diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..2b3cdbe51b3aaf5a1e5d2d4a73f9c7a6c05faf2f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+history.txt
+Dockerfile.*
+musl-1.2.0.tar.gz
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..43a7092131dfd4076064ec54433404f99380df9a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,38 @@
+# Build the intermediate container
+ARG BASE_REGISTRY=registry1.dsop.io/ironbank/redhat/ubi
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.3
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
+USER 0
+RUN dnf install make gcc -y
+WORKDIR /opt
+COPY musl-1.2.0.tar.gz .
+RUN mkdir -p /usr/local/src/musl && \
+ tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
+WORKDIR /usr/local/src/musl
+RUN ./configure && \
+ make && \
+ make install && \
+ rm -f /opt/musl-1.2.0.tar.gz
+FROM mpioperator/mpi-operator:0.1.0 AS base
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+LABEL org.opencontainers.image.title="mpi-operator" \
+ org.opencontainers.image.description="mpi-operator 0.1.0 container based off UBI 8" \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.url="hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" \
+ org.opencontainers.image.version="0.1.0" \
+ maintainer="karol.stolarski@annoai.com"
+RUN dnf upgrade -y && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+USER 0
+COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
+COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+COPY --from=base /bin/mpi-operator /bin/mpi-operator
+RUN chmod +x /bin/mpi-operator
+RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
+RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
+RUN groupadd -r kf && useradd -r -g kf kf
+USER kf
+ENTRYPOINT [ "/bin/mpi-operator" ]
+CMD ["--help"]
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000000000000000000000000000000000000..4a594bf051b51f50c3427886763f34345efa6c4e
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSCR@master') _
+dccscrPipeline(version: '0.1.0')
diff --git a/LICENSE b/LICENSE
index 56ebeef871eb6352678dbe6ec97f8b8208a03430..dbd71b15daa2713eb3960947404437136d46e9bc 100644
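Review bot: Neither of the two untrusted inputs this image is assembled from is pinned or verified inside the build: `COPY musl-1.2.0.tar.gz .` is unpacked and installed without a checksum check, and `FROM mpioperator/mpi-operator:0.1.0 AS base` pulls the operator binary by a mutable tag, even though download.yaml in the same commit already declares a sha256 for the tarball and a digest for the image. The Iron Bank pipeline may validate download.yaml on its side, but a local `make build` goes straight through this Dockerfile with whatever `curl` fetched. Verifying the tarball before it is extracted, `RUN echo "c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8  /opt/musl-1.2.0.tar.gz" | sha256sum -c -`, and pulling the operator by digest, `FROM mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f AS base`, makes the build reproducible from values the commit already carries. The second `USER 0` after the `dnf upgrade` step is a no-op since that stage is still root there, so it could be dropped for clarity.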
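Review bot: `@Library('DCCSCR@master') _` loads the shared pipeline library from a moving branch, so whatever is pushed to that branch runs with this job's credentials at the next build without any change being reviewed here. Pinning to a tag or commit, e.g. `@Library('DCCSCR@<tag>') _`, and bumping it on purpose keeps the pipeline reproducible; if the hardening pipeline requires the `master` reference, a one-line comment saying so would stop the next reader from pinning it.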
--- a/LICENSE +++ b/LICENSE @@ -178,7 +178,11 @@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following +<<<<<<< HEAD + boilerplate notice, with the fields enclosed by brackets "[]" +======= boilerplate notice, with the fields enclosed by brackets "{}" +>>>>>>> master replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a @@ -186,7 +190,11 @@ same "printed page" as the copyright notice for easier identification within third-party archives. +<<<<<<< HEAD + Copyright [yyyy] [name of copyright owner] +======= Copyright 2020 Ironbank Containers / Kubeflow +>>>>>>> master Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -198,4 +206,8 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and +<<<<<<< HEAD limitations under the License. +======= + limitations under the License. +>>>>>>> master diff --git a/Makefile b/Makefile new file mode 100644 index 0000000000000000000000000000000000000000..7892eae9315bd1193b1de0dd24260eeacc54d8fd --- /dev/null +++ b/Makefile 
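Review bot: All three hunks commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) into LICENSE, so the shipped file is not a valid Apache-2.0 text and contradicts the `org.opencontainers.image.licenses="Apache-2.0"` label set in the Dockerfile. The `master` side, carrying `Copyright 2020 Ironbank Containers / Kubeflow` and the `"{}"` placeholder, looks like the intended one; keep one side, drop the markers and re-check the file before merging.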
@@ -0,0 +1,46 @@
+.PHONY: history
+
+ORIGINAL=mpioperator/mpi-operator:0.1.0
+HARDENED=mpioperator-hardened
+
+run-original:
+ docker run --rm \
+ ${ORIGINAL}
+ /bin/bash
+
+run-original-it:
+ docker run -it \
+ ${ORIGINAL} \
+ /bin/bash
+
+history:
+ docker history --format "{{.CreatedBy}}" \
+ ${ORIGINAL} \
+ --no-trunc | tac | tee history.txt
+
+pull:
+ docker pull mpioperator/mpi-operator:0.1.0
+
+
+build: pull
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
+ docker build --no-cache \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+# Build fast
+fast:
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
+ docker build \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+run:
+ docker run --rm \
+ ${HARDENED}
+
+run-it:
+ docker run -it --rm \
+ ${HARDENED} /bin/bash
+
+all: pull fast run
\ No newline at end of file
diff --git a/README.md b/README.md
index 2a45faf9251a637463d2e24c7222ef8084d7a26a..9637c93a925b3242c24f85a16a5d675c27b643e5 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,6 @@
 # mpi-operator-0.1.0
+To test, run `make build` then `make run`.
+
+To compare to unhardened container, run `make run-original`
+
diff --git a/download.yaml b/download.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a2f79c0e18626168f93c69a56e2797a3cd86d3eb
--- /dev/null
+++ b/download.yaml
@@ -0,0 +1,9 @@
+---
+resources:
+ - url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ tag: "mpioperator/mpi-operator:0.1.0"
+ - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
+ filename: musl-1.2.0.tar.gz
+ validation:
+ type: sha256
+ value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8
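Review bot: Both `build` and `fast` fetch the musl source with a bare `curl -O` and hand it straight to the Docker build, so a tampered or truncated download (curl without `-f` even saves an HTML error page under the tarball name) is compiled into the hardened image's libc; the sha256 that download.yaml declares for exactly this file should be checked here before `docker build` runs. Making the tarball a real file target that is fetched once and verified, as sketched below, removes the duplicated curl line and fails the build on a mismatch (`.DELETE_ON_ERROR:` keeps a bad download from surviving as an "up to date" target). Separately, `run-original` is missing the line-continuation after `${ORIGINAL}`, so `/bin/bash` runs as its own recipe line and opens an interactive shell on the host rather than in the container; it should read `${ORIGINAL} \`, as `run-original-it` already does. `pull` could also pull by the digest recorded in download.yaml instead of the `:0.1.0` tag, and the non-file targets (`build`, `fast`, `run`, `pull`, ...) belong in `.PHONY` alongside `history`.
```make
MUSL_SHA256 := c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8
.DELETE_ON_ERROR:

# Fetch the musl tarball once and refuse to continue unless it matches the
# checksum declared in download.yaml.
musl-1.2.0.tar.gz:
	curl -fsSLO https://musl.libc.org/releases/musl-1.2.0.tar.gz
	echo "$(MUSL_SHA256)  $@" | sha256sum -c -

build: pull musl-1.2.0.tar.gz
	docker build --no-cache \
	  --build-arg BASE_REGISTRY="registry.access.redhat.com" \
	  -t ${HARDENED} .
# … unchanged: fast gets the same musl-1.2.0.tar.gz prerequisite and drops its curl line …
```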