From 2af52f90e814c576674ed963a1d8552db72d892b Mon Sep 17 00:00:00 2001 From: Karol Stolarski Date: Mon, 2 Nov 2020 16:48:46 -0600 Subject: [PATCH 01/10] First commit --- .gitignore | 3 +++ Dockerfile | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++ Jenkinsfile | 2 ++ LICENSE | 12 ++++++++++++ Makefile | 38 +++++++++++++++++++++++++++++++++++++ download.yaml | 9 +++++++++ 6 files changed, 116 insertions(+) create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 Jenkinsfile create mode 100644 Makefile create mode 100644 download.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2b3cdbe --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +history.txt +Dockerfile.* +musl-1.2.0.tar.gz \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..20fb92a --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,52 @@
+# Build the intermediate container
+ARG BASE_REGISTRY=registry1.dsop.io/ironbank/redhat/ubi
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.2
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
+USER 0
+RUN dnf install make gcc -y && \
+ dnf upgrade -y && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+WORKDIR /opt
+COPY musl-1.2.0.tar.gz .
+
+RUN mkdir -p /usr/local/src/musl && \
+ tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
+WORKDIR /usr/local/src/musl
+RUN ./configure && \
+ make && \
+ make install && \
+ rm -f /opt/musl-1.2.0.tar.gz
+FROM mpioperator/mpi-operator:0.1.0 AS base
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# Label
+LABEL org.opencontainers.image.title="mpi-operator" \
+ org.opencontainers.image.description="mpi-operator 0.1.0 container based off UBI 8" \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.url="hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" \
+ org.opencontainers.image.version="0.1.0" \
+ maintainer="karol.stolarski@annoai.com"
+RUN dnf upgrade -y && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+USER 0
+
+RUN mkdir -p /app
+COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
+COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+COPY --from=base /bin/mpi-operator /app
+
+RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
+RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
+RUN groupadd -r kf && useradd -r -g kf kf
+
+RUN chown -R kf /app
+WORKDIR /app
+
+USER kf
+
+ENTRYPOINT [ "./mpi-operator" ]
+CMD ["--help"]
+HEALTHCHECK CMD ps | grep mpi-operator | grep -v grep
\ No newline at end of file
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..4a594bf
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSCR@master') _
+dccscrPipeline(version: '0.1.0')
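Review bot: `FROM mpioperator/mpi-operator:0.1.0 AS base` together with `COPY --from=base /bin/mpi-operator /app` lifts the operator binary out of a Docker Hub image addressed only by a mutable tag, while download.yaml in this same commit records that image's sha256 digest; any build that does not first retag the digest-pulled resource (the Makefile targets pull by tag) gets whatever the tag resolves to at build time. If the builder allows it, address the digest in the Dockerfile, `FROM mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f AS base`, otherwise add a comment above the line stating that the tag is expected to be the digest-pinned resource from download.yaml. `useradd -r -g kf kf` followed by `USER kf` also leaves the UID unspecified, so a Kubernetes `runAsNonRoot: true` policy cannot verify the user from the image and the kubelet rejects the pod unless `runAsUser` is set as well; `useradd -r -g kf -u 10001 kf` and `USER 10001` avoid that. The `HEALTHCHECK` only tests that a process named mpi-operator exists, which is PID 1 here, so it cannot report a wedged operator, and it depends on `ps` being present in the UBI base.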
diff --git a/LICENSE b/LICENSE index 56ebeef..dbd71b1 100644 --- a/LICENSE +++ b/LICENSE @@ -178,7 +178,11 @@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following +<<<<<<< HEAD + boilerplate notice, with the fields enclosed by brackets "[]" +======= boilerplate notice, with the fields enclosed by brackets "{}" +>>>>>>> master replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a @@ -186,7 +190,11 @@ same "printed page" as the copyright notice for easier identification within third-party archives. +<<<<<<< HEAD + Copyright [yyyy] [name of copyright owner] +======= Copyright 2020 Ironbank Containers / Kubeflow +>>>>>>> master Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -198,4 +206,8 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and +<<<<<<< HEAD limitations under the License. +======= + limitations under the License. +>>>>>>> master diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c12b31f --- /dev/null +++ b/Makefile 
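Review bot: All three hunks commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) into LICENSE, so the file now carries both the unfilled Apache template (`Copyright [yyyy] [name of copyright owner]`, brackets `"[]"`) and the filled-in notice from master. Resolve the conflict by keeping one side, presumably the master text with `Copyright 2020 Ironbank Containers / Kubeflow`, and delete the marker lines; a LICENSE with conflict markers is likely to confuse license scanners and anyone reading the notice.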
@@ -0,0 +1,38 @@
+.PHONY: history
+
+ORIGINAL=mpioperator/mpi-operator:0.1.0
+HARDENED=mpioperator-hardened
+
+run-original:
+ docker run --rm \
+ ${ORIGINAL}
+ /bin/bash
+
+run-original-it:
+ docker run -it \
+ ${ORIGINAL} \
+ /bin/bash
+
+history:
+ docker history --format "{{.CreatedBy}}" \
+ ${ORIGINAL} \
+ --no-trunc | tac | tee history.txt
+
+build:
+ docker build --no-cache \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+# Build fast
+fast:
+ docker build \
+ --build-arg BASE_REGISTRY="registry.access.redhat.com" \
+ -t ${HARDENED} .
+
+run:
+ docker run --rm \
+ ${HARDENED}
+
+run-it:
+ docker run -it --rm \
+ ${HARDENED} /bin/bash
\ No newline at end of file
diff --git a/download.yaml b/download.yaml
new file mode 100644
index 0000000..78e6108
--- /dev/null
+++ b/download.yaml
@@ -0,0 +1,9 @@
+---
+resources:
+ - url: "docker://hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"
+ tag: "mpioperator/mpi-operator:0.1.0"
+ - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz"
+ filename: musl-1.2.0.tar.gz
+ validation:
+ type: sha256
+ value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8
-- GitLab From a4a2125de3d8a150c36d1acf41da5438f88229ec Mon Sep 17 00:00:00 2001 From: Karol Stolarski Date: Wed, 4 Nov 2020 14:00:11 -0600 Subject: [PATCH 02/10] Updated dockefile --- Dockerfile | 1 + 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 20fb92a..3c203c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,7 @@ RUN dnf upgrade -y && \
 USER 0

 RUN mkdir -p /app
+
 COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
 COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
 COPY --from=base /bin/mpi-operator /app
-- GitLab From 8dd92d31007f0ea8f854619f029fe3311d099a15 Mon Sep 17 00:00:00 2001 
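Review bot: In `run-original` the recipe line `${ORIGINAL}` has no trailing `\`, so `docker run --rm mpioperator/mpi-operator:0.1.0` runs with no command and the next recipe line `/bin/bash` is executed by make as a separate command on the host, opening a shell on the developer machine (or hanging a CI job) instead of inside the container. The sibling `run-original-it` target gets it right; the fix is to make that line `${ORIGINAL} \` so `/bin/bash` becomes the container command. Only `history` is declared `.PHONY`, so a file named `build`, `run` or `fast` in the checkout would silently satisfy those targets; listing all targets in `.PHONY` avoids that.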
From: Karol Stolarski Date: Wed, 4 Nov 2020 15:24:23 -0600 Subject: [PATCH 03/10] Fixed download.yaml --- download.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/download.yaml b/download.yaml index 78e6108..c9affdb 100644 --- a/download.yaml +++ b/download.yaml @@ -1,6 +1,6 @@ --- resources: - - url: "docker://hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" + - url: "docker://docker.io/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" tag: "mpioperator/mpi-operator:0.1.0" - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" filename: musl-1.2.0.tar.gz -- GitLab From 1d7430254c1694589700eb8ee9641bbc1394c112 Mon Sep 17 00:00:00 2001 From: Karol Stolarski Date: Wed, 4 Nov 2020 16:56:51 -0600 Subject: [PATCH 04/10] Fixed download.yaml again --- download.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/download.yaml b/download.yaml index c9affdb..1e65c63 100644 --- a/download.yaml +++ b/download.yaml @@ -1,6 +1,6 @@ --- resources: - - url: "docker://docker.io/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" + - url: "docker://docker.io/mpioperator/mpi-operator@sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" tag: "mpioperator/mpi-operator:0.1.0" - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" filename: musl-1.2.0.tar.gz -- GitLab From 5d104df373790ec789e2f8b7e36524beca38c42b Mon Sep 17 00:00:00 2001 From: Karol Stolarski Date: Tue, 10 Nov 2020 14:39:46 -0600 Subject: [PATCH 05/10] Updated to 8.3 --- Dockerfile | 2 +- Makefile | 12 ++++++++++-- README.md | 4 ++++ 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3c203c0..20ea033 100644 --- a/Dockerfile +++ b/Dockerfile 
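Review bot: The new resource URL `docker://docker.io/mpioperator/mpi-operator@sha256-bb394f8a…` puts a dash after `sha256`, but an image digest reference is written `name@sha256:<hex>` with a colon, so a tool that parses this as an image reference will reject it or fall back to the tag; the line should read `url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f"`. The dash form only appears in Docker Hub web page URLs, which is presumably where it was copied from.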
@@ -1,7 +1,7 @@
 # Build the intermediate container
 ARG BASE_REGISTRY=registry1.dsop.io/ironbank/redhat/ubi
 ARG BASE_IMAGE=ubi8
-ARG BASE_TAG=8.2
+ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
 USER 0
 RUN dnf install make gcc -y && \
diff --git a/Makefile b/Makefile
index c12b31f..7892eae 100644
--- a/Makefile
+++ b/Makefile
@@ -18,13 +18,19 @@ history:
 ${ORIGINAL} \
 --no-trunc | tac | tee history.txt

-build:
+pull:
+ docker pull mpioperator/mpi-operator:0.1.0
+
+
+build: pull
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
 docker build --no-cache \
 --build-arg BASE_REGISTRY="registry.access.redhat.com" \
 -t ${HARDENED} .

 # Build fast
 fast:
+ curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz
 docker build \
 --build-arg BASE_REGISTRY="registry.access.redhat.com" \
 -t ${HARDENED} .
@@ -35,4 +41,6 @@ run:

 run-it:
 docker run -it --rm \
- ${HARDENED} /bin/bash
\ No newline at end of file
+ ${HARDENED} /bin/bash
+
+all: pull fast run
\ No newline at end of file
diff --git a/README.md b/README.md
index 2a45faf..9637c93 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,6 @@ # mpi-operator-0.1.0 +To test, run `make build` then `make run`. + +To compare to unhardened container, run `make run-original` + -- GitLab From 5bcd6ce9a8b0c773dd1a39ccd4495b4a14de9965 Mon Sep 17 00:00:00 2001 From: cvernooy Date: Mon, 16 Nov 2020 21:31:15 +0000 Subject: [PATCH 06/10] Update Dockerfile --- Dockerfile | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 20ea033..43a7092 100644
--- a/Dockerfile
+++ b/Dockerfile
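Review bot: `curl -O https://musl.libc.org/releases/musl-1.2.0.tar.gz` in the `build` and `fast` recipes fetches the tarball without checking it against the sha256 that download.yaml already pins, and without `-f`, so an HTTP error page gets saved as musl-1.2.0.tar.gz and the Dockerfile's `tar -zxf` fails later with a confusing message, while a tampered tarball would build without complaint. Use `curl -fsSLO https://musl.libc.org/releases/musl-1.2.0.tar.gz` followed by `echo "c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8  musl-1.2.0.tar.gz" | sha256sum -c -`, ideally in a single `musl-1.2.0.tar.gz:` target that both `build` and `fast` depend on rather than repeating the download. The new `pull` target likewise fetches `mpioperator/mpi-operator:0.1.0` by mutable tag instead of the digest recorded in download.yaml; pulling `mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f` and then `docker tag`-ging it as `mpioperator/mpi-operator:0.1.0` keeps the local build on the same bits the pipeline verifies.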
@@ -4,13 +4,9 @@ ARG BASE_IMAGE=ubi8
 ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
 USER 0
-RUN dnf install make gcc -y && \
- dnf upgrade -y && \
- dnf clean all && \
- rm -rf /var/cache/dnf
+RUN dnf install make gcc -y
 WORKDIR /opt
 COPY musl-1.2.0.tar.gz .
-
 RUN mkdir -p /usr/local/src/musl && \
 tar -zxf /opt/musl-1.2.0.tar.gz -C /usr/local/src/musl --strip-components=1
 WORKDIR /usr/local/src/musl
@@ -20,8 +16,6 @@ RUN ./configure && \
 rm -f /opt/musl-1.2.0.tar.gz
 FROM mpioperator/mpi-operator:0.1.0 AS base
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-
-# Label
 LABEL org.opencontainers.image.title="mpi-operator" \
 org.opencontainers.image.description="mpi-operator 0.1.0 container based off UBI 8" \
 org.opencontainers.image.licenses="Apache-2.0" \
@@ -32,22 +26,13 @@ RUN dnf upgrade -y && \
 dnf clean all && \
 rm -rf /var/cache/dnf
 USER 0
-
-RUN mkdir -p /app
-
 COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
 COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
-COPY --from=base /bin/mpi-operator /app
-
+COPY --from=base /bin/mpi-operator /bin/mpi-operator
+RUN chmod +x /bin/mpi-operator
 RUN find / -path /proc -prune -o -perm /4000 -exec chmod u-s {} \;
 RUN find / -path /proc -prune -o -perm /2000 -exec chmod g-s {} \;
 RUN groupadd -r kf && useradd -r -g kf kf
-
-RUN chown -R kf /app
-WORKDIR /app
-
 USER kf
-
-ENTRYPOINT [ "./mpi-operator" ]
+ENTRYPOINT [ "/bin/mpi-operator" ]
 CMD ["--help"]
-HEALTHCHECK CMD ps | grep mpi-operator | grep -v grep
\ No newline at end of file
-- GitLab From 043c4067203a96668e6d049e89ec0c8f5d8f2ee7 Mon Sep 17 00:00:00 2001 From: Karol Stolarski Date: Wed, 2 Dec 2020 09:51:58 -0600 Subject: [PATCH 07/10] Fixed yaml file --- download.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/download.yaml b/download.yaml
index 1e65c63..a2f79c0 100644
--- a/download.yaml
+++ b/download.yaml
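Review bot: `RUN chmod +x /bin/mpi-operator` directly after `COPY --from=base /bin/mpi-operator /bin/mpi-operator` rewrites the whole binary into an extra layer; `COPY` normally preserves the source file's mode, so if the file is already executable in the upstream image (likely, since it is that image's operator binary, but confirm) the chmod is a no-op that still duplicates the file, and if it is not, `COPY --chmod=0755 --from=base /bin/mpi-operator /bin/mpi-operator` does it in one layer where the builder supports it. The two musl `COPY` lines would benefit from a why-comment, since a musl libc and loader inside a UBI image surprises a reader; something like `# upstream mpi-operator 0.1.0 appears to be dynamically linked against musl, so ship the loader and libc built in the build stage — confirm with readelf -l /bin/mpi-operator` above them. With `WORKDIR /app` gone the process now starts in `/`, which the `kf` user cannot write to; that is fine as long as the operator writes nothing locally, and a one-line comment saying so keeps the next maintainer from re-adding a writable working directory by reflex.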
@@ -1,6 +1,6 @@ --- resources: - - url: "docker://docker.io/mpioperator/mpi-operator@sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" + - url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" tag: "mpioperator/mpi-operator:0.1.0" - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" filename: musl-1.2.0.tar.gz -- GitLab From ae997ac5c3d8fb3957da47fe006d932b5881c808 Mon Sep 17 00:00:00 2001 From: Karol Stolarski Date: Mon, 14 Dec 2020 03:38:15 -0600 Subject: [PATCH 08/10] Added hardening manifest --- hardening_manifest.yaml | 58 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 hardening_manifest.yaml diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..6f42eba --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,58 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "kubeflow/mpi-operator-0.1.0" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "0.1.0" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + org.opencontainers.image.title: "mpi-operator-0.1.0" + ## Human-readable description of the software packaged in the image + org.opencontainers.image.description: "kubeflow mpi-operator 0.1.0 container based off UBI 8" + ## License(s) under which contained software is distributed + org.opencontainers.image.licenses: "apache-2.0" + ## URL to find more information on the image + org.opencontainers.image.url: "hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" + ## Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "kubeflow" + org.opencontainers.image.version: "v0.1.0" + ## Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "kubeflow,mpi-operator" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + ## Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "kubeflow" + +# List of resources to make available to the offline build context +resources: + - url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" + tag: "mpioperator/mpi-operator:0.1.0" + - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" + filename: musl-1.2.0.tar.gz + validation: + type: sha256 + value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "cvernooy@oteemo.com" + name: "Christopher Vernooy" + username: "cvernooy" + cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +- name: "Christopher Vernooy" + username: "cvernooy" + email: "cvernooy@oteemo.com" -- GitLab From bd78bc5a33da1630b9d258741ecafa72eac17d6c Mon Sep 17 00:00:00 2001 From: cvernooy Date: Tue, 15 Dec 2020 21:04:01 +0000 Subject: [PATCH 09/10] Update Dockerfile Deleted download.yaml --- Dockerfile | 6 ------ download.yaml | 9 --------- 2 files changed, 15 deletions(-) delete mode 100644 download.yaml diff --git a/Dockerfile b/Dockerfile index 43a7092..e59946b 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -16,12 +16,6 @@ RUN ./configure && \ rm -f /opt/musl-1.2.0.tar.gz FROM mpioperator/mpi-operator:0.1.0 AS base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -LABEL org.opencontainers.image.title="mpi-operator" \ - org.opencontainers.image.description="mpi-operator 0.1.0 container based off UBI 8" \ - org.opencontainers.image.licenses="Apache-2.0" \ - org.opencontainers.image.url="hub.docker.com/layers/mpioperator/mpi-operator/0.1.0/images/sha256-bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" \ - org.opencontainers.image.version="0.1.0" \ - maintainer="karol.stolarski@annoai.com" RUN dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf diff --git a/download.yaml b/download.yaml deleted file mode 100644 index a2f79c0..0000000 --- a/download.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -resources: - - url: "docker://docker.io/mpioperator/mpi-operator@sha256:bb394f8a46650c2abd722c30b25bc771f976b603751235dfdda08a9fb786535f" - tag: "mpioperator/mpi-operator:0.1.0" - - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" - filename: musl-1.2.0.tar.gz - validation: - type: sha256 - value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 -- GitLab From b3107b39643b35a01c99d63bf2685261d4b4acbc Mon Sep 17 00:00:00 2001 From: Al Fontaine Date: Thu, 21 Jan 2021 15:07:40 +0000 Subject: [PATCH 10/10] Delete Jenkinsfile --- Jenkinsfile | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 Jenkinsfile diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 4a594bf..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: '0.1.0') -- GitLab