From 9d6ec8b3f81e774d9d1cbb16c7979ea90cb8379e Mon Sep 17 00:00:00 2001
From: Christopger Vernooy
Date: Tue, 13 Oct 2020 13:16:20 -0400
Subject: [PATCH 01/10] inital push
---
 Dockerfile | 18 ++++++++++++++++++
 Jenkinsfile | 2 ++
 README.md | 2 +-
 download.yaml | 3 +++
 4 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 Dockerfile
 create mode 100644 Jenkinsfile
 create mode 100644 download.yaml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6f79cc2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,18 @@
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
+ARG BASE_TAG=8.2
+FROM kubeflow-images-public/katib/studyjob-controller:latest as base
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+USER 0
+RUN dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf
+CMD ["/bin/sh"]
+COPY --from=base /app /app
+RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
+RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
+RUN groupadd -r controller && useradd -r -g controller controller
+RUN chown -R controller. /app
+WORKDIR /app
+USER controller
+ENTRYPOINT ["./studyjobcontroller"]
\ No newline at end of file
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..fe3b45d
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSCR@master') _
+dccscrPipeline(version: "latest")
diff --git a/README.md b/README.md
index 9c1866f..8ebcb2a 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-# studyjob-controller-2019
+# metrics-collector-2019
diff --git a/download.yaml b/download.yaml
new file mode 100644
index 0000000..0803888
--- /dev/null
+++ b/download.yaml
@@ -0,0 +1,3 @@
+resources:
+ - url: "docker://gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325"
+ tag: "kubeflow-images-public/katib/studyjob-controller:latest"
\ No newline at end of file
--
GitLab
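Review bot: `CMD ["/bin/sh"]` does not give operators a shell here: with `ENTRYPOINT ["./studyjobcontroller"]` in exec form, CMD becomes the entrypoint's arguments, so the default invocation is `./studyjobcontroller /bin/sh`; drop the CMD or make it the controller's real default arguments. The larger problem is `FROM kubeflow-images-public/katib/studyjob-controller:latest as base`, an unqualified floating tag whose only link to the sha256 digest in download.yaml is the pipeline retagging it locally, so any build where that tag is absent or stale resolves the name elsewhere and `COPY --from=base /app /app` ships an unverified binary into the hardened image. Reference the digest in the Dockerfile itself, `FROM gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325 as base`, or, if the build host cannot reach gcr.io, at least record that digest in a comment beside the FROM so the pin is auditable from the Dockerfile.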
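Review bot: `@Library('DCCSCR@master') _` loads the shared pipeline library from a moving branch, so anyone who can push to that library's master can change what this job runs, with this job's credentials, without any change being reviewable here. Pin it to a release tag or commit (`@Library('DCCSCR@<tag-or-sha>') _`) and bump it deliberately; the same applies to `dccscrPipeline(version: "latest")`, which should name the upstream digest or release being built rather than a floating value.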
From fdcb63b181359886e803256d9abb776cc028af43 Mon Sep 17 00:00:00 2001 From: cvernooy Date: Tue, 13 Oct 2020 17:20:06 +0000 Subject: [PATCH 02/10] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8ebcb2a..e8588e5 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,3 @@ # metrics-collector-2019 +stuff \ No newline at end of file -- GitLab From d051b531a5eb3c396109fecd99244906428fbd66 Mon Sep 17 00:00:00 2001 From: jeason Date: Wed, 14 Oct 2020 12:53:52 -0600 Subject: [PATCH 03/10] Project template: file templates --- .gitlab/CODEOWNERS | 6 +++ .gitlab/issue_templates/Access Request.md | 16 ++++++++ .../issue_templates/Application - Archive.md | 21 +++++++++++ .../issue_templates/Application - Initial.md | 32 ++++++++++++++++ .../issue_templates/Application - Update.md | 35 ++++++++++++++++++ .gitlab/issue_templates/Bug.md | 37 +++++++++++++++++++ .gitlab/issue_templates/Feature Request.md | 32 ++++++++++++++++ .../issue_templates/Leadership Question.md | 7 ++++ .gitlab/issue_templates/New Findings.md | 20 ++++++++++ .../issue_templates/Onboarding Question.md | 7 ++++ .gitlab/issue_templates/Pipeline Failure.md | 31 ++++++++++++++++ 11 files changed, 244 insertions(+) create mode 100644 .gitlab/CODEOWNERS create mode 100644 .gitlab/issue_templates/Access Request.md create mode 100644 .gitlab/issue_templates/Application - Archive.md create mode 100644 .gitlab/issue_templates/Application - Initial.md create mode 100644 .gitlab/issue_templates/Application - Update.md create mode 100644 .gitlab/issue_templates/Bug.md create mode 100644 .gitlab/issue_templates/Feature Request.md create mode 100644 .gitlab/issue_templates/Leadership Question.md create mode 100644 .gitlab/issue_templates/New Findings.md create mode 100644 .gitlab/issue_templates/Onboarding Question.md create mode 100644 .gitlab/issue_templates/Pipeline Failure.md 
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000..64a2c68 --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000..1a7b224 --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md @@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000..9f3b5fe --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000..6594a05 --- /dev/null 
+++ b/.gitlab/issue_templates/Application - Initial.md @@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000..caebb3e --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md 
@@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000..1427a0c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md 
@@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000..a0e2f19 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000..4674f82 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file 
diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000..068d029 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000..77dea11 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000..28b82a9 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md 
@@ -0,0 +1,31 @@
+## Summary
+
+(Summarize the pipeline issue encountered concisely)
+
+
+## Link to failed pipeline
+
+(Link to the failed pipeline)
+
+
+## What is the current bug behavior?
+
+(What actually happens)
+
+
+## What is the expected correct behavior?
+
+(What you should see instead)
+
+
+## Possible fixes
+
+(If you can, link to the line of code that might be responsible for the problem)
+
+
+## Definition of Done
+- [ ] Pipeline failure has been resolved
+
+
+/label ~Pipeline
+/cc @ironbank-notifications/pipelines
\ No newline at end of file
--
GitLab
From 62044209ee4eb031938806a24cc06030219157d8 Mon Sep 17 00:00:00 2001
From: Christopger Vernooy
Date: Wed, 21 Oct 2020 15:08:55 -0400
Subject: [PATCH 04/10] updated for musl to libc
---
 .gitignore | 1 +
 Dockerfile | 34 +++++++++++++++++++++++++++++-----
 download.yaml | 7 ++++++-
 3 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b72d989
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+musl-1.2.0.tar.gz
diff --git a/Dockerfile b/Dockerfile
index 6f79cc2..98c9a50 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,38 @@
 ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
 ARG BASE_TAG=8.2
-FROM kubeflow-images-public/katib/studyjob-controller:latest as base
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
+USER 0
+RUN dnf install go wget make cmake gcc -y && \ dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf
+WORKDIR /opt
+COPY musl-1.2.0.tar.gz .
+RUN mkdir -p /usr/local/src/musl && \ tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
+WORKDIR /usr/local/src/musl
+RUN ./configure && \ make && \ make install && \ rm -f /opt/musl-1.2.0.tar.gz
+#FROM kubeflow-images-public/katib/studyjob-controller:latest as base
+FROM gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325 as base
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+LABEL org.opencontainers.image.title="Katib-studyjob-controller" \ org.opencontainers.image.description="studyjob controller" \ org.opencontainers.image.licenses="Apache-2.0" \ org.opencontainers.image.url="gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325" \ org.opencontainers.image.version="latest" \ maintainer="cvernooy@oteemo.com"
 USER 0
-RUN dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf
-CMD ["/bin/sh"]
+RUN dnf install go -y && \ dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf
 COPY --from=base /app /app
+COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
+COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
 RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
 RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
 RUN groupadd -r controller && useradd -r -g controller controller
diff --git a/download.yaml b/download.yaml
index 0803888..9db5228 100644
--- a/download.yaml
+++ b/download.yaml
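Review bot: `COPY musl-1.2.0.tar.gz .` followed by `tar -zxf … --strip-components=1` and a root `./configure && make && make install` builds whatever tarball happens to be in the build context; download.yaml records a sha256 for it, but only the pipeline's downloader enforces that, so a local or out-of-band build would compile an unverified musl and then copy its `libc.so` and `ld-musl-x86_64.so.1` into the runtime image. Verify it in the build stage before extracting: `RUN echo "c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8  musl-1.2.0.tar.gz" | sha256sum -c -`. The build stage also installs `go wget make cmake gcc` although nothing in it invokes go, wget or cmake, and the final stage runs `dnf install go -y` even though `/app` is a prebuilt binary copied from `base`; a compiler toolchain in the runtime image only adds scan findings and attack surface. `org.opencontainers.image.version="latest"` is not a version either — the upstream digest already present in the url label, or the Katib release it corresponds to, is what consumers of the label need.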
@@ -1,3 +1,8 @@
 resources:
 - url: "docker://gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325"
- tag: "kubeflow-images-public/katib/studyjob-controller:latest"
\ No newline at end of file
+ tag: "kubeflow-images-public/katib/studyjob-controller:latest"
+ - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
+ filename: musl-1.2.0.tar.gz
+ validation:
+ type: sha256
+ value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8
\ No newline at end of file
--
GitLab
From 1a1c75668aec39ff11854901c6b974274886eaa9 Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Tue, 27 Oct 2020 14:22:40 +0000
Subject: [PATCH 05/10] Update Jenkinsfile
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index fe3b45d..84a5119 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,2 +1,2 @@
 @Library('DCCSCR@master') _
-dccscrPipeline(version: "latest")
+dccscrPipeline(version: "31a3e1534c1f")
--
GitLab
From ae4ba947f7eaa4b113f6dba03f2caaaeef72eb34 Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Tue, 27 Oct 2020 14:44:55 +0000
Subject: [PATCH 06/10] Update Dockerfile
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 98c9a50..9894c72 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,8 +16,8 @@ RUN ./configure && \
 make && \
 make install && \
 rm -f /opt/musl-1.2.0.tar.gz
-#FROM kubeflow-images-public/katib/studyjob-controller:latest as base
-FROM gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325 as base
+FROM kubeflow-images-public/katib/studyjob-controller:latest as base
+#FROM gcr.io/kubeflow-images-public/katib/studyjob-controller@sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325 as base
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 LABEL org.opencontainers.image.title="Katib-studyjob-controller" \
 org.opencontainers.image.description="studyjob controller" \
--
GitLab
From 532fbc34cfc06f7fb7fcb0f356182345ed36b5a4 Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Tue, 27 Oct 2020 19:42:41 +0000
Subject: [PATCH 07/10] Update Dockerfile
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 9894c72..530266b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,6 +27,7 @@ LABEL org.opencontainers.image.title="Katib-studyjob-controller" \
 maintainer="cvernooy@oteemo.com"
 USER 0
 RUN dnf install go -y && \
+ dnf remove kernel-headers -y && \
 dnf upgrade -y && \
 dnf clean all && \
 rm -rf /var/cache/dnf
--
GitLab
From 4d4819527ea705adc33ba1cae7599bc6539eef04 Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Tue, 27 Oct 2020 20:38:49 +0000
Subject: [PATCH 08/10] Update Dockerfile
---
 Dockerfile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 530266b..33666ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,9 +26,7 @@ LABEL org.opencontainers.image.title="Katib-studyjob-controller" \
 org.opencontainers.image.version="latest" \
 maintainer="cvernooy@oteemo.com"
 USER 0
-RUN dnf install go -y && \
- dnf remove kernel-headers -y && \
- dnf upgrade -y && \
+RUN dnf upgrade -y && \
 dnf clean all && \
 rm -rf /var/cache/dnf
 COPY --from=base /app /app
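Review bot: The new `FROM kubeflow-images-public/katib/studyjob-controller:latest as base` removes the only integrity pin the Dockerfile had and hides the digest-pinned `FROM gcr.io/…@sha256:31a3e15…` behind a `#`, so the build now depends on that exact local tag having been pre-loaded from download.yaml; anywhere else the unqualified name resolves against the default registry and whatever is there lands in `/app` unchecked. If the digest form cannot be pulled in the build environment (presumably why it was reverted — the commit does not say), state that next to the FROM instead of leaving two competing lines, e.g. `# base is pre-loaded by the pipeline from download.yaml and must match sha256:31a3e1534c1f4d1feeb83c27dde5baac3ec66bf8ee7c684e2a9583b866fb8325`. Passing the reference through an `ARG` would also let the pipeline supply the digest form wherever gcr.io is reachable while keeping the fallback documented.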
@@ -38,6 +36,7 @@ RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
 RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
 RUN groupadd -r controller && useradd -r -g controller controller
 RUN chown -R controller. /app
+RUN chmod +x /app/studyjobcontroller
 WORKDIR /app
 USER controller
 ENTRYPOINT ["./studyjobcontroller"]
\ No newline at end of file
--
GitLab
From fab938f945a9fe93f232e5c55dfcb1d7a0f10aab Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Thu, 29 Oct 2020 13:50:09 +0000
Subject: [PATCH 09/10] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e8588e5..497aeaa 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# metrics-collector-2019
+# Studyjob-Controller
-stuff
\ No newline at end of file
+This is a hardened version of the upstream metrics-collector image. This is not mean for solo deployment, Anno team has automation to deploy this in place of the upstream container. No helm chart or deployment instructions will be included for this container
\ No newline at end of file
--
GitLab
From c4ea2f44db2b234855efb698250118dc0e7502c4 Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Thu, 29 Oct 2020 13:53:46 +0000
Subject: [PATCH 10/10] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 497aeaa..b087fe4 100644
--- a/README.md
+++ b/README.md
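Review bot: `RUN chmod +x /app/studyjobcontroller` lands right after `chown -R controller. /app`, so the runtime user owns, and can therefore overwrite, its own executable and the rest of `/app`; a compromised controller in a writable container could persist by rewriting the binary. Unless the controller writes under `/app` at runtime (nothing here shows that — confirm), keep the tree root-owned and only readable/executable for the service account: `RUN chown -R root:controller /app && chmod 0750 /app/studyjobcontroller` (this also replaces the deprecated `controller.` spelling with `user:group`). A fixed numeric identity is worth adding in the same pass, e.g. `useradd -r -u 1001 -g controller controller` and `USER 1001`, because a `runAsNonRoot` admission check cannot verify a name-only `USER controller` against the image.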
@@ -1,3 +1,3 @@
 # Studyjob-Controller
-This is a hardened version of the upstream metrics-collector image. This is not mean for solo deployment, Anno team has automation to deploy this in place of the upstream container. No helm chart or deployment instructions will be included for this container
\ No newline at end of file
+This is a hardened version of the upstream image. This is not mean for solo deployment, Anno team has automation to deploy this in place of the upstream container. No helm chart or deployment instructions will be included for this container
\ No newline at end of file
--
GitLab