diff --git a/Dockerfile b/Dockerfile index 0f49f7dd278ef517f4e7c81980ea13deb6f5d46c..acd0fa1a17a421b3fdac6af751dc507331ec0fae 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,20 +2,22 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/python ARG BASE_TAG=v3.11.4 +FROM ironbank-modules:0.0.14 as modules FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} USER 0 COPY signatures/centos-gpg-key /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial -COPY *.rpm /opt/dnfmodules/ +COPY --from=modules /home/python/ironbank-modules . +COPY --chmod=0755 oscap-podman /usr/local/bin/ ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot PATH="${PATH}:/root/.local/bin" RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial; \ dnf upgrade -y; \ dnf install -y podman jq unzip --setopt=tsflags=nodocs; \ - dnf install -y /opt/dnfmodules/*.rpm --setopt=tsflags=nodocs; \ - dnf install zip unzip bzip2 jq; \ + dnf install -y openscap-scanner; \ + dnf install -y zip unzip bzip2 jq; \ rm /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial; \ rm -rf /opt/dnfmodules; \ dnf clean all; \ 
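Review bot: The new `dnf install -y openscap-scanner; \` joins a `;`-chained RUN, so a failed install of the scanner — the package the copied `oscap-podman` wrapper depends on — does not fail the build and only surfaces when the image is used; `dnf install -y openscap-scanner && \` (and the same for the following `dnf install -y zip unzip bzip2 jq && \`) makes the step fail fast. The first `COPY --from=modules /home/python/ironbank-modules .` lands the module tree in whatever working directory the base image leaves active, while the second hunk copies the same tree again to `${MODULES_DIR}`; unless the relative copy is deliberately relied on, drop it so the image carries one copy at a known path. With the `*.rpm` copy gone, `rm -rf /opt/dnfmodules` is dead cleanup and can go too. Note that openscap was previously pinned to hash-verified 1.3.6-4 RPMs and is now whatever version the base image's repositories resolve `openscap-scanner` to; if the pipeline expects a specific scanner version, pin it in the install line (e.g. `dnf install -y openscap-scanner-1.3.6`).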
@@ -26,3 +28,31 @@ RUN chmod 0755 /usr/bin/fusermount3; \ RUN rm -f /usr/share/doc/perl-IO-Socket-SSL/example/simulate_proxy.pl; \ find /usr/share/doc -type f \( -iname \*.pem -o -iname \*.enc \) -exec rm -f {} \; + +# Setup Python environment +ENV POETRY_HOME=/opt/poetry +ENV MODULES_DIR=/ironbank-modules +ENV MODULES_IMPORT_PATH=${MODULES_DIR}/ironbank + +# Copying Ironbank modules from the first image +COPY --from=modules /home/python/ironbank-modules ${MODULES_DIR} + +# Setup venv and poetry +RUN mkdir ${POETRY_HOME} && chown python:python ${POETRY_HOME}; \ + chmod 0744 ${MODULES_DIR}; \ + python3 -m venv ${POETRY_HOME}; \ + pip install poetry==1.5.1 + +# Activate the virtual environment +ENV PATH=/bin:${PATH} + +# Install Python dependencies +RUN poetry source add -C ${MODULES_IMPORT_PATH} --priority=default nexus http://nexus-repository-manager.nexus-repository-manager.svc.cluster.local:8081/repository/pypi/simple/ +RUN poetry install -C ${MODULES_IMPORT_PATH} --no-root --without dev + +# Set the working directory +WORKDIR ${HOME_DIR} + +# Set the entrypoint +ENTRYPOINT ["poetry"] +CMD ["run", "-C", "ironbank-modules/ironbank"] diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 2384c8ea355e7f776f9f8c1e7e40c2ffce537e11..1d0acf6a353977f12a6cdad9fb93365ab5128ce6 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "ironbank-pipelines/oscap-podman" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: - - "v0.1.2" + - "v0.1.3" - "latest" # Build args passed to Dockerfile ARGs 
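Review bot: The venv created at `${POETRY_HOME}` is never used: `pip install poetry==1.5.1` runs the base image's pip, so poetry lands in the system site-packages, and the following `ENV PATH=/bin:${PATH}` (commented as activating the venv) prepends `/bin` rather than the venv's bin directory. Install into the venv explicitly, `${POETRY_HOME}/bin/pip install --no-cache-dir poetry==1.5.1`, and activate it with `ENV PATH=${POETRY_HOME}/bin:${PATH}`, so that `ENTRYPOINT ["poetry"]` resolves to the pinned copy. Separately, `poetry install` ran against `${MODULES_IMPORT_PATH}` (`/ironbank-modules/ironbank`), but the default `CMD ["run", "-C", "ironbank-modules/ironbank"]` is relative to `WORKDIR ${HOME_DIR}`, and `HOME_DIR` is not set anywhere in this diff; unless the base image defines it as `/`, the two paths differ, so use the absolute path `CMD ["run", "-C", "/ironbank-modules/ironbank"]` (exec form does not expand `${MODULES_IMPORT_PATH}`). The stage also stays `USER 0` from the top of the file through the entrypoint; if root is required for podman/oscap-podman that deserves a comment, otherwise add a `USER` before `ENTRYPOINT`. The `poetry source add … http://nexus-repository-manager…:8081/…` mirror is plain HTTP and the URL is persisted into the module's pyproject.toml inside the image, so package integrity rests on the hashes in the modules' lock file — worth confirming that `poetry.lock` is present in the copied tree.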
@@ -31,32 +31,17 @@ labels: # List of project maintainers maintainers: - email: "ironbank@dsop.io" - name: "Cody Miller" - username: "cmillerp1" - cht_member: false - - email: "ironbank@dsop.io" - name: "Kenneth Maguire" - username: "kenneth.maguire" + name: "Jacob Dorlac" + username: "j.dorlac" cht_member: false + resources: - - url: https://rpmfind.net/linux/centos/8-stream/AppStream/x86_64/os/Packages/openscap-utils-1.3.6-4.el8.x86_64.rpm - filename: openscap-utils-1.3.6-4.el8.x86_64.rpm - validation: - type: sha256 - value: c6e9f8eb9a5027504a73a52eae29fac0dfa657e7f0f5ba96e99c723e58927d80 - - url: https://rpmfind.net/linux/centos/8-stream/AppStream/x86_64/os/Packages/openscap-1.3.6-4.el8.x86_64.rpm - filename: openscap-1.3.6-4.el8.x86_64.rpm + - url: https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/utils/oscap-podman + filename: oscap-podman validation: type: sha256 - value: 4d53b8f1b690b7621f4a8d649a915aa6ee8a4b52bed5191a7cd6b8c197b74e41 - - url: https://rpmfind.net/linux/centos/8-stream/AppStream/x86_64/os/Packages/openscap-scanner-1.3.6-4.el8.x86_64.rpm - filename: openscap-scanner-1.3.6-4.el8.x86_64.rpm - validation: - type: sha256 - value: 60362683f76f0c95c98c77b9edddd5fe95c479e985127b5aea1e5d0eb93f2644 - - url: https://rpmfind.net/linux/centos/8-stream/AppStream/x86_64/os/Packages/rpmdevtools-8.10-8.el8.noarch.rpm - filename: rpmdevtools-8.10-8.el8.noarch.rpm - validation: - type: sha256 - value: f6c9f11f58d8a0daffb755590ad239cdf1bf5fa69bfde752bbd3f1c89e325220 + value: d8d5e84ce8979f6fb1040f30108de80c5fa49bbbd6e6f02e6bd3d69826353966 + - tag: ironbank-modules:0.0.14 + url: docker://registry.dso.mil/ironbank-tools/ironbank-modules:0.0.14 +
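Review bot: The `oscap-podman` resource URL points at the moving branch ref `maint-1.3` rather than a commit, so the pinned sha256 (`d8d5e84c…`) will start failing validation as soon as that branch changes, and a maintainer refreshing the hash then accepts whatever the branch currently holds; pin the URL to the commit that produced this hash, `url: https://raw.githubusercontent.com/OpenSCAP/openscap/<commit>/utils/oscap-podman`, so the hash stays reproducible. The `ironbank-modules:0.0.14` image resource carries no validation entry; if the manifest schema allows it, reference the image by digest (`@sha256:…`) in `url` so the module source is content-addressed like the script is. Also note that the previously hash-verified openscap RPMs are removed here while the Dockerfile now installs `openscap-scanner` from the base image's repositories, so the scanner version is no longer recorded anywhere in the manifest.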