Update GitLab to the 17.3.0 Minor Feature Release

.gitignore

+*.out
+*.tar.gz
+failedlog.out

Dockerfile

-ARG BASE_REGISTRY=registry1.dso.mil
-ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
-ARG BASE_TAG=9.4
+ARG GITLAB_VERSION=v17.3.0-ubi
+ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
+ARG BASE_IMAGE=gitlab/gitlab/gitlab-ruby
+ARG BASE_TAG=17.3.0
+ARG UBI_TAG=9.4
 
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+ARG RUBY_IMAGE=${BASE_REGISTRY}/gitlab/gitlab/gitlab-ruby:${BASE_TAG}
+ARG UBI_IMAGE=${BASE_REGISTRY}/redhat/ubi/ubi9/ubi-minimal:${UBI_TAG}
 
-RUN dnf update -y --nodocs && \
-    dnf clean all && \
-    rm -rf /var/cache/dnf
+FROM ${RUBY_IMAGE} as target
 
-USER nobody
+FROM ${UBI_IMAGE} as build
+
+ARG DNF_OPTS=--disableplugin=subscription-manager
+ARG GITLAB_USER=git
+ARG UID=1000
+ARG DNF_OPTS_ROOT="--installroot=/install-root --setopt=reposdir=/install-root/etc/yum.repos.d/ --setopt=cachedir=/install-cache/ --setopt=varsdir= --config= --noplugins"
+
+RUN mkdir -p /install-root
+COPY --from=target / /install-root/
+
+ADD gitlab-mailroom.tar.gz /install-root/assets/
+
+COPY scripts/ /install-root/scripts/
+
+RUN microdnf update -y && \
+    microdnf ${DNF_OPTS} install --nodocs --best --assumeyes --setopt=install_weak_deps=0 shadow-utils && \
+    adduser -m ${GITLAB_USER} -u ${UID} -R /install-root/ && \
+    chgrp -R 0 /install-root/scripts /install-root/home/${GITLAB_USER} && \
+    chmod -R g=u /install-root/scripts /install-root/home/${GITLAB_USER}
+
+RUN microdnf ${DNF_OPTS} ${DNF_OPTS_ROOT} install --best --assumeyes --nodocs --setopt=install_weak_deps=0 procps libicu tzdata \
+    && microdnf ${DNF_OPTS_ROOT} clean all \
+    && rm -f /install-root/var/lib/dnf/history*
+
+FROM ${BASE_REGISTRY:-}${BASE_REGISTRY:+/}${BASE_IMAGE}:${BASE_TAG} 
+
+ARG MAILROOM_VERSION=0.0.25
+ARG GITLAB_USER=git
+ARG UID=1000
+ARG FIPS_MODE=0
+
+COPY --from=build /install-root/ /
+
+## Hardening: CIS L1 SCAP
+COPY hardening /hardening
+RUN     set -ex; for f in /hardening/*.sh; do sh "$f"; done; rm -rf /hardening
+
+USER ${UID}
+
+CMD ["/usr/bin/mail_room", "-c", "/var/opt/gitlab/mail_room.yml", "--log-exit-as", "json"]
+
+HEALTHCHECK --interval=30s --timeout=30s --retries=5 CMD /scripts/healthcheck

LICENSE

+MIT License
+
+Copyright (c) 2017
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

build-scripts/build.sh

+#!/bin/bash
+
+# NOTICE: This script requires `docker`.
+
+set -euxo pipefail
+
+REGISTRY=${1:-}
+REPOSITORY=${2:-"$(basename "$(builtin cd "$(dirname "$0")/.."; pwd)")"}
+TAG=${3:-17.3.0}
+
+DOCKER_BUILD="${DOCKER_BUILD:-docker build}"
+DOCKER_OPTS=${DOCKER_OPTS:-""}
+
+imageName() {
+  local name="${REGISTRY}/${REPOSITORY}:${TAG}"
+
+  echo "${name#/}"
+}
+
+buildImage() {
+  local image="${1}"
+  local context="${image%*-ee}"
+  {
+    # shellcheck disable=SC2086
+    ${DOCKER_BUILD} \
+      -t "$(imageName)" . \
+      ${DOCKER_OPTS:-} | tee "${context}.out"
+  } || {
+    echo "${context}" >> failed.log
+  }
+}
+
+# Cleanup log outputs from previous build
+rm -f -- *.out failed.log
+
+buildImage "${REPOSITORY}"

