From b9e20cb7d55d1ca4f07baffb936e2ea69282273e Mon Sep 17 00:00:00 2001
From: cspicer
Date: Thu, 22 Apr 2021 11:01:30 -0400
Subject: [PATCH 01/17] Uploading initial resources
---
 Dockerfile | 37 ++++++++++++++++++++++++++
 LICENSE | 47 +++++++++++++++++++++++++++++++++
 examples/Jenkinsfile | 8 ++++++
 hardening_manifest.yaml | 58 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 150 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 examples/Jenkinsfile
 create mode 100644 hardening_manifest.yaml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..1815464
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,37 @@
+ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
+ARG BASE_IMAGE=redhat/openjdk/openjdk11
+ARG BASE_TAG=1.11
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+USER root
+
+ARG TARBALL=jenkinsfile-runner-dependencies-dcar-0.1
+ENV JENKINS_UC https://updates.jenkins.io
+ENV CASC_JENKINS_CONFIG /usr/share/jenkins/ref/casc
+ARG JENKINS_HOME=/var/jenkins_home
+ARG TMP_DIR=/var/groovy-tmpdir
+ARG user=jenkins
+ARG group=jenkins
+ARG uid=1000
+ARG gid=1000
+
+COPY LICENSE /licenses
+COPY ${TARBALL}.tar.gz /tmp/${TARBALL}.tar.gz
+
+RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
+ && mkdir -p $JENKINS_HOME $TMP_DIR /usr/share/jenkins /build \
+ && mv dependencies/ref /usr/share/jenkins/ref \
+ && mv dependencies/app /app \
+ && rm -rf /tmp/* \
+ && chown ${uid}:${gid} $JENKINS_HOME \
+ && chown ${uid}:${gid} $TMP_DIR \
+ && chown ${uid}:${gid} /app \
+ && chown ${uid}:${gid} /usr/share/jenkins \
+ && chown ${uid}:${gid} /build \
+ && groupadd -g ${gid} ${group} \
+ && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user}
+
+VOLUME /build
+VOLUME /usr/share/jenkins/ref/casc
+VOLUME $JENKINS_HOME
+USER $user
+ENTRYPOINT ["/app/bin/jenkinsfile-runner-launcher"]
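Review bot: `useradd` in the last line of the RUN chain is given four `-d` options, and only the final one takes effect, so the jenkins user's home ends up as /usr/share/jenkins rather than `$JENKINS_HOME`, and the other three are silently ignored; keep a single `-d "$JENKINS_HOME"` and let the preceding chown lines cover /app, `$TMP_DIR` and /usr/share/jenkins. `COPY LICENSE /licenses` creates a file named /licenses; if this is meant to satisfy the Red Hat base image's /licenses directory convention, `COPY LICENSE /licenses/` is what produces a directory. The two `ENV` lines use the deprecated space-separated form; `ENV JENKINS_UC=https://updates.jenkins.io` is the supported spelling and the same applies to `CASC_JENKINS_CONFIG`.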
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..91bebd8
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,47 @@
+## Booz Allen Public License v1.0
+
+
+### INTRODUCTION
+The Booz Allen Public License allows government, non-profit academic, other non-profit, and commercial entities access to distinctive, disruptive, and robust code with the goal of Empowering People to Change the World℠. Products licensed under the Booz Allen Public License are founded on the basis that collective ingenuity can make the largest impact in the community.
+
+### DEFINITIONS
+* **Commercial Entity.** “Commercial Entity” means any individual or entity other than a government, non-profit academic, or other non-profit entity.
+* **Derivative.** “Derivative” means any work of authorship in Source Code or Object Code form that results from an addition to, deletion from, or modification of the Source Code of the Product.
+* **License.** “License” means this Booz Allen Public License.
+* **Object Code.** “Object Code” means the form resulting from transformation or translation of Source Code into machine readable code, including but not limited to, compiled object code.
+* **Originator.** “Originator” means each individual or legal entity that creates, contributes to the creation of, or owns the Product.
+* **Patent Claims.** “Patent Claims” means any patent claim(s) in any patent to which Originator has a right to grant a license that would be infringed by Your making, using, selling, offering for sale, having made, or importing of the Product, but for the grant of this License.
+* **Product.** “Product” means the Source Code of the software which the initial Originator made available under this License, and any Derivative of such Source Code.
+* **Source Code.** “Source Code” means software in human-readable form.
+* **You.** “You” means either an individual or an entity (if you are taking this license on behalf of an entity) that exercises the rights granted under this License.
+
+### LICENSE
+**Government/Non-Profit Academic/Other Non-Profit.**
+This Section applies if You are not a Commercial Entity.
+
+* **License.** Subject to the terms and conditions of this License, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license to reproduce, display, perform, modify, distribute and otherwise use the Product and Derivatives, in Source Code and Object Code form, in accordance with the terms and conditions of this License in order to support the general public good and for your internal business purposes.
+* **Distribution.** You may distribute to third parties copies of the Product, including any Derivative that You create, in Source Code or Object Code form. If You distribute copies of the Product, including any Derivative that You create, in Source Code form, such distribution must be under the terms of this License and You must inform recipients of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. You may distribute to third parties copies of the Product, including any Derivative that You create, in Object Code form, or allow third parties to access or use the Product, including any Derivative that You create, under a license of Your choice.
+* **Commercial Sales.** You may not distribute, or allow third parties to access or use, the Product or any Derivative for a fee, unless You first obtain permission from the Originator. If Booz Allen Hamilton is the Originator, please contact Booz Allen Hamilton at .
+
+**Commercial Entities**.
+This Section applies if You are a Commercial Entity.
+
+* **License.** Subject to the terms and conditions of this License, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license to reproduce, display, perform, modify, distribute and otherwise use the Product and Derivatives, in Source Code and Object Code form, in accordance with the terms and conditions of this License for the sole purpose of Your internal business purposes and the provision of services to government, non-profit academic, and other non-profit entities.
+* **Distribution and Derivatives.** You may distribute to third parties copies of the Product, including any Derivative that You create, in Source Code or Object Code form. If You distribute copies of the Product, including any Derivative that You create, in Source Code form, such distribution must be under the terms of this License and You must inform recipients of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. You may distribute to third parties copies of the Product, including any Derivative that You create, in Object Code form, or allow third parties to access or use the Product, including any Derivative that You create, under a license of Your choice, provided that You make available, and inform the recipient of such distribution how they can obtain, a copy of the Source Code thereof, at no charge, and inform the recipient of the Source Code that the Product is governed under this License and how they can obtain a copy of this License.
+* **Commercial Sales.** You may not distribute, or allow third parties to access or use, the Product or any Derivative for a fee, unless You first obtain permission from the Originator. If Booz Allen Hamilton, please contact Booz Allen Hamilton at .
+
+**Patent Claim(s)**.
+This Section applies regardless of whether You are a government, non-profit academic, or other non-profit entity or a Commercial Entity.
+
+* **Patent License.** Subject to the limitations in the Sections above, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license under Patent Claims of such Originator to make, use, sell, offer for sale, have made, and import the Product. The foregoing patent license does not apply (a) to any code that an Originator has removed from the Product, or (b) for infringement caused by Your modifications of the Product or the combination of any Derivative created by You or on Your behalf with other software.
+
+### GENERAL TERMS
+This Section applies regardless of whether You are a government, non-profit academic, or other non-profit entity or a Commercial Entity.
+
+* **Required Notices.** If You distribute the Product or a Derivative, in Object Code or Source Code form, You shall not remove or otherwise modify any proprietary markings or notices contained within or placed upon the Product or any Derivative. Any distribution of the Product or a Derivative, in Object Code or Source Code form, shall contain a clear and conspicuous Originator copyright and license reference in accordance with the below:
+ * *Unmodified Product Notice*: “This software package is licensed under the Booz Allen Public License. Copyright © 20__ [Copyright Holder Name]. All Rights Reserved.”
+ * *Derivative Notice*: “This software package is licensed under the Booz Allen Public License. Portions of this code are Copyright © 20__ [Copyright Holder Name]. All Rights Reserved.”
+* **Compliance with Laws.** You agree that You shall not reproduce, display, perform, modify, distribute and otherwise use the Product in any way that violates applicable law or regulation or infringes or violates the rights of others, including, but not limited to, third party intellectual property, privacy, and publicity rights.
+* **Disclaimer.** You understand that the Product is licensed to You, and not sold. The Product is provided on an “As Is” basis, without any warranties, representations, and guarantees, whether oral or written, express, implied or statutory, with regard to the Product, including without limitation, warranties of merchantability, fitness for a particular purpose, title, non-infringement, non-interference, and warranties arising from course of dealing or usage of trade, to the maximum extent permitted by applicable law. Originator does not warrant that (i) the Product will meet your needs; (ii) the Product will be error-free or accessible at all times; or (iii) the use or the results of the use of the Product will be correct, accurate, timely, or otherwise reliable. You acknowledge that the Product has not been prepared to meet Your individual requirements, whether or not such requirements have been communicated to Originator. You assume all responsibility for use of the Product.
+* **Limitation of Liability.** Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Originator, or anyone who distributes the Product in accordance with this License, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if informed of the possibility of such damages.
+* **Severability.** If the application of any provision of this License to any particular facts or circumstances shall be held to be invalid or unenforceable, then the validity and enforceability of other provisions of this License shall not in any way be affected or impaired thereby.
diff --git a/examples/Jenkinsfile b/examples/Jenkinsfile
new file mode 100644
index 0000000..7723289
--- /dev/null
+++ b/examples/Jenkinsfile
@@ -0,0 +1,8 @@
+stage('Read Evergreen YAML') {
+ node {
+ // Discover core version using Pipeline utility steps
+ sh 'curl -O https://raw.githubusercontent.com/jenkins-infra/evergreen/master/services/essentials.yaml'
+ def essentialsYaml = readYaml(file: "essentials.yaml")
+ echo "Jenkins Evergreen uses the following Core version: ${essentialsYaml.spec.core.version}"
+ }
+}
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..2aa99a3
--- /dev/null
+++ b/hardening_manifest.yaml
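Review bot: The `sh 'curl -O https://raw.githubusercontent.com/...'` step neither fails on an HTTP error nor pins what it fetches, so a 404 or redirect page is written to essentials.yaml and `readYaml` on the next line fails with an unrelated parse error; `curl -fsSLO <url>` makes the fetch fail loudly instead. Reading the `master` branch also means the example's output can change underneath it, so the URL should reference a tag or commit. Since this is an example file, a one-line `// example only: pin the ref and add -f in real pipelines` above the sh step would be enough if the authors prefer to keep it short.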
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "solutions-delivery-platform/jenkins/jenkins"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "1.0-beta-27"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/openjdk/openjdk11"
+ BASE_TAG: "1.11"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "jenkinsfile-runner"
+ ## Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "Jenkins automation server for CI/CD pipelines"
+ ## License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "Booz Allen Public License v1.0"
+ ## URL to find more information on the image
+ org.opencontainers.image.url: "https://github.com/boozallen/sdp-images"
+ ## Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "Booz Allen Hamiliton"
+ org.opencontainers.image.version: "1.0-beta-27"
+ ## Keywords to help with search (ex. "cicd,gitops,golang")
+ mil.dso.ironbank.image.keywords: "Jenkins, Jenkinsfile-Runner, Runner, Jenkinsfile, CI/CD, ci, cd, SPD, automation, server, pipeline"
+ ## This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "opensource"
+ ## Product the image belongs to for grouping multiple images
+ mil.dso.ironbank.product.name: "Solutions Delivery Platform"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
+ url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
+ validation:
+ type: sha256
+ value: c6203450deadd3b48c0361501dae01a8718f92562eb85887e490becdccbd7c9d
+
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+- email: "spicer_casey@bah.com"
+# # The name of the current container owner
+ name: "Casey Spicer"
+# # The gitlab username of the current container owner
+ username: "cspicer"
+# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
+- name: "Al Fontaine"
+ username: "alfontaine"
+ email: "alan.fontaine@centauricorp.com"
--
GitLab
From db0c0902d3083d90e48e41f7b1d28c76e1867a46 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Mon, 26 Apr 2021 14:23:15 -0400
Subject: [PATCH 02/17] updated tarball resources
---
 Dockerfile | 8 +++++++-
 hardening_manifest.yaml | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1815464..10adf56 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,8 @@ USER root
 ARG TARBALL=jenkinsfile-runner-dependencies-dcar-0.1
 ENV JENKINS_UC https://updates.jenkins.io
 ENV CASC_JENKINS_CONFIG /usr/share/jenkins/ref/casc
+ENV PLUGINS /app/plugins.txt
+ENV JENKINSFILE_PATH
 ARG JENKINS_HOME=/var/jenkins_home
 ARG TMP_DIR=/var/groovy-tmpdir
 ARG user=jenkins
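Review bot: The `org.opencontainers.image.vendor` label reads "Booz Allen Hamiliton"; the vendor name is misspelled and this string is baked into every published image, so it should be `org.opencontainers.image.vendor: "Booz Allen Hamilton"`. The resource `url` also carries a doubled slash (`https://github.com//CSpicer-BAH/...`) and points at a personal test repository, which the sha256 pin protects for integrity but which makes provenance hard to audit for a hardened image. The template's `# FIXME` lines in the maintainers section are still in place and should either be acted on or removed.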
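Review bot: `ENV JENKINSFILE_PATH` has no value, which the space-separated ENV form does not allow, so this commit cannot build as committed; the intent appears to be an empty default, `ENV JENKINSFILE_PATH=""`. The `key=value` form would also suit the `PLUGINS` line added above it, since the space-separated form is deprecated.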
@@ -28,7 +30,11 @@ RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && chown ${uid}:${gid} /usr/share/jenkins \
 && chown ${uid}:${gid} /build \
 && groupadd -g ${gid} ${group} \
- && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user}
+ && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user} \
+ && touch /app/plugins.txt
+
+RUN cd /usr/share/jenkins/ref/plugins && \
+ rm -rf github*
 
 VOLUME /build
 VOLUME /usr/share/jenkins/ref/casc
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 2aa99a3..0c84676 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
 validation:
 type: sha256
- value: c6203450deadd3b48c0361501dae01a8718f92562eb85887e490becdccbd7c9d
+ value: fc3df11ab78a6d19a179c172a7cceaebd215251ea8419178ebd5827149792e97
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From a97df1047bfefb5932058651f30291c75bf8250d Mon Sep 17 00:00:00 2001
From: cspicer
Date: Mon, 26 Apr 2021 14:31:38 -0400
Subject: [PATCH 03/17] fixed dockerfile
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 10adf56..5f3857a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ ARG TARBALL=jenkinsfile-runner-dependencies-dcar-0.1
 ENV JENKINS_UC https://updates.jenkins.io
 ENV CASC_JENKINS_CONFIG /usr/share/jenkins/ref/casc
 ENV PLUGINS /app/plugins.txt
-ENV JENKINSFILE_PATH
+ENV JENKINSFILE_PATH ""
 ARG JENKINS_HOME=/var/jenkins_home
 ARG TMP_DIR=/var/groovy-tmpdir
 ARG user=jenkins
--
GitLab
From 60fd71e959d3b84b9eb6fc3f00ec36b58d70a5a7 Mon Sep 17 00:00:00 2001
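Review bot: The `rm -rf github*` in the new second RUN executes in its own layer, so the plugin files it deletes remain in the layer written by the tar extraction above, still count toward image size, and may still be reported by tooling that inspects individual layers; delete them in the same RUN that extracts the tarball, e.g. `&& rm -rf /usr/share/jenkins/ref/plugins/github* \` placed before the chown lines. That also removes the need for `cd`, which here stands in for a missing `WORKDIR`. The glob is undocumented; a `#` comment naming which plugins are dropped and why would spare the next reader a guess. The RUN chain this hunk modifies begins above the hunk.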
From: cspicer
Date: Tue, 27 Apr 2021 12:50:57 -0400
Subject: [PATCH 04/17] remade dependency tarball
---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 0c84676..1957753 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
 validation:
 type: sha256
- value: fc3df11ab78a6d19a179c172a7cceaebd215251ea8419178ebd5827149792e97
+ value: 28d6309fd2fdff55085c4e5254b56ea0f38fa6fe2a4f8b07cae0d6834738d7bb
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From 2a82b290e6414759273c8abe3f5405a00e1163d2 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Tue, 27 Apr 2021 13:22:05 -0400
Subject: [PATCH 05/17] remade dependency tarball
---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 1957753..295bf0f 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
 validation:
 type: sha256
- value: 28d6309fd2fdff55085c4e5254b56ea0f38fa6fe2a4f8b07cae0d6834738d7bb
+ value: 9183e0c116b21afdc87a65061c3c299b9a732646358c3114df450055a7795870
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From 90bdbbf2a77ce87958162586561f3dca9767d809 Mon Sep 17 00:00:00 2001
From: Casey Spicer
Date: Tue, 27 Apr 2021 18:10:49 +0000
Subject: [PATCH 06/17] Testing yum update to reduce cves
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 5f3857a..0a921f7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,6 +36,8 @@ RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 RUN cd /usr/share/jenkins/ref/plugins && \
 rm -rf github*
 
+RUN yum update -y --setopt=tsflags=nodocs && um -y -v clean all && [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum
+
 VOLUME /build
 VOLUME /usr/share/jenkins/ref/casc
 VOLUME $JENKINS_HOME
--
GitLab
From b391dee4a458e8fb6571ab33c3d3cf5006a2374a Mon Sep 17 00:00:00 2001
From: cspicer
Date: Wed, 28 Apr 2021 10:31:10 -0400
Subject: [PATCH 07/17] updated dependency tarball
---
 Dockerfile | 2 --
 hardening_manifest.yaml | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0a921f7..5f3857a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,8 +36,6 @@ RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 RUN cd /usr/share/jenkins/ref/plugins && \
 rm -rf github*
 
-RUN yum update -y --setopt=tsflags=nodocs && um -y -v clean all && [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum
-
 VOLUME /build
 VOLUME /usr/share/jenkins/ref/casc
 VOLUME $JENKINS_HOME
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 295bf0f..3fc458c 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
 validation:
 type: sha256
- value: 9183e0c116b21afdc87a65061c3c299b9a732646358c3114df450055a7795870
+ value: 982b8fef783214cb5905cc20d74ef3c2c9d806806f4258c97f2fbc40f6d5d0dd
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From 4f0ae42c14b8633a7a17540f7ade1a848b772bf3 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Wed, 28 Apr 2021 13:05:06 -0400
Subject: [PATCH 08/17] updated dependency tarball
---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 3fc458c..87d28ec 100644
--- a/hardening_manifest.yaml
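Review bot: `um -y -v clean all` in the new RUN is a typo for `yum`, and the trailing `||` hides it: when `um` is not found the `&&` group fails, the `rm -rf /var/cache/yum` on the right of `||` runs instead, and the step exits 0, so the build passes while the clean step never ran. Write it as `RUN yum update -y --setopt=tsflags=nodocs && yum -y clean all && rm -rf /var/cache/yum`, which needs no existence test since `rm -rf` tolerates a missing directory. Separately, a blanket `yum update` makes the image contents depend on when it was built rather than on the pinned base tag; the usual way to clear base-image CVEs in this setup is to bump `BASE_TAG`, which keeps the manifest's pins meaningful.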
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
 validation:
 type: sha256
- value: 982b8fef783214cb5905cc20d74ef3c2c9d806806f4258c97f2fbc40f6d5d0dd
+ value: 008702cb76401006b007fe63041adc8c9b8cdf488220857d28ba7755f856fd55
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From dedf1fa95e5aef43de3b505775d3d4477303d951 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Wed, 28 Apr 2021 14:44:17 -0400
Subject: [PATCH 09/17] updated hardening manifest
---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 87d28ec..253447b 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
 validation:
 type: sha256
- value: 008702cb76401006b007fe63041adc8c9b8cdf488220857d28ba7755f856fd55
+ value: cd5d465ac0b36112a2ddf8948c28c531ef04a36d7387ae4b073703464e814fba
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From 9eb4696b11952193e31be29ae887c6985b23a596 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Wed, 28 Apr 2021 17:41:13 -0400
Subject: [PATCH 10/17] updated dependency tarball
---
 Dockerfile | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5f3857a..db70743 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ ARG BASE_TAG=1.11
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 USER root
 
-ARG TARBALL=jenkinsfile-runner-dependencies-dcar-0.1
+ARG TARBALL=jenkinsfile-runner-dependencies-dcar-1.8
 ENV JENKINS_UC https://updates.jenkins.io
 ENV CASC_JENKINS_CONFIG /usr/share/jenkins/ref/casc
 ENV PLUGINS /app/plugins.txt
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 253447b..e858d78 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -20,7 +20,7 @@ args:
 labels:
 org.opencontainers.image.title: "jenkinsfile-runner"
 ## Human-readable description of the software packaged in the image
- org.opencontainers.image.description: "Jenkins automation server for CI/CD pipelines"
+ org.opencontainers.image.description: "Jenkins execution engine for CI/CD pipelines"
 ## License(s) under which contained software is distributed
 org.opencontainers.image.licenses: "Booz Allen Public License v1.0"
 ## URL to find more information on the image
@@ -37,11 +37,11 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- filename: jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
- url: https://github.com//CSpicer-BAH/test/releases/download/dcar-0.1/jenkinsfile-runner-dependencies-dcar-0.1.tar.gz
+- filename: jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
+ url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: cd5d465ac0b36112a2ddf8948c28c531ef04a36d7387ae4b073703464e814fba
+ value: 228b4f3d88cb330036a915a8528f9636569807a16d7e4da177d6432fa9bcf5ed
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
--
GitLab
From a0e2a58fe2bb8865f51a4dbb19437f1fa66ffe3e Mon Sep 17 00:00:00 2001
From: cspicer
Date: Fri, 30 Apr 2021 08:41:31 -0400
Subject: [PATCH 11/17] Updated README.md
---
 README.md | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 124 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c9e902b..d0b809e 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,125 @@
-# jenkinsfile-runner
+# jenkinsfile-runner 1.0-beta-27
+## Introduction
+
+Jenkinsfile-Runner is a slimmed version of Jenkins, utilizing the Jenkins pipeline execution engine a CLI tool. For more information on the open source project, please visit https://github.com/jenkinsci/jenkinsfile-runner
+
+## SDP
+
+To learn more about the Solutions Delivery Platform please visit https://boozallen.github.io/sdp-docs/overview/1/index.html
+
+## Notes
+
+Recommended resources for the image:
+
+ - Min cpu - 1 vCpu
+ - Min memory - 1 GB
+ - Storage min - 1 GB. To persist data, volumes can be mounted various folders outlined in the Dockerfile. Storage requirements will vary based on the amount of builds you wish to keep.
+
+To run the container, you will need to volume mount a directory containing at least a Jenkinsfile for the container. By default, the container will look for the Jenkinsfile at /workspace in the container.
+An example of running the container:
+```
+podman run -it -v$(pwd):/workspace jenkins/jenkinsfile-runner:latest
+```
+
+ - To display the help screen, issue --help in the command section after calling the container: "docker run -it -v $(pwd):/workspace jenkins/jenkinsfile-runner:latest --help"
+ - To avoid using the jenkinfile-runner-launcher script, which is an opinionated helper script, use option "--entrypoint /app/bin/jenkinsfile-runner"
+ - If not using jenkinsfile-runner-launcher, you will have to specify the jenkinsfile (-f) and the war (-w) or jenkins version (-jv) to use
+ - Location of the Jenkins WAR: /app/jenkins
+ - Using the JTE option, you will need to provide the location of the pipeline_config file (-p) and in the casc file provide the location of JTE libraries
+
+Example CASC Definition:
+
+unclassified:
+ templateGlobalConfig:
+ tier:
+ configurationProvider: "null"
+ librarySources:
+ - libraryProvider:
+ scm:
+ baseDir: "libraries" #<- the relative path to the libraries folder in the git repo
+ scm:
+ git:
+ branches:
+ - name: "*/master"
+ buildChooser: "default"
+ userRemoteConfigs:
+ - url: "file:///workspace" #<- the root directory of the git repo volume mounted to the container
+
+Help Screen Output:
+```
+Usage: jenkinsfile-runner [-huV] [-jte] [-ns] [--skipShutdown]
+ [-b=] [-c=] [-f=]
+ [-jv=] [--libPath=] [-m=]
+ [-n=] [-p=]
+ [-pc=]
+ [--runHome=]
+ [--runWorkspace=] [--scm=]
+ [-w=] [--withInitHooks=]
+ [-a=]... [COMMAND]
+ -f, --file= Path to Jenkinsfile or directory containing a
+ Jenkinsfile, defaults to ./Jenkinsfile
+ --runWorkspace=
+ Path to the workspace of the run to be used within
+ the node{} context. It applies to both Jenkins
+ master and agents (or side containers) if any.
+ Requires Jenkins 2.119 or above
+ -n, --job-name= Name of the job the run belongs to
+ -c, --cause= Cause of the run
+ -b, --build-number=
+ Build number of the run
+ -a, --arg= Parameters to be passed to the build. Use multiple
+ -a switches for multiple params
+ -ns, --no-sandbox Disable workflow job execution within sandbox
+ environment
+ -u, --keep-undefined-parameters
+ Keep undefined parameters if set
+ --scm= YAML definition of the SCM, with optional
+ credentials, to use for the project
+ -jte, --jenkins-templating-engine
+ Use the Jenkins Templating Engine for the build
+ -pc, --pipeline-configuration=
+ The Pipeline Configuration File when using the
+ Jenkins Templating Engine
+ -w, --jenkins-war= Path to exploded jenkins war directory.Depending
+ on packaging, it may contain the entire WAR or
+ just resources to be loaded by the WAR file, for
+ example Groovy hooks or extra libraries.
+ -p, --plugins= Plugins required to run pipeline. Either a plugins.
+ txt file or a /plugins installation directory.
+ Defaults to plugins.txt
+ -jv, --jenkins-version=
+ Jenkins version to use if Jenkins WAR is not
+ specified by --jenkins-war. Defaults to the
+ latest LTS
+ -m, --mirror= Download mirror site of Jenkins, defaults to http:
+ //updates.jenkins.io/download. Get the mirror
+ list from http://mirrors.jenkins-ci.org/status.
+ html
+ --runHome, --jenkinsHome=
+ Path to the empty Jenkins Home directory to use
+ for this run. If not specified a temporary
+ directory will be created. Note that the
+ specified folder will not be disposed after the
+ run
+ --withInitHooks=
+ Path to a directory containing Groovy Init Hooks
+ to copy into init.groovy.d
+ --skipShutdown Forces Jenkinsfile Runner to skip the shutdown
+ logic. It reduces the instance termination time
+ but may lead to unexpected behavior in plugins
+ which release external resources on clean up
+ synchronous task queues on shutdown.
+ --libPath= When a slim packaging is used, points to the
+ library directory which contains payload.jar and
+ setup.jar files
+ -h, --help Show this help message and exit.
+ -V, --version Print version information and exit.
+Commands:
+ run Runs Jenkinsfile
+ cli Runs interactive Jenkins CLI
+ generate-completion Generate bash/zsh completion script for
+ jenkinsfile-runner.
+ version Shows Jenkinsfile Runner version
+ help Displays help information about the specified command
+```
 
--
GitLab
From 3cf3badd87d054ae7b21d96907251cdbab6eecd5 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Fri, 30 Apr 2021 09:34:06 -0400
Subject: [PATCH 12/17] testing update fixing jte in jfr
---
 hardening_manifest.yaml | 4 +-
 resources/hardening_manifest.yaml.old | 58 +++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 resources/hardening_manifest.yaml.old
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index e858d78..0fc82f5 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -38,10 +38,10 @@ labels:
 # List of resources to make available to the offline build context
 resources:
 - filename: jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
- url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
+ url: https://github.com/boozallen/sdp-images/releases/download/fix-jte-jfr-test-1/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: 228b4f3d88cb330036a915a8528f9636569807a16d7e4da177d6432fa9bcf5ed
+ value: 7c286b34eb1c01fd0cd1454f507a332af98290efe25ebc6913bbf42ab889cf48
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
diff --git a/resources/hardening_manifest.yaml.old b/resources/hardening_manifest.yaml.old
new file mode 100644
index 0000000..e858d78
--- /dev/null
+++ b/resources/hardening_manifest.yaml.old
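Review bot: The resource `url` now points at a release tag named `fix-jte-jfr-test-1` while `filename` still says `dcar-1.8`, so the artifact's version can no longer be read from the manifest and the sha256 pin is the only thing tying it to a known build; a reviewer cannot tell from the file whether this is a temporary test artifact or the intended release. If it is a test build, say so in a `#` comment beside the url and name the release it will be replaced by; otherwise cut a properly versioned release and point at that. The commit subject "testing update" suggests the former.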
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "solutions-delivery-platform/jenkins/jenkins"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "1.0-beta-27"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/openjdk/openjdk11"
+ BASE_TAG: "1.11"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "jenkinsfile-runner"
+ ## Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "Jenkins execution engine for CI/CD pipelines"
+ ## License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "Booz Allen Public License v1.0"
+ ## URL to find more information on the image
+ org.opencontainers.image.url: "https://github.com/boozallen/sdp-images"
+ ## Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "Booz Allen Hamiliton"
+ org.opencontainers.image.version: "1.0-beta-27"
+ ## Keywords to help with search (ex. "cicd,gitops,golang")
+ mil.dso.ironbank.image.keywords: "Jenkins, Jenkinsfile-Runner, Runner, Jenkinsfile, CI/CD, ci, cd, SPD, automation, server, pipeline"
+ ## This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "opensource"
+ ## Product the image belongs to for grouping multiple images
+ mil.dso.ironbank.product.name: "Solutions Delivery Platform"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
+ url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
+ validation:
+ type: sha256
+ value: 228b4f3d88cb330036a915a8528f9636569807a16d7e4da177d6432fa9bcf5ed
+
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+- email: "spicer_casey@bah.com"
+# # The name of the current container owner
+ name: "Casey Spicer"
+# # The gitlab username of the current container owner
+ username: "cspicer"
+# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
+- name: "Al Fontaine"
+ username: "alfontaine"
+ email: "alan.fontaine@centauricorp.com"

--
GitLab

From 5716c816d824e9d6ce5c70c9dd103270de0e442d Mon Sep 17 00:00:00 2001
From: cspicer
Date: Fri, 30 Apr 2021 15:39:41 -0400
Subject: [PATCH 13/17] remediating cves

---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 0fc82f5..a7b4a4b 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com/boozallen/sdp-images/releases/download/fix-jte-jfr-test-1/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: 7c286b34eb1c01fd0cd1454f507a332af98290efe25ebc6913bbf42ab889cf48
+ value: d73dc8208e1b194fe0c89ec2f41df1f95ffb808b8f62ffdef5b999b9263eec65
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist

--
GitLab

From c7d2bd86a45bc4527e2426a4c80a58409da81058 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Fri, 7 May 2021 09:26:00 -0400
Subject: [PATCH 14/17] testing jte pipeline fix

---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index a7b4a4b..a099119 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com/boozallen/sdp-images/releases/download/fix-jte-jfr-test-1/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: d73dc8208e1b194fe0c89ec2f41df1f95ffb808b8f62ffdef5b999b9263eec65
+ value: aade7bd83fa4461d5398e24f8d8797f90eabe3adbc7ad01b5da639592df63279
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist

--
GitLab

From 13e7ee36a2c983e6860982cd71465ca27385b80b Mon Sep 17 00:00:00 2001
From: cspicer
Date: Fri, 7 May 2021 13:20:06 -0400
Subject: [PATCH 15/17] install git for jte fix

---
 Dockerfile | 9 +++++++--
 hardening_manifest.yaml | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index db70743..1f2e7a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,7 @@ ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
 ARG BASE_IMAGE=redhat/openjdk/openjdk11
 ARG BASE_TAG=1.11
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+#FROM registry1.dso.mil/ironbank/redhat/openjdk/openjdk11:latest
 USER root
 
 ARG TARBALL=jenkinsfile-runner-dependencies-dcar-1.8
@@ -19,6 +20,11 @@ ARG gid=1000
 COPY LICENSE /licenses
 COPY ${TARBALL}.tar.gz /tmp/${TARBALL}.tar.gz
 
+RUN INSTALL_PKGS="git" && \
+ yum -y update-minimal --setopt=tsflags=nodocs \
+ --security && \
+ yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS}
+
 RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && mkdir -p $JENKINS_HOME $TMP_DIR /usr/share/jenkins /build \
 && mv dependencies/ref /usr/share/jenkins/ref \
@@ -30,8 +36,7 @@ RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && chown ${uid}:${gid} /usr/share/jenkins \
 && chown ${uid}:${gid} /build \
 && groupadd -g ${gid} ${group} \
- && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user} \
- && touch /app/plugins.txt
+ && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user}
 
 RUN cd /usr/share/jenkins/ref/plugins && \
 rm -rf github*
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index a099119..6f183be 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com/boozallen/sdp-images/releases/download/fix-jte-jfr-test-1/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: aade7bd83fa4461d5398e24f8d8797f90eabe3adbc7ad01b5da639592df63279
+ value: 5e69b80497f9f9359a5c7927090f715e26d34547cb37f523c064e64ee691738b
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist

--
GitLab

From 452c12aaac7d71b70d6eebd3444adc5bc3ace4e2 Mon Sep 17 00:00:00 2001
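Review bot: The new `RUN` in the second Dockerfile hunk leaves the yum metadata and package cache in the layer and pins nothing: there is no `yum clean all` after the install, and `git` is requested without a version, so two builds of the same Dockerfile can yield different images. `yum -y update-minimal --security` compounds this, since the set of packages it upgrades depends on the repository state at build time rather than on anything committed; the base-image tag or digest is the reproducible place to take security updates from. I would end the instruction with `yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS} && \` followed by `yum clean all && rm -rf /var/cache/yum`, and record the git version being relied on in a comment. The same `RUN` is re-added unchanged in patch 17 (the Dockerfile hunk ending at `&& chown ${uid}:${gid} /app \`), where the same applies; the commented-out `#FROM registry1.dso.mil/ironbank/redhat/openjdk/openjdk11:latest` in the first hunk is dead text next to the pinned `FROM` and is better left out of the commit.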
From: cspicer
Date: Tue, 11 May 2021 17:19:00 -0400
Subject: [PATCH 16/17] updated git

---
 Dockerfile | 10 ++--------
 hardening_manifest.yaml | 4 ++--
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1f2e7a1..a38a56f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,6 @@ ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
 ARG BASE_IMAGE=redhat/openjdk/openjdk11
 ARG BASE_TAG=1.11
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-#FROM registry1.dso.mil/ironbank/redhat/openjdk/openjdk11:latest
 USER root
 
 ARG TARBALL=jenkinsfile-runner-dependencies-dcar-1.8
@@ -20,16 +19,10 @@ ARG gid=1000
 COPY LICENSE /licenses
 COPY ${TARBALL}.tar.gz /tmp/${TARBALL}.tar.gz
 
-RUN INSTALL_PKGS="git" && \
- yum -y update-minimal --setopt=tsflags=nodocs \
- --security && \
- yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS}
-
 RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && mkdir -p $JENKINS_HOME $TMP_DIR /usr/share/jenkins /build \
 && mv dependencies/ref /usr/share/jenkins/ref \
 && mv dependencies/app /app \
- && rm -rf /tmp/* \
 && chown ${uid}:${gid} $JENKINS_HOME \
 && chown ${uid}:${gid} $TMP_DIR \
 && chown ${uid}:${gid} /app \
@@ -39,7 +32,8 @@ RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user}
 
 RUN cd /usr/share/jenkins/ref/plugins && \
- rm -rf github*
+ rm -rf github* && \
+ rpm -ivh --replacepkgs --replacefiles /tmp/dependencies/rpms/*.rpm && rm -rf /tmp/*
 
 VOLUME /build
 VOLUME /usr/share/jenkins/ref/casc
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 6f183be..43a96f1 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
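Review bot: The added `rpm -ivh --replacepkgs --replacefiles /tmp/dependencies/rpms/*.rpm` in the last Dockerfile hunk installs whatever RPMs the dependency tarball happens to contain with the two flags that let rpm overwrite files already owned by installed packages, and `rpm -i` does not refuse packages whose signature it cannot verify the way `yum install` does with gpgcheck enabled, so a change to the tarball can silently replace base-image files. Prefer `yum -y install /tmp/dependencies/rpms/*.rpm` so the base image's signing policy applies, or check the packages with `rpm -K` first, and drop `--replacefiles` unless a specific conflict is documented. Moving `rm -rf /tmp/*` out of the extraction `RUN` into this later one also leaves the extracted `dependencies/` tree in an intermediate layer; the tarball itself is already persisted by the `COPY ${TARBALL}.tar.gz /tmp/${TARBALL}.tar.gz` layer, so neither placement of the cleanup reduces image size. The next patch reverts this hunk.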
@@ -38,10 +38,10 @@ labels:
 # List of resources to make available to the offline build context
 resources:
 - filename: jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
- url: https://github.com/boozallen/sdp-images/releases/download/fix-jte-jfr-test-1/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
+ url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: 5e69b80497f9f9359a5c7927090f715e26d34547cb37f523c064e64ee691738b
+ value: 9f84626c55e6add5e0952829b9cc5de6a993618032b753f355cfe3c0b03db205
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist

--
GitLab

From 3af8550d2a711a7891a4fe2ecdd8429905346ee3 Mon Sep 17 00:00:00 2001
From: cspicer
Date: Wed, 12 May 2021 12:27:17 -0400
Subject: [PATCH 17/17] updated dependency tarball

---
 Dockerfile | 9 +++++++--
 hardening_manifest.yaml | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a38a56f..fb84b4e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,10 +19,16 @@ ARG gid=1000
 COPY LICENSE /licenses
 COPY ${TARBALL}.tar.gz /tmp/${TARBALL}.tar.gz
 
+RUN INSTALL_PKGS="git" && \
+ yum -y update-minimal --setopt=tsflags=nodocs \
+ --security && \
+ yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS}
+
 RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && mkdir -p $JENKINS_HOME $TMP_DIR /usr/share/jenkins /build \
 && mv dependencies/ref /usr/share/jenkins/ref \
 && mv dependencies/app /app \
+ && rm -rf /tmp/* \
 && chown ${uid}:${gid} $JENKINS_HOME \
 && chown ${uid}:${gid} $TMP_DIR \
 && chown ${uid}:${gid} /app \
@@ -32,8 +38,7 @@ RUN cd /tmp && tar -xzf ${TARBALL}.tar.gz \
 && useradd -d "$JENKINS_HOME" -d "$TMP_DIR" -d /app -d /usr/share/jenkins -u ${uid} -g ${gid} -m -s /bin/bash ${user}
 
 RUN cd /usr/share/jenkins/ref/plugins && \
- rm -rf github* && \
- rpm -ivh --replacepkgs --replacefiles /tmp/dependencies/rpms/*.rpm && rm -rf /tmp/*
+ rm -rf github*
 
 VOLUME /build
 VOLUME /usr/share/jenkins/ref/casc
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 43a96f1..7d13c0f 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -41,7 +41,7 @@ resources:
 url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/jenkinsfile-runner-dependencies-dcar-1.8.tar.gz
 validation:
 type: sha256
- value: 9f84626c55e6add5e0952829b9cc5de6a993618032b753f355cfe3c0b03db205
+ value: 174340489946288569958cab3d5159b0242547b8b0b104652ba0c0b81fb85987
 
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist

--
GitLab