From 2af52f90e814c576674ed963a1d8552db72d892b Mon Sep 17 00:00:00 2001
From: Karol Stolarski
Date: Mon, 2 Nov 2020 16:48:46 -0600
Subject: [PATCH 1/7] First commit
---
 .gitignore | 3 +++
 Dockerfile | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Jenkinsfile | 2 ++
 LICENSE | 12 ++++++++++++
 Makefile | 38 +++++++++++++++++++++++++++++++++++++
 download.yaml | 9 +++++++++
 6 files changed, 116 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 Jenkinsfile
 create mode 100644 Makefile
 create mode 100644 download.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2b3cdbe
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+history.txt
+Dockerfile.*
+musl-1.2.0.tar.gz
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..20fb92a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,52 @@
+# Build the intermediate container
+ARG BASE_REGISTRY=registry1.dsop.io/ironbank/redhat/ubi
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.2
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
+USER 0
+RUN dnf install make gcc -y && \
+ dnf upgrade -y && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+WORKDIR /opt
+COPY musl-1.2.0.tar.gz .
+
+RUN mkdir -p /usr/local/src/musl && \
+ tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
+WORKDIR /usr/local/src/musl
+RUN ./configure && \
+ make && \
+ make install && \
+ rm -f /opt/musl-1.2.0.tar.gz
+FROM mpioperator/mpi-operator:0.1.0 AS base
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# Label
+LABEL org.opencontainers.image.title="mpi-operator" \
+ org.opencontainers.image.description="mpi-operator 0.1.0 container based off UBI 8" \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.url="hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" \
+ org.opencontainers.image.version="0.1.0" \
+ maintainer="karol.stolarski@annoai.com"
+RUN dnf upgrade -y && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+USER 0
+
+RUN mkdir -p /app
+COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
+COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+COPY --from=base /bin/mpi-operator /app
+
+RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
+RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
+RUN groupadd -r kf && useradd -r -g kf kf
+
+RUN chown -R kf /app
+WORKDIR /app
+
+USER kf
+
+ENTRYPOINT [ "./mpi-operator" ]
+CMD ["--help"]
+HEALTHCHECK CMD ps | grep mpi-operator | grep -v grep
\ No newline at end of file
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..4a594bf
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSCR@master') _
+dccscrPipeline(version: '0.1.0')
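Review bot: `FROM mpioperator/mpi-operator:0.1.0 AS base` pins the upstream image by a mutable tag even though download.yaml in this same commit records its digest, and since `/bin/mpi-operator` is copied straight from that stage into the hardened image, a retagged upstream would silently change the shipped binary. Pin it by digest: `FROM mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f AS base`. `RUN dnf install make gcc -y` in the build stage likewise installs unpinned package versions, so two builds from the same commit can compile musl with different toolchains. Separately, `HEALTHCHECK CMD ps | grep mpi-operator | grep -v grep` only proves a process with that name exists and depends on `ps` being present in the UBI base, which this Dockerfile does not install; if the operator exposes a health endpoint, a probe against it in exec form would be more meaningful.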
diff --git a/LICENSE b/LICENSE index 56ebeef..dbd71b1 100644 --- a/LICENSE +++ b/LICENSE @@ -178,7 +178,11 @@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following +<<<<<<< HEAD + boilerplate notice, with the fields enclosed by brackets "[]" +======= boilerplate notice, with the fields enclosed by brackets "{}" +>>>>>>> master replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a @@ -186,7 +190,11 @@ same "printed page" as the copyright notice for easier identification within third-party archives. +<<<<<<< HEAD + Copyright [yyyy] [name of copyright owner] +======= Copyright 2020 Ironbank Containers / Kubeflow +>>>>>>> master Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -198,4 +206,8 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and +<<<<<<< HEAD limitations under the License. +======= + limitations under the License. +>>>>>>> master diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c12b31f --- /dev/null +++ b/Makefile 
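Review bot: The three LICENSE hunks commit unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> master`) into the file, so the shipped license now contains both the Apache template text and the filled-in notice side by side. Resolve the conflict by keeping one side of each block — presumably the `master` side with `Copyright 2020 Ironbank Containers / Kubeflow` — and drop the marker lines.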
@@ -0,0 +1,38 @@
+.PHONY: history
+
+ORIGINAL=mpioperator/mpi-operator:0.1.0
+HARDENED=mpioperator-hardened
+
+run-original:
+ docker run --rm \
+ ${ORIGINAL}
+ /bin/bash
+
+run-original-it:
+ docker run -it \
+ ${ORIGINAL} \
+ /bin/bash
+
+history:
+ docker history --format "{{.CreatedBy}}" \
+ ${ORIGINAL} \
+ --no-trunc | tac | tee history.txt
+
+build:
+ docker build --no-cache \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+# Build fast
+fast:
+ docker build \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+run:
+ docker run --rm \
+ ${HARDENED}
+
+run-it:
+ docker run -it --rm \
+ ${HARDENED} /bin/bash
\ No newline at end of file
diff --git a/download.yaml b/download.yaml
new file mode 100644
index 0000000..78e6108
--- /dev/null
+++ b/download.yaml
@@ -0,0 +1,9 @@
+---
+resources:
+ - url: "docker://hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ tag: "mpioperator/mpi-operator:0.1.0"
+ - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
+ filename: musl-1.2.0.tar.gz
+ validation:
+ type: sha256
+ value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8
-- 
GitLab

From a4a2125de3d8a150c36d1acf41da5438f88229ec Mon Sep 17 00:00:00 2001
From: Karol Stolarski
Date: Wed, 4 Nov 2020 14:00:11 -0600
Subject: [PATCH 2/7] Updated dockefile
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 20fb92a..3c203c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,7 @@ RUN dnf upgrade -y && \
 USER 0
 
 RUN mkdir -p /app
+
 COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
 COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
 COPY --from=base /bin/mpi-operator /app
-- 
GitLab

From 8dd92d31007f0ea8f854619f029fe3311d099a15 Mon Sep 17 00:00:00 2001
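Review bot: In the `run-original` target the `${ORIGINAL}` line has no trailing backslash, so `/bin/bash` is not passed to `docker run` but executed by make as a separate recipe line on the host after the container exits; `run-original-it` just below shows the intended form. Change it to `${ORIGINAL} \` so the shell is started inside the container, and consider adding `-it` as in `run-original-it`, since a non-interactive `/bin/bash` exits immediately. `.PHONY` lists only `history`, although every target in this file is phony.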
From: Karol Stolarski
Date: Wed, 4 Nov 2020 15:24:23 -0600
Subject: [PATCH 3/7] Fixed download.yaml
---
 download.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/download.yaml b/download.yaml
index 78e6108..c9affdb 100644
--- a/download.yaml
+++ b/download.yaml
@@ -1,6 +1,6 @@
 ---
 resources:
- - url: "docker://hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ - url: "docker://docker.io/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
 tag: "mpioperator/mpi-operator:0.1.0"
 - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
 filename: musl-1.2.0.tar.gz
-- 
GitLab

From 1d7430254c1694589700eb8ee9641bbc1394c112 Mon Sep 17 00:00:00 2001
From: Karol Stolarski
Date: Wed, 4 Nov 2020 16:56:51 -0600
Subject: [PATCH 4/7] Fixed download.yaml again
---
 download.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/download.yaml b/download.yaml
index c9affdb..1e65c63 100644
--- a/download.yaml
+++ b/download.yaml
@@ -1,6 +1,6 @@
 ---
 resources:
- - url: "docker://docker.io/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ - url: "docker://docker.io/mpioperator/mpi-operator@sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
 tag: "mpioperator/mpi-operator:0.1.0"
 - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
 filename: musl-1.2.0.tar.gz
-- 
GitLab

From 5d104df373790ec789e2f8b7e36524beca38c42b Mon Sep 17 00:00:00 2001
From: Karol Stolarski
Date: Tue, 10 Nov 2020 14:39:46 -0600
Subject: [PATCH 5/7] Updated to 8.3
---
 Dockerfile | 2 +-
 Makefile | 12 ++++++++++--
 README.md | 4 ++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3c203c0..20ea033 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # Build the intermediate container
 ARG BASE_REGISTRY=registry1.dsop.io/ironbank/redhat/ubi
 ARG BASE_IMAGE=ubi8
-ARG BASE_TAG=8.2
+ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
 USER 0
 RUN dnf install make gcc -y && \
diff --git a/Makefile b/Makefile
index c12b31f..7892eae 100644
--- a/Makefile
+++ b/Makefile
@@ -18,13 +18,19 @@ history:
 ${ORIGINAL} \
 --no-trunc | tac | tee history.txt
 
-build:
+pull:
+ docker pull mpioperator/mpi-operator:0.1.0
+
+
+build: pull
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
 docker build --no-cache \
 --build-arg BASE_REGISTRY="registry.access.redhat.com" \
 -t ${HARDENED} .
 
 # Build fast
 fast:
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
 docker build \
 --build-arg BASE_REGISTRY="registry.access.redhat.com" \
 -t ${HARDENED} .
@@ -35,4 +41,6 @@ run:
 
 run-it:
 docker run -it --rm \
- ${HARDENED} /bin/bash
\ No newline at end of file
+ ${HARDENED} /bin/bash
+
+all: pull fast run
\ No newline at end of file
diff --git a/README.md b/README.md
index 2a45faf..9637c93 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,6 @@
 # mpi-operator-0.1.0
 
+To test, run `make build` then `make run`.
+
+To compare to unhardened container, run `make run-original`
+
-- 
GitLab

From 5bcd6ce9a8b0c773dd1a39ccd4495b4a14de9965 Mon Sep 17 00:00:00 2001
From: cvernooy
Date: Mon, 16 Nov 2020 21:31:15 +0000
Subject: [PATCH 6/7] Update Dockerfile
---
 Dockerfile | 23 ++++------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 20ea033..43a7092 100644
--- a/Dockerfile
+++ b/Dockerfile
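Review bot: `curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz` in the `build` target (and the copy of it in `fast`) fetches the tarball that the build stage compiles into the image without checking it against the sha256 that download.yaml already declares for this file, so a substituted or truncated download is compiled in unnoticed. Verify it right after the fetch, e.g. `echo "c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8  musl-1.2.0.tar.gz" | sha256sum -c -`, and use `curl -fsSLO` so an HTTP error fails the target instead of saving an error page under the tarball's name. The `pull` target likewise pulls `mpioperator/mpi-operator:0.1.0` by tag rather than by the digest download.yaml records, and `fast` does not depend on `pull` even though `build` does.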
@@ -4,13 +4,9 @@ ARG BASE_IMAGE=ubi8
 ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
 USER 0
-RUN dnf install make gcc -y && \
- dnf upgrade -y && \
- dnf clean all && \
- rm -rf /var/cache/dnf
+RUN dnf install make gcc -y
 WORKDIR /opt
 COPY musl-1.2.0.tar.gz .
-
 RUN mkdir -p /usr/local/src/musl && \
 tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
 WORKDIR /usr/local/src/musl
@@ -20,8 +16,6 @@ RUN ./configure && \
 rm -f /opt/musl-1.2.0.tar.gz
 FROM mpioperator/mpi-operator:0.1.0 AS base
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-
-# Label
 LABEL org.opencontainers.image.title="mpi-operator" \
 org.opencontainers.image.description="mpi-operator 0.1.0 container based off UBI 8" \
 org.opencontainers.image.licenses="Apache-2.0" \
@@ -32,22 +26,13 @@ RUN dnf upgrade -y && \
 dnf clean all && \
 rm -rf /var/cache/dnf
 USER 0
-
-RUN mkdir -p /app
-
 COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
 COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
-COPY --from=base /bin/mpi-operator /app
-
+COPY --from=base /bin/mpi-operator /bin/mpi-operator
+RUN chmod +x /bin/mpi-operator
 RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
 RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
 RUN groupadd -r kf && useradd -r -g kf kf
-
-RUN chown -R kf /app
-WORKDIR /app
-
 USER kf
-
-ENTRYPOINT [ "./mpi-operator" ]
+ENTRYPOINT [ "/bin/mpi-operator" ]
 CMD ["--help"]
-HEALTHCHECK CMD ps | grep mpi-operator | grep -v grep
\ No newline at end of file
-- 
GitLab

From 043c4067203a96668e6d049e89ec0c8f5d8f2ee7 Mon Sep 17 00:00:00 2001
From: Karol Stolarski
Date: Wed, 2 Dec 2020 09:51:58 -0600
Subject: [PATCH 7/7] Fixed yaml file
---
 download.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/download.yaml b/download.yaml
index 1e65c63..a2f79c0 100644
--- a/download.yaml
+++ b/download.yaml
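Review bot: `RUN chmod +x /bin/mpi-operator` in the third hunk re-stores the whole binary in a new layer just to flip a mode bit; the permission can be set in the copy itself with `COPY --from=base --chmod=0755 /bin/mpi-operator /bin/mpi-operator` (BuildKit, Dockerfile syntax 1.2 or later — add `# syntax=docker/dockerfile:1` at the top if the pipeline does not already build with BuildKit, which I cannot tell from the Jenkinsfile). Dropping `dnf clean all` from the build stage in the first hunk is harmless since that stage is discarded, but removing the HEALTHCHECK leaves the final image with no liveness probe at all; if the operator exposes a health endpoint, an exec-form probe against it would be worth adding back.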
@@ -1,6 +1,6 @@
 ---
 resources:
- - url: "docker://docker.io/mpioperator/mpi-operator@sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ - url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
 tag: "mpioperator/mpi-operator:0.1.0"
 - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
 filename: musl-1.2.0.tar.gz
-- 
GitLab