Uplift Promenade image to address CVEs

The current Promenade image is vulnerable to several CVEs: CVE-2019-3462 CVE-2018-16865 CVE-2018-16864 Which Ubuntu 16.04/18.04 addresses. This patchset makes the following changes: 1. Adds new distro specific dockerfiles for xenial/bionic. 2. Updates gates to be specific about the ubuntu image being checked. 3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic. 4. Updates build-image.sh docker build for specific dockerfile specified in config.sh (IMAGE_PROMENADE_DISTRO). Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398
2020-05-22 16:09:50 +00:00 · 2020-05-22 16:09:50 +00:00 · 0e8b5cfe59
commit 0e8b5cfe59
parent 20e191781c
11 changed files with 171 additions and 23 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -20,7 +20,8 @@
      jobs:
        - openstack-tox-pep8
        - airship-promenade-lint-ws
-        - airship-promenade-docker-build-gate
+        - airship-promenade-docker-build-gate-ubuntu_xenial
+        - airship-promenade-docker-build-gate-ubuntu_bionic
        - airship-promenade-chart-build-gate
        - airship-promenade-chart-build-latest-htk
        - airship-promenade-unit-py35
@ -31,7 +32,8 @@
      jobs:
        - openstack-tox-pep8
        - airship-promenade-lint-ws
-        - airship-promenade-docker-build-gate
+        - airship-promenade-docker-build-gate-ubuntu_xenial
+        - airship-promenade-docker-build-gate-ubuntu_bionic
        - airship-promenade-chart-build-gate
        - airship-promenade-unit-py35
        - airship-promenade-genesis-gate
@ -39,7 +41,8 @@

    post:
      jobs:
-        - airship-docker-build-post
+        - airship-promenade-docker-build-post-ubuntu_xenial
+        - airship-promenade-docker-build-post-ubuntu_bionic
        - promenade-upload-git-mirror

 - nodeset:
@ -63,6 +66,8 @@
      - openstack/openstack-helm-infra
    timeout: 3600
    nodeset: airship-promenade-single-node-bionic
+    vars:
+      distro: ubuntu_bionic

 - job:
    name: airship-promenade-genesis-containerd-gate
@ -73,6 +78,8 @@
      - openstack/openstack-helm-infra
    timeout: 3600
    nodeset: airship-promenade-single-node-bionic
+    vars:
+      distro: ubuntu_bionic

 - job:
    name: airship-promenade-lint-ws
@ -117,11 +124,12 @@
    nodeset: airship-promenade-single-node

 - job:
-    name: airship-promenade-docker-build-gate
+    name: airship-promenade-docker-build-gate-ubuntu_xenial
    run: tools/zuul/playbooks/docker-image-build.yaml
    nodeset: airship-promenade-single-node
    vars:
      publish: false
+      distro: ubuntu_xenial
      tags:
        dynamic:
          patch_set: true
@ -131,13 +139,49 @@
      - ^tests/.*$
      - ^tools/.*$
 - job:
-    name: airship-docker-build-post
+    name: airship-promenade-docker-build-gate-ubuntu_bionic
    run: tools/zuul/playbooks/docker-image-build.yaml
-    nodeset: ubuntu-xenial
+    nodeset: airship-promenade-single-node
+    vars:
+      publish: false
+      distro: ubuntu_bionic
+      tags:
+        dynamic:
+          patch_set: true
+    irrelevant-files:
+      - ^charts/.*$
+      - ^etc/.*$
+      - ^tests/.*$
+      - ^tools/.*$
+- job:
+    name: airship-promenade-docker-build-post-ubuntu_xenial
+    run: tools/zuul/playbooks/docker-image-build.yaml
+    nodeset: airship-promenade-single-node
    secrets:
      - airship_promenade_quay_creds
    vars:
      publish: true
+      distro: ubuntu_xenial
+      tags:
+        dynamic:
+          branch: true
+          commit: true
+        static:
+          - latest
+    irrelevant-files:
+      - ^charts/.*$
+      - ^etc/.*$
+      - ^tests/.*$
+      - ^tools/.*$
+- job:
+    name: airship-promenade-docker-build-post-ubuntu_bionic
+    run: tools/zuul/playbooks/docker-image-build.yaml
+    nodeset: airship-promenade-single-node
+    secrets:
+      - airship_promenade_quay_creds
+    vars:
+      publish: true
+      distro: ubuntu_bionic
      tags:
        dynamic:
          branch: true
--- a/15
+++ b/15
@ -25,10 +25,11 @@ PUSH_IMAGE        ?= false
 # use this variable for image labels added in internal build process
 LABEL             ?= org.airshipit.build=community
 COMMIT            ?= $(shell git rev-parse HEAD)
+DISTRO            ?= ubuntu_bionic
 PYTHON            = python3
 CHARTS            := $(patsubst charts/%/.,%,$(wildcard charts/*/.))
-IMAGE             := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}
-PYTHON_BASE_IMAGE ?= python:3.6
+IMAGE             := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}-${DISTRO}
+BASE_IMAGE        ?=