build-scripts/cleanup.sh

+#!/bin/bash
+
+set -euxo pipefail
+
+rm -f -- *.tar.gz *.out failed.log
+rm -f tini

hardening/000_rhel_disable_subscription.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "RHEL: Disable subscription manager, use only official UBI repos")
+# Disable all repositories (to limit RHEL host repositories) and only use official UBI repositories
+if [ -e /etc/dnf/plugins/subscription-manager.conf ]; then
+    sed -i "s/enabled=1/enabled=0/" /etc/dnf/plugins/subscription-manager.conf
+fi

hardening/001_crypto_policies_fips.sh

+#!/bin/sh
+set -e
+
+if [ "$FIPS_MODE" -eq 1 ]; then
+
+(>&2 echo "Configuration: Setting system crypto-policies to FIPS")
+
+if [ ! -d /etc/crypto-policies ]; then
+  (>&2 echo "Notice: Configured for FIPS, but no crypto-policies found")
+  exit
+fi
+
+## Method derived from comparing host before and after
+## fips-mode-setup scripts.
+## Details in https://gitlab.com/gitlab-org/build/CNG/-/issues/779
+
+printf '# FIPS enabled' > /etc/system-fips
+printf 'FIPS' > /etc/crypto-policies/config
+printf 'FIPS' > /etc/crypto-policies/state/current
+
+for config in /usr/share/crypto-policies/FIPS/* ; do
+    file=$(basename "$config")
+    file="${file%.txt}.config"
+    ln -sf "$config" "/etc/crypto-policies/back-ends/$file"
+done
+
+fi

hardening/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'")
+
+
+var_accounts_user_umask="027"
+
+
+
+grep -q umask /etc/bashrc && \
+  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
+if ! [ $? -eq 0 ]; then
+    echo "umask $var_accounts_user_umask" >> /etc/bashrc
+fi
+

hardening/xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc'")
+
+var_accounts_user_umask='027'
+
+grep -q umask /etc/csh.cshrc && \
+  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
+if ! [ $? -eq 0 ]; then
+    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
+fi

hardening/xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'")
+
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+
+var_accounts_user_umask="027"
+# Function to replace configuration setting in config file or add the configuration setting if
+# it does not exist.
+#
+# Expects arguments:
+#
+# config_file:		Configuration file that will be modified
+# key:			Configuration option to change
+# value:		Value of the configuration option to change
+# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
+# format:		The printf-like format string that will be given stripped key and value as arguments,
+#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
+#
+# Optional arugments:
+#
+# format:		Optional argument to specify the format of how key/value should be
+# 			modified/appended in the configuration file. The default is key = value.
+#
+# Example Call(s):
+#
+#     With default format of 'key = value':
+#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
+#
+#     With custom key/value format:
+#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
+#
+#     With a variable:
+#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+#
+function replace_or_append {
+  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
+  local config_file=$1
+  local key=$2
+  local value=$3
+  local cce=$4
+  local format=$5
+
+  if [ "$case_insensitive_mode" = yes ]; then
+    sed_case_insensitive_option="i"
+    grep_case_insensitive_option="-i"
+  fi
+  [ -n "$format" ] || format="$default_format"
+  # Check sanity of the input
+  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }
+
+  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+  # Otherwise, regular sed command will do.
+  sed_command=('sed' '-i')
+  if test -L "$config_file"; then
+    sed_command+=('--follow-symlinks')
+  fi
+
+  # Test that the cce arg is not empty or does not equal @CCENUM@.
+  # If @CCENUM@ exists, it means that there is no CCE assigned.
+  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
+    cce="${cce}"
+  else
+    cce="CCE"
+  fi
+
+  # Strip any search characters in the key arg so that the key can be replaced without
+  # adding any search characters to the config file.
+  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
+
+  # shellcheck disable=SC2059
+  printf -v formatted_output "$format" "$stripped_key" "$value"
+
+  # If the key exists, change it. Otherwise, add it to the config_file.
+  # We search for the key string followed by a word boundary (matched by \>),
+  # so if we search for 'setting', 'setting2' won't match.
+  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
+    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
+  else
+    # \n is precaution for case where file ends without trailing newline
+    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
+    printf '%s\n' "$formatted_output" >> "$config_file"
+  fi
+}
+replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" 'CCE-82888-9' '%s %s'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

hardening/xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'")
+
+var_accounts_user_umask='027'
+
+grep -q umask /etc/profile && \
+  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
+if ! [ $? -eq 0 ]; then
+    echo "umask $var_accounts_user_umask" >> /etc/profile
+fi

