airship/promenade
Code Issues Proposed changes

Uplift Promenade image to address CVEs

Browse Source 
The current Promenade image is vulnerable to several CVEs:
CVE-2019-3462
CVE-2018-16865
CVE-2018-16864

Which Ubuntu 16.04/18.04 addresses.
This patchset makes the following changes:
1. Adds new distro specific dockerfiles for xenial/bionic.
2. Updates gates to be specific about the ubuntu image being
   checked.
3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic.
4. Updates build-image.sh docker build for specific dockerfile
   specified in config.sh (IMAGE_PROMENADE_DISTRO).

Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398
This commit is contained in:
anthony.bellino 2020-05-22 16:09:50 +00:00
parent 20e191781c
commit 0e8b5cfe59
11 changed files with 171 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
.zuul.yaml
View File

@ -20,7 +20,8 @@
jobs: jobs:
- openstack-tox-pep8 - openstack-tox-pep8
- airship-promenade-lint-ws - airship-promenade-lint-ws
- airship-promenade-docker-build-gate - airship-promenade-docker-build-gate-ubuntu_xenial
- airship-promenade-docker-build-gate-ubuntu_bionic
- airship-promenade-chart-build-gate - airship-promenade-chart-build-gate
- airship-promenade-chart-build-latest-htk - airship-promenade-chart-build-latest-htk
- airship-promenade-unit-py35 - airship-promenade-unit-py35
@ -31,7 +32,8 @@
jobs: jobs:
- openstack-tox-pep8 - openstack-tox-pep8
- airship-promenade-lint-ws - airship-promenade-lint-ws
- airship-promenade-docker-build-gate - airship-promenade-docker-build-gate-ubuntu_xenial
- airship-promenade-docker-build-gate-ubuntu_bionic
- airship-promenade-chart-build-gate - airship-promenade-chart-build-gate
- airship-promenade-unit-py35 - airship-promenade-unit-py35
- airship-promenade-genesis-gate - airship-promenade-genesis-gate
@ -39,7 +41,8 @@
post: post:
jobs: jobs:
- airship-docker-build-post - airship-promenade-docker-build-post-ubuntu_xenial
- airship-promenade-docker-build-post-ubuntu_bionic
- promenade-upload-git-mirror - promenade-upload-git-mirror
- nodeset: - nodeset:
@ -63,6 +66,8 @@
- openstack/openstack-helm-infra - openstack/openstack-helm-infra
timeout: 3600 timeout: 3600
nodeset: airship-promenade-single-node-bionic nodeset: airship-promenade-single-node-bionic
vars:
distro: ubuntu_bionic
- job: - job:
name: airship-promenade-genesis-containerd-gate name: airship-promenade-genesis-containerd-gate
@ -73,6 +78,8 @@
- openstack/openstack-helm-infra - openstack/openstack-helm-infra
timeout: 3600 timeout: 3600
nodeset: airship-promenade-single-node-bionic nodeset: airship-promenade-single-node-bionic
vars:
distro: ubuntu_bionic
- job: - job:
name: airship-promenade-lint-ws name: airship-promenade-lint-ws
@ -117,11 +124,12 @@
nodeset: airship-promenade-single-node nodeset: airship-promenade-single-node
- job: - job:
name: airship-promenade-docker-build-gate name: airship-promenade-docker-build-gate-ubuntu_xenial
run: tools/zuul/playbooks/docker-image-build.yaml run: tools/zuul/playbooks/docker-image-build.yaml
nodeset: airship-promenade-single-node nodeset: airship-promenade-single-node
vars: vars:
publish: false publish: false
distro: ubuntu_xenial
tags: tags:
dynamic: dynamic:
patch_set: true patch_set: true
@ -131,13 +139,49 @@
- ^tests/.*$ - ^tests/.*$
- ^tools/.*$ - ^tools/.*$
- job: - job:
name: airship-docker-build-post name: airship-promenade-docker-build-gate-ubuntu_bionic
run: tools/zuul/playbooks/docker-image-build.yaml run: tools/zuul/playbooks/docker-image-build.yaml
nodeset: ubuntu-xenial nodeset: airship-promenade-single-node
vars:
publish: false
distro: ubuntu_bionic
tags:
dynamic:
patch_set: true
irrelevant-files:
- ^charts/.*$
- ^etc/.*$
- ^tests/.*$
- ^tools/.*$
- job:
name: airship-promenade-docker-build-post-ubuntu_xenial
run: tools/zuul/playbooks/docker-image-build.yaml
nodeset: airship-promenade-single-node
secrets: secrets:
- airship_promenade_quay_creds - airship_promenade_quay_creds
vars: vars:
publish: true publish: true
distro: ubuntu_xenial
tags:
dynamic:
branch: true
commit: true
static:
- latest
irrelevant-files:
- ^charts/.*$
- ^etc/.*$
- ^tests/.*$
- ^tools/.*$
- job:
name: airship-promenade-docker-build-post-ubuntu_bionic
run: tools/zuul/playbooks/docker-image-build.yaml
nodeset: airship-promenade-single-node
secrets:
- airship_promenade_quay_creds
vars:
publish: true
distro: ubuntu_bionic
tags: tags:
dynamic: dynamic:
branch: true branch: true

