Merge branch 'development' into 'master'

Development into master fixing issue 3 See merge request !11

Merge branch 'development' into 'master'
Development into master fixing issue 3 See merge request !11
ce9e33cc · Andy Maksymowicz · 12ce6528 · 76b7f63d · ce9e33cc · ce9e33cc
Commit ce9e33cc authored Jan 04, 2021 by Andy Maksymowicz
4 changed files
--- a/Dockerfile
+++ b/Dockerfile
-ARG BASE_REGISTRY=registry1.dsop.io/ironbank
+ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
-ARG BASE_TAG=8.2
+ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS builder
 #install Go 1.15.2
 COPY go1.15.2.linux-amd64.tar.gz /
 RUN tar -C /usr/local -xzf go1.15.2.linux-amd64.tar.gz
 ENV PATH="$PATH:/usr/local/go/bin"
-COPY kubernetes.tar.gz scripts/iptables-wrapper ebtables-2.0.11.tar.gz /
+COPY kubernetes.tar.gz /
 RUN dnf upgrade -y && \
    dnf install -y make gcc diffutils rsync && \
@@ -22,40 +21,75 @@ RUN dnf upgrade -y && \
    cd $GOPATH/src/k8s.io/kubernetes/ && \
    make WHAT=cmd/kube-proxy
+COPY texinfo.tar.gz bison.tar.gz flex.tar.gz signatures/RPM-GPG-KEY-CentOS-Official \
+     libtirpc-devel.rpm libmnl.tar.bz2 libnetfilter_conntrack.tar.bz2 \
+     libnetfilter_cthelper.tar.bz2 libnetfilter_cttimeout.tar.bz2 \
+     libnetfilter_queue.tar.bz2 texinfo.tar.gz libnfnetlink.tar.bz2 conntrack-tools.tar.bz2 /
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Install necessary container packages for conntrack
+# TODO: use WORKDIR?
+RUN dnf upgrade -y && \
+    dnf install -y automake autoconf make gcc iptables ipset kmod bzip2 m4 \
+    diffutils pkgconf pkgconf-m4 pkgconf-pkg-config man-db && \
+    mkdir -p /usr/src/texinfo && \
+    tar -zxf /texinfo.tar.gz --strip-components=1 -C /usr/src/texinfo && \
+    cd /usr/src/texinfo && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/bison && \
+    tar -zxf /bison.tar.gz --strip-components=1 -C /usr/src/bison && \
+    cd /usr/src/bison && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/flex && \
+    tar -zxf /flex.tar.gz --strip-components=1 -C /usr/src/flex && \
+    cd /usr/src/flex && \
+    ./configure && make && make install && \
+    rpm --import /RPM-GPG-KEY-CentOS-Official && \
+    rpm -iv /libtirpc-devel.rpm && \
+    mkdir -p /usr/src/libnfnetlink && \
+    tar -jxf /libnfnetlink.tar.bz2 --strip-components=1 -C /usr/src/libnfnetlink && \
+    cd /usr/src/libnfnetlink && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/libmnl && \
+    tar -jxf /libmnl.tar.bz2 --strip-components=1 -C /usr/src/libmnl && \
+    cd /usr/src/libmnl && \
+    ./configure && make && make install
+ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+RUN mkdir -p /usr/src/libnetfilter_conntrack && \
+    tar -jxf /libnetfilter_conntrack.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_conntrack && \
+    cd /usr/src/libnetfilter_conntrack && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/libnetfilter_cttimeout && \
+    tar -jxf /libnetfilter_cttimeout.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cttimeout && \
+    cd /usr/src/libnetfilter_cttimeout && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/libnetfilter_cthelper && \
+    tar -jxf /libnetfilter_cthelper.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cthelper && \
+    cd /usr/src/libnetfilter_cthelper && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/libnetfilter_queue && \
+    tar -jxf /libnetfilter_queue.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_queue && \
+    cd /usr/src/libnetfilter_queue && \
+    ./configure && make && make install && \
+    mkdir -p /usr/src/conntrack-tools && \
+    tar -jxf /conntrack-tools.tar.bz2 --strip-components=1 -C /usr/src/conntrack-tools && \
+    cd /usr/src/conntrack-tools && \
+    ./configure && make && make install
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 COPY --from=builder /src/k8s.io/kubernetes/_output/bin/kube-proxy /usr/local/bin/
-COPY scripts/iptables-wrapper ebtables-2.0.11.tar.gz /
+COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# Install necessary container packages and etables
 RUN dnf upgrade -y && \
-    dnf install -y make gcc iptables ipset kmod && \
+    dnf install -y iptables ipset kmod && \
-    tar xzf ebtables-2.0.11.tar.gz && \
-    rm -f ebtables-2.0.11.tar.gz && \
-    cd ebtables-2.0.11 && \
-    ./configure && \
-    make && \
-    make install && \
-    cd .. && \
-    mv iptables-wrapper /usr/sbin/iptables-wrapper && \
-    dnf remove -y make && \
-    dnf remove -y gcc && \
