diff --git a/Dockerfile b/Dockerfile
index c3c7d0fb487f3e2ddf887482725af4a304ff7740..4fea996483648f7f43f6b4e02693425d2e11a2ec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
-ARG BASE_TAG=8.2
+ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS builder
@@ -16,42 +16,75 @@ RUN dnf upgrade -y && \
 cd $GOPATH/src/k8s.io/kubernetes/ && \
 make WHAT=cmd/kube-proxy
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+COPY texinfo.tar.gz bison.tar.gz flex.tar.gz signatures/RPM-GPG-KEY-CentOS-Official \
+ libtirpc-devel.rpm libmnl.tar.bz2 libnetfilter_conntrack.tar.bz2 \
+ libnetfilter_cthelper.tar.bz2 libnetfilter_cttimeout.tar.bz2 \
+ libnetfilter_queue.tar.bz2 texinfo.tar.gz libnfnetlink.tar.bz2 conntrack-tools.tar.bz2 /
+
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Install necessary container packages for conntrack
+# TODO: use WORKDIR?
+
+RUN dnf upgrade -y && \
+ dnf install -y automake autoconf make gcc iptables ipset kmod bzip2 m4 \
+ diffutils pkgconf pkgconf-m4 pkgconf-pkg-config man-db && \
+ mkdir -p /usr/src/texinfo && \
+ tar -zxf /texinfo.tar.gz --strip-components=1 -C /usr/src/texinfo && \
+ cd /usr/src/texinfo && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/bison && \
+ tar -zxf /bison.tar.gz --strip-components=1 -C /usr/src/bison && \
+ cd /usr/src/bison && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/flex && \
+ tar -zxf /flex.tar.gz --strip-components=1 -C /usr/src/flex && \
+ cd /usr/src/flex && \
+ ./configure && make && make install && \
+ rpm --import /RPM-GPG-KEY-CentOS-Official && \
+ rpm -iv /libtirpc-devel.rpm && \
+ mkdir -p /usr/src/libnfnetlink && \
+ tar -jxf /libnfnetlink.tar.bz2 --strip-components=1 -C /usr/src/libnfnetlink && \
+ cd /usr/src/libnfnetlink && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/libmnl && \
+ tar -jxf /libmnl.tar.bz2 --strip-components=1 -C /usr/src/libmnl && \
+ cd /usr/src/libmnl && \
+ ./configure && make && make install
+
+ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+RUN mkdir -p /usr/src/libnetfilter_conntrack && \
+ tar -jxf /libnetfilter_conntrack.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_conntrack && \
+ cd /usr/src/libnetfilter_conntrack && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/libnetfilter_cttimeout && \
+ tar -jxf /libnetfilter_cttimeout.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cttimeout && \
+ cd /usr/src/libnetfilter_cttimeout && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/libnetfilter_cthelper && \
+ tar -jxf /libnetfilter_cthelper.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cthelper && \
+ cd /usr/src/libnetfilter_cthelper && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/libnetfilter_queue && \
+ tar -jxf /libnetfilter_queue.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_queue && \
+ cd /usr/src/libnetfilter_queue && \
+ ./configure && make && make install && \
+ mkdir -p /usr/src/conntrack-tools && \
+ tar -jxf /conntrack-tools.tar.bz2 --strip-components=1 -C /usr/src/conntrack-tools && \
+ cd /usr/src/conntrack-tools && \
+ ./configure && make && make install
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 COPY --from=builder /src/k8s.io/kubernetes/_output/bin/kube-proxy /usr/local/bin/
-COPY scripts/iptables-wrapper ebtables-2.0.11.tar.gz /
+COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack
+
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# Install necessary container packages and etables
+
 RUN dnf upgrade -y && \
- dnf install -y make gcc iptables ipset kmod && \
- tar xzf ebtables-2.0.11.tar.gz && \
- rm -f ebtables-2.0.11.tar.gz && \
- cd ebtables-2.0.11 && \
- ./configure && \
- make && \
- make install && \
- cd .. && \
- mv iptables-wrapper /usr/sbin/iptables-wrapper && \
- chmod +x /usr/sbin/iptables-wrapper && \
- dnf remove -y make && \
- dnf remove -y gcc && \
- dnf remove -y unbound-libs && \
- dnf remove -y python3-unbound && \
+ dnf install -y iptables ipset kmod && \
 dnf clean all && \
 rm -rf /var/cache/dnf
-# Run script commands for iptables-wrapper
-RUN update-alternatives \
- --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
- --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
- --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper
-
-RUN update-alternatives \
- --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
- --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
- --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper
-
-RUN chmod 0755 /usr/sbin/iptables-wrapper
-
 CMD ["/bin/sh"]
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 3aa697e8ee07801c1407d1769d00ce3817922cbf..8184e722ec4c7f14ee499c44e60d8000b5751492 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
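Review bot: The runtime stage copies only the `/usr/local/sbin/conntrack` binary out of the builder, yet every library it was linked against — libnetfilter_conntrack, libnetfilter_cttimeout, libnetfilter_cthelper, libnetfilter_queue, libmnl and libnfnetlink — was built with a bare `./configure && make && make install` into the builder's `/usr/local/lib` and is never copied, so unless those configures produced static links (libtool's default is shared) conntrack will fail at load time in the final image and kube-proxy's conntrack cleanup will fail at runtime. Copy the shared objects next to the binary, register the directory with the dynamic loader rather than trusting a libtool rpath, and add a load check so a missing library fails the image build instead of the pod; the rewritten lines are sketched below with the unchanged `ENV`/`dnf` lines elided. Two smaller issues in the same hunk: `texinfo.tar.gz` is listed twice in the builder `COPY`, and the CentOS key is imported from the repository without its fingerprint being recorded or checked anywhere, so `rpm -iv /libtirpc-devel.rpm` verifies against whatever key happened to be committed. Removing `iptables-wrapper` also drops the legacy/nft auto-detection kube-proxy relied on; that is acceptable only if the UBI 8 `iptables` package is nft-only (as on RHEL 8 — to be confirmed), otherwise a host still using iptables-legacy will have its rules ignored. The builder `RUN` that the hunk's first two context lines belong to starts outside the hunk.
```dockerfile
COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack
# conntrack is dynamically linked against the netfilter libraries the builder
# installed into /usr/local/lib; ship them and make sure the loader searches there.
COPY --from=builder /usr/local/lib/libnetfilter_*.so* /usr/local/lib/libmnl.so* /usr/local/lib/libnfnetlink.so* /usr/local/lib/
RUN echo /usr/local/lib > /etc/ld.so.conf.d/local.conf && ldconfig
# … unchanged: ENV PATH, dnf upgrade/install of iptables ipset kmod, dnf clean …
# Fail the image build, not the pod, if any shared library is still missing.
RUN ! ldd /usr/local/sbin/conntrack | grep -q 'not found'
```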
@@ -42,21 +42,69 @@ resources:
 validation:
 type: sha256
 value: 79dac2d1095c7176ab707a9c6349d1aa745574382802c8040843674b3c7845a4
-- filename: ebtables-2.0.11.tar.gz
- url: http://ftp.netfilter.org/pub/ebtables/ebtables-2.0.11.tar.gz
+- filename: texinfo.tar.gz
+ url: "https://ftp.gnu.org/gnu/texinfo/texinfo-6.7.tar.gz"
 validation:
 type: sha256
- value: b71f654784a726329f88b412ef7b96b4e5d786ed2bd28193ed7b4c0d677dfd2a
+ value: a52d05076b90032cb2523673c50e53185938746482cf3ca0213e9b4b50ac2d3e
+- filename: bison.tar.gz
+ url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz"
+ validation:
+ type: sha256
+ value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28
+- filename: flex.tar.gz
+ url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz"
+ validation:
+ type: sha256
+ value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995
+- filename: libtirpc-devel.rpm
+ url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm"
+ validation:
+ type: sha256
+ value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75
+- filename: libnfnetlink.tar.bz2
+ url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2"
+ validation:
+ type: sha256
+ value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a
+- filename: libmnl.tar.bz2
+ url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2"
+ validation:
+ type: sha256
+ value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81
+- filename: libnetfilter_conntrack.tar.bz2
+ url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2"
+ validation:
+ type: sha256
+ value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf
+- filename: libnetfilter_cttimeout.tar.bz2
+ url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2"
+ validation:
+ type: sha256
+ value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba
+- filename: libnetfilter_cthelper.tar.bz2
+ url: "https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2"
+ validation:
+ type: sha256
+ value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d
+- filename: libnetfilter_queue.tar.bz2
+ url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2"
+ validation:
+ type: sha256
+ value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5
+- filename: conntrack-tools.tar.bz2
+ url: "http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2"
+ validation:
+ type: sha256
+ value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f
 # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist # FIXME: Include any other vendor information if applicable maintainers: -maintainers: -- email: "gavin.scallon@parsons.com" +- email: "jperez2@novetta.com" # # The name of the current container owner - name: "Gavin Scallon" + name: "Jason Perez" # # The gitlab username of the current container owner - username: "gavin.scallon" - cht_member: true - + username: "jperez2" + cht_member: false
diff --git a/scripts/iptables-wrapper b/scripts/iptables-wrapper
deleted file mode 100755
index 75f0c366ed3cea104741a0ed5a81f2db2b5c7724..0000000000000000000000000000000000000000
--- a/scripts/iptables-wrapper
+++ /dev/null
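Review bot: Four of the new resources are still fetched over plain `http://` — bison from `ftp.gnu.org`, libnfnetlink from `netfilter.org`, conntrack-tools from `ftp.netfilter.org` and `libtirpc-devel` from `mirror.centos.org` — while the sibling entries for texinfo and libmnl already use `https://` on the very same hosts. The sha256 pin catches a substituted tarball, but a cleartext fetch still exposes exactly which versions the build pulls and turns any on-path tampering into an unexplained hash-mismatch failure rather than a TLS error, so switch them, e.g. `url: "https://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz"` and `url: "https://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2"`. `mirror.centos.org/centos/8/` is a round-robin mirror of current content rather than a stable archive, so once CentOS Linux 8 rotates out of it this pin stops resolving; `vault.centos.org` is the durable source for that package — to be confirmed for this exact build. The `.rpm` entry is also the only resource whose signature the Dockerfile checks, via a key committed to the repository without its fingerprint recorded here; add a comment with the expected fingerprint next to the entry so reviewers can compare it with the one CentOS publishes.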
@@ -1,44 +0,0 @@
-#!/bin/sh
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-
-# Detect whether the base system is using iptables-legacy or
-# iptables-nft. This assumes that some non-containerized process (eg
-# kubelet) has already created some iptables rules.
-
-# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
-# some circumstances, so we have to run the nft check in a timeout. To
-# avoid hitting that timeout, we only bother to even check nft if
-# legacy iptables was empty / mostly empty.
-
-num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
-if [ "${num_legacy_lines}" -ge 10 ]; then
- mode=legacy
-else
- num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
- if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
- mode=legacy
- else
- mode=nft
- fi
-fi
-
-update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
-update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
-
-# Now re-exec the original command with the newly-selected alternative
-exec "$0" "$@
\ No newline at end of file
diff --git a/signatures/RPM-GPG-KEY-CentOS-Official b/signatures/RPM-GPG-KEY-CentOS-Official
new file mode 100644
index 0000000000000000000000000000000000000000..30235a8647634c1706cfde7095c82c5a821e4bab
--- /dev/null
+++ b/signatures/RPM-GPG-KEY-CentOS-Official
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBFzMWxkBEADHrskpBgN9OphmhRkc7P/YrsAGSvvl7kfu+e9KAaU6f5MeAVyn
+rIoM43syyGkgFyWgjZM8/rur7EMPY2yt+2q/1ZfLVCRn9856JqTIq0XRpDUe4nKQ
+8BlA7wDVZoSDxUZkSuTIyExbDf0cpw89Tcf62Mxmi8jh74vRlPy1PgjWL5494b3X
+5fxDidH4bqPZyxTBqPrUFuo+EfUVEqiGF94Ppq6ZUvrBGOVo1V1+Ifm9CGEK597c
+aevcGc1RFlgxIgN84UpuDjPR9/zSndwJ7XsXYvZ6HXcKGagRKsfYDWGPkA5cOL/e
+f+yObOnC43yPUvpggQ4KaNJ6+SMTZOKikM8yciyBwLqwrjo8FlJgkv8Vfag/2UR7
+JINbyqHHoLUhQ2m6HXSwK4YjtwidF9EUkaBZWrrskYR3IRZLXlWqeOi/+ezYOW0m
+vufrkcvsh+TKlVVnuwmEPjJ8mwUSpsLdfPJo1DHsd8FS03SCKPaXFdD7ePfEjiYk
+nHpQaKE01aWVSLUiygn7F7rYemGqV9Vt7tBw5pz0vqSC72a5E3zFzIIuHx6aANry
+Gat3aqU3qtBXOrA/dPkX9cWE+UR5wo/A2UdKJZLlGhM2WRJ3ltmGT48V9CeS6N9Y
+m4CKdzvg7EWjlTlFrd/8WJ2KoqOE9leDPeXRPncubJfJ6LLIHyG09h9kKQARAQAB
+tDpDZW50T1MgKENlbnRPUyBPZmZpY2lhbCBTaWduaW5nIEtleSkgPHNlY3VyaXR5
+QGNlbnRvcy5vcmc+iQI3BBMBAgAhBQJczFsZAhsDBgsJCAcDAgYVCAIJCgsDFgIB
+Ah4BAheAAAoJEAW1VbOEg8ZdjOsP/2ygSxH9jqffOU9SKyJDlraL2gIutqZ3B8pl
+Gy/Qnb9QD1EJVb4ZxOEhcY2W9VJfIpnf3yBuAto7zvKe/G1nxH4Bt6WTJQCkUjcs
+N3qPWsx1VslsAEz7bXGiHym6Ay4xF28bQ9XYIokIQXd0T2rD3/lNGxNtORZ2bKjD
+vOzYzvh2idUIY1DgGWJ11gtHFIA9CvHcW+SMPEhkcKZJAO51ayFBqTSSpiorVwTq
+a0cB+cgmCQOI4/MY+kIvzoexfG7xhkUqe0wxmph9RQQxlTbNQDCdaxSgwbF2T+gw
+byaDvkS4xtR6Soj7BKjKAmcnf5fn4C5Or0KLUqMzBtDMbfQQihn62iZJN6ZZ/4dg
+q4HTqyVpyuzMXsFpJ9L/FqH2DJ4exGGpBv00ba/Zauy7GsqOc5PnNBsYaHCply0X
+407DRx51t9YwYI/ttValuehq9+gRJpOTTKp6AjZn/a5Yt3h6jDgpNfM/EyLFIY9z
+V6CXqQQ/8JRvaik/JsGCf+eeLZOw4koIjZGEAg04iuyNTjhx0e/QHEVcYAqNLhXG
+rCTTbCn3NSUO9qxEXC+K/1m1kaXoCGA0UWlVGZ1JSifbbMx0yxq/brpEZPUYm+32
+o8XfbocBWljFUJ+6aljTvZ3LQLKTSPW7TFO+GXycAOmCGhlXh2tlc6iTc41PACqy
+yy+mHmSv
+=kkH7
+-----END PGP PUBLIC KEY BLOCK-----