15
Makefile
View File

@ -25,10 +25,11 @@ PUSH_IMAGE ?= false
# use this variable for image labels added in internal build process # use this variable for image labels added in internal build process
LABEL ?= org.airshipit.build=community LABEL ?= org.airshipit.build=community
COMMIT ?= $(shell git rev-parse HEAD) COMMIT ?= $(shell git rev-parse HEAD)
DISTRO ?= ubuntu_bionic
PYTHON = python3 PYTHON = python3
CHARTS := $(patsubst charts/%/.,%,$(wildcard charts/*/.)) CHARTS := $(patsubst charts/%/.,%,$(wildcard charts/*/.))
IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG} IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}-${DISTRO}
PYTHON_BASE_IMAGE ?= python:3.6 BASE_IMAGE ?=
HELM_PIDFILE ?= $(abspath ./.helm-pid) HELM_PIDFILE ?= $(abspath ./.helm-pid)
@ -97,14 +98,16 @@ dry-run-%: helm-lint-%
$(CHARTS): $(addprefix dry-run-,$(CHARTS)) chartbanner $(CHARTS): $(addprefix dry-run-,$(CHARTS)) chartbanner
$(HELM) package -d charts charts/$@ $(HELM) package -d charts charts/$@
_BASE_IMAGE_ARG := $(if $(BASE_IMAGE),--build-arg FROM="${BASE_IMAGE}" ,)
build_promenade: build_promenade:
ifeq ($(USE_PROXY), true) ifeq ($(USE_PROXY), true)
docker build --network host -t $(IMAGE) --label $(LABEL) \ docker build --network host -t $(IMAGE) --label $(LABEL) \
--label "org.opencontainers.image.revision=$(COMMIT)" \ --label "org.opencontainers.image.revision=$(COMMIT)" \
--label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \ --label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
--label "org.opencontainers.image.title=$(IMAGE_NAME)" \ --label "org.opencontainers.image.title=$(IMAGE_NAME)" \
-f ./Dockerfile \ -f images/promenade/Dockerfile.${DISTRO} \
--build-arg FROM=$(PYTHON_BASE_IMAGE) \ $(_BASE_IMAGE_ARG) \
--build-arg http_proxy=$(PROXY) \ --build-arg http_proxy=$(PROXY) \
--build-arg https_proxy=$(PROXY) \ --build-arg https_proxy=$(PROXY) \
--build-arg HTTP_PROXY=$(PROXY) \ --build-arg HTTP_PROXY=$(PROXY) \
@ -116,8 +119,8 @@ else
--label "org.opencontainers.image.revision=$(COMMIT)" \ --label "org.opencontainers.image.revision=$(COMMIT)" \
--label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \ --label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
--label "org.opencontainers.image.title=$(IMAGE_NAME)" \ --label "org.opencontainers.image.title=$(IMAGE_NAME)" \
-f ./Dockerfile \ -f images/promenade/Dockerfile.${DISTRO} \
--build-arg FROM=$(PYTHON_BASE_IMAGE) . $(_BASE_IMAGE_ARG) .
endif endif
ifeq ($(PUSH_IMAGE), true) ifeq ($(PUSH_IMAGE), true)
docker push $(IMAGE) docker push $(IMAGE)

