diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..2b3cdbe51b3aaf5a1e5d2d4a73f9c7a6c05faf2f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+history.txt
+Dockerfile.*
+musl-1.2.0.tar.gz
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..e59946b2ec151a47ecea93ceab599660d23ca0d1
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,32 @@
+# Build the intermediate container
+ARG BASE_REGISTRY=registry1.dsop.io/ironbank/redhat/ubi
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.3
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
+USER 0
+RUN dnf install make gcc -y
+WORKDIR /opt
+COPY musl-1.2.0.tar.gz .
+RUN mkdir -p /usr/local/src/musl && \
+ tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
+WORKDIR /usr/local/src/musl
+RUN ./configure && \
+ make && \
+ make install && \
+ rm -f /opt/musl-1.2.0.tar.gz
+FROM mpioperator/mpi-operator:0.1.0 AS base
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+RUN dnf upgrade -y && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+USER 0
+COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
+COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+COPY --from=base /bin/mpi-operator /bin/mpi-operator
+RUN chmod +x /bin/mpi-operator
+RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
+RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
+RUN groupadd -r kf && useradd -r -g kf kf
+USER kf
+ENTRYPOINT [ "/bin/mpi-operator" ]
+CMD ["--help"]
diff --git a/LICENSE b/LICENSE
index 56ebeef871eb6352678dbe6ec97f8b8208a03430..dbd71b15daa2713eb3960947404437136d46e9bc 100644
--- a/LICENSE
+++ b/LICENSE
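Review bot: `FROM mpioperator/mpi-operator:0.1.0 AS base` selects the upstream image by a mutable tag, so the `/bin/mpi-operator` that `COPY --from=base` places into the hardened image is whatever that tag resolves to at build time, while hardening_manifest.yaml in this same commit already pins that image to `sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f`; either reference the digest here (`FROM mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f AS base`) or, if the offline pipeline must see the tag, add a comment above the line stating that the tag is resolved from the digest-pinned manifest resource. `RUN chmod +x /bin/mpi-operator` is presumably redundant, since the upstream image already executes that binary, though it is harmless. The two `find / -path /proc -prune -o -perm /4000|/2000` lines are the most security-relevant part of the stage and deserve a why-comment, e.g. `# Strip setuid/setgid bits so nothing left in the image can escalate from the unprivileged kf user`.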
@@ -178,7 +178,11 @@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following
+<<<<<<< HEAD
+ boilerplate notice, with the fields enclosed by brackets "[]"
+=======
 boilerplate notice, with the fields enclosed by brackets "{}"
+>>>>>>> master
 replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a
@@ -186,7 +190,11 @@ same "printed page" as the copyright notice for easier identification within third-party archives.
+<<<<<<< HEAD
+ Copyright [yyyy] [name of copyright owner]
+=======
 Copyright 2020 Ironbank Containers / Kubeflow
+>>>>>>> master
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
@@ -198,4 +206,8 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
+<<<<<<< HEAD
 limitations under the License.
+=======
+ limitations under the License.
+>>>>>>> master
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..7892eae9315bd1193b1de0dd24260eeacc54d8fd
--- /dev/null
+++ b/Makefile
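Review bot: All three LICENSE hunks (`@@ -178`, `@@ -186`, `@@ -198`) commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) into the license text, so the file now carries both the template placeholder `Copyright [yyyy] [name of copyright owner]` and the filled-in `Copyright 2020 Ironbank Containers / Kubeflow` line. Resolve each conflict to the intended side — presumably the `master` lines, which hold the completed notice — and remove the markers so the distributed license is well-formed. A check such as `git diff --check` before committing flags leftover conflict markers.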
@@ -0,0 +1,46 @@
+.PHONY: history
+
+ORIGINAL=mpioperator/mpi-operator:0.1.0
+HARDENED=mpioperator-hardened
+
+run-original:
+ docker run --rm \
+ ${ORIGINAL}
+ /bin/bash
+
+run-original-it:
+ docker run -it \
+ ${ORIGINAL} \
+ /bin/bash
+
+history:
+ docker history --format "{{.CreatedBy}}" \
+ ${ORIGINAL} \
+ --no-trunc | tac | tee history.txt
+
+pull:
+ docker pull mpioperator/mpi-operator:0.1.0
+
+
+build: pull
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
+ docker build --no-cache \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+# Build fast
+fast:
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
+ docker build \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+run:
+ docker run --rm \
+ ${HARDENED}
+
+run-it:
+ docker run -it --rm \
+ ${HARDENED} /bin/bash
+
+all: pull fast run
\ No newline at end of file
diff --git a/README.md b/README.md
index 2a45faf9251a637463d2e24c7222ef8084d7a26a..9637c93a925b3242c24f85a16a5d675c27b643e5 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,6 @@
 # mpi-operator-0.1.0
+To test, run `make build` then `make run`.
+
+To compare to unhardened container, run `make run-original`
+
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6f42eba983d10ac61aac2cf1a8106d6194450f28
--- /dev/null
+++ b/hardening_manifest.yaml
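Review bot: In `run-original` the `${ORIGINAL}` line has no trailing backslash (the hunk's 46-line count confirms `/bin/bash` is its own line), so `/bin/bash` is a separate recipe line that starts a shell on the host after the container run ends, rather than inside the container as `run-original-it` does; it should read `${ORIGINAL} \`. The `curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz` in `build` and `fast` verifies nothing, although hardening_manifest.yaml in this commit carries the tarball's sha256, so a follow-up line such as `echo "c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8  musl-1.2.0.tar.gz" | sha256sum -c -` would pin the download, and `pull` should use `${ORIGINAL}` (or the `@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f` digest from the manifest) instead of repeating the literal tag. Only `history` is declared `.PHONY`; `pull`, `build`, `fast`, `run`, `run-it`, `run-original`, `run-original-it` and `all` are commands as well, and a stray file named `build` would silently make that target up to date.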
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "kubeflow/mpi-operator-0.1.0"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "0.1.0"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/ubi/ubi8"
+ BASE_TAG: "8.3"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "mpi-operator-0.1.0"
+ ## Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "kubeflow mpi-operator 0.1.0 container based off UBI 8"
+ ## License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "apache-2.0"
+ ## URL to find more information on the image
+ org.opencontainers.image.url: "hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ ## Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "kubeflow"
+ org.opencontainers.image.version: "v0.1.0"
+ ## Keywords to help with search (ex.
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "kubeflow,mpi-operator" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + ## Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "kubeflow" + +# List of resources to make available to the offline build context +resources: + - url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" + tag: "mpioperator/mpi-operator:0.1.0" + - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" + filename: musl-1.2.0.tar.gz + validation: + type: sha256 + value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "cvernooy@oteemo.com" + name: "Christopher Vernooy" + username: "cvernooy" + cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +- name: "Christopher Vernooy" + username: "cvernooy" + email: "cvernooy@oteemo.com"