Updated for UBI8

8f8f7116 · jonathan.janos@mongodb.com · fe6770d7 · 8f8f7116 · 8f8f7116 · 8f8f7116
Commit 8f8f7116 authored Jan 22, 2021 by jonathan.janos@mongodb.com
Hide whitespace changes
Inline Side-by-side

Showing with 98 additions and 50 deletions

Dockerfile Dockerfile +39 -47

README.md README.md +3 -3

hardening_manifest.yaml hardening_manifest.yaml +56 -0

No files found.
--- a/Dockerfile
+++ b/Dockerfile
+#
+# Base Template Dockerfile for Database Image.
+#
 ARG BASE_REGISTRY=registry1.dsop.io
-ARG BASE_IMAGE=redhat/ubi/ubi7
-ARG BASE_TAG=7.8
-
+ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_TAG=8.2
+FROM quay.io/mongodb/mongodb-enterprise-database:1.5.3 as official
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-
-ARG RELEASE=1.5.3
-ARG TARBALL=mongodb-enterprise-operator-binaries-release-${RELEASE}.tar.gz
-
 ENV MMS_HOME /mongodb-automation
 ENV MMS_LOG_DIR /var/log/mongodb-mms-automation
-ENV MDB_DIR /var/lib/mongodb-mms-automation/downloads
-
-ARG MDB_URL
-ARG BINARY_NAME
-ARG AA_DOWNLOAD_URL
-ARG AA_VERSION
-
 LABEL name="MongoDB Enterprise Database" \
      version="1.5.3" \
      summary="MongoDB Enterprise Database Image" \
@@ -23,48 +15,48 @@ LABEL name="MongoDB Enterprise Database" \
      vendor="MongoDB" \
      release="1" \
      maintainer="support@mongodb.com"
-
 COPY LICENSE /licenses/mongodb-enterprise-database
-
-RUN yum update -y && yum install \
-        libpcap \
+RUN yum update -y && rm -rf /var/cache/yum \
+        # these are the packages needed for the agent
+        &&  yum install -y --disableplugin=subscription-manager \
+            hostname \
+            nss_wrapper --exclude perl-IO-Socket-SSL \
+            procps \
+        # these are the packages needed for MongoDB
+        # (https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-red-hat-tarball/ "RHEL/CentOS 8" tab)
+        && yum install -y --disableplugin=subscription-manager \
+        cyrus-sasl \
+        cyrus-sasl-gssapi \
+        cyrus-sasl-plain \
+        krb5-libs \
+        libcurl \
        lm_sensors-libs \
        net-snmp \
        net-snmp-agent-libs \
-        rpm-libs \
-        tcp_wrappers-libs \
-        nss_wrapper; \
-        yum clean all; \
-        ln -s /usr/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
-
-# TODO: remove once database is using init container
-COPY scripts/ "${MMS_HOME}"/files/
-
-# Copy readinessprobe and set the required permissions
-WORKDIR /opt
-COPY ${TARBALL} .
-RUN tar -zxf ./${TARBALL} \
-    && mv ./readinessprobe "${MMS_HOME}"/files/ \
-    && rm -rfv /opt/* /var/cache/yum \
-    && mkdir -p "${MMS_LOG_DIR}" \
-    && chmod 0775 "${MMS_LOG_DIR}" \
-    && mkdir -p /var/lib/mongodb-mms-automation \
-    && chmod 0775 /var/lib/mongodb-mms-automation \
-    && mkdir -p /data \
-    && chmod 0775 /data \
-    && mkdir -p /journal \
-    && chmod 0775 /journal \
-    && chmod -R 0775 "${MMS_HOME}"
-
+        openldap \
+        openssl \
+        jq \
+        # mongodb enterprise expects this library /usr/lib64/libsasl2.so.2 but
+        # cyrus-sasl creates it in /usr/lib64/libsasl2.so.3 instead
+        && ln -s /usr/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
+# Copy all the required scripts from the official database image
+COPY --from=official "${MMS_HOME}" ${MMS_HOME}/
+# Set the required perms
+RUN    mkdir -p "${MMS_LOG_DIR}" \
+        && chmod 0775 "${MMS_LOG_DIR}" \
+        && mkdir -p /var/lib/mongodb-mms-automation \
+        && chmod 0775 /var/lib/mongodb-mms-automation \
+        && mkdir -p /data \
+        && chmod 0775 /data \
+        && mkdir -p /journal \
+        && chmod 0775 /journal \
+        && mkdir -p "${MMS_HOME}" \
+        && chmod -R 0775 "${MMS_HOME}"
 # USER needs to be set for this image to pass RedHat verification. Some customers have these requirements as well
 # It does not matter what number it is, as long as it is set to something.
 # However, OpenShift will run the container as a random user,
 # and the number in this configuration is not relevant.
 USER 2000
-
-# TODO: make entrypoint be a sleep infinity once MDB is using init container
 ENTRYPOINT ["/mongodb-automation/files/agent-launcher.sh"]
-
-# TODO: switch this to actually run the probe
 HEALTHCHECK --timeout=30s CMD ls "${MMS_HOME}"/files/probe.sh || exit 1

--- a/README.md
+++ b/README.md
@@ -7,9 +7,9 @@

 For licensing and technical information, please use the following contact information:

-Anton Hoffman, EAE USAF  
-781-996-8860  
-anton.hoffman@mongodb.com  
+Keegan Wetzel, EAE USAF  
+708-256-7904  
+keegan.wetzel@mongodb.com  
 Please also CC: publicsector@mongodb.com



--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "mongodb/mongodb-enterprise/mongodb-enterprise-database"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "1.5.3"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.2"
+
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "mongodb-enterprise-database"
+  ## Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Base Database Image used in conjunction with MongoDB Enterprise Kubernetes Operator"
+  ## License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "license"
+  ## URL to find more information on the image
+  org.opencontainers.image.url: "https://docs.mongodb.com/kubernetes-operator/stable/"
+  ## Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "MongoDB"
+  org.opencontainers.image.version: "1.5.3"
+  ## Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "mongodb,nosql,json,database"
+  ## This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  ## Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "mongodb-enterprise"
+
+# List of resources to make available to the offline build context
+resources:
+- tag: quay.io/mongodb/mongodb-enterprise-database:1.5.3
+  url: docker://quay.io/mongodb/mongodb-enterprise-database@sha256:28abb642c1d1f37ecf6b96ea8c6c7f7d0f51f8ba4c7b2e31ffdf667412d4c552
+
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+- email: "jonathan.janos@mongodb.com"
+  # The name of the current container owner
+  name: "Jonathan Janos"
+  # The gitlab username of the current container owner
+  username: "jonathan.janos"
+#   cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
+# - name: "FIXME"
+#   username: "FIXME"
+#   email: "FIXME"
+