73
images/promenade/Dockerfile.ubuntu_bionic Normal file
View File

@ -0,0 +1,73 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
ARG FROM=ubuntu:18.04
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
org.opencontainers.image.url='https://airshipit.org' \
org.opencontainers.image.documentation='https://airship-promenade.readthedocs.org' \
org.opencontainers.image.source='https://opendev.org/airship/promenade' \
org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0'
VOLUME /etc/promenade
VOLUME /target
RUN mkdir /opt/promenade
WORKDIR /opt/promenade
ENV PORT 9000
EXPOSE $PORT
ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8
ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
RUN set -ex \
&& apt-get update -qq \
&& apt-get install --no-install-recommends -y \
ca-certificates \
curl \
dnsutils \
gcc \
git \
gpg \
gpg-agent \
libpcre3-dev \
libyaml-dev \
python3-dev \
python3-pip \
python3-setuptools \
rsync \
&& ln -s /usr/bin/python3 /usr/bin/python \
&& curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
&& chmod 555 /usr/local/bin/cfssl \
&& python3 -m pip install -U pip \
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& useradd -u 1000 -g users -d /opt/promenade promenade \
&& rm -rf /var/lib/apt/lists/*
COPY requirements-frozen.txt /opt/promenade
RUN pip3 install --no-cache-dir -r requirements-frozen.txt
# Setting promenade version for BPR
ENV PBR_VERSION 0.8.0
COPY . /opt/promenade
RUN pip3 install -e /opt/promenade
USER promenade

35
Dockerfile → images/promenade/Dockerfile.ubuntu_xenial
View File

@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
ARG FROM=python:3.6 ARG FROM=ubuntu:16.04
FROM ${FROM} FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
@ -31,27 +31,42 @@ WORKDIR /opt/promenade
ENV PORT 9000 ENV PORT 9000
EXPOSE $PORT EXPOSE $PORT
# Setting promenade version for BPR ENV LANG=C.UTF-8
ENV PBR_VERSION 0.8.0 ENV LC_ALL=C.UTF-8
ENTRYPOINT ["/opt/promenade/entrypoint.sh"] ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
RUN set -ex \ RUN set -ex \
&& apt-get update -qq \
&& apt-get install --no-install-recommends -y \
ca-certificates \
curl \
dnsutils \
gcc \
git \
libpcre3-dev \
libssl-dev \
libyaml-dev \
python3-dev \
python3-pip \
python3-setuptools \
rsync \
&& ln -s /usr/bin/python3 /usr/bin/python \
&& curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \ && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
&& chmod 555 /usr/local/bin/cfssl \ && chmod 555 /usr/local/bin/cfssl \
&& python3 -m pip install -U pip \
&& apt-get autoremove -yqq --purge \
&& apt-get clean \ && apt-get clean \
&& apt-get update -q \
&& apt-get install --no-install-recommends -y \
dnsutils \
libyaml-dev \
rsync \
&& useradd -u 1000 -g users -d /opt/promenade promenade \ && useradd -u 1000 -g users -d /opt/promenade promenade \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
COPY requirements-frozen.txt /opt/promenade COPY requirements-frozen.txt /opt/promenade
RUN pip install --no-cache-dir -r requirements-frozen.txt RUN pip3 install --no-cache-dir -r requirements-frozen.txt
# Setting promenade version for BPR
ENV PBR_VERSION 0.8.0
COPY . /opt/promenade COPY . /opt/promenade
RUN pip install -e /opt/promenade RUN pip3 install -e /opt/promenade
USER promenade USER promenade

1
requirements-frozen.txt
View File

@ -111,6 +111,7 @@ vine==1.3.0
wcwidth==0.1.7 wcwidth==0.1.7
WebOb==1.8.5 WebOb==1.8.5
websocket-client==0.56.0 websocket-client==0.56.0
wheel==0.34.2
Werkzeug==0.14.1 Werkzeug==0.14.1
wrapt==1.11.2 wrapt==1.11.2
yappi==1.0 yappi==1.0

5
tools/dev-build.sh
View File

@ -6,7 +6,10 @@ SCRIPT_DIR=$(realpath $(dirname $0))
SOURCE_DIR=$(realpath $SCRIPT_DIR/..) SOURCE_DIR=$(realpath $SCRIPT_DIR/..)
echo === Building image === echo === Building image ===
docker build -t quay.io/airshipit/promenade:master ${SOURCE_DIR} docker build \
-t quay.io/airshipit/promenade:master \
-f "${SOURCE_DIR}/images/promenade/Dockerfile.${DISTRO}" \
${SOURCE_DIR}
export PROMENADE_DEBUG=${PROMENADE_DEBUG:-1} export PROMENADE_DEBUG=${PROMENADE_DEBUG:-1}

