From 3cea7c148e91ae46288c97b78ded8e64525d5871 Mon Sep 17 00:00:00 2001 From: Casey Spicer Date: Wed, 12 May 2021 19:09:55 +0000 Subject: [PATCH] Beta-Testing to Development Branch --- Dockerfile | 47 ++++++++++ LICENSE | 47 ++++++++++ README.md | 125 +++++++++++++++++++++++++- examples/Jenkinsfile | 8 ++ hardening_manifest.yaml | 58 ++++++++++++ resources/hardening_manifest.yaml.old | 58 ++++++++++++ 6 files changed, 342 insertions(+), 1 deletion(-) create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 examples/Jenkinsfile create mode 100644 hardening_manifest.yaml create mode 100644 resources/hardening_manifest.yaml.old diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..fb84b4e --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,47 @@
+ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
+ARG BASE_IMAGE=redhat/openjdk/openjdk11
+ARG BASE_TAG=1.11
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+USER root
+
+ARG TARBALL=jenkinsfile-runner-dependencies-dcar-1.8
+ENV JENKINS_UC https://updates.jenkins.io
+ENV CASC_JENKINS_CONFIG /usr/share/jenkins/ref/casc
+ENV PLUGINS /app/plugins.txt
+ENV JENKINSFILE_PATH ""
+ARG JENKINS_HOME=/var/jenkins_home
+ARG TMP_DIR=/var/groovy-tmpdir
+ARG user=jenkins
+ARG group=jenkins
+ARG uid=1000
+ARG gid=1000
+
+COPY LICENSE /licenses
+COPY ${TARBALL}.tar.gz /tmp/${TARBALL}.tar.gz
+
+RUN INSTALL_PKGS="git" && \
+ yum -y update-minimal --setopt=tsflags=nodocs \
+ --security && \
+ yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS}
+
+RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
+ && mkdir -p $JENKINS_HOME $TMP_DIR /usr/share/jenkins /build \
+ && mv dependencies/ref /usr/share/jenkins/ref \
+ && mv dependencies/app /app \
+ && rm -rf /tmp/* \
+ && chown ${uid}:${gid} $JENKINS_HOME \
+ && chown ${uid}:${gid} $TMP_DIR \
+ && chown ${uid}:${gid} /app \
+ && chown ${uid}:${gid} /usr/share/jenkins \
+ && chown ${uid}:${gid} /build \
+ && groupadd -g ${gid} ${group} \
+ && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user}
+
+RUN cd /usr/share/jenkins/ref/plugins && \
+ rm -rf github*
+
+VOLUME /build
+VOLUME /usr/share/jenkins/ref/casc
+VOLUME $JENKINS_HOME
+USER $user
+ENTRYPOINT ["/app/bin/jenkinsfile-runner-launcher"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..91bebd8
--- /dev/null
+++ b/LICENSE
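Review bot: The `useradd` at the end of the second RUN passes `-d` four times (`-d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins`), and a repeated option is last-wins, so the jenkins user's home directory becomes /usr/share/jenkins rather than the $JENKINS_HOME that the same RUN creates and chowns and that is later exported with `VOLUME $JENKINS_HOME`; `&& useradd -d "$JENKINS_HOME" -u ${uid} -g ${gid} -m -s /bin/bash ${user}` states the intent. `COPY LICENSE /licenses` has no trailing slash, so if /licenses does not already exist in the base image the license text is written as a regular file named /licenses instead of into a directory; `COPY LICENSE /licenses/` avoids that ambiguity. The first RUN leaves the yum metadata and package cache in its layer; appending `&& yum clean all` after the install keeps the image smaller without changing what is installed.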
@@ -0,0 +1,47 @@ +## Booz Allen Public License v1.0 + + +### INTRODUCTION +The Booz Allen Public License allows government, non-profit academic, other non-profit, and commercial entities access to distinctive, disruptive, and robust code with the goal of Empowering People to Change the World℠. Products licensed under the Booz Allen Public License are founded on the basis that collective ingenuity can make the largest impact in the community. + +### DEFINITIONS +* **Commercial Entity.** “Commercial Entity” means any individual or entity other than a government, non-profit academic, or other non-profit entity. +* **Derivative.** “Derivative” means any work of authorship in Source Code or Object Code form that results from an addition to, deletion from, or modification of the Source Code of the Product. +* **License.** “License” means this Booz Allen Public License. +* **Object Code.** “Object Code” means the form resulting from transformation or translation of Source Code into machine readable code, including but not limited to, compiled object code. +* **Originator.** “Originator” means each individual or legal entity that creates, contributes to the creation of, or owns the Product. +* **Patent Claims.** “Patent Claims” means any patent claim(s) in any patent to which Originator has a right to grant a license that would be infringed by Your making, using, selling, offering for sale, having made, or importing of the Product, but for the grant of this License. +* **Product.** “Product” means the Source Code of the software which the initial Originator made available under this License, and any Derivative of such Source Code. +* **Source Code.** “Source Code” means software in human-readable form. +* **You.** “You” means either an individual or an entity (if you are taking this license on behalf of an entity) that exercises the rights granted under this License. 
+ +### LICENSE +**Government/Non-Profit Academic/Other Non-Profit.** +This Section applies if You are not a Commercial Entity. + +* **License.** Subject to the terms and conditions of this License, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license to reproduce, display, perform, modify, distribute and otherwise use the Product and Derivatives, in Source Code and Object Code form, in accordance with the terms and conditions of this License in order to support the general public good and for your internal business purposes. +* **Distribution.** You may distribute to third parties copies of the Product, including any Derivative that You create, in Source Code or Object Code form. If You distribute copies of the Product, including any Derivative that You create, in Source Code form, such distribution must be under the terms of this License and You must inform recipients of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. You may distribute to third parties copies of the Product, including any Derivative that You create, in Object Code form, or allow third parties to access or use the Product, including any Derivative that You create, under a license of Your choice. +* **Commercial Sales.** You may not distribute, or allow third parties to access or use, the Product or any Derivative for a fee, unless You first obtain permission from the Originator. If Booz Allen Hamilton is the Originator, please contact Booz Allen Hamilton at . + +**Commercial Entities**. +This Section applies if You are a Commercial Entity. 
+ +* **License.** Subject to the terms and conditions of this License, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license to reproduce, display, perform, modify, distribute and otherwise use the Product and Derivatives, in Source Code and Object Code form, in accordance with the terms and conditions of this License for the sole purpose of Your internal business purposes and the provision of services to government, non-profit academic, and other non-profit entities. +* **Distribution and Derivatives.** You may distribute to third parties copies of the Product, including any Derivative that You create, in Source Code or Object Code form. If You distribute copies of the Product, including any Derivative that You create, in Source Code form, such distribution must be under the terms of this License and You must inform recipients of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. You may distribute to third parties copies of the Product, including any Derivative that You create, in Object Code form, or allow third parties to access or use the Product, including any Derivative that You create, under a license of Your choice, provided that You make available, and inform the recipient of such distribution how they can obtain, a copy of the Source Code thereof, at no charge, and inform the recipient of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. +* **Commercial Sales.** You may not distribute, or allow third parties to access or use, the Product or any Derivative for a fee, unless You first obtain permission from the Originator. If Booz Allen Hamilton, please contact Booz Allen Hamilton at . + +**Patent Claim(s)**. +This Section applies regardless of whether You are a government, non-profit academic, or other non-profit entity or a Commercial Entity. 
+ +* **Patent License.** Subject to the limitations in the Sections above, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license under Patent Claims of such Originator to make, use, sell, offer for sale, have made, and import the Product. The foregoing patent license does not apply (a) to any code that an Originator has removed from the Product, or (b) for infringement caused by Your modifications of the Product or the combination of any Derivative created by You or on Your behalf with other software. + +### GENERAL TERMS +This Section applies regardless of whether You are a government, non-profit academic, or other non-profit entity or a Commercial Entity. + +* **Required Notices.** If You distribute the Product or a Derivative, in Object Code or Source Code form, You shall not remove or otherwise modify any proprietary markings or notices contained within or placed upon the Product or any Derivative. Any distribution of the Product or a Derivative, in Object Code or Source Code form, shall contain a clear and conspicuous Originator copyright and license reference in accordance with the below: + * *Unmodified Product Notice*: “This software package is licensed under the Booz Allen Public License. Copyright © 20__ [Copyright Holder Name]. All Rights Reserved.” + * *Derivative Notice*: “This software package is licensed under the Booz Allen Public License. Portions of this code are Copyright © 20__ [Copyright Holder Name]. All Rights Reserved.” +* **Compliance with Laws.** You agree that You shall not reproduce, display, perform, modify, distribute and otherwise use the Product in any way that violates applicable law or regulation or infringes or violates the rights of others, including, but not limited to, third party intellectual property, privacy, and publicity rights. +* **Disclaimer.** You understand that the Product is licensed to You, and not sold. 
The Product is provided on an “As Is” basis, without any warranties, representations, and guarantees, whether oral or written, express, implied or statutory, with regard to the Product, including without limitation, warranties of merchantability, fitness for a particular purpose, title, non-infringement, non-interference, and warranties arising from course of dealing or usage of trade, to the maximum extent permitted by applicable law. Originator does not warrant that (i) the Product will meet your needs; (ii) the Product will be error-free or accessible at all times; or (iii) the use or the results of the use of the Product will be correct, accurate, timely, or otherwise reliable. You acknowledge that the Product has not been prepared to meet Your individual requirements, whether or not such requirements have been communicated to Originator. You assume all responsibility for use of the Product. +* **Limitation of Liability.** Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Originator, or anyone who distributes the Product in accordance with this License, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if informed of the possibility of such damages. +* **Severability.** If the application of any provision of this License to any particular facts or circumstances shall be held to be invalid or unenforceable, then the validity and enforceability of other provisions of this License shall not in any way be affected or impaired thereby. diff --git a/README.md b/README.md index c9e902b..d0b809e 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,125 @@ -# jenkinsfile-runner +# jenkinsfile-runner 1.0-beta-27 +## Introduction + +Jenkinsfile-Runner is a slimmed version of Jenkins, utilizing the Jenkins pipeline execution engine a CLI tool. For more information on the open source project, please visit https://github.com/jenkinsci/jenkinsfile-runner + +## SDP + +To learn more about the Solutions Delivery Platform please visit https://boozallen.github.io/sdp-docs/overview/1/index.html + +## Notes + +Recommended resources for the image: + + - Min cpu - 1 vCpu + - Min memory - 1 GB + - Storage min - 1 GB. To persist data, volumes can be mounted various folders outlined in the Dockerfile. Storage requirements will vary based on the amount of builds you wish to keep. + +To run the container, you will need to volume mount a directory containing at least a Jenkinsfile for the container. By default, the container will look for the Jenkinsfile at /workspace in the container. +An example of running the container: +``` +podman run -it -v$(pwd):/workspace jenkins/jenkinsfile-runner:latest +``` + + - To display the help screen, issue --help in the command section after calling the container: "docker run -it -v $(pwd):/workspace jenkins/jenkinsfile-runner:latest --help" + - To avoid using the jenkinfile-runner-launcher script, which is an opinionated helper script, use option "--entrypoint /app/bin/jenkinsfile-runner" + - If not using jenkinsfile-runner-launcher, you will have to specify the jenkinsfile (-f) and the war (-w) or jenkins version (-jv) to use + - Location of the Jenkins WAR: /app/jenkins + - Using the JTE option, you will need to provide the location of the pipeline_config file (-p) and in the casc file provide the location of JTE libraries + +Example CASC Definition: + +unclassified: + templateGlobalConfig: + tier: + configurationProvider: "null" + librarySources: + - libraryProvider: + scm: + baseDir: "libraries" #<- the relative path to the libraries folder in the git repo + scm: + git: + 
branches: + - name: "*/master" + buildChooser: "default" + userRemoteConfigs: + - url: "file:///workspace" #<- the root directory of the git repo volume mounted to the container + +Help Screen Output: +``` +Usage: jenkinsfile-runner [-huV] [-jte] [-ns] [--skipShutdown] + [-b=] [-c=] [-f=] + [-jv=] [--libPath=] [-m=] + [-n=] [-p=] + [-pc=] + [--runHome=] + [--runWorkspace=] [--scm=] + [-w=] [--withInitHooks=] + [-a=]... [COMMAND] + -f, --file= Path to Jenkinsfile or directory containing a + Jenkinsfile, defaults to ./Jenkinsfile + --runWorkspace= + Path to the workspace of the run to be used within + the node{} context. It applies to both Jenkins + master and agents (or side containers) if any. + Requires Jenkins 2.119 or above + -n, --job-name= Name of the job the run belongs to + -c, --cause= Cause of the run + -b, --build-number= + Build number of the run + -a, --arg= Parameters to be passed to the build. Use multiple + -a switches for multiple params + -ns, --no-sandbox Disable workflow job execution within sandbox + environment + -u, --keep-undefined-parameters + Keep undefined parameters if set + --scm= YAML definition of the SCM, with optional + credentials, to use for the project + -jte, --jenkins-templating-engine + Use the Jenkins Templating Engine for the build + -pc, --pipeline-configuration= + The Pipeline Configuration File when using the + Jenkins Templating Engine + -w, --jenkins-war= Path to exploded jenkins war directory.Depending + on packaging, it may contain the entire WAR or + just resources to be loaded by the WAR file, for + example Groovy hooks or extra libraries. + -p, --plugins= Plugins required to run pipeline. Either a plugins. + txt file or a /plugins installation directory. + Defaults to plugins.txt + -jv, --jenkins-version= + Jenkins version to use if Jenkins WAR is not + specified by --jenkins-war. Defaults to the + latest LTS + -m, --mirror= Download mirror site of Jenkins, defaults to http: + //updates.jenkins.io/download. 
Get the mirror + list from http://mirrors.jenkins-ci.org/status. + html + --runHome, --jenkinsHome= + Path to the empty Jenkins Home directory to use + for this run. If not specified a temporary + directory will be created. Note that the + specified folder will not be disposed after the + run + --withInitHooks= + Path to a directory containing Groovy Init Hooks + to copy into init.groovy.d + --skipShutdown Forces Jenkinsfile Runner to skip the shutdown + logic. It reduces the instance termination time + but may lead to unexpected behavior in plugins + which release external resources on clean up + synchronous task queues on shutdown. + --libPath= When a slim packaging is used, points to the + library directory which contains payload.jar and + setup.jar files + -h, --help Show this help message and exit. + -V, --version Print version information and exit. +Commands: + run Runs Jenkinsfile + cli Runs interactive Jenkins CLI + generate-completion Generate bash/zsh completion script for + jenkinsfile-runner. + version Shows Jenkinsfile Runner version + help Displays help information about the specified command +``` diff --git a/examples/Jenkinsfile b/examples/Jenkinsfile new file mode 100644 index 0000000..7723289 --- /dev/null +++ b/examples/Jenkinsfile @@ -0,0 +1,8 @@ +stage('Read Evergreen YAML') { + node { + // Discover core version using Pipeline utility steps + sh 'curl -O https://raw.githubusercontent.com/jenkins-infra/evergreen/master/services/essentials.yaml' + def essentialsYaml = readYaml(file: "essentials.yaml") + echo "Jenkins Evergreen uses the following Core version: ${essentialsYaml.spec.core.version}" + } +} diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..7d13c0f --- /dev/null +++ b/hardening_manifest.yaml 
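Review bot: The `sh 'curl -O https://raw.githubusercontent.com/jenkins-infra/evergreen/master/services/essentials.yaml'` step has no `--fail`, so an HTTP error response is saved as essentials.yaml and the problem only surfaces one line later as a readYaml parse error; `sh 'curl -fsSLO https://raw.githubusercontent.com/jenkins-infra/evergreen/master/services/essentials.yaml'` makes the download itself fail the stage. Fetching from `master` also means the example's output changes whenever upstream does, so pinning a commit or tag in the URL keeps the example reproducible. The comment `// Discover core version using Pipeline utility steps` sits above the curl rather than the readYaml it describes; `// Fetch the Evergreen essentials manifest, then read the core version with Pipeline Utility Steps` covers both lines.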
@@ -0,0 +1,58 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "solutions-delivery-platform/jenkins/jenkins" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "1.0-beta-27" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/openjdk/openjdk11" + BASE_TAG: "1.11" + +# Docker image labels +labels: + org.opencontainers.image.title: "jenkinsfile-runner" + ## Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Jenkins execution engine for CI/CD pipelines" + ## License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Booz Allen Public License v1.0" + ## URL to find more information on the image + org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" + ## Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "Booz Allen Hamiliton" + org.opencontainers.image.version: "1.0-beta-27" + ## Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "Jenkins, Jenkinsfile-Runner, Runner, Jenkinsfile, CI/CD, ci, cd, SPD, automation, server, pipeline" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + ## Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "Solutions Delivery Platform" + +# List of resources to make available to the offline build context +resources: +- filename: jenkinsfile-runner-dependencies-dcar-1.8.tar.gz + url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz + validation: + type: sha256 + value: 174340489946288569958cab3d5159b0242547b8b0b104652ba0c0b81fb85987 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "spicer_casey@bah.com" +# # The name of the current container owner + name: "Casey Spicer" +# # The gitlab username of the current container owner + username: "cspicer" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +- name: "Al Fontaine" + username: "alfontaine" + email: "alan.fontaine@centauricorp.com" diff --git a/resources/hardening_manifest.yaml.old b/resources/hardening_manifest.yaml.old new file mode 100644 index 0000000..e858d78 --- /dev/null +++ b/resources/hardening_manifest.yaml.old 
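Review bot: The sha256 pinned for jenkinsfile-runner-dependencies-dcar-1.8.tar.gz here is `174340489946288569958cab3d5159b0242547b8b0b104652ba0c0b81fb85987`, while resources/hardening_manifest.yaml.old in this same commit pins `228b4f3d88cb330036a915a8528f9636569807a16d7e4da177d6432fa9bcf5ed` for the identical filename and release URL, so either the `dcar-1.8` asset was replaced in place or one of the digests is stale; the commit should record which value was computed from the asset actually published, since a second manifest with a different hash for the same URL is easy to pick up by mistake. The vendor label is misspelled in both files; it should read `org.opencontainers.image.vendor: "Booz Allen Hamilton"`. The two `# FIXME:` lines above `maintainers:` ask for details the entries below already supply, and the `# # The name …` / `# # The gitlab username …` lines plus the commented `# cht_member: true` are template residue; dropping them, or setting `cht_member` explicitly, leaves the manifest stating only what is true. `filename:` and `url:` under `resources:` are the only string scalars in the file left unquoted; quoting them matches the rest.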
@@ -0,0 +1,58 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "solutions-delivery-platform/jenkins/jenkins" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "1.0-beta-27" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/openjdk/openjdk11" + BASE_TAG: "1.11" + +# Docker image labels +labels: + org.opencontainers.image.title: "jenkinsfile-runner" + ## Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Jenkins execution engine for CI/CD pipelines" + ## License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Booz Allen Public License v1.0" + ## URL to find more information on the image + org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" + ## Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "Booz Allen Hamiliton" + org.opencontainers.image.version: "1.0-beta-27" + ## Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "Jenkins, Jenkinsfile-Runner, Runner, Jenkinsfile, CI/CD, ci, cd, SPD, automation, server, pipeline" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + ## Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "Solutions Delivery Platform" + +# List of resources to make available to the offline build context +resources: +- filename: jenkinsfile-runner-dependencies-dcar-1.8.tar.gz + url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz + validation: + type: sha256 + value: 228b4f3d88cb330036a915a8528f9636569807a16d7e4da177d6432fa9bcf5ed + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "spicer_casey@bah.com" +# # The name of the current container owner + name: "Casey Spicer" +# # The gitlab username of the current container owner + username: "cspicer" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +- name: "Al Fontaine" + username: "alfontaine" + email: "alan.fontaine@centauricorp.com" -- GitLab