/aap
 create mode 100644 root/usr/bin/container-entrypoint
 create mode 100644 root/usr/bin/fix-permissions
 create mode 100644 root/usr/bin/generate-container-user
 create mode 100644 root/usr/bin/py-enable
 create mode 100644 root/usr/bin/rpm-file-permissions
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..db71de8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,80 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_TAG=8.3
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# Set necessary environment variables for python and python development environment
+ARG APP_ROOT=/opt/app-root
+ENV PYTHON_VERSION=3.6 \
+ APP_ROOT=$APP_ROOT \
+ USER_NAME=hero \
+ HOME=${APP_ROOT} \
+ PATH=$HOME/.local/bin/:/opt/app-root/src/bin:/opt/app-root/bin:$PATH \
+ EDITOR=/usr/bin/vim \
+ PS1="AAP \W\$ " \
+ PYTHONUNBUFFERED=1 \
+ PYTHONIOENCODING=UTF-8 \
+ PIP_NO_CACHE_DIR=off \
+ LANG="en_US.UTF-8"
+
+# - Enable the virtual python environment and default interactive and non-interactive
+# shell environment upon container startup
+ENV PROMPT_COMMAND=". /usr/bin/aap && unset PROMPT_COMMAND"
+
+# Copy extra files to the image.
+COPY ./root /
+RUN chmod a+x /usr/bin/container-entrypoint && \
+ chmod a+x /usr/bin/fix-permissions && \
+ chmod a+x /usr/bin/rpm-file-permissions && \
+ chmod a+x /usr/bin/generate-container-user && \
+ chmod a+x /usr/bin/py-enable && \
+ chmod a+x /usr/bin/aap
+
+# Install packages
+RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python36 python36-devel python3-setuptools python3-pip python3-virtualenv" && \
+ yum -y update-minimal --setopt=tsflags=nodocs --security && \
+ yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \
+ yum -y remove vim-minimal && \
+ rpm -V $INSTALL_PKGS && \
+ yum -y clean all --enablerepo="*"
+
+# Install the OpenShift command line tool, oc
+COPY oc.tar.gz /tmp/oc.tar.gz
+RUN tar xvf /tmp/oc.tar.gz && \
+ mv ./oc /usr/bin/ && \
+ rm -f /tmp/oc.tar.gz
+
+RUN # subscription-manager registervc
+
+# Install mongodb shell (client)
+COPY config/key.asc /tmp/key.asc
+COPY mongodb-org-shell-4.4.4-1.el8.x86_64.rpm /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm
+RUN rpm --import /tmp/key.asc && \
+ yum -y install /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm && \
+ rm -f /tmp/key.asc && \
+ rm -f /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm
+
+# Install jq (to parse openshift api query results)
+RUN yum -y install jq
+
+# # Instal helm
+COPY helm-v3.5.2-linux-amd64.tar.gz /tmp/helm-v3.5.2-linux-amd64.tar.gz
+RUN tar -zxvf /tmp/helm-v3.5.2-linux-amd64.tar.gz && \
+ mv linux-amd64/helm /usr/bin/helm && \
+ chmod a+x /usr/bin/helm && \
+ rm -f /tmp/helm-v3.5.2-linux-amd64.tar.gz
+
+# Set up container user and adjust permissions to run in OpenShift environment
+WORKDIR ${HOME}
+RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \
+ -c "Default Application User" default && \
+ fix-permissions ${APP_ROOT} -P && \
+ fix-permissions ${HOME} -P && \
+ rpm-file-permissions
+
+ENTRYPOINT ["/usr/bin/container-entrypoint"]
+USER 1001
+
+HEALTHCHECK CMD python --version
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..e69de29
diff --git a/config/key.asc b/config/key.asc
new file mode 100644
index 0000000..6911973
--- /dev/null
+++ b/config/key.asc
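Review bot: The `rpm --import /tmp/key.asc` before `yum -y install /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm` does not make that install verify the package signature — dnf by default does not GPG-check a local .rpm file unless `localpkg_gpgcheck` is enabled — so the imported key adds no assurance beyond the sha256 recorded in hardening_manifest.yaml; pass `--setopt=localpkg_gpgcheck=1` on that install (or run `rpm -K /tmp/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm` first) so a bad signature fails the build. `RUN tar xvf /tmp/oc.tar.gz` extracts into the build's working directory, which at that point is still `/`, so any archive member other than `oc` is left in the image root; `RUN tar -xf /tmp/oc.tar.gz -C /usr/bin oc && rm -f /tmp/oc.tar.gz` avoids both the stray files and the `mv`. `RUN # subscription-manager registervc` executes an empty shell command and adds a layer; a plain `# subscription-manager register` comment line carries the same information without the layer. `RUN yum -y install jq` is a second package layer without the `--setopt=tsflags=nodocs` and `yum -y clean all` the earlier RUN uses; adding `jq` to `INSTALL_PKGS` keeps one consistent, cleaned-up install step.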
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFzteqwBEADSirbLWsjgkQmdWr06jXPN8049MCqXQIZ2ovy9uJPyLkHgOCta
+8dmX+8Fkk5yNOLScjB1HUGJxAWJG+AhldW1xQGeo6loDfTW1mlfetq/zpW7CKbUp
+qve9eYYulneAy/81M/UoUZSzHqj6XY39wzJCH20H+Qx3WwcqXgSU7fSFXyJ4EBYs
+kWybbrAra5v29LUTBd7OvvS+Swovdh4T31YijUOUUL/gJkBI9UneVyV7/8DdUoVJ
+a8ym2pZ6ALy+GZrWBHcCKD/rQjEkXJnDglu+FSUI50SzaC9YX31TTzEMJijiPi6I
+MIZJMXLH7GpCIDcvyrLWIRYVJAQRoYJB4rmp42HTyed4eg4RnSiFrxVV5xQaDnSl
+/8zSOdVMBVewp8ipv34VeRXgNTgRkhA2JmL+KlALMkPo7MbRkJF01DiOOsIdz3Iu
+43oYg3QYmqxZI6kZNtXpUMnJeuRmMQJJN8yc9ZdOA9Ll2TTcIql8XEsjGcM7IWM9
+CP6zGwCcbrv72Ka+h/bGaLpwLbpkr5I8PjjSECn9fBcgnVX6HfKH7u3y11+Va1nh
+a8ZEE1TuOqRxnVDQ+K4iwaZFgFYsBMKo2ghoU2ZbZxu14vs6Eksn6UFsm8DpPwfy
+jtLtdje8jrbYAqAy5zIMLoW+I6Rb5sU3Olh9nI7NW4T5qQeemBcuRAwB4QARAQAB
+tDdNb25nb0RCIDQuNCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u
+Z29kYi5jb20+iQI+BBMBAgAoBQJc7XqsAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE
+FgIDAQIeAQIXgAAKCRBlZAjjkM+x9SKmD/9BzdjFAgBPPkUnD5pJQgsBQKUEkDsu
+cht6Q0Y4M635K7okpqJvXtZV5Mo+ajWZjUeHn4wPdVgzF2ItwVLRjjak3tIZfe3+
+ME5Y27Aej3LeqQC3Q5g6SnpeZwVEhWzU35CnyhQecP4AhDG3FO0gKUn3GkEgmsd6
+rnXAQLEw3VUYO8boxqBF3zjmFLIIaODYNmO1bLddJgvZlefUC62lWBBUs6Z7PBnl
+q7qBQFhz9qV9zXZwCT2/vgGLg5JcwVdcJXwAsQSr1WCVd7Y79+JcA7BZiSg9FAQd
+4t2dCkkctoUKgXsAH5fPwErGNj5L6iUnhFODPvdDJ7l35UcIZ2h74lqfEh+jh8eo
+UgxkcI2y2FY/lPapcPPKe0FHzCxG2U/NRdM+sqrIfp9+s88Bj+Eub7OhW4dF3AlL
+bh/BGHL9R8xAJRDLv8v7nsKkZWUnJaskeDFCKX3rjcTyTRWTG7EuMCmCn0Ou1hKc
+R3ECvIq0pVfVh+qk0hu+A5Dvj6k3QDcTfse+KfSAJkYvRKiuRuq5KgYcX3YSzL6K
+aZitMyu18XsQxKavpIGzaDhWyrVAig3XXF//zxowYVwuOikr5czgqizu87cqjpyn
+S0vVG4Q3+LswH4xVTn3UWadY/9FkM167ecouu4g3op29VDi7hCKsMeFvFP6OOIls
+G4vQ/QbzucK77Q==
+=eD3N
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/documentation/Documentation.txt b/documentation/Documentation.txt
new file mode 100644
index 0000000..e69de29
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..081a2f3
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "diat/aap-cli"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "4.0"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_REGISTRY: "registry1.dsop.io"
+ BASE_IMAGE: "redhat/ubi/ubi8"
+ BASE_TAG: "8.3"
+
+# Docker image labels
+labels:
+ # Name of the image
+ org.opencontainers.image.title: "aap-cli"
+ # Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "Command line interface tools for working with the Advanced Analytics Platform on Atlas"
+ # License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "AAP License"
+ # URL to find more information on the image
+ org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform"
+ # Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "aap-cli"
+ # Authoritative version of the software
+ org.opencontainers.image.version: "4.0"
+ # Keywords to help with search (ex.
"cicd,gitops,golang")
+ mil.dso.ironbank.image.keywords: "aap,cli,aapcli,aap-cli,client,atlas,diat"
+ # This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "commercial"
+ # Product the image belongs to for grouping multiple images
+ mil.dso.ironbank.product.name: "diat/aap-cli"
+
+# List of resources to make available to the offline build context
+resources:
+ - url: "https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-shell-4.4.4-1.el8.x86_64.rpm"
+ filename: "mongodb-org-shell-4.4.4-1.el8.x86_64.rpm"
+ validation:
+ type: "sha256" # supported: sha256, sha512
+ value: "4954fe92d5642056752561b7f4c5278a4f47619cf7b488d1676c016c714744b3" # must be lowercase
+ - url: "https://mirror.openshift.com/pub/openshift-v4/clients/oc/4.5/linux/oc.tar.gz"
+ filename: "oc.tar.gz"
+ validation:
+ type: "sha256" # supported: sha256, sha512
+ value: "4fccebb411e7579aeb025a9780d0e35f8d220487a5cf203387442f1e40fa179c" # must be lowercase
+ - url: "https://get.helm.sh/helm-v3.5.2-linux-amd64.tar.gz"
+ filename: "helm-v3.5.2-linux-amd64.tar.gz"
+ validation:
+ type: "sha256" # supported: sha256, sha512
+ value: "01b317c506f8b6ad60b11b1dc3f093276bb703281cb1ae01132752253ec706a2" # must be lowercase
+
+
+# List of project maintainers
+maintainers:
+- email: "wingkwan.lau1@navy.mil"
+ name: "WingKwan Lau"
+ username: "wlau"
diff --git a/root/usr/bin/aap b/root/usr/bin/aap
new file mode 100644
index 0000000..546c5d0
--- /dev/null
+++ b/root/usr/bin/aap
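Review bot: The oc resource URL `https://mirror.openshift.com/pub/openshift-v4/clients/oc/4.5/linux/oc.tar.gz` names a release channel rather than a specific build, so the file behind it changes whenever 4.5 receives a new z-stream and the pinned sha256 stops matching — which appears to be exactly what PATCH 2/2 ("oc sha256 debug") is chasing. Pinning to a versioned artifact (the mirror publishes per-version `openshift-client-linux-<version>.tar.gz` files under `clients/ocp/<version>/`, `<version>` being the exact 4.5.z release you intend) keeps the checksum stable, as the helm and mongodb entries already are. `BASE_REGISTRY: "registry1.dsop.io"` also differs from the Dockerfile default `registry1.dso.mil`; aligning the two avoids a different base being pulled when the image is built outside the pipeline. `org.opencontainers.image.vendor: "aap-cli"` repeats the product name where the label expects the distributing organization.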
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+echo -e "\e[38;5;1m ___\e[38;5;208m ___\e[38;5;226m ____\033[97m ________ ____"
+echo -e "\e[38;5;1m / |\e[38;5;208m / |\e[38;5;226m / __ \ \033[97m / ____/ / / _/"
+echo -e "\e[38;5;1m / /| |\e[38;5;208m / /| |\e[38;5;226m / /_/ /\033[97m / / / / / / "
+echo -e "\e[38;5;1m / ___ |\e[38;5;208m/ ___ |\e[38;5;226m/ ____/\033[97m / /___/ /____/ / "
+echo -e "\e[38;5;1m/_/ |_\e[38;5;208m/_/ |_\e[38;5;226m/_/ \033[97m \____/_____/___/ "
+echo
+echo -e "\033[37mCommand line interface for the Advanced Analytics Platform"
+echo -e "\033[94mhttps://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform\033[37m"
+echo -e "Red Hat Universal Base Image 8 (ubi8) with additions: git, helm, mongo, oc, python, vim\033[97m"
+echo
+
+if [ ! -f ~/bin/python ]; then
+ virtualenv-$PYTHON_VERSION ${APP_ROOT}
+fi
+
+if [ ! -f ~/.bashrc ]; then
+ echo "alias vi='vim'" >> ~/.bashrc
+ echo "alias ll='ls -lah --color'" >> ~/.bashrc
+fi
+
+. ~/.bashrc
diff --git a/root/usr/bin/container-entrypoint b/root/usr/bin/container-entrypoint
new file mode 100644
index 0000000..339a74c
--- /dev/null
+++ b/root/usr/bin/container-entrypoint
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# temp: hard coding "hero" as container username (todo: fix to use env vars for username and homedir)
+if [ `id -u` -ge 1 ]; then
+ echo "hero:x:`id -u`:`id -g`:here:/opt/app-root:/bin/bash" >> /etc/passwd
+fi
+
+exec "$@"
+
diff --git a/root/usr/bin/fix-permissions b/root/usr/bin/fix-permissions
new file mode 100644
index 0000000..827eeb5
--- /dev/null
+++ b/root/usr/bin/fix-permissions
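Review bot: The virtualenv is only created when `aap` is sourced from `PROMPT_COMMAND`, i.e. in an interactive bash session, so a non-interactive run (`docker run … python …`, or the Dockerfile's `HEALTHCHECK CMD python --version`) finds no `~/bin/python` and no activated environment. Creating it once at build time in the Dockerfile (`RUN virtualenv-${PYTHON_VERSION} ${APP_ROOT}` ahead of the `fix-permissions` calls) and leaving this script to print the banner and seed `~/.bashrc` makes the image behave the same in both modes. The `[ ! -f ~/bin/python ]` test also assumes `HOME` equals `APP_ROOT`, which holds for the Dockerfile's `ENV` but not for a caller that overrides `HOME`; testing `${APP_ROOT}/bin/python` matches the directory that `virtualenv-$PYTHON_VERSION ${APP_ROOT}` actually populates.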
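Review bot: The `>> /etc/passwd` append runs for every non-root UID, including 1001, which the Dockerfile already creates as `default`, so it produces a duplicate passwd entry for that UID, and for an arbitrary OpenShift UID it only succeeds if `/etc/passwd` has been made writable by gid 0 — nothing in this patch does that, and with no `set -e` the failure is silent before `exec "$@"`. Guard the append on the entry being absent and take the name and home from the `USER_NAME`/`HOME` variables the Dockerfile already exports, as the TODO asks: `if [ "$(id -u)" -ge 1 ] && ! getent passwd "$(id -u)" >/dev/null 2>&1; then` / `echo "${USER_NAME:-hero}:x:$(id -u):$(id -g):${USER_NAME:-hero}:${HOME:-/opt/app-root}:/bin/bash" >> /etc/passwd`. The gecos field currently reads `here`, presumably meant to be `hero`. Since the repo also ships `generate-container-user` (an nss_wrapper approach that needs no write to `/etc/passwd`), pick one mechanism rather than carrying both.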
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Allow this script to fail without failing a build
+set +e
+
+SYMLINK_OPT=${2:--L}
+
+# Fix permissions on the given directory or file to allow group read/write of
+# regular files and execute of directories.
+
+[ $(id -u) -ne 0 ] && CHECK_OWNER=" -uid $(id -u)"
+
+# If argument does not exist, script will still exit with 0,
+# but at least we'll see something went wrong in the log
+if ! [ -e "$1" ] ; then
+ echo "ERROR: File or directory $1 does not exist." >&2
+ # We still want to end successfully
+ exit 0
+fi
+
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -gid 0 -exec chgrp 0 {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -perm -g+rw -exec chmod g+rw {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} -perm /u+x -a \! -perm /g+x -exec chmod g+x {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} -type d \! -perm /g+x -exec chmod g+x {} +
+
+# Always end successfully
+exit 0
+
diff --git a/root/usr/bin/generate-container-user b/root/usr/bin/generate-container-user
new file mode 100644
index 0000000..f092c51
--- /dev/null
+++ b/root/usr/bin/generate-container-user
@@ -0,0 +1,20 @@
+# Set current user in nss_wrapper
+USER_ID=$(id -u)
+GROUP_ID=$(id -g)
+
+if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
+
+ NSS_WRAPPER_PASSWD=/opt/app-root/etc/passwd
+ NSS_WRAPPER_GROUP=/etc/group
+
+ cat /etc/passwd | sed -e 's/^default:/builder:/' > $NSS_WRAPPER_PASSWD
+
+ echo "default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin" >> $NSS_WRAPPER_PASSWD
+
+ export NSS_WRAPPER_PASSWD
+ export NSS_WRAPPER_GROUP
+
+ LD_PRELOAD=libnss_wrapper.so
+ export LD_PRELOAD
+fi
+
diff --git a/root/usr/bin/py-enable b/root/usr/bin/py-enable
new file mode 100644
index 0000000..9d1443b
--- /dev/null
+++ b/root/usr/bin/py-enable
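Review bot: `SYMLINK_OPT=${2:--L}` makes `find` follow symlinks by default, so a link under `$1` that points outside it (into `/etc` or `/usr`, say) gets its target's group and mode changed as well; the Dockerfile sidesteps this by passing `-P` explicitly, but any other caller that omits the second argument inherits the wide behaviour. Defaulting to `-P` (`SYMLINK_OPT=${2:--P}`) keeps the change confined to the tree actually named. `$SYMLINK_OPT` and `${CHECK_OWNER}` are deliberately unquoted so that `CHECK_OWNER` can expand to the two words `-uid N`; a comment saying so (`# CHECK_OWNER is intentionally unquoted: it expands to "-uid N" or to nothing`) would stop a later cleanup from quoting it and breaking the non-root case.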
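Review bot: Nothing in this patch sources or executes this script — the Dockerfile only marks it executable — and it sets `LD_PRELOAD=libnss_wrapper.so` although the Dockerfile's `INSTALL_PKGS` does not install `nss_wrapper`, so if it were sourced every subsequent process would most likely report a preload failure for the missing library. Either add the package and wire the script into the entrypoint (it is the mechanism that avoids writing to `/etc/passwd`), or drop the file so the image does not carry dead code. It also writes to `/opt/app-root/etc/passwd` without anything in this patch creating that directory, and has no shebang; a leading `# shellcheck shell=sh` plus `# Must be sourced, not executed: it exports NSS_WRAPPER_* and LD_PRELOAD into the caller` would document the intent. `cat /etc/passwd | sed …` can simply be `sed -e 's/^default:/builder:/' /etc/passwd`.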
@@ -0,0 +1,6 @@
+# IMPORTANT: Do not add more content to this file unless you know what you are
+# doing. This file is sourced everytime the shell session is opened.
+# This will make the python libraries work out of the box.
+unset BASH_ENV PROMPT_COMMAND ENV
+source /opt/app-root/bin/activate
+
diff --git a/root/usr/bin/rpm-file-permissions b/root/usr/bin/rpm-file-permissions
new file mode 100644
index 0000000..e96e705
--- /dev/null
+++ b/root/usr/bin/rpm-file-permissions
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+CHECK_DIRS="/ /opt /etc /usr /usr/bin /usr/lib /usr/lib64 /usr/share /usr/libexec"
+
+rpm_format="[%{FILESTATES:fstate} %7{FILEMODES:octal} %{FILENAMES:shescape}\n]"
+
+rpm -q --qf "$rpm_format" filesystem | while read line
+do
+ eval "set -- $line"
+
+ case $1 in
+ normal) ;;
+ *) continue ;;
+ esac
+
+ case " $CHECK_DIRS " in
+ *" $3 "*)
+ chmod "${2: -4}" "$3"
+ ;;
+ esac
+done
+
--
GitLab
From 89b10af5a2ac8bd032fbadd28820cfa244e3c021 Mon Sep 17 00:00:00 2001
From: wlau
Date: Mon, 5 Apr 2021 14:37:09 -0700
Subject: [PATCH 2/2] oc sha256 debug
---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 081a2f3..e0ca9fd 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -48,7 +48,7 @@ resources:
 filename: "oc.tar.gz"
 validation:
 type: "sha256" # supported: sha256, sha512
- value: "4fccebb411e7579aeb025a9780d0e35f8d220487a5cf203387442f1e40fa179c" # must be lowercase
+ value: "abaaded020eebcb009bd0fc266ac2bd1ee56e9feec03a5c75b51b085e56dfacf" # must be lowercase
 - url: "https://get.helm.sh/helm-v3.5.2-linux-amd64.tar.gz"
 filename: "helm-v3.5.2-linux-amd64.tar.gz"
 validation:
--
GitLab
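Review bot: This file is never referenced: the Dockerfile does not point `BASH_ENV` or `ENV` at it and `aap` does not source it, so the `unset BASH_ENV PROMPT_COMMAND ENV` guard and the `source /opt/app-root/bin/activate` line never run. If the intent is the usual non-interactive hook, add `ENV BASH_ENV=/usr/bin/py-enable ENV=/usr/bin/py-enable` to the Dockerfile; otherwise remove the file rather than ship an unused path. The activate path is hard-coded while the rest of the image derives it from `APP_ROOT`; `source "${APP_ROOT:-/opt/app-root}/bin/activate"` keeps the two in step.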
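Review bot: `chmod "${2: -4}" "$3"` relies on bash's offset substring expansion under a `#!/bin/sh` shebang; it works because `/bin/sh` on this base image is bash, but a POSIX sh would fail on every iteration, so either change the shebang to `#!/bin/bash` or use the portable `chmod "$(printf '%s' "$2" | tail -c 4)" "$3"`. `read line` without `-r` lets backslashes in the rpm output be interpreted before they reach `eval`; `read -r line` is the safe form even though `%{FILENAMES:shescape}` already quotes the path. A header comment such as `# Reset the directories listed in CHECK_DIRS to the modes recorded by the filesystem RPM` would tell the next maintainer why this runs after the fix-permissions calls in the Dockerfile.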