hardening/xccdf_org.ssgproject.content_rule_coredump_disable_backtraces.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces'")
+
+if [ ! -d "/etc/systemd" ]; then
+    exit
+fi
+
+if [ -e "/etc/systemd/coredump.conf" ] ; then
+    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
+else
+    touch "/etc/systemd/coredump.conf"
+fi
+cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
+# Clean up after ourselves.
+rm "/etc/systemd/coredump.conf.bak"

hardening/xccdf_org.ssgproject.content_rule_coredump_disable_storage.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_coredump_disable_storage'")
+
+if [ ! -d "/etc/systemd" ]; then
+    exit
+fi
+
+if [ -e "/etc/systemd/coredump.conf" ] ; then
+    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
+else
+    touch "/etc/systemd/coredump.conf"
+fi
+cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
+# Clean up after ourselves.
+rm "/etc/systemd/coredump.conf.bak"

hardening/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_disable_users_coredumps'")
+
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+SECURITY_LIMITS_FILE="/etc/security/limits.conf"
+
+if grep -qE '\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
+        sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE
+else
+        echo "*     hard   core    0" >> $SECURITY_LIMITS_FILE
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

hardening/xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su.sh

+#!/bin/sh
+set -e
+
+(>&2 echo "Remediating: '	xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su'")
+
+if [ -e "/etc/pam.d/su"]; then
+    sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' \
+      -i /etc/pam.d/su
+fi

hardening_manifest.yaml

@@ -5,12 +5,13 @@ name: "gitlab/gitlab/gitlab-mailroom"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-  - "17.2.4"
+  - "17.3.0"
   - "latest"
 # Build args passed to Dockerfile ARGs
 args:
   BASE_IMAGE: "gitlab/gitlab/gitlab-ruby"
-  BASE_TAG: "17.2.4"
+  BASE_TAG: "17.3.0"
+  UBI_TAG: "9.4"
 # Docker image labels
 labels:
   org.opencontainers.image.title: "Gitlab Mailroom"
@@ -22,7 +23,7 @@ labels:
   org.opencontainers.image.url: "https://about.gitlab.com/"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "Gitlab"
-  org.opencontainers.image.version: "17.2.4"
+  org.opencontainers.image.version: "17.3.0"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "gitlab, git, gitops"
   ## This value can be "opensource" or "commercial"
@@ -38,6 +39,7 @@ maintainers:
     name: "Steven Terhar"
     #   # The gitlab username of the current container owner
     username: "sterhar"
+    cht_member: false
   #   cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
   - name: "Al Fontaine"
     username: "alfontaine"
@@ -48,9 +50,8 @@ maintainers:
     email: "help@dsop.io"
     cht_member: true
 resources: 
-  - url: "https://gitlab-ubi.s3.amazonaws.com/ubi8-build-dependencies-v17.2.4-ubi8/gitlab-mailroom.tar.gz"
+  - url: "https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi-build-dependencies-v17.3.0-ubi/gitlab-mailroom.tar.gz"
     filename: "gitlab-mailroom.tar.gz"
     validation:
       type: "sha256"
-      value: "e774f9fd84cdaf8b266da5075e4bb8800cae0ededeb5792d6e7c65b914f7d810"
-
+      value: "f72496482eae6f0de1eb8c58600ac67b2e8f6c503ac37c560e9fc84863b23083"

openshift.metadata

+io.openshift.tags=gitlab-mailroom
+io.openshift.wants=gitlab-webservice
+io.k8s.description=GitLab service container for mailroom.
+io.openshift.non-scalable=false
+io.openshift-min-memory=150Mi
+io.openshift.min-cpu=100m

scripts/healthcheck

+#!/bin/bash
+
+set -e
+
+/usr/bin/pgrep -f mail_room

scripts/install-dependencies

+#!/bin/bash
+
+set -e
+
+apt-get update -q
+DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends make \
+        build-essential \
+        libicu-dev
+
+rm -rf /var/lib/apt/lists/*
+
+gem install charlock_holmes:0.7.6 \
+        redis-client:0.22.2 \
+        redis:5.2.0 \
+        redis-namespace:1.11.0 \
+        webrick:1.7.0 \
+        gitlab-mail_room:${MAILROOM_VERSION}
+
+/build-scripts/cleanup-gems /usr/lib/ruby/gems
+
+DEBIAN_FRONTEND=noninteractive apt-get purge -yq make build-essential libicu-dev