From cf02cb14f86c8660658c3b10d86a4edb8e8a72c7 Mon Sep 17 00:00:00 2001 From: Christopger Vernooy Date: Tue, 13 Oct 2020 12:52:35 -0400 Subject: [PATCH 01/10] inital push --- Dockerfile | 18 ++++++++++++++++++ Jenkinsfile | 2 ++ download.yaml | 3 +++ 3 files changed, 23 insertions(+) create mode 100644 Dockerfile create mode 100644 Jenkinsfile create mode 100644 download.yaml diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..570d16e --- /dev/null +++ b/Dockerfile @@ -0,0 +1,18 @@ +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 +ARG BASE_TAG=8.2 +FROM kubeflow-images-public/katib/metrics-collector:latest as base +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +USER 0 +RUN dnf upgrade -y && \ + dnf clean all && \ + rm -rf /var/cache/dnf +CMD ["/bin/sh"] +COPY --from=base /app /app +RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \; +RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \; +RUN groupadd -r metrics && useradd -r -g metrics metrics +RUN chown -R metrics. /app +WORKDIR /app +USER metrics +ENTRYPOINT ["./metricscollector"] \ No newline at end of file diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000..fe3b45d --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,2 @@ +@Library('DCCSCR@master') _ +dccscrPipeline(version: "latest") diff --git a/download.yaml b/download.yaml new file mode 100644 index 0000000..9317c64 --- /dev/null +++ b/download.yaml @@ -0,0 +1,3 @@ +resources: + - url: "docker://gcr.io/kubeflow-images-public/katib/metrics-collector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881" + tag: "kubeflow-images-public/katib/metrics-collector:latest" \ No newline at end of file -- GitLab From e672806ff6ac6fa54e8d2ea84ce92d9f099090dc Mon Sep 17 00:00:00 2001 From: cvernooy Date: Tue, 13 Oct 2020 16:53:42 +0000 Subject: [PATCH 02/10] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8ebcb2a..fe611f5 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,3 @@ # metrics-collector-2019 +blah -- GitLab From e14a0079cc376f1b0409beb9707692d8c081b5c3 Mon Sep 17 00:00:00 2001 From: jeason Date: Wed, 14 Oct 2020 12:51:19 -0600 Subject: [PATCH 03/10] Project template: file templates --- .gitlab/CODEOWNERS | 6 +++ .gitlab/issue_templates/Access Request.md | 16 ++++++++ .../issue_templates/Application - Archive.md | 21 +++++++++++ .../issue_templates/Application - Initial.md | 32 ++++++++++++++++ .../issue_templates/Application - Update.md | 35 ++++++++++++++++++ .gitlab/issue_templates/Bug.md | 37 +++++++++++++++++++ .gitlab/issue_templates/Feature Request.md | 32 ++++++++++++++++ .../issue_templates/Leadership Question.md | 7 ++++ .gitlab/issue_templates/New Findings.md | 20 ++++++++++ .../issue_templates/Onboarding Question.md | 7 ++++ .gitlab/issue_templates/Pipeline Failure.md | 31 ++++++++++++++++ 11 files changed, 244 insertions(+) create mode 100644 .gitlab/CODEOWNERS create mode 100644 .gitlab/issue_templates/Access Request.md create mode 100644 .gitlab/issue_templates/Application - Archive.md create mode 100644 .gitlab/issue_templates/Application - Initial.md create mode 100644 .gitlab/issue_templates/Application - Update.md create mode 100644 .gitlab/issue_templates/Bug.md create mode 100644 .gitlab/issue_templates/Feature Request.md create mode 100644 .gitlab/issue_templates/Leadership Question.md create mode 100644 .gitlab/issue_templates/New Findings.md create mode 100644 .gitlab/issue_templates/Onboarding Question.md create mode 100644 .gitlab/issue_templates/Pipeline Failure.md diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000..64a2c68 --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000..1a7b224 --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md @@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000..9f3b5fe --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000..6594a05 --- /dev/null +++ b/.gitlab/issue_templates/Application - Initial.md @@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000..caebb3e --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md @@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000..1427a0c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md @@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000..a0e2f19 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000..4674f82 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000..068d029 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000..77dea11 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000..28b82a9 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md @@ -0,0 +1,31 @@ +## Summary + +(Summarize the pipeline issue encountered concisely) + + +## Link to failed pipeline + +(Link to the failed pipeline) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Definition of Done +- [ ] Pipeline failure has been resolved + + +/label ~Pipeline +/cc @ironbank-notifications/pipelines \ No newline at end of file -- GitLab From 60a39499f9c6c6f4473df2efc37ff05c52a65af9 Mon Sep 17 00:00:00 2001 From: Christopger Vernooy Date: Wed, 21 Oct 2020 15:36:46 -0400 Subject: [PATCH 04/10] updates for musl to libc --- .gitignore | 1 + Dockerfile | 35 ++++++++++++++++++++++++++++++----- download.yaml | 7 ++++++- 3 files changed, 37 insertions(+), 6 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b72d989 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +musl-1.2.0.tar.gz diff --git a/Dockerfile b/Dockerfile index 570d16e..fe16bed 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,38 @@ ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.2 -FROM kubeflow-images-public/katib/metrics-collector:latest as base +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build +USER 0 +RUN dnf install go wget make cmake gcc -y && \ + dnf upgrade -y && \ + dnf clean all && \ + rm -rf /var/cache/dnf +WORKDIR /opt +COPY musl-1.2.0.tar.gz . +RUN mkdir -p /usr/local/src/musl && \ + tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1 +WORKDIR /usr/local/src/musl +RUN ./configure && \ + make && \ + make install && \ + rm -f /opt/musl-1.2.0.tar.gz +#FROM kubeflow-images-public/katib/metrics-coillector:latest as base +FROM gcr.io/kubeflow-images-public/katib/metrics-collector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +LABEL org.opencontainers.image.title="Katib-metrics-coillector" \ + org.opencontainers.image.description="metrics Colelctor" \ + org.opencontainers.image.licenses="Apache-2.0" \ + org.opencontainers.image.url="gcr.io/kubeflow-images-public/katib/metrics-coillector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881" \ + org.opencontainers.image.version="latest" \ + maintainer="cvernooy@oteemo.com" USER 0 -RUN dnf upgrade -y && \ - dnf clean all && \ - rm -rf /var/cache/dnf -CMD ["/bin/sh"] +RUN dnf install go -y && \ + dnf upgrade -y && \ + dnf clean all && \ + rm -rf /var/cache/dnf +COPY --from=base /app /app +COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so +COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1 COPY --from=base /app /app RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \; RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \; diff --git a/download.yaml b/download.yaml index 9317c64..c1e3f69 100644 --- a/download.yaml +++ b/download.yaml @@ -1,3 +1,8 @@ resources: - url: "docker://gcr.io/kubeflow-images-public/katib/metrics-collector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881" - tag: "kubeflow-images-public/katib/metrics-collector:latest" \ No newline at end of file + tag: "kubeflow-images-public/katib/metrics-collector:latest" + - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" + filename: musl-1.2.0.tar.gz + validation: + type: sha256 + value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 \ No newline at end of file -- GitLab From f0a20ce0d3c2240343d991230ecfb941a4da9ad9 Mon Sep 17 00:00:00 2001 From: cvernooy Date: Tue, 27 Oct 2020 14:25:57 +0000 Subject: [PATCH 05/10] Update Jenkinsfile --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index fe3b45d..d5b1091 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: "latest") +dccscrPipeline(version: "393ed3258d61") -- GitLab From 600a2b32826d68fa35728e72b0271b7d33bbc62b Mon Sep 17 00:00:00 2001 From: cvernooy Date: Tue, 27 Oct 2020 19:43:05 +0000 Subject: [PATCH 06/10] Update Dockerfile --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index fe16bed..30cbc6c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,6 +27,7 @@ LABEL org.opencontainers.image.title="Katib-metrics-coillector" \ maintainer="cvernooy@oteemo.com" USER 0 RUN dnf install go -y && \ + dnf remove kernel-headers -y && \ dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf -- GitLab From acbb8ba10006b4845f12745a23fd784df1492e86 Mon Sep 17 00:00:00 2001 From: cvernooy Date: Tue, 27 Oct 2020 20:39:45 +0000 Subject: [PATCH 07/10] Update Dockerfile --- Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 30cbc6c..f4c1c74 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,9 +26,7 @@ LABEL org.opencontainers.image.title="Katib-metrics-coillector" \ org.opencontainers.image.version="latest" \ maintainer="cvernooy@oteemo.com" USER 0 -RUN dnf install go -y && \ - dnf remove kernel-headers -y && \ - dnf upgrade -y && \ +RUN dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf COPY --from=base /app /app @@ -39,6 +37,7 @@ RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \; RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \; RUN groupadd -r metrics && useradd -r -g metrics metrics RUN chown -R metrics. /app +RUN chmod +x /app/metricscollector WORKDIR /app USER metrics ENTRYPOINT ["./metricscollector"] \ No newline at end of file -- GitLab From 53c3694a19daafb2cd42dca02bcd28ad64695d03 Mon Sep 17 00:00:00 2001 From: cvernooy Date: Wed, 28 Oct 2020 13:44:52 +0000 Subject: [PATCH 08/10] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4c1c74..3819df8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,8 +16,8 @@ RUN ./configure && \ make && \ make install && \ rm -f /opt/musl-1.2.0.tar.gz -#FROM kubeflow-images-public/katib/metrics-coillector:latest as base -FROM gcr.io/kubeflow-images-public/katib/metrics-collector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881 as base +FROM kubeflow-images-public/katib/metrics-coillector:latest as base +#FROM gcr.io/kubeflow-images-public/katib/metrics-collector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} LABEL org.opencontainers.image.title="Katib-metrics-coillector" \ org.opencontainers.image.description="metrics Colelctor" \ -- GitLab From 6cfee6f33f85ee09200971dce8fb602d4180b63c Mon Sep 17 00:00:00 2001 From: cvernooy Date: Wed, 28 Oct 2020 13:57:43 +0000 Subject: [PATCH 09/10] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3819df8..514ad2e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN ./configure && \ make && \ make install && \ rm -f /opt/musl-1.2.0.tar.gz -FROM kubeflow-images-public/katib/metrics-coillector:latest as base +FROM kubeflow-images-public/katib/metrics-collector:latest as base #FROM gcr.io/kubeflow-images-public/katib/metrics-collector@sha256:393ed3258d6171bbd3f5d3de03dea2ddbec38715b469a3694a66d574277a5881 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} LABEL org.opencontainers.image.title="Katib-metrics-coillector" \ -- GitLab From 553fb13cbd017b90f76bbe457e6aca28fd9c33ca Mon Sep 17 00:00:00 2001 From: cvernooy Date: Thu, 29 Oct 2020 13:56:11 +0000 Subject: [PATCH 10/10] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fe611f5..65647d4 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ -# metrics-collector-2019 +# metrics-collector -blah +This is a hardened version of the upstream image. This is not mean for solo deployment, Anno team has automation to deploy this in place of the upstream container. No helm chart or deployment instructions will be included for this container -- GitLab