Migrate to hardening_manifest.yaml

4103b3b6 · ironbank-bot · 58f83b88 · 4103b3b6 · 58f83b88 · 58f83b88
Commit 4103b3b6 authored Dec 10, 2020 by ironbank-bot
Hide whitespace changes
Inline Side-by-side

Showing with 173 additions and 129 deletions

Dockerfile Dockerfile +70 -76

Jenkinsfile Jenkinsfile +0 -2

download.yaml download.yaml +0 -51

hardening_manifest.yaml hardening_manifest.yaml +103 -0

No files found.
--- a/Dockerfile
+++ b/Dockerfile
 ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
 ARG BASE_TAG=8.2 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 RUN groupadd -r mongodb && useradd --no-log-init -r -g mongodb mongodb; \
 	mkhomedir_helper mongodb;
-LABEL name="MongoDB Community Server" \
-	description="MongoDB Community Server image based on the Red Hat Universal Base Image for DSOP." \
+RUN set -eux; \
-	vendor="MongoDB Inc." \
+	dnf repolist; \
-	summary="MongoDB (Red Hat UBI)" \
+	dnf update --disableplugin=subscription-manager -y; \
-	maintainer="michael.simmons@anchore.com" \
+	dnf install -y \
-	version="4.4.1"
+	ca-certificates \
+	procps; \
-RUN set -eux; \
+	dnf clean all;
-	dnf repolist; \
-	dnf update --disableplugin=subscription-manager -y; \
+ENV JSYAML_VERSION 3.13.0
-	dnf install -y \
-	ca-certificates \
+RUN mkdir /docker-entrypoint-initdb.d
-	procps; \
-	dnf clean all;
+COPY *.rpm /tmp/mongo_install/
+COPY jq-linux64 /usr/local/bin/jq 
-ENV JSYAML_VERSION 3.13.0
+COPY gosu-amd64 /usr/local/bin/gosu
+COPY /scripts/docker-entrypoint.sh /usr/local/bin/
-RUN mkdir /docker-entrypoint-initdb.d
+ENV MONGO_MAJOR 4.4
-COPY *.rpm /tmp/mongo_install/
+ENV MONGO_VERSION 4.4.1
-COPY jq-linux64 /usr/local/bin/jq 
-COPY gosu-amd64 /usr/local/bin/gosu
+COPY /config/* /tmp/mongo_install/
-COPY /scripts/docker-entrypoint.sh /usr/local/bin/
+RUN set -x && \
-ENV MONGO_MAJOR 4.4
+	rpm --import /tmp/mongo_install/server-4.4.asc && \
-ENV MONGO_VERSION 4.4.1
+	dnf install -y /tmp/mongo_install/mongodb-database-tools.rpm \
+	/tmp/mongo_install/mongodb-org-database-tools-extra.rpm \ 
-COPY /config/* /tmp/mongo_install/
+	/tmp/mongo_install/mongodb-org.rpm \
+	/tmp/mongo_install/mongodb-org-mongos.rpm \
-RUN set -x && \
+	/tmp/mongo_install/mongodb-org-shell.rpm \
-	rpm --import /tmp/mongo_install/server-4.4.asc && \
+	/tmp/mongo_install/mongodb-org-tools.rpm \
-	dnf install -y /tmp/mongo_install/mongodb-database-tools.rpm \
+	/tmp/mongo_install/mongodb-org-server.rpm \
-	/tmp/mongo_install/mongodb-org-database-tools-extra.rpm \ 
+	&& rm -rf /var/lib/apt/lists/* \
-	/tmp/mongo_install/mongodb-org.rpm \
+	&& rm -rf /var/lib/mongodb \
-	/tmp/mongo_install/mongodb-org-mongos.rpm \
+	&& rm -rf /usr/lib64/python2.7/ \
-	/tmp/mongo_install/mongodb-org-shell.rpm \
+	&& rm -rf /usr/lib/python2.7 \
-	/tmp/mongo_install/mongodb-org-tools.rpm \
+	&& mv /etc/mongod.conf /etc/mongod.conf.orig \
-	/tmp/mongo_install/mongodb-org-server.rpm \
+	&& dnf clean all \
-	&& rm -rf /var/lib/apt/lists/* \
+	&& chmod +x /usr/local/bin/jq \
-	&& rm -rf /var/lib/mongodb \
+	&& chmod +x /usr/local/bin/gosu \
-	&& rm -rf /usr/lib64/python2.7/ \
+	&& chown mongodb:mongodb /usr/local/bin/docker-entrypoint.sh \
-	&& rm -rf /usr/lib/python2.7 \
+	&& chmod +x /usr/local/bin/docker-entrypoint.sh \
-	&& mv /etc/mongod.conf /etc/mongod.conf.orig \
+	&& rm -rf /tmp/mongo_install \
-	&& dnf clean all \
+	&& gosu --version \
-	&& chmod +x /usr/local/bin/jq \
+	&& gosu nobody true;
-	&& chmod +x /usr/local/bin/gosu \
-	&& chown mongodb:mongodb /usr/local/bin/docker-entrypoint.sh \
+RUN mkdir -p /data/db /data/configdb \
