From cd0f40ca574045c0b13bf9148c8d5b18d475315d Mon Sep 17 00:00:00 2001 From: Joshua Eason Date: Tue, 8 Jun 2021 14:54:08 +0000 Subject: [PATCH 1/8] Getting rid of update-checklist-AO branch --- .../issue_templates/Application - Initial.md | 143 ++++++++++++++++-- 1 file changed, 131 insertions(+), 12 deletions(-) diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md index 7ddab91..574f8c6 100644 --- a/.gitlab/issue_templates/Application - Initial.md +++ b/.gitlab/issue_templates/Application - Initial.md @@ -17,6 +17,13 @@ If you need to contact the Container Hardening team, please identify your assign If you have no assignee, feel free to tag Container Hardening leadership in your issue by commenting on this issue with your questions/concerns and then add `/cc @ironbank-notifications/leadership`. Gitlab will automatically notify all Container Hardening leadership to look at this issue and respond. +## Get Unstuck/AMA: +Iron Bank Get Unstuck/AMA Working Sessions every Wednesday from 1630-1730EST. +Need some help with your containers getting through Iron Bank? Have questions on where things are at? Are you feeling stuck and want to figure out the next steps? This is the meeting for you! Come meet with the Iron Bank leadership and engineers to get answers to your questions. + Register in advance for this meeting: https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo +After registering, you will receive a confirmation email containing information about joining the meeting. + +If you have any questions, please come to our Get Unstuck/AMA sessions. There we will have the right combination of business folks and engineers to get your questions answered. ## Responsibilities 
@@ -25,28 +32,140 @@ If this application is owned by a Contributor or Vendor (identifed as `Owner::Co ## Definition of Done -Hardening: -- [ ] Hardening manifest is created and adheres to the schema (https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json) -- [ ] Container builds successfully through the Gitlab CI pipeline -- [ ] Branch has been merged into `development` -- [ ] Project is configured for automatic renovate updates (if possible) -Justifications: -- [ ] All findings have been justified per the above documentation +This checklist is meant to provide a high level overview of the process and steps for getting your container(s) onto Iron Bank. + +- [ ] Create a Repo1 account (https://repo1.dso.mil/users/sign_in) to get access to the public repository of containers. You can register by clicking on the 'Sign in with Iron Bank SSO' button in the sign-in page, followed by the Register button + +- [ ] Fill out the onboarding form: https://p1.dso.mil/#/products/iron-bank/getting-started + +- [ ] Attend our once weekly onboarding session where you can ask questions. [Register here](https://www.zoomgov.com/meeting/register/vJIsce6rpzkqGq9hHHRscNfGENYqvRL1s10%E2%81%A9). + +- [ ] Your Onboarding form will be processed by the Iron Bank team, who will then assign it a priority level and create your repository. 
You will receive an email that your Gitlab issue has been created and is ready for you to complete the hardening process + +- [ ] Ensure that all POCs are assigned to the issue to ensure proper tracking and notifications + +## Hardening Process + +### Repository Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/structure_requirements.md) + +- [ ] A Dockerfile has been created in the root of the repository + +- [ ] Hardening_manifest.yaml has been created in the root of the repository + +- [ ] The project has a LICENSE or a copy of the EULA + +- [ ] The project has a README in the root of the repository with sufficient instructions on using the Iron Bank version of the image + +- [ ] If your container is an enterprise/commercial container, the opensource version is ready + +- [ ] Scripts used in the Dockerfile are placed into a `scripts` directory + +- [ ] Configuration files are placed into a `config` directory + +- [ ] Project is [configured for automatic renovate updates](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Renovate.md) (if possible) + + - [ ] Renovate.json is present in root of repository + + - [ ] Reviewers have been specified for notifications on new merge requests + +### Dockerfile Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md) + +- [ ] There is one Dockerfile named Dockerfile + +- [ ] The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline) + +- [ ] The Dockerfile is [based on a hardened Iron Bank image](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md#requirements) + +- [ ] The Dockerfile includes a HEALTHCHECK (required if it is an application container) + +- [ ] The Dockerfile starts the container as a non-root USER. 
Otherwise, if you must run as root, you must have proper justification. + +- [ ] If your ENTRYPOINT entails using a script, the script is copied from a scripts directory on the project root + +- [ ] No ADD instructions are used in the Dockerfile + +## Hardening Manifest + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/hardening%20manifest) + +- [ ] Begin with this example and update with relevant information: https://repo1.dso.mil/dsop/dccscr/-/blob/master/hardening%20manifest/hardening_manifest.yaml + +- [ ] Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json + +- [ ] The BASE_IMAGE and BASE_TAG arguments refer to a hardened/approved Iron Bank image (BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline) + +- [ ] Relevant image metadata has been entered for the corresponding labels + +- [ ] Any downloaded resources include a checksum for verification (letters must be lowercase) + +- [ ] For resource URLs that require authentication, credentials have been provided to an Iron Bank team member + +- [ ] The maintainers' contact information has been provided in the `maintainers` section + +## Gitlab CI Pipeline + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pipeline) + +- [ ] Validate your container builds successfully through the Gitlab CI pipeline. When viewing the repository in repo1.dso.mil, go to `CI/CD > Pipelines` on the left. From there, you can see the status of your pipelines. + +- [ ] Review scan output from `csv output` stage of the pipeline. 
For instructions on downloading the findings spreadsheet, click [here](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/spreadsheet.md) + +- [ ] Fix vulnerabilities that were found and run the pipeline again before requesting a merge to the development branch + +## Pre-Approval: + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pre-approval) + +- [ ] Submit a Merge Request to the development branch + +- [ ] Feature branch has been merged into development + +- [ ] All findings from the development branch pipeline have been justified per the above documentation + - [ ] Justifications have been attached to this issue -- [ ] Apply the label `Approval` to indicate this container is ready for the approval phase -Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over. +- [ ] Apply the `Approval` label and remove the `Doing` label to indicate this container is ready for the approval phase + +_Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over._ + +## Approval Process (Container Hardening Team processes): + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/approval) -Approval Process (Container Hardening Team processes): - [ ] Peer review from Container Hardening Team + - [ ] Findings Approver has reviewed and approved all justifications + - [ ] Approval request has been sent to Authorizing Official + - [ ] Approval request has been processed by Authorizing Official -Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label. 
+One of the following statuses is assigned: + +- [ ] Conditional approval has been granted by the Authorizing Official for this container (`Approval::Expiring` label is applied) + +- [ ] This container has been approved by the Authorizing Official (`Approved` label is applied) + +_Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label._ + +## Post-Approval + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/post%20approval) + +- [ ] Your issue has been closed + +- [ ] Your project has been merged into master + +- [ ] Master branch pipeline has completed successfully (at this point, the image is made available on `ironbank.dso.mil` and `registry1.dso.mil` ) + +_Note: Now that your application has been approved, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to step 5 (Gitlab CI Pipeline). As you make changes, please make sure you are adhering to all of the requirements of the hardening process._ + -## Post Approval ### Continuous Monitoring -- GitLab From 96902c114e3df05ea700f621cbfe60e28684a843 Mon Sep 17 00:00:00 2001 
From: WingKwan Lau Date: Wed, 30 Jun 2021 14:16:00 +0000 Subject: [PATCH 2/8] Update .gitignore, Dockerfile, script/application-template.yaml, script/build-config-test.yaml, script/cluster-catrust.yaml, script/deployment-config.yaml, script/pvc.yaml, script/image-stream-test.yaml, hardening_manifest.yaml, README.md files --- .gitignore | 2 ++ Dockerfile | 56 +++++++++++++++++++++++++++++++++ LICENSE | 46 +++++++++++++++++++++++++++ README.md | 5 ++- hardening_manifest.yaml | 44 ++++++++++++++++++++++++++ scripts/container-entrypoint | 9 ++++++ scripts/fix-permissions | 28 +++++++++++++++++ scripts/generate-container-user | 20 ++++++++++++ scripts/py-enable | 6 ++++ scripts/rpm-file-permissions | 22 +++++++++++++ 10 files changed, 235 insertions(+), 3 deletions(-) create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 hardening_manifest.yaml create mode 100644 scripts/container-entrypoint create mode 100644 scripts/fix-permissions create mode 100644 scripts/generate-container-user create mode 100644 scripts/py-enable create mode 100644 scripts/rpm-file-permissions diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d71f403 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.nfs* +root/user/bin/.nfs* diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..3646244 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,56 @@ +ARG BASE_REGISTRY=registry1.dso.mil +ARG BASE_IMAGE=redhat/ubi/ubi8 +ARG BASE_TAG=8.3 + +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} + +# Set necessary environment variables for python and python development environment +ARG APP_ROOT=/opt/app-root +ENV PYTHON_VERSION=3.8 \ + APP_ROOT=$APP_ROOT \ + USER_NAME=hero \ + HOME=${APP_ROOT} \ + PATH=$HOME/.local/bin/:$APP_ROOT/.local/bin:/opt/app-root/src/bin:/opt/app-root/bin:$PATH: \ + EDITOR=/usr/bin/vim \ + PS1="AAP \W\$ " \ + PYTHONUNBUFFERED=1 \ + PYTHONIOENCODING=UTF-8 \ + PIP_NO_CACHE_DIR=off \ + LANG="en_US.UTF-8" + +# - Enable the virtual python environment and default interactive and non-interactive +# shell environment upon container startup +ENV PROMPT_COMMAND="" + +# Copy extra files to the image. +COPY ./scripts /usr/bin +RUN chmod a+x /usr/bin/container-entrypoint && \ + chmod a+x /usr/bin/fix-permissions && \ + chmod a+x /usr/bin/rpm-file-permissions && \ + chmod a+x /usr/bin/generate-container-user && \ + chmod a+x /usr/bin/py-enable + + +# Install packages +RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip " && \ + yum -y update-minimal --setopt=tsflags=nodocs --security && \ + yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ + yum -y remove vim-minimal && \ + rpm -V $INSTALL_PKGS && \ + yum -y clean all --enablerepo="*" + +# - Create a Python virtual environment for use by any application to avoid potential conflicts with Python packages +# preinstalled in the main Python installation. 
+RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable + +# Set up container user and adjust permissions to run in OpenShift environment +WORKDIR ${HOME} +RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \ + -c "Default Application User" default && \ + fix-permissions ${APP_ROOT} -P && \ + fix-permissions ${HOME} -P && \ + rpm-file-permissions + +ENTRYPOINT ["/usr/bin/container-entrypoint"] + +HEALTHCHECK CMD python --version diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..61afe9c --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,46 @@ + + + Python: + + PSF LICENSE AGREEMENT FOR PYTHON 3.6.12 +1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and + the Individual or Organization ("Licensee") accessing and otherwise using Python + 3.6.12 software in source or binary form and its associated documentation. + +2. Subject to the terms and conditions of this License Agreement, PSF hereby + grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, + analyze, test, perform and/or display publicly, prepare derivative works, + distribute, and otherwise use Python 3.6.12 alone or in any derivative + version, provided, however, that PSF's License Agreement and PSF's notice of + copyright, i.e., "Copyright © 2001-2020 Python Software Foundation; All Rights + Reserved" are retained in Python 3.6.12 alone or in any derivative version + prepared by Licensee. + +3. In the event Licensee prepares a derivative work that is based on or + incorporates Python 3.6.12 or any part thereof, and wants to make the + derivative work available to others as provided herein, then Licensee hereby + agrees to include in any such work a brief summary of the changes made to Python + 3.6.12. + +4. PSF is making Python 3.6.12 available to Licensee on an "AS IS" basis. + PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF + EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR + WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE + USE OF PYTHON 3.6.12 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + +5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 3.6.12 + FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF + MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 3.6.12, OR ANY DERIVATIVE + THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +6. This License Agreement will automatically terminate upon a material breach of + its terms and conditions. + +7. 
Nothing in this License Agreement shall be deemed to create any relationship + of agency, partnership, or joint venture between PSF and Licensee. This License + Agreement does not grant permission to use PSF trademarks or trade name in a + trademark sense to endorse or promote products or services of Licensee, or any + third party. + +8. By copying, installing or otherwise using Python 3.6.12, Licensee agrees + to be bound by the terms and conditions of this License Agreement. diff --git a/README.md b/README.md index 5dc6fa6..14dc575 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,2 @@ -# - -Project template for all Iron Bank container repositories. \ No newline at end of file +# AAP Python base image +_Use as a base image for custom python apps._ diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..873532b --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,44 @@ +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "diat/aap-python" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dso.mil +tags: +- "14.0" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_REGISTRY: "registry1.dsop.io" + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "aap-python" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Python $PYTHON_VERSION available as container is a base platform for building and running various Python $PYTHON_VERSION applications and frameworks." + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "AAP License" + # URL to find more information on the image + org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "aap-python" + # Authoritative version of the software + org.opencontainers.image.version: "14.0" + # Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "aap,python,aappython,aap-python,pythonent,atlas,diat" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "diat/aap-python" + +# List of project maintainers +maintainers: +- email: "wingkwan.lau1@navy.mil" + name: "WingKwan Lau" + username: "wlau" diff --git a/scripts/container-entrypoint b/scripts/container-entrypoint new file mode 100644 index 0000000..339a74c --- /dev/null +++ b/scripts/container-entrypoint 
@@ -0,0 +1,9 @@ +#!/bin/bash + +# temp: hard coding "hero" as container username (todo: fix to use env vars for username and homedir) +if [ `id -u` -ge 1 ]; then + echo "hero:x:`id -u`:`id -g`:here:/opt/app-root:/bin/bash" >> /etc/passwd +fi + +exec "$@" + diff --git a/scripts/fix-permissions b/scripts/fix-permissions new file mode 100644 index 0000000..827eeb5 --- /dev/null +++ b/scripts/fix-permissions @@ -0,0 +1,28 @@ +#!/bin/sh + +# Allow this script to fail without failing a build +set +e + +SYMLINK_OPT=${2:--L} + +# Fix permissions on the given directory or file to allow group read/write of +# regular files and execute of directories. + +[ $(id -u) -ne 0 ] && CHECK_OWNER=" -uid $(id -u)" + +# If argument does not exist, script will still exit with 0, +# but at least we'll see something went wrong in the log +if ! [ -e "$1" ] ; then + echo "ERROR: File or directory $1 does not exist." >&2 + # We still want to end successfully + exit 0 +fi + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -gid 0 -exec chgrp 0 {} + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -perm -g+rw -exec chmod g+rw {} + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} -perm /u+x -a \! -perm /g+x -exec chmod g+x {} + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} -type d \! -perm /g+x -exec chmod g+x {} + + +# Always end successfully +exit 0 + diff --git a/scripts/generate-container-user b/scripts/generate-container-user new file mode 100644 index 0000000..f092c51 --- /dev/null +++ b/scripts/generate-container-user 
@@ -0,0 +1,20 @@ +# Set current user in nss_wrapper +USER_ID=$(id -u) +GROUP_ID=$(id -g) + +if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then + + NSS_WRAPPER_PASSWD=/opt/app-root/etc/passwd + NSS_WRAPPER_GROUP=/etc/group + + cat /etc/passwd | sed -e 's/^default:/builder:/' > $NSS_WRAPPER_PASSWD + + echo "default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin" >> $NSS_WRAPPER_PASSWD + + export NSS_WRAPPER_PASSWD + export NSS_WRAPPER_GROUP + + LD_PRELOAD=libnss_wrapper.so + export LD_PRELOAD +fi + diff --git a/scripts/py-enable b/scripts/py-enable new file mode 100644 index 0000000..9d1443b --- /dev/null +++ b/scripts/py-enable @@ -0,0 +1,6 @@ +# IMPORTANT: Do not add more content to this file unless you know what you are +# doing. This file is sourced everytime the shell session is opened. +# This will make the python libraries work out of the box. +unset BASH_ENV PROMPT_COMMAND ENV +source /opt/app-root/bin/activate + diff --git a/scripts/rpm-file-permissions b/scripts/rpm-file-permissions new file mode 100644 index 0000000..e96e705 --- /dev/null +++ b/scripts/rpm-file-permissions @@ -0,0 +1,22 @@ +#!/bin/sh + +CHECK_DIRS="/ /opt /etc /usr /usr/bin /usr/lib /usr/lib64 /usr/share /usr/libexec" + +rpm_format="[%{FILESTATES:fstate} %7{FILEMODES:octal} %{FILENAMES:shescape}\n]" + +rpm -q --qf "$rpm_format" filesystem | while read line +do + eval "set -- $line" + + case $1 in + normal) ;; + *) continue ;; + esac + + case " $CHECK_DIRS " in + *" $3 "*) + chmod "${2: -4}" "$3" + ;; + esac +done + -- GitLab From 42dab06ee438ea4aab9104f0b4a7979d8ac579b4 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Thu, 1 Jul 2021 14:58:57 +0000 Subject: [PATCH 3/8] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3646244..d1a8cfb 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,6 +1,6 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=redhat/ubi/ubi8 -ARG BASE_TAG=8.3 +ARG BASE_TAG=8.4 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -- GitLab From 3925111836aa5b322c1a43350b9133880fd529af Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Wed, 21 Jul 2021 20:37:33 +0000 Subject: [PATCH 4/8] Wingkwan.lau development patch 49370 --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index d1a8cfb..482930e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,9 @@ ARG BASE_TAG=8.4 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +# yum Update +RUN yum update -y + # Set necessary environment variables for python and python development environment ARG APP_ROOT=/opt/app-root ENV PYTHON_VERSION=3.8 \ -- GitLab From c45e9b4715648d3ab0bc36b541b24b0af25047ea Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Wed, 28 Jul 2021 21:07:20 +0000 Subject: [PATCH 5/8] Wingkwan.lau development patch 60189 --- Dockerfile | 14 +++++++++----- hardening_manifest.yaml | 6 +++--- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 482930e..f970335 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,9 +4,6 @@ ARG BASE_TAG=8.4 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -# yum Update -RUN yum update -y - # Set necessary environment variables for python and python development environment ARG APP_ROOT=/opt/app-root ENV PYTHON_VERSION=3.8 \ 
@@ -33,15 +30,18 @@ RUN chmod a+x /usr/bin/container-entrypoint && \ chmod a+x /usr/bin/generate-container-user && \ chmod a+x /usr/bin/py-enable - # Install packages -RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip " && \ +RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip gcc" && \ yum -y update-minimal --setopt=tsflags=nodocs --security && \ yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ yum -y remove vim-minimal && \ rpm -V $INSTALL_PKGS && \ yum -y clean all --enablerepo="*" +# yum Updates +RUN yum update -y +RUN yum update systemd-239-45.el8_4.2 + # - Create a Python virtual environment for use by any application to avoid potential conflicts with Python packages # preinstalled in the main Python installation. RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable @@ -54,6 +54,10 @@ RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \ fix-permissions ${HOME} -P && \ rpm-file-permissions +USER 1001 + ENTRYPOINT ["/usr/bin/container-entrypoint"] HEALTHCHECK CMD python --version + + diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 873532b..8089eed 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -7,14 +7,14 @@ name: "diat/aap-python" # The most specific version should be the first tag and will be shown # on ironbank.dso.mil tags: -- "14.0" +- "14.1" - "latest" # Build args passed to Dockerfile ARGs args: BASE_REGISTRY: "registry1.dsop.io" BASE_IMAGE: "redhat/ubi/ubi8" - BASE_TAG: "8.3" + BASE_TAG: "8.4" # Docker image labels labels: 
@@ -29,7 +29,7 @@ labels: # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "aap-python" # Authoritative version of the software - org.opencontainers.image.version: "14.0" + org.opencontainers.image.version: "14.1" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "aap,python,aappython,aap-python,pythonent,atlas,diat" # This value can be "opensource" or "commercial" -- GitLab From 313b3a32fc3df8ac7be0ccfc527fbb3b772484a0 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Wed, 28 Jul 2021 21:57:32 +0000 Subject: [PATCH 6/8] remove sticky bit --- Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile b/Dockerfile index f970335..7f0cc00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -54,6 +54,10 @@ RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \ fix-permissions ${HOME} -P && \ rpm-file-permissions +# Remove sticky bit +RUN chmod g-s /usr/libexec/openssh/ssh-keysign + +# set user to ensure image not running as root USER 1001 ENTRYPOINT ["/usr/bin/container-entrypoint"] -- GitLab From a9752113d36f6b33baf0ed9167a19a4ff22951d5 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Wed, 18 Aug 2021 14:15:50 +0000 Subject: [PATCH 7/8] Wingkwan.lau development patch 51101 --- Dockerfile | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7f0cc00..32e32e1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ ARG BASE_REGISTRY=registry1.dso.mil -ARG BASE_IMAGE=redhat/ubi/ubi8 +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.4 -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build # Set necessary environment variables for python and python development environment ARG APP_ROOT=/opt/app-root 
@@ -30,18 +30,17 @@ RUN chmod a+x /usr/bin/container-entrypoint && \ chmod a+x /usr/bin/generate-container-user && \ chmod a+x /usr/bin/py-enable +# yum Updates +RUN yum update -y + # Install packages -RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip gcc" && \ +RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip" && \ yum -y update-minimal --setopt=tsflags=nodocs --security && \ yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ yum -y remove vim-minimal && \ rpm -V $INSTALL_PKGS && \ yum -y clean all --enablerepo="*" -# yum Updates -RUN yum update -y -RUN yum update systemd-239-45.el8_4.2 - # - Create a Python virtual environment for use by any application to avoid potential conflicts with Python packages # preinstalled in the main Python installation. RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable @@ -60,8 +59,4 @@ RUN chmod g-s /usr/libexec/openssh/ssh-keysign # set user to ensure image not running as root USER 1001 -ENTRYPOINT ["/usr/bin/container-entrypoint"] - -HEALTHCHECK CMD python --version - - +HEALTHCHECK NONE -- GitLab From 4650ccd9b41982dd9f98e3bfc790f7af95a0d280 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Fri, 20 Aug 2021 19:30:52 +0000 Subject: [PATCH 8/8] Update Dockerfile Deleted scripts/generate-container-user, scripts/container-entrypoint files --- Dockerfile | 4 +--- scripts/container-entrypoint | 9 --------- scripts/generate-container-user | 20 -------------------- 3 files changed, 1 insertion(+), 32 deletions(-) delete mode 100644 scripts/container-entrypoint delete mode 100644 scripts/generate-container-user diff --git a/Dockerfile b/Dockerfile index 32e32e1..eb0691e 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -24,10 +24,8 @@ ENV PROMPT_COMMAND="" # Copy extra files to the image. COPY ./scripts /usr/bin -RUN chmod a+x /usr/bin/container-entrypoint && \ - chmod a+x /usr/bin/fix-permissions && \ +RUN chmod a+x /usr/bin/fix-permissions && \ chmod a+x /usr/bin/rpm-file-permissions && \ - chmod a+x /usr/bin/generate-container-user && \ chmod a+x /usr/bin/py-enable # yum Updates diff --git a/scripts/container-entrypoint b/scripts/container-entrypoint deleted file mode 100644 index 339a74c..0000000 --- a/scripts/container-entrypoint +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -# temp: hard coding "hero" as container username (todo: fix to use env vars for username and homedir) -if [ `id -u` -ge 1 ]; then - echo "hero:x:`id -u`:`id -g`:here:/opt/app-root:/bin/bash" >> /etc/passwd -fi - -exec "$@" - diff --git a/scripts/generate-container-user b/scripts/generate-container-user deleted file mode 100644 index f092c51..0000000 --- a/scripts/generate-container-user +++ /dev/null @@ -1,20 +0,0 @@ -# Set current user in nss_wrapper -USER_ID=$(id -u) -GROUP_ID=$(id -g) - -if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then - - NSS_WRAPPER_PASSWD=/opt/app-root/etc/passwd - NSS_WRAPPER_GROUP=/etc/group - - cat /etc/passwd | sed -e 's/^default:/builder:/' > $NSS_WRAPPER_PASSWD - - echo "default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin" >> $NSS_WRAPPER_PASSWD - - export NSS_WRAPPER_PASSWD - export NSS_WRAPPER_GROUP - - LD_PRELOAD=libnss_wrapper.so - export LD_PRELOAD -fi - -- GitLab
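Review bot: in 1/8 (`Application - Initial.md`), the schema link under "## Hardening Manifest" still points at `https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json` while every other link in the template uses `repo1.dso.mil`; use one host. The post-approval note also says "return to step 5 (Gitlab CI Pipeline)" although the sections are headed, not numbered, so name the section instead. The checksum item "(letters must be lowercase)" would be clearer if it said which digest the pipeline expects rather than only the case of the hex letters.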
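Review bot: in 2/8 (`Dockerfile`, hunk `@@ -0,0 +1,56 @@`), `PATH=$HOME/.local/bin/:$APP_ROOT/.local/bin:/opt/app-root/src/bin:/opt/app-root/bin:$PATH:` ends with a colon, and an empty PATH element is resolved by POSIX shells as the current working directory, so any command lookup can fall through to a file in `$PWD`; drop the trailing colon. The same hunk never switches users, so the image runs as root, which the issue template in 1/8 says needs a justification (fixed only in 5/8 with `USER 1001`). `RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable` runs `py-enable` as a child process, so the `source /opt/app-root/bin/activate` inside it changes nothing for later layers or for the running container; the script's own `unset BASH_ENV PROMPT_COMMAND ENV` shows it is meant to be pointed at by those variables, yet the hunk sets `PROMPT_COMMAND=""` and neither `BASH_ENV` nor `ENV`. Either wire those variables to `/usr/bin/py-enable` or drop the call, since `/opt/app-root/bin` is already on PATH. Finally `USER_NAME=hero` is exported but `useradd ... default` creates a user named `default`; pick one name.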
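Review bot: in 2/8 (`scripts/container-entrypoint`), `echo "hero:x:`id -u`:`id -g`:here:/opt/app-root:/bin/bash" >> /etc/passwd` only works if `/etc/passwd` is writable by the runtime user, which is a weaker posture than the nss_wrapper approach in `generate-container-user` and is not set up anywhere in the Dockerfile; the guard `[ `id -u` -ge 1 ]` also fires for uid 1001, whose entry `useradd` already created, producing a duplicate line. The gecos field reads `here`, presumably a typo for `hero`. If the script stays, test it as a non-root user before merging.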
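Review bot: in 2/8 (`scripts/generate-container-user`), the script sets `LD_PRELOAD=libnss_wrapper.so` but `nss_wrapper` is not in `INSTALL_PKGS`, so the preload fails for every process at runtime; add the package or drop the script. It also has no shebang and is never referenced from the Dockerfile or the entrypoint, so it is dead weight in `/usr/bin` with `a+x` set. The `-a` form in `[ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]` is non-portable; prefer two tests joined with `&&`.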
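Review bot: in 2/8 (`scripts/fix-permissions`), `set +e` together with the unconditional `exit 0` means a failed `chgrp`/`chmod` on `${APP_ROOT}` still produces a green build and an image whose app root is not group-writable as intended; at least make the missing-argument branch exit non-zero, and log the exit status of each `find ... -exec` so the failure is visible in the pipeline output.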
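Review bot: in 2/8 (`LICENSE`), the file is the PSF agreement for Python 3.6.12 while the Dockerfile installs `python38`, and the manifest declares the image under an "AAP License"; the template asks for the project's own LICENSE or EULA, so either add the AAP terms or correct the Python version text and the `org.opencontainers.image.licenses` label so the three agree.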
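Review bot: in 2/8 (`hardening_manifest.yaml`), `BASE_REGISTRY: "registry1.dsop.io"` differs from the Dockerfile's `ARG BASE_REGISTRY=registry1.dso.mil`, and the template in 1/8 says the manifest values are what the pipeline uses, so local and pipeline builds pull from different hosts; align them. `org.opencontainers.image.description` contains `$PYTHON_VERSION`, which is not expanded in a YAML label and will ship literally. `org.opencontainers.image.vendor: "aap-python"` repeats the image title instead of naming the distributing organization.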
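Review bot: in 3/8 (`Dockerfile`), only the `ARG BASE_TAG` default moves from 8.3 to 8.4 while `hardening_manifest.yaml` still carries `BASE_TAG: "8.3"`; since the pipeline reads the manifest, this commit changes local builds only and the pipeline stays on 8.3 until 5/8. Bump both in the same commit.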
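Review bot: in 4/8 (`Dockerfile`), `RUN yum update -y` placed directly after `FROM` is an unpinned full update in its own layer, run before the `yum -y update-minimal --setopt=tsflags=nodocs --security` that the package-install layer already performs, and it leaves the yum cache in the layer because `clean all` only runs later; if a full update is wanted, fold it into the existing `RUN` so one layer updates, installs and cleans, and state in the commit message which finding it addresses.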
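Review bot: in 5/8 (`Dockerfile`, hunk `@@ -33,15 +30,18 @@`), `RUN yum update systemd-239-45.el8_4.2` has no `-y`, so in a non-interactive build yum aborts the transaction whenever there is something to do, and the `RUN yum update -y` on the line above has already taken systemd to the newest available version, so the pinned line is either redundant or fails; drop it or pin with `-y` in the same layer. Adding `gcc` to `INSTALL_PKGS` puts a compiler into a runtime base image; if it is only needed to build wheels, do that in a separate build stage (7/8 removes it again).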
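Review bot: in 6/8 (`Dockerfile`), the comment `# Remove sticky bit` does not match `chmod g-s /usr/libexec/openssh/ssh-keysign`, which clears the setgid bit; the sticky bit is `t`. Fix the comment, and since a Python base image has no obvious need for `ssh-keysign`, removing the package that owns it is cleaner than stripping one bit, with the finding justified in the issue either way.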
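Review bot: in 7/8 (`Dockerfile`, hunk `@@ -1,8 +1,8 @@`), `FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build` names a stage that no later `FROM` or `COPY --from` references, so the name is misleading; drop it unless a second stage is planned. Changing the default to `BASE_IMAGE=ironbank/redhat/ubi/ubi8` also diverges from the manifest's `BASE_IMAGE: "redhat/ubi/ubi8"`; the template says the pipeline defaults `BASE_REGISTRY` to `registry1.dso.mil/ironbank`, so keep `redhat/ubi/ubi8` and put the `ironbank` path into the Dockerfile's `BASE_REGISTRY` default instead, so local and pipeline builds resolve the same image.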
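Review bot: in 7/8 (`Dockerfile`, hunk `@@ -30,18 +30,17 @@`), moving `RUN yum update -y` ahead of the install layer makes the following `yum -y update-minimal --setopt=tsflags=nodocs --security` a no-op; keep one of the two, preferably inside the single `RUN` that also cleans the cache. In the last hunk, dropping `ENTRYPOINT ["/usr/bin/container-entrypoint"]` leaves `scripts/container-entrypoint` installed but unused until 8/8, and `HEALTHCHECK NONE` is fine for a base image under the template's "required if it is an application container" rule but deserves a line in the commit message saying so.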
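Review bot: in 8/8 (`Dockerfile` and the two deleted scripts), removing `generate-container-user` and `container-entrypoint` drops the only mechanism that gave a passwd entry to a container started with an arbitrary UID, which is the case the nss_wrapper script explicitly handled (`USER_ID` not 0 and not 1001); if that platform case is out of scope now, say so in the README, and remove the now-orphaned `USER_NAME=hero` ENV and the "Enable the virtual python environment ... upon container startup" comment that described the deleted behaviour.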