 HELM_PIDFILE ?= $(abspath ./.helm-pid)

@ -97,14 +98,16 @@ dry-run-%: helm-lint-%
 $(CHARTS): $(addprefix dry-run-,$(CHARTS)) chartbanner
 	$(HELM) package -d charts charts/$@

+_BASE_IMAGE_ARG := $(if $(BASE_IMAGE),--build-arg FROM="${BASE_IMAGE}" ,)
+
 build_promenade:
 ifeq ($(USE_PROXY), true)
 	docker build --network host -t $(IMAGE) --label $(LABEL) \
 		--label "org.opencontainers.image.revision=$(COMMIT)" \
 		--label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
 		--label "org.opencontainers.image.title=$(IMAGE_NAME)" \
-		-f ./Dockerfile \
-		--build-arg FROM=$(PYTHON_BASE_IMAGE) \
+	        -f images/promenade/Dockerfile.${DISTRO} \
+                $(_BASE_IMAGE_ARG) \
 		--build-arg http_proxy=$(PROXY) \
 		--build-arg https_proxy=$(PROXY) \
 		--build-arg HTTP_PROXY=$(PROXY) \
@ -116,8 +119,8 @@ else
 		--label "org.opencontainers.image.revision=$(COMMIT)" \
 		--label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
 		--label "org.opencontainers.image.title=$(IMAGE_NAME)" \
-		-f ./Dockerfile \
-		--build-arg FROM=$(PYTHON_BASE_IMAGE) .
+	        -f images/promenade/Dockerfile.${DISTRO} \
+		$(_BASE_IMAGE_ARG) .
 endif
 ifeq ($(PUSH_IMAGE), true)
 	docker push $(IMAGE)
--- a/images/promenade/Dockerfile.ubuntu_bionic
+++ b/images/promenade/Dockerfile.ubuntu_bionic
@ -0,0 +1,73 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG FROM=ubuntu:18.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
+      org.opencontainers.image.url='https://airshipit.org' \
+      org.opencontainers.image.documentation='https://airship-promenade.readthedocs.org' \
+      org.opencontainers.image.source='https://opendev.org/airship/promenade' \
+      org.opencontainers.image.vendor='The Airship Authors' \
+      org.opencontainers.image.licenses='Apache-2.0'
+
+VOLUME /etc/promenade
+VOLUME /target
+
+RUN mkdir /opt/promenade
+WORKDIR /opt/promenade
+
+ENV PORT 9000
+EXPOSE $PORT
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+
+ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
+
+RUN set -ex \
+    && apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+        ca-certificates \
+        curl \
+        dnsutils \
+        gcc \
+        git \
+        gpg \
+        gpg-agent \
+        libpcre3-dev \
+        libyaml-dev \
+        python3-dev \
+        python3-pip \
+        python3-setuptools \
+        rsync \
+    && ln -s /usr/bin/python3 /usr/bin/python \
+    && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
+    && chmod 555 /usr/local/bin/cfssl \
+    && python3 -m pip install -U pip \
+    && apt-get autoremove -yqq --purge \
+    && apt-get clean \
+    && useradd -u 1000 -g users -d /opt/promenade promenade \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements-frozen.txt /opt/promenade
+RUN pip3 install --no-cache-dir -r requirements-frozen.txt
+
+# Setting promenade version for BPR
+ENV PBR_VERSION 0.8.0
+
+COPY . /opt/promenade
+RUN pip3 install -e /opt/promenade
+
+USER promenade
--- a/images/promenade/Dockerfile.ubuntu_xenial
+++ b/images/promenade/Dockerfile.ubuntu_xenial
@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-ARG FROM=python:3.6
+ARG FROM=ubuntu:16.04
 FROM ${FROM}

 LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
@ -31,27 +31,42 @@ WORKDIR /opt/promenade
 ENV PORT 9000
 EXPOSE $PORT

-# Setting promenade version for BPR
-ENV PBR_VERSION 0.8.0
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8

 ENTRYPOINT ["/opt/promenade/entrypoint.sh"]

 RUN set -ex \
+    && apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+        ca-certificates \
+        curl \
+        dnsutils \
+        gcc \
+        git \
+        libpcre3-dev \
+        libssl-dev \
+        libyaml-dev \
+        python3-dev \
+        python3-pip \
+        python3-setuptools \
+        rsync \
+    && ln -s /usr/bin/python3 /usr/bin/python \
    && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
    && chmod 555 /usr/local/bin/cfssl \
+    && python3 -m pip install -U pip \
+    && apt-get autoremove -yqq --purge \
    && apt-get clean \
-    && apt-get update -q \
-    && apt-get install --no-install-recommends -y \
-        dnsutils \
-        libyaml-dev \
-        rsync \
    && useradd -u 1000 -g users -d /opt/promenade promenade \
    && rm -rf /var/lib/apt/lists/*