1
tools/g2/lib/config.sh
View File

@ -2,6 +2,7 @@ export TEMP_DIR=${TEMP_DIR:-$(mktemp -d)}
export BASE_IMAGE_SIZE=${BASE_IMAGE_SIZE:-68719476736} export BASE_IMAGE_SIZE=${BASE_IMAGE_SIZE:-68719476736}
export BASE_IMAGE_URL=${BASE_IMAGE_URL:-https://cloud-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img} export BASE_IMAGE_URL=${BASE_IMAGE_URL:-https://cloud-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img}
export IMAGE_PROMENADE=${IMAGE_PROMENADE:-quay.io/airshipit/promenade:master} export IMAGE_PROMENADE=${IMAGE_PROMENADE:-quay.io/airshipit/promenade:master}
export IMAGE_PROMENADE_DISTRO=${IMAGE_PROMENADE_DISTRO:-ubuntu_bionic}
export IMAGE_HYPERKUBE=${IMAGE_HYPERKUBE:-gcr.io/google_containers/hyperkube-amd64:v1.17.3} export IMAGE_HYPERKUBE=${IMAGE_HYPERKUBE:-gcr.io/google_containers/hyperkube-amd64:v1.17.3}
export NGINX_DIR="${TEMP_DIR}/nginx" export NGINX_DIR="${TEMP_DIR}/nginx"
export NGINX_URL="http://192.168.77.1:7777" export NGINX_URL="http://192.168.77.1:7777"

2
tools/g2/stages/build-image.sh
View File

@ -13,11 +13,13 @@ then
docker build -q \ docker build -q \
--network host \ --network host \
-t "${IMAGE_PROMENADE}" \ -t "${IMAGE_PROMENADE}" \
-f "${WORKSPACE}/images/promenade/Dockerfile.${IMAGE_PROMENADE_DISTRO}" \
"${WORKSPACE}" "${WORKSPACE}"
else else
docker build -q \ docker build -q \
--network host \ --network host \
-t "${IMAGE_PROMENADE}" \ -t "${IMAGE_PROMENADE}" \
-f "${WORKSPACE}/images/promenade/Dockerfile.${IMAGE_PROMENADE_DISTRO}" \
--build-arg "HTTP_PROXY=${HTTP_PROXY:-}" \ --build-arg "HTTP_PROXY=${HTTP_PROXY:-}" \
--build-arg "HTTPS_PROXY=${HTTPS_PROXY:-}" \ --build-arg "HTTPS_PROXY=${HTTPS_PROXY:-}" \
--build-arg "NO_PROXY=${NO_PROXY:-}" \ --build-arg "NO_PROXY=${NO_PROXY:-}" \

1
tools/zuul/playbooks/deploy-promenade-containerd.yaml
View File

@ -17,6 +17,7 @@
HTTPS_PROXY: "" HTTPS_PROXY: ""
NO_PROXY: "" NO_PROXY: ""
PROMENADE_TMP_LOCAL: "cache" PROMENADE_TMP_LOCAL: "cache"
DISTRO: "{{ distro }}"
become: true become: true
tasks: tasks:
- name: Install docker - name: Install docker

1
tools/zuul/playbooks/deploy-promenade.yaml
View File

@ -17,6 +17,7 @@
HTTPS_PROXY: "" HTTPS_PROXY: ""
NO_PROXY: "" NO_PROXY: ""
PROMENADE_TMP_LOCAL: "cache" PROMENADE_TMP_LOCAL: "cache"
DISTRO: "{{ distro }}"
become: true become: true
tasks: tasks:
- name: Install docker - name: Install docker

4
tools/zuul/playbooks/docker-image-build.yaml
View File

@ -52,6 +52,8 @@
var: publish var: publish
- debug: - debug:
var: tags var: tags
- debug:
var: distro
- debug: - debug:
var: zuul var: zuul
- debug: - debug:
@ -77,6 +79,7 @@
chdir: "{{ zuul.project.src_dir }}" chdir: "{{ zuul.project.src_dir }}"
target: images target: images
params: params:
DISTRO: "{{ distro }}"
IMAGE_TAG: "{{ item }}" IMAGE_TAG: "{{ item }}"
with_items: "{{ image_tags.stdout_lines }}" with_items: "{{ image_tags.stdout_lines }}"
@ -101,6 +104,7 @@
params: params:
DOCKER_REGISTRY: "quay.io" DOCKER_REGISTRY: "quay.io"
IMAGE_PREFIX: "airshipit" IMAGE_PREFIX: "airshipit"
DISTRO: "{{ distro }}"
IMAGE_TAG: "{{ item }}" IMAGE_TAG: "{{ item }}"
COMMIT: "{{ zuul.newrev | default('') }}" COMMIT: "{{ zuul.newrev | default('') }}"
PUSH_IMAGE: "true" PUSH_IMAGE: "true"