From 4103b3b661c15d5ff93e900a7e6a51d03c66dcfd Mon Sep 17 00:00:00 2001
From: ironbank-bot
Date: Thu, 10 Dec 2020 01:17:29 +0000
Subject: [PATCH] Migrate to hardening_manifest.yaml
---
 Dockerfile | 146 +++++++++++++++++++---------------------
 Jenkinsfile | 2 -
 download.yaml | 51 --------------
 hardening_manifest.yaml | 103 ++++++++++++++++++++++++++++
 4 files changed, 173 insertions(+), 129 deletions(-)
 delete mode 100644 Jenkinsfile
 delete mode 100644 download.yaml
 create mode 100644 hardening_manifest.yaml
diff --git a/Dockerfile b/Dockerfile
index 316fd99..60c3b37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,77 +1,71 @@
-ARG BASE_REGISTRY=registry1.dsop.io
-ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
-ARG BASE_TAG=8.2
-
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-
-# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
-RUN groupadd -r mongodb && useradd --no-log-init -r -g mongodb mongodb; \
- mkhomedir_helper mongodb;
-
-LABEL name="MongoDB Community Server" \
- description="MongoDB Community Server image based on the Red Hat Universal Base Image for DSOP." \
- vendor="MongoDB Inc." \
- summary="MongoDB (Red Hat UBI)" \
- maintainer="michael.simmons@anchore.com" \
- version="4.4.1"
-
-RUN set -eux; \
- dnf repolist; \
- dnf update --disableplugin=subscription-manager -y; \
- dnf install -y \
- ca-certificates \
- procps; \
- dnf clean all;
-
-ENV JSYAML_VERSION 3.13.0
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-COPY *.rpm /tmp/mongo_install/
-COPY jq-linux64 /usr/local/bin/jq
-COPY gosu-amd64 /usr/local/bin/gosu
-COPY /scripts/docker-entrypoint.sh /usr/local/bin/
-
-ENV MONGO_MAJOR 4.4
-ENV MONGO_VERSION 4.4.1
-
-COPY /config/* /tmp/mongo_install/
-
-RUN set -x && \
- rpm --import /tmp/mongo_install/server-4.4.asc && \
- dnf install -y /tmp/mongo_install/mongodb-database-tools.rpm \
- /tmp/mongo_install/mongodb-org-database-tools-extra.rpm \
- /tmp/mongo_install/mongodb-org.rpm \
- /tmp/mongo_install/mongodb-org-mongos.rpm \
- /tmp/mongo_install/mongodb-org-shell.rpm \
- /tmp/mongo_install/mongodb-org-tools.rpm \
- /tmp/mongo_install/mongodb-org-server.rpm \
- && rm -rf /var/lib/apt/lists/* \
- && rm -rf /var/lib/mongodb \
- && rm -rf /usr/lib64/python2.7/ \
- && rm -rf /usr/lib/python2.7 \
- && mv /etc/mongod.conf /etc/mongod.conf.orig \
- && dnf clean all \
- && chmod +x /usr/local/bin/jq \
- && chmod +x /usr/local/bin/gosu \
- && chown mongodb:mongodb /usr/local/bin/docker-entrypoint.sh \
- && chmod +x /usr/local/bin/docker-entrypoint.sh \
- && rm -rf /tmp/mongo_install \
- && gosu --version \
- && gosu nobody true;
-
-RUN mkdir -p /data/db /data/configdb \
- && chown -R mongodb:mongodb /data/db /data/configdb
-
-# Disable Ctrl+Alt+Del burst action
-RUN echo CtrlAltDelBurstAction=none >> /etc/systemd/system.conf
-
-COPY LICENSE /licenses/
-
-USER mongodb:mongodb
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 27017
-CMD ["mongod"]
-
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
+ARG BASE_TAG=8.2
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
+RUN groupadd -r mongodb && useradd --no-log-init -r -g mongodb mongodb; \
+ mkhomedir_helper mongodb;
+
+
+RUN set -eux; \
+ dnf repolist; \
+ dnf update --disableplugin=subscription-manager -y; \
+ dnf install -y \
+ ca-certificates \
+ procps; \
+ dnf clean all;
+
+ENV JSYAML_VERSION 3.13.0
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+COPY *.rpm /tmp/mongo_install/
+COPY jq-linux64 /usr/local/bin/jq
+COPY gosu-amd64 /usr/local/bin/gosu
+COPY /scripts/docker-entrypoint.sh /usr/local/bin/
+
+ENV MONGO_MAJOR 4.4
+ENV MONGO_VERSION 4.4.1
+
+COPY /config/* /tmp/mongo_install/
+
+RUN set -x && \
+ rpm --import /tmp/mongo_install/server-4.4.asc && \
+ dnf install -y /tmp/mongo_install/mongodb-database-tools.rpm \
+ /tmp/mongo_install/mongodb-org-database-tools-extra.rpm \
+ /tmp/mongo_install/mongodb-org.rpm \
+ /tmp/mongo_install/mongodb-org-mongos.rpm \
+ /tmp/mongo_install/mongodb-org-shell.rpm \
+ /tmp/mongo_install/mongodb-org-tools.rpm \
+ /tmp/mongo_install/mongodb-org-server.rpm \
+ && rm -rf /var/lib/apt/lists/* \
+ && rm -rf /var/lib/mongodb \
+ && rm -rf /usr/lib64/python2.7/ \
+ && rm -rf /usr/lib/python2.7 \
+ && mv /etc/mongod.conf /etc/mongod.conf.orig \
+ && dnf clean all \
+ && chmod +x /usr/local/bin/jq \
+ && chmod +x /usr/local/bin/gosu \
+ && chown mongodb:mongodb /usr/local/bin/docker-entrypoint.sh \
+ && chmod +x /usr/local/bin/docker-entrypoint.sh \
+ && rm -rf /tmp/mongo_install \
+ && gosu --version \
+ && gosu nobody true;
+
+RUN mkdir -p /data/db /data/configdb \
+ && chown -R mongodb:mongodb /data/db /data/configdb
+
+# Disable Ctrl+Alt+Del burst action
+RUN echo CtrlAltDelBurstAction=none >> /etc/systemd/system.conf
+
+COPY LICENSE /licenses/
+
+USER mongodb:mongodb
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 27017
+CMD ["mongod"]
+
 HEALTHCHECK --interval=15s --timeout=3s CMD echo 'db.runCommand("ping").ok' | mongo localhost:27017/test
\ No newline at end of file
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 1ea4678..0000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,2 +0,0 @@
-@Library('DCCSCR@master') _
-dccscrPipeline(version: "4.4.1")
diff --git a/download.yaml b/download.yaml
deleted file mode 100644
index a2a92f5..0000000
--- a/download.yaml
+++ /dev/null
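Review bot: The `rpm --import /tmp/mongo_install/server-4.4.asc` that precedes `dnf install -y /tmp/mongo_install/...rpm` does not make dnf verify those RPMs' signatures, because packages passed as local file paths are only checked when `localpkg_gpgcheck` is enabled (it is off by default), so the imported key is never enforced and authenticity of the server packages rests solely on the sha256 pins in hardening_manifest.yaml. Enforce it on the install line, `dnf install -y --setopt=localpkg_gpgcheck=1 /tmp/mongo_install/mongodb-database-tools.rpm \`, or run `rpm --checksig` over the files first so an unsigned or badly signed package fails the build. `rm -rf /var/lib/apt/lists/*` is a Debian leftover with no effect on this UBI base and can be dropped. Nearly every line of the file is removed and re-added with identical text, which looks like a line-ending or trailing-whitespace change; committing that normalization separately would leave only the dropped LABEL block as the visible diff.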
@@ -1,51 +0,0 @@
-resources:
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-4.4.1-1.el8.x86_64.rpm
- filename: mongodb-org.rpm
- validation:
- type: sha256
- value: fdcfae773806144b2072882cdc3757293d354617940ed882bdc04fbb774f452f
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-mongos-4.4.1-1.el8.x86_64.rpm
- filename: mongodb-org-mongos.rpm
- validation:
- type: sha256
- value: c9b8011ca350157a83b93e02cc7a120a0b96255d609d20b87971222a2cf8acb0
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-server-4.4.1-1.el8.x86_64.rpm
- filename: mongodb-org-server.rpm
- validation:
- type: sha256
- value: 76f7e65e39c5ca563f7dc15868f2accc43da6f0654eb72ef054407f7755d841f
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-shell-4.4.1-1.el8.x86_64.rpm
- filename: mongodb-org-shell.rpm
- validation:
- type: sha256
- value: 9089c4d5dd05cde71c7ed509454c8158251def4c5b0cc0b9b03940dc18696cc0
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-tools-4.4.1-1.el8.x86_64.rpm
- filename: mongodb-org-tools.rpm
- validation:
- type: sha256
- value: b8ef170cd79cf53a2ebda6288ee31ee8e8f6757991ffb6cfc3092b930927c832
- - url: https://raw.githubusercontent.com/nodeca/js-yaml/3.13.0/dist/js-yaml.js
- filename: js-yaml.js
- validation:
- type: sha256
- value: 490a40d65dabe72b9c34567fa9ce5da53c577a3c761b568ceba994751e6e74b9
- - url: https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
- filename: jq-linux64
- validation:
- type: sha256
- value: af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44
- - url: https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64
- filename: gosu-amd64
- validation:
- type: sha256
- value: 0b843df6d86e270c5b0f5cbd3c326a04e18f4b7f9b8457fa497b0454c4b138d7
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-database-tools-100.2.0.x86_64.rpm
- filename: mongodb-database-tools.rpm
- validation:
- type: sha256
- value: 0d330820e283eb47bec82fe37306b0e759de7e97995b33f1ef73c9fbfd723b22
- - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-database-tools-extra-4.4.1-1.el8.x86_64.rpm
- filename: mongodb-org-database-tools-extra.rpm
- validation:
- type: sha256
- value: b22e8118bacf3311c65bc65e6e1975dfb0e31ee86cfd4452d3e82ac64bdead64
\ No newline at end of file
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..1202b41
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "opensource/mongodb/mongodb"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "4.4.1"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/ubi/ubi8"
+ BASE_TAG: "8.3"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "mongodb"
+ ## Human-readable description of the software packaged in the image
+ # org.opencontainers.image.description: "FIXME"
+ ## License(s) under which contained software is distributed
+ # org.opencontainers.image.licenses: "FIXME"
+ ## URL to find more information on the image
+ # org.opencontainers.image.url: "FIXME"
+ ## Name of the distributing entity, organization or individual
+ # org.opencontainers.image.vendor: "FIXME"
+ org.opencontainers.image.version: "4.4.1"
+ ## Keywords to help with search (ex. "cicd,gitops,golang")
+ # mil.dso.ironbank.image.keywords: "FIXME"
+ ## This value can be "opensource" or "commercial"
+ # mil.dso.ironbank.image.type: "FIXME"
+ ## Product the image belongs to for grouping multiple images
+ # mil.dso.ironbank.product.name: "FIXME"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: mongodb-org.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-4.4.1-1.el8.x86_64.rpm
+ validation:
+ type: sha256
+ value: fdcfae773806144b2072882cdc3757293d354617940ed882bdc04fbb774f452f
+- filename: mongodb-org-mongos.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-mongos-4.4.1-1.el8.x86_64.rpm
+ validation:
+ type: sha256
+ value: c9b8011ca350157a83b93e02cc7a120a0b96255d609d20b87971222a2cf8acb0
+- filename: mongodb-org-server.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-server-4.4.1-1.el8.x86_64.rpm
+ validation:
+ type: sha256
+ value: 76f7e65e39c5ca563f7dc15868f2accc43da6f0654eb72ef054407f7755d841f
+- filename: mongodb-org-shell.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-shell-4.4.1-1.el8.x86_64.rpm
+ validation:
+ type: sha256
+ value: 9089c4d5dd05cde71c7ed509454c8158251def4c5b0cc0b9b03940dc18696cc0
+- filename: mongodb-org-tools.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-tools-4.4.1-1.el8.x86_64.rpm
+ validation:
+ type: sha256
+ value: b8ef170cd79cf53a2ebda6288ee31ee8e8f6757991ffb6cfc3092b930927c832
+- filename: js-yaml.js
+ url: https://raw.githubusercontent.com/nodeca/js-yaml/3.13.0/dist/js-yaml.js
+ validation:
+ type: sha256
+ value: 490a40d65dabe72b9c34567fa9ce5da53c577a3c761b568ceba994751e6e74b9
+- filename: jq-linux64
+ url: https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+ validation:
+ type: sha256
+ value: af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44
+- filename: gosu-amd64
+ url: https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64
+ validation:
+ type: sha256
+ value: 0b843df6d86e270c5b0f5cbd3c326a04e18f4b7f9b8457fa497b0454c4b138d7
+- filename: mongodb-database-tools.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-database-tools-100.2.0.x86_64.rpm
+ validation:
+ type: sha256
+ value: 0d330820e283eb47bec82fe37306b0e759de7e97995b33f1ef73c9fbfd723b22
+- filename: mongodb-org-database-tools-extra.rpm
+ url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-database-tools-extra-4.4.1-1.el8.x86_64.rpm
+ validation:
+ type: sha256
+ value: b22e8118bacf3311c65bc65e6e1975dfb0e31ee86cfd4452d3e82ac64bdead64
+
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+- email: "michael.simmons@anchore.com"
+# # The name of the current container owner
+# name: "FIXME"
+# # The gitlab username of the current container owner
+# username: "FIXME"
+# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
+# - name: "FIXME"
+# username: "FIXME"
+# email: "FIXME"
--
GitLab
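Review bot: The `labels:` block leaves `org.opencontainers.image.description`, `.licenses`, `.url` and `.vendor` as commented-out FIXME placeholders although the Dockerfile hunk in this same patch drops a `LABEL` that carried those values, so the built image loses the description "MongoDB Community Server image based on the Red Hat Universal Base Image for DSOP." and vendor "MongoDB Inc."; carry them over, e.g. `org.opencontainers.image.description: "MongoDB Community Server image based on the Red Hat Universal Base Image for DSOP."` and `org.opencontainers.image.vendor: "MongoDB Inc."`. The `maintainers:` entry likewise keeps only the email with name and username commented out. The `server-4.4.asc` key that the Dockerfile feeds to `rpm --import` is not listed under `resources:`; it presumably ships under `config/` in the repository, and a comment stating where it came from and how it was verified (key fingerprint as published by the vendor — <FINGERPRINT-PLACEHOLDER>) would let a reviewer check the trust root. `BASE_IMAGE: "redhat/ubi/ubi8"` differs from the Dockerfile default `ironbank/redhat/ubi/ubi8`; if the pipeline prefixes `/ironbank/` as the `name:` comment implies, a one-line comment on `args:` saying so would avoid the question.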