-    dnf remove -y unbound-libs && \
-    dnf remove -y python3-unbound && \
    dnf clean all && \
    rm -rf /var/cache/dnf
-# Run script commands for iptables-wrapper
-RUN update-alternatives \
-	--install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
-	--slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
-	--slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper
-RUN update-alternatives \
-	--install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
-	--slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
-	--slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper
 CMD ["/bin/sh"]
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -42,25 +42,72 @@ resources:
  validation:
    type: sha256
    value: c5e4d8bf0844d86898a1c3577a5251124242890fa597db19eb588b2f76c2afbb
- filename: ebtables-2.0.11.tar.gz
-  url: http://ftp.netfilter.org/pub/ebtables/ebtables-2.0.11.tar.gz
-  validation:
-    type: sha256
-    value: b71f654784a726329f88b412ef7b96b4e5d786ed2bd28193ed7b4c0d677dfd2a
 - filename: go1.15.2.linux-amd64.tar.gz
  url: https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
  validation:
    type: sha256
    value: b49fda1ca29a1946d6bb2a5a6982cf07ccd2aba849289508ee0f9918f6bb4552
+- filename: texinfo.tar.gz
+  url: "https://ftp.gnu.org/gnu/texinfo/texinfo-6.7.tar.gz"
+  validation:
+    type: sha256
+    value: a52d05076b90032cb2523673c50e53185938746482cf3ca0213e9b4b50ac2d3e
+- filename: bison.tar.gz
+  url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz"
+  validation:
+    type: sha256
+    value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28
+- filename: flex.tar.gz
+  url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz"
+  validation:
+    type: sha256
+    value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995
+- filename: libtirpc-devel.rpm
+  url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm"
+  validation:
+    type: sha256
+    value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75
+- filename: libnfnetlink.tar.bz2
+  url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2"
+  validation:
+    type: sha256
+    value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a
+- filename: libmnl.tar.bz2
+  url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2"
+  validation:
+    type: sha256
+    value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81
+- filename: libnetfilter_conntrack.tar.bz2
+  url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2"
+  validation:
+    type: sha256
+    value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf
+- filename: libnetfilter_cttimeout.tar.bz2
+  url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2"
+  validation:
+    type: sha256
+    value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba
+- filename: libnetfilter_cthelper.tar.bz2
+  url: "https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2"
+  validation:
+    type: sha256
+    value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d
+- filename: libnetfilter_queue.tar.bz2
+  url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2"
+  validation:
+    type: sha256
+    value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5
+- filename: conntrack-tools.tar.bz2
+  url: "http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2"
+  validation:
+    type: sha256
+    value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f
 # List of project maintainers
-# FIXME: Fill in the following details for the current container owner in the whitelist
-# FIXME: Include any other vendor information if applicable
-maintainers:
 maintainers:
- email: "gavin.scallon@parsons.com"
+- email: "jperez2@novetta.com"
 #   # The name of the current container owner
-  name: "Gavin Scallon"
+  name: "Jason Perez"
 #   # The gitlab username of the current container owner
-  username: "gavin.scallon"
+  username: "jperez2"
-  cht_member: true 
+  cht_member: false
\ No newline at end of file
--- a/scripts/iptables-wrapper
+++ b/scripts/iptables-wrapper
-#!/bin/sh
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-set -e
-# Detect whether the base system is using iptables-legacy or
-# iptables-nft. This assumes that some non-containerized process (eg
-# kubelet) has already created some iptables rules.
-# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
-# some circumstances, so we have to run the nft check in a timeout. To
-# avoid hitting that timeout, we only bother to even check nft if
-# legacy iptables was empty / mostly empty.