 COPY requirements-frozen.txt /opt/promenade
-RUN pip install --no-cache-dir -r requirements-frozen.txt
+RUN pip3 install --no-cache-dir -r requirements-frozen.txt
+
+# Setting promenade version for BPR
+ENV PBR_VERSION 0.8.0

 COPY . /opt/promenade
-RUN pip install -e /opt/promenade
+RUN pip3 install -e /opt/promenade

 USER promenade
--- a/requirements-frozen.txt
+++ b/requirements-frozen.txt
@ -111,6 +111,7 @@ vine==1.3.0
 wcwidth==0.1.7
 WebOb==1.8.5
 websocket-client==0.56.0
+wheel==0.34.2
 Werkzeug==0.14.1
 wrapt==1.11.2
 yappi==1.0
--- a/tools/dev-build.sh
+++ b/tools/dev-build.sh
@ -6,7 +6,10 @@ SCRIPT_DIR=$(realpath $(dirname $0))
 SOURCE_DIR=$(realpath $SCRIPT_DIR/..)

 echo === Building image ===
-docker build -t quay.io/airshipit/promenade:master ${SOURCE_DIR}
+docker build \
+  -t quay.io/airshipit/promenade:master \
+  -f "${SOURCE_DIR}/images/promenade/Dockerfile.${DISTRO}" \
+  ${SOURCE_DIR}

 export PROMENADE_DEBUG=${PROMENADE_DEBUG:-1}

--- a/tools/g2/lib/config.sh
+++ b/tools/g2/lib/config.sh
@ -2,6 +2,7 @@ export TEMP_DIR=${TEMP_DIR:-$(mktemp -d)}
 export BASE_IMAGE_SIZE=${BASE_IMAGE_SIZE:-68719476736}
 export BASE_IMAGE_URL=${BASE_IMAGE_URL:-https://cloud-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img}
 export IMAGE_PROMENADE=${IMAGE_PROMENADE:-quay.io/airshipit/promenade:master}
+export IMAGE_PROMENADE_DISTRO=${IMAGE_PROMENADE_DISTRO:-ubuntu_bionic}
 export IMAGE_HYPERKUBE=${IMAGE_HYPERKUBE:-gcr.io/google_containers/hyperkube-amd64:v1.17.3}
 export NGINX_DIR="${TEMP_DIR}/nginx"
 export NGINX_URL="http://192.168.77.1:7777"
--- a/tools/g2/stages/build-image.sh
+++ b/tools/g2/stages/build-image.sh
@ -13,11 +13,13 @@ then
  docker build -q \
    --network host \
    -t "${IMAGE_PROMENADE}" \
+    -f "${WORKSPACE}/images/promenade/Dockerfile.${IMAGE_PROMENADE_DISTRO}" \
    "${WORKSPACE}"
 else
    docker build -q \
      --network host \
      -t "${IMAGE_PROMENADE}" \
+      -f "${WORKSPACE}/images/promenade/Dockerfile.${IMAGE_PROMENADE_DISTRO}" \
      --build-arg "HTTP_PROXY=${HTTP_PROXY:-}" \
      --build-arg "HTTPS_PROXY=${HTTPS_PROXY:-}" \
      --build-arg "NO_PROXY=${NO_PROXY:-}" \
--- a/tools/zuul/playbooks/deploy-promenade-containerd.yaml
+++ b/tools/zuul/playbooks/deploy-promenade-containerd.yaml
@ -17,6 +17,7 @@
      HTTPS_PROXY: ""
      NO_PROXY: ""
      PROMENADE_TMP_LOCAL: "cache"
+      DISTRO: "{{ distro }}"
  become: true
  tasks:
    - name: Install docker
--- a/tools/zuul/playbooks/deploy-promenade.yaml
+++ b/tools/zuul/playbooks/deploy-promenade.yaml
@ -17,6 +17,7 @@
      HTTPS_PROXY: ""
      NO_PROXY: ""
      PROMENADE_TMP_LOCAL: "cache"
+      DISTRO: "{{ distro }}"
  become: true
  tasks:
    - name: Install docker
--- a/tools/zuul/playbooks/docker-image-build.yaml
+++ b/tools/zuul/playbooks/docker-image-build.yaml
@ -52,6 +52,8 @@
            var: publish
        - debug:
            var: tags
+        - debug:
+            var: distro
        - debug:
            var: zuul
        - debug:
@ -77,6 +79,7 @@
            chdir: "{{ zuul.project.src_dir }}"
            target: images
            params:
+              DISTRO: "{{ distro }}"
              IMAGE_TAG: "{{ item }}"
          with_items: "{{ image_tags.stdout_lines }}"

@ -101,6 +104,7 @@
            params:
              DOCKER_REGISTRY: "quay.io"
              IMAGE_PREFIX: "airshipit"
+              DISTRO: "{{ distro }}"
              IMAGE_TAG: "{{ item }}"
              COMMIT: "{{ zuul.newrev | default('') }}"
              PUSH_IMAGE: "true"