-	&& chmod +x /usr/local/bin/docker-entrypoint.sh \
+	&& chown -R mongodb:mongodb /data/db /data/configdb
-	&& rm -rf /tmp/mongo_install \
-	&& gosu --version \
+# Disable Ctrl+Alt+Del burst action
-	&& gosu nobody true;
+RUN echo CtrlAltDelBurstAction=none >> /etc/systemd/system.conf
-RUN mkdir -p /data/db /data/configdb \
+COPY LICENSE /licenses/
-	&& chown -R mongodb:mongodb /data/db /data/configdb
+USER mongodb:mongodb
-# Disable Ctrl+Alt+Del burst action
+ENTRYPOINT ["docker-entrypoint.sh"]
-RUN echo CtrlAltDelBurstAction=none >> /etc/systemd/system.conf
+EXPOSE 27017
-COPY LICENSE /licenses/
+CMD ["mongod"]
-USER mongodb:mongodb
-ENTRYPOINT ["docker-entrypoint.sh"]
-EXPOSE 27017
-CMD ["mongod"]
 HEALTHCHECK --interval=15s --timeout=3s CMD echo 'db.runCommand("ping").ok' | mongo localhost:27017/test
\ No newline at end of file
--- a/Jenkinsfile
+++ b/Jenkinsfile
-@Library('DCCSCR@master') _
-dccscrPipeline(version: "4.4.1")
--- a/download.yaml
+++ b/download.yaml
-resources: 
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-4.4.1-1.el8.x86_64.rpm
-    filename: mongodb-org.rpm
-    validation:
-      type: sha256
-      value: fdcfae773806144b2072882cdc3757293d354617940ed882bdc04fbb774f452f 
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-mongos-4.4.1-1.el8.x86_64.rpm
-    filename: mongodb-org-mongos.rpm
-    validation:
-      type: sha256
-      value: c9b8011ca350157a83b93e02cc7a120a0b96255d609d20b87971222a2cf8acb0
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-server-4.4.1-1.el8.x86_64.rpm
-    filename: mongodb-org-server.rpm
-    validation:
-      type: sha256
-      value: 76f7e65e39c5ca563f7dc15868f2accc43da6f0654eb72ef054407f7755d841f     
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-shell-4.4.1-1.el8.x86_64.rpm
-    filename: mongodb-org-shell.rpm
-    validation:
-      type: sha256
-      value: 9089c4d5dd05cde71c7ed509454c8158251def4c5b0cc0b9b03940dc18696cc0     
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-tools-4.4.1-1.el8.x86_64.rpm
-    filename: mongodb-org-tools.rpm
-    validation:
-      type: sha256
-      value: b8ef170cd79cf53a2ebda6288ee31ee8e8f6757991ffb6cfc3092b930927c832     
-  - url: https://raw.githubusercontent.com/nodeca/js-yaml/3.13.0/dist/js-yaml.js
-    filename: js-yaml.js
-    validation:
-      type: sha256
-      value: 490a40d65dabe72b9c34567fa9ce5da53c577a3c761b568ceba994751e6e74b9    
-  - url: https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
-    filename: jq-linux64
-    validation:
-      type: sha256
-      value: af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44    
-  - url: https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64
-    filename: gosu-amd64
-    validation:
-      type: sha256
-      value: 0b843df6d86e270c5b0f5cbd3c326a04e18f4b7f9b8457fa497b0454c4b138d7    
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-database-tools-100.2.0.x86_64.rpm
-    filename: mongodb-database-tools.rpm
-    validation:
-      type: sha256
-      value: 0d330820e283eb47bec82fe37306b0e759de7e97995b33f1ef73c9fbfd723b22    
-  - url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-database-tools-extra-4.4.1-1.el8.x86_64.rpm
-    filename: mongodb-org-database-tools-extra.rpm
-    validation:
-      type: sha256
-      value: b22e8118bacf3311c65bc65e6e1975dfb0e31ee86cfd4452d3e82ac64bdead64  
\ No newline at end of file
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
+---
+apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "opensource/mongodb/mongodb"
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "4.4.1"