-num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
-if [ "${num_legacy_lines}" -ge 10 ]; then
-    mode=legacy
-else
-    num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
-    if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
-	mode=legacy
-    else
-	mode=nft
-    fi
-fi
-update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
-update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
-# Now re-exec the original command with the newly-selected alternative
-exec "$0" "$@
--- a/signatures/RPM-GPG-KEY-CentOS-Official
+++ b/signatures/RPM-GPG-KEY-CentOS-Official
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+mQINBFzMWxkBEADHrskpBgN9OphmhRkc7P/YrsAGSvvl7kfu+e9KAaU6f5MeAVyn
+rIoM43syyGkgFyWgjZM8/rur7EMPY2yt+2q/1ZfLVCRn9856JqTIq0XRpDUe4nKQ
+8BlA7wDVZoSDxUZkSuTIyExbDf0cpw89Tcf62Mxmi8jh74vRlPy1PgjWL5494b3X
+5fxDidH4bqPZyxTBqPrUFuo+EfUVEqiGF94Ppq6ZUvrBGOVo1V1+Ifm9CGEK597c
+aevcGc1RFlgxIgN84UpuDjPR9/zSndwJ7XsXYvZ6HXcKGagRKsfYDWGPkA5cOL/e
+f+yObOnC43yPUvpggQ4KaNJ6+SMTZOKikM8yciyBwLqwrjo8FlJgkv8Vfag/2UR7
+JINbyqHHoLUhQ2m6HXSwK4YjtwidF9EUkaBZWrrskYR3IRZLXlWqeOi/+ezYOW0m
+vufrkcvsh+TKlVVnuwmEPjJ8mwUSpsLdfPJo1DHsd8FS03SCKPaXFdD7ePfEjiYk
+nHpQaKE01aWVSLUiygn7F7rYemGqV9Vt7tBw5pz0vqSC72a5E3zFzIIuHx6aANry
+Gat3aqU3qtBXOrA/dPkX9cWE+UR5wo/A2UdKJZLlGhM2WRJ3ltmGT48V9CeS6N9Y
+m4CKdzvg7EWjlTlFrd/8WJ2KoqOE9leDPeXRPncubJfJ6LLIHyG09h9kKQARAQAB
+tDpDZW50T1MgKENlbnRPUyBPZmZpY2lhbCBTaWduaW5nIEtleSkgPHNlY3VyaXR5
+QGNlbnRvcy5vcmc+iQI3BBMBAgAhBQJczFsZAhsDBgsJCAcDAgYVCAIJCgsDFgIB
+Ah4BAheAAAoJEAW1VbOEg8ZdjOsP/2ygSxH9jqffOU9SKyJDlraL2gIutqZ3B8pl
+Gy/Qnb9QD1EJVb4ZxOEhcY2W9VJfIpnf3yBuAto7zvKe/G1nxH4Bt6WTJQCkUjcs
+N3qPWsx1VslsAEz7bXGiHym6Ay4xF28bQ9XYIokIQXd0T2rD3/lNGxNtORZ2bKjD
+vOzYzvh2idUIY1DgGWJ11gtHFIA9CvHcW+SMPEhkcKZJAO51ayFBqTSSpiorVwTq
+a0cB+cgmCQOI4/MY+kIvzoexfG7xhkUqe0wxmph9RQQxlTbNQDCdaxSgwbF2T+gw
+byaDvkS4xtR6Soj7BKjKAmcnf5fn4C5Or0KLUqMzBtDMbfQQihn62iZJN6ZZ/4dg
+q4HTqyVpyuzMXsFpJ9L/FqH2DJ4exGGpBv00ba/Zauy7GsqOc5PnNBsYaHCply0X
+407DRx51t9YwYI/ttValuehq9+gRJpOTTKp6AjZn/a5Yt3h6jDgpNfM/EyLFIY9z
+V6CXqQQ/8JRvaik/JsGCf+eeLZOw4koIjZGEAg04iuyNTjhx0e/QHEVcYAqNLhXG
+rCTTbCn3NSUO9qxEXC+K/1m1kaXoCGA0UWlVGZ1JSifbbMx0yxq/brpEZPUYm+32
+o8XfbocBWljFUJ+6aljTvZ3LQLKTSPW7TFO+GXycAOmCGhlXh2tlc6iTc41PACqy
+yy+mHmSv
+=kkH7
+-----END PGP PUBLIC KEY BLOCK-----