MLE-15790 Support UBI9 based images #307

Merged
merged 8 commits into from
Sep 23, 2024
25 changes: 19 additions & 6 deletions Jenkinsfile
Expand Up @@ -149,12 +149,22 @@ void copyRPMs() {
RPMversion = "10.0"
}
else if (marklogicVersion == "11") {
RPMsuffix = ".nightly-rhel"
//if dockerImageType contains "ubi9" then use nightly-rhel9 suffix
if (dockerImageType.contains("ubi9")) {
RPMsuffix = ".nightly-rhel9"
} else {
RPMsuffix = ".nightly-rhel"
}
RPMbranch = "b11"
RPMversion = "11.4"
}
else if (marklogicVersion == "12") {
RPMsuffix = ".nightly-rhel"
//if dockerImageType contains "ubi9" then use nightly-rhel9 suffix
if (dockerImageType.contains("ubi9")) {
RPMsuffix = ".nightly-rhel9"
} else {
RPMsuffix = ".nightly-rhel"
}
RPMbranch = "b12"
RPMversion = "12.0"
}
Expand Down Expand Up @@ -243,10 +253,10 @@ void lint() {
void vulnerabilityScan() {
sh """
make scan current_image=marklogic/marklogic-server-${dockerImageType}:${marklogicVersion}-${env.dockerImageType}-${env.dockerVersion} Jenkins=true
grep \'High\\|Critical\' scan-server-image.txt
"""

SCAN_OUTPUT = sh(returnStdout: true, script: 'grep \'High\\|Critical\' scan-server-image.txt')
SCAN_OUTPUT = sh(returnStdout: true, script: 'grep --invert-match \' Unknown\\| Low\\| Medium\' scan-server-image.txt; echo \'------------- end of scan -------------\' | tee -a scan-server-image.txt')
sh 'echo "SCAN_OUTPUT: ${SCAN_OUTPUT}"'
if (SCAN_OUTPUT.size()) {
mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailSecList}", body: "<br/>Jenkins pipeline for ${env.JOB_NAME} <br/>Build Number: ${env.BUILD_NUMBER} <br/>Vulnerabilities: <pre><code>${SCAN_OUTPUT}</code></pre>", subject: "Critical or High Security Vulnerabilities Found: ${env.JOB_NAME} #${env.BUILD_NUMBER}"
}
Expand Down Expand Up @@ -339,7 +349,10 @@ pipeline {
30 02 * * * % marklogicVersion=10;dockerImageType=ubi-rootless-hardened;SCAP_SCAN=true
00 03 * * * % marklogicVersion=12;dockerImageType=ubi
00 03 * * * % marklogicVersion=12;dockerImageType=ubi-rootless
00 03 * * * % marklogicVersion=12;dockerImageType=ubi-rootless-hardened;SCAP_SCAN=true''' : '')
00 03 * * * % marklogicVersion=12;dockerImageType=ubi-rootless-hardened;SCAP_SCAN=true
30 03 * * * % marklogicVersion=11;dockerImageType=ubi9
30 03 * * * % marklogicVersion=11;dockerImageType=ubi9-rootless
30 03 * * * % marklogicVersion=11;dockerImageType=ubi9-rootless-hardened;SCAP_SCAN=true''' : '')
}
environment {
QA_LICENSE_KEY = credentials('QA_LICENSE_KEY')
Expand All @@ -348,7 +361,7 @@ pipeline {
parameters {
string(name: 'emailList', defaultValue: emailList, description: 'List of email for build notification', trim: true)
string(name: 'dockerVersion', defaultValue: '2.0.1', description: 'ML Docker version. This version along with ML rpm package version will be the image tag as {ML_Version}_{dockerVersion}', trim: true)
choice(name: 'dockerImageType', choices: 'ubi-rootless\nubi\nubi-rootless-hardened\ncentos', description: 'Platform type for Docker image. Will be made part of the docker image tag')
choice(name: 'dockerImageType', choices: 'ubi-rootless\nubi\nubi-rootless-hardened\nubi9-rootless\nubi9\nubi9-rootless-hardened\ncentos', description: 'Platform type for Docker image. Will be made part of the docker image tag')
string(name: 'upgradeDockerImage', defaultValue: '', description: 'Docker image for testing upgrades. Defaults to ubi image if left blank.\n Currently upgrading to ubi-rotless is not supported hence the test is skipped when ubi-rootless image is provided.', trim: true)
choice(name: 'marklogicVersion', choices: '11\n12\n10', description: 'MarkLogic Server Branch. used to pick appropriate rpm')
string(name: 'ML_RPM', defaultValue: '', description: 'URL for RPM to be used for Image creation. \n If left blank nightly ML rpm will be used.\n Please provide Jenkins accessible path e.g. /project/engineering or /project/qa', trim: true)
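Review bot: The captured `SCAN_OUTPUT` in vulnerabilityScan() can no longer be empty, because the `echo '------------- end of scan -------------' | tee -a` in the same script writes its marker to stdout as well as to the file, so `SCAN_OUTPUT.size()` is always non-zero and the "Critical or High Security Vulnerabilities Found" mail goes out on every run. Capture the grep on its own and append the marker in a separate step, e.g. `SCAN_OUTPUT = sh(returnStdout: true, script: 'grep --invert-match \' Unknown\\| Low\\| Medium\' scan-server-image.txt || true').trim()` followed by `sh 'echo \'------------- end of scan -------------\' >> scan-server-image.txt'`. Even then the inverted match keeps any scanner banner or summary lines that contain none of those words (I cannot see the scan file format here), so a positive `grep 'High\|Critical'`, as the replaced line used, is the safer gate for the mail condition; the closing brace of vulnerabilityScan() is outside the hunk. In copyRPMs() the ubi9 suffix branching is duplicated for versions 11 and 12 and could be a single `RPMsuffix = dockerImageType.contains("ubi9") ? ".nightly-rhel9" : ".nightly-rhel"` assignment ahead of the chain, and nothing in the parameters block stops a run selecting marklogicVersion 10 together with a ubi9 image type, a combination the visible chain does not handle.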
34 changes: 29 additions & 5 deletions Makefile
Expand Up @@ -23,17 +23,36 @@ endif
ifeq ($(docker_image_type),ubi-rootless-hardened)
cp dockerFiles/marklogic-deps-ubi\:base dockerFiles/marklogic-deps-ubi-rootless-hardened\:base
endif
ifeq ($(docker_image_type),ubi9)
cp dockerFiles/marklogic-server-ubi\:base dockerFiles/marklogic-server-ubi9\:base
endif
ifeq ($(docker_image_type),ubi9-rootless)
cp dockerFiles/marklogic-deps-ubi9\:base dockerFiles/marklogic-deps-ubi9-rootless\:base
cp dockerFiles/marklogic-server-ubi-rootless\:base dockerFiles/marklogic-server-ubi9-rootless\:base
endif
ifeq ($(docker_image_type),ubi9-rootless-hardened)
cp dockerFiles/marklogic-deps-ubi9\:base dockerFiles/marklogic-deps-ubi9-rootless-hardened\:base
cp dockerFiles/marklogic-server-ubi-rootless-hardened\:base dockerFiles/marklogic-server-ubi9-rootless-hardened\:base
endif

# retrieve and copy open scap hardening script
ifeq ($(docker_image_type),ubi-rootless-hardened)
ifeq ($(findstring hardened,$(docker_image_type)),hardened)
[ -f scap-security-guide-${open_scap_version}.zip ] || curl -Lo scap-security-guide-${open_scap_version}.zip https://github.com/ComplianceAsCode/content/releases/download/v${open_scap_version}/scap-security-guide-${open_scap_version}.zip
unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/bash/rhel8-script-cis.sh > src/rhel8-script-cis.sh
#UBI9 needs a different version of the remediation script
ifeq ($(findstring ubi9,$(docker_image_type)),ubi9)
unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/bash/rhel9-script-cis.sh > src/rhel-script-cis.sh
else
unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/bash/rhel8-script-cis.sh > src/rhel-script-cis.sh
endif
endif


# build the image
cd src/; docker build ${docker_build_options} -t "${repo_dir}/marklogic-deps-${docker_image_type}:${dockerTag}" -f ../dockerFiles/marklogic-deps-${docker_image_type}:base .
cd src/; docker build ${docker_build_options} -t "${repo_dir}/marklogic-server-${docker_image_type}:${dockerTag}" --build-arg BASE_IMAGE=${repo_dir}/marklogic-deps-${docker_image_type}:${dockerTag} --build-arg ML_RPM=${package} --build-arg ML_USER=marklogic_user --build-arg ML_DOCKER_VERSION=${dockerVersion} --build-arg ML_VERSION=${marklogicVersion} --build-arg ML_CONVERTERS=${converters} --build-arg BUILD_BRANCH=${build_branch} -f ../dockerFiles/marklogic-server-${docker_image_type}:base .
rm -f dockerFiles/marklogic-deps-ubi-rootless\:base dockerFiles/marklogic-deps-ubi-rootless-hardened\:base

# remove temporary files
rm -f dockerFiles/marklogic-deps-ubi-rootless\:base dockerFiles/marklogic-deps-ubi-rootless-hardened\:base dockerFiles/marklogic-deps-ubi9-rootless\:base dockerFiles/marklogic-deps-ubi9-rootless-hardened\:base dockerFiles/marklogic-server-ubi9-rootless-hardened\:base src/NOTICE.txt src/rhel-script-cis.sh

#***************************************************************************
# strcture test docker images
Expand Down Expand Up @@ -95,10 +114,15 @@ scan:
scap-scan:
mkdir -p scap
[ -f scap-security-guide-${open_scap_version}.zip ] || curl -Lo scap-security-guide-${open_scap_version}.zip https://github.com/ComplianceAsCode/content/releases/download/v${open_scap_version}/scap-security-guide-${open_scap_version}.zip
unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/ssg-rhel8-ds.xml > scap/ssg-rhel8-ds.xml
#UBI9 needs a different version of the evaluation profile
ifeq ($(findstring ubi9,$(current_image)),ubi9)
unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/ssg-rhel9-ds.xml > scap/ssg-rhel-ds.xml
else
unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/ssg-rhel8-ds.xml > scap/ssg-rhel-ds.xml
endif
docker run -itd --name scap-scan -v $(PWD)/scap:/scap ${current_image}
docker exec -u root scap-scan /bin/bash -c "microdnf install -y openscap-scanner"
docker exec -u root scap-scan /bin/bash -c "oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results /scap/scap_scan_results.xml --report /scap/scap_scan_report.html /scap/ssg-rhel8-ds.xml > /scap/command-output.txt 2>&1" || true
docker exec -u root scap-scan /bin/bash -c "oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results /scap/scap_scan_results.xml --report /scap/scap_scan_report.html /scap/ssg-rhel-ds.xml > /scap/command-output.txt 2>&1" || true
docker rm -f scap-scan

#***************************************************************************
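Review bot: The scap-security-guide zip fetched by the `curl -Lo` line in the first hunk (and by the identical line in the scap-scan hunk) is downloaded without any integrity check, and the `rhel9-script-cis.sh`/`rhel8-script-cis.sh` extracted from it is then copied into the hardened image and executed during its build, so a substituted or tampered archive would run unverified. Verify the archive against a pinned digest before the `unzip -p` lines, e.g. `echo "<EXPECTED_SHA256>  scap-security-guide-${open_scap_version}.zip" | sha256sum -c`, with the digest recorded alongside open_scap_version (whose definition is outside this hunk). Separately, the new `rm -f` cleanup line does not remove `dockerFiles/marklogic-server-ubi9:base` or `dockerFiles/marklogic-server-ubi9-rootless:base`, although the new `ifeq` blocks create both with `cp`, so they are left behind in the working tree after a build. The target these recipe lines belong to starts outside the hunk.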
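--- a/dockerFiles/marklogic-deps-ubi9:base
+++ b/dockerFiles/marklogic-deps-ubi9:base
@@ -0,0 +1,25 @@
+###############################################################
+#
+# Copyright (c) 2023 MarkLogic Corporation
+#
+###############################################################
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1725849298
+LABEL "com.marklogic.maintainer"="[email protected]"
+
+###############################################################
+# install libnsl rpm package
+###############################################################
+
+RUN microdnf -y update \
+&& curl -Lso libnsl.rpm https://bed-artifactory.bedford.progress.com:443/artifactory/ml-rpm-release-tierpoint/devdependencies/libnsl-2.34-100.el9_4.3.x86_64.rpm \
+&& rpm -i libnsl.rpm \
+&& rm -f libnsl.rpm
+
+###############################################################
+# install networking, base deps and tzdata for timezone
+###############################################################
+# hadolint ignore=DL3006
+RUN echo "NETWORKING=yes" > /etc/sysconfig/network \
+&& microdnf -y install gdb nss libtool-ltdl cpio tzdata \
+&& microdnf clean all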
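Review bot: The `libnsl.rpm` downloaded with `curl -Lso` in the first RUN is installed with `rpm -i` without any integrity or signature verification, so the image build trusts whatever the artifactory URL serves at build time. Pin the package by digest before installing, e.g. add `&& echo "<EXPECTED_SHA256>  libnsl.rpm" | sha256sum -c \` ahead of the `rpm -i libnsl.rpm` line, or install it from a repository whose packages rpm can verify against an imported GPG key. The `# hadolint ignore=DL3006` comment sits above the second RUN, but DL3006 concerns an unpinned FROM image and the FROM line here is pinned, so the directive appears misplaced or unnecessary. The `microdnf -y update` at the top of the first RUN also means two builds of this file can yield different package sets; if that is intended, a one-line comment saying so would help the next maintainer.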
6 changes: 3 additions & 3 deletions dockerFiles/marklogic-server-ubi-rootless-hardened:base
Expand Up @@ -138,9 +138,9 @@ RUN mkdir -p ${MARKLOGIC_DATA_DIR} \
# run open scap hardening script
###############################################################

COPY rhel8-script-cis.sh /tmp/rhel8-script-cis.sh
RUN chmod +x /tmp/rhel8-script-cis.sh \
&& /tmp/rhel8-script-cis.sh
COPY rhel-script-cis.sh /tmp/rhel-script-cis.sh
RUN chmod +x /tmp/rhel-script-cis.sh \
&& /tmp/rhel-script-cis.sh

###############################################################
# Copy converters package
8 changes: 6 additions & 2 deletions src/scripts/start-marklogic-rootless.sh
Expand Up @@ -283,8 +283,12 @@ if [[ "${MARKLOGIC_DEV_BUILD}" == "true" ]]; then
info "MARKLOGIC_DEV_BUILD is true, starting build using ${MARKLOGIC_INSTALL_DIR}/MarkLogic"
"${MARKLOGIC_INSTALL_DIR}/MarkLogic" -i . -d "${MARKLOGIC_DATA_DIR}" -p "${MARKLOGIC_PID_FILE}" &
elif [[ -z "${MARKLOGIC_DEV_BUILD}" ]] || [[ "${MARKLOGIC_DEV_BUILD}" == "false" ]]; then
# service MarkLogic start
/etc/init.d/MarkLogic start
# Choose between init.d and systemd based on the presence of the init.d script
if [[ -e /etc/init.d/MarkLogic ]]; then
/etc/init.d/MarkLogic start
else
/etc/MarkLogic/MarkLogic-service.sh start
fi
else
error "MARKLOGIC_DEV_BUILD must be true or false." exit
fi
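Review bot: The new `else` branch runs `/etc/MarkLogic/MarkLogic-service.sh start` without checking that the script exists, so on an image that has neither script the failure surfaces as a bare shell "No such file or directory" instead of through the script's own `error` helper; the same applies to the sudo variant in src/scripts/start-marklogic.sh. Replace the bare `else` with `elif [[ -x /etc/MarkLogic/MarkLogic-service.sh ]]; then` and add `else` / `error "No MarkLogic service script found in /etc/init.d or /etc/MarkLogic." exit` before the `fi`, mirroring the MARKLOGIC_DEV_BUILD error a few lines below. The comment mentions systemd, but the code calls a service shell script rather than systemctl, so `# Prefer the init.d script; fall back to MarkLogic-service.sh when it is absent` would describe what actually happens. The surrounding if/elif chain on MARKLOGIC_DEV_BUILD opens before the hunk.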
7 changes: 6 additions & 1 deletion src/scripts/start-marklogic.sh
Expand Up @@ -307,7 +307,12 @@ if [[ "${MARKLOGIC_DEV_BUILD}" == "true" ]]; then
info "MARKLOGIC_DEV_BUILD is true, starting build using ${MARKLOGIC_INSTALL_DIR}/MarkLogic"
sudo "${MARKLOGIC_INSTALL_DIR}/MarkLogic" -i . -d "${MARKLOGIC_DATA_DIR}" -p "${MARKLOGIC_PID_FILE}" &
elif [[ -z "${MARKLOGIC_DEV_BUILD}" ]] || [[ "${MARKLOGIC_DEV_BUILD}" == "false" ]]; then
sudo /etc/init.d/MarkLogic start
# Choose between init.d and systemd based on the presence of the init.d script
if [[ -e /etc/init.d/MarkLogic ]]; then
sudo /etc/init.d/MarkLogic start
else
sudo /etc/MarkLogic/MarkLogic-service.sh start
fi
else
error "MARKLOGIC_DEV_BUILD must be true or false." exit
fi