+- "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.3"
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "mongodb"
+  ## Human-readable description of the software packaged in the image
+  # org.opencontainers.image.description: "FIXME"
+  ## License(s) under which contained software is distributed
+  # org.opencontainers.image.licenses: "FIXME"
+  ## URL to find more information on the image
+  # org.opencontainers.image.url: "FIXME"
+  ## Name of the distributing entity, organization or individual
+  # org.opencontainers.image.vendor: "FIXME"
+  org.opencontainers.image.version: "4.4.1"
+  ## Keywords to help with search (ex. "cicd,gitops,golang")
+  # mil.dso.ironbank.image.keywords: "FIXME"
+  ## This value can be "opensource" or "commercial"
+  # mil.dso.ironbank.image.type: "FIXME"
+  ## Product the image belongs to for grouping multiple images
+  # mil.dso.ironbank.product.name: "FIXME"
+# List of resources to make available to the offline build context
+resources:
+- filename: mongodb-org.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-4.4.1-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: fdcfae773806144b2072882cdc3757293d354617940ed882bdc04fbb774f452f
+- filename: mongodb-org-mongos.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-mongos-4.4.1-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: c9b8011ca350157a83b93e02cc7a120a0b96255d609d20b87971222a2cf8acb0
+- filename: mongodb-org-server.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-server-4.4.1-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: 76f7e65e39c5ca563f7dc15868f2accc43da6f0654eb72ef054407f7755d841f
+- filename: mongodb-org-shell.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-shell-4.4.1-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: 9089c4d5dd05cde71c7ed509454c8158251def4c5b0cc0b9b03940dc18696cc0
+- filename: mongodb-org-tools.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-tools-4.4.1-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: b8ef170cd79cf53a2ebda6288ee31ee8e8f6757991ffb6cfc3092b930927c832
+- filename: js-yaml.js
+  url: https://raw.githubusercontent.com/nodeca/js-yaml/3.13.0/dist/js-yaml.js
+  validation:
+    type: sha256
+    value: 490a40d65dabe72b9c34567fa9ce5da53c577a3c761b568ceba994751e6e74b9
+- filename: jq-linux64
+  url: https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+  validation:
+    type: sha256
+    value: af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44
+- filename: gosu-amd64
+  url: https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64
+  validation:
+    type: sha256
+    value: 0b843df6d86e270c5b0f5cbd3c326a04e18f4b7f9b8457fa497b0454c4b138d7
+- filename: mongodb-database-tools.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-database-tools-100.2.0.x86_64.rpm
+  validation:
+    type: sha256
+    value: 0d330820e283eb47bec82fe37306b0e759de7e97995b33f1ef73c9fbfd723b22
+- filename: mongodb-org-database-tools-extra.rpm
+  url: https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/RPMS/mongodb-org-database-tools-extra-4.4.1-1.el8.x86_64.rpm
+  validation:
+    type: sha256
+    value: b22e8118bacf3311c65bc65e6e1975dfb0e31ee86cfd4452d3e82ac64bdead64
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+- email: "michael.simmons@anchore.com"
+#   # The name of the current container owner
+#   name: "FIXME"
+#   # The gitlab username of the current container owner
+#   username: "FIXME"
+#   cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
+# - name: "FIXME"
+#   username: "FIXME"
+#   email: "FIXME"