From 7e33e6d1c5576619027f7cf5111cf18b6aa67254 Mon Sep 17 00:00:00 2001
From: lachmanfrantisek
Date: Thu, 29 Mar 2018 11:45:15 +0200
Subject: [PATCH 1/4] Add optional labels for redhat
Signed-off-by: lachmanfrantisek
---
 .../checks/labels/io_openshift_expose-services.py | 14 ++++++++++++++
 colin/checks/labels/vcs-url.py | 14 ++++++++++++++
 config/fedora.json | 5 ++++-
 config/redhat.json | 5 ++++-
 4 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 colin/checks/labels/io_openshift_expose-services.py
 create mode 100644 colin/checks/labels/vcs-url.py
diff --git a/colin/checks/labels/io_openshift_expose-services.py b/colin/checks/labels/io_openshift_expose-services.py
new file mode 100644
index 00000000..51d13bbe
--- /dev/null
+++ b/colin/checks/labels/io_openshift_expose-services.py
@@ -0,0 +1,14 @@
+from colin.checks.abstract.labels import LabelCheck
+
+
+class IoOpenshiftExposeServicesLabelCheck(LabelCheck):
+
+ def __init__(self):
+ super().__init__(name="io.openshift.expose-services_label",
+ message="Label 'io.openshift.expose-services' has to be specified.",
+ description="port:service pairs separated with comma, e.g. \"8080:http,8443:https\"",
+ reference_url="?????",
+ tags=["io.openshift.expose-services", "label", "optional"],
+ label="io.openshift.expose-services",
+ required=True,
+ value_regex=None)
diff --git a/colin/checks/labels/vcs-url.py b/colin/checks/labels/vcs-url.py
new file mode 100644
index 00000000..cb7d9e22
--- /dev/null
+++ b/colin/checks/labels/vcs-url.py
@@ -0,0 +1,14 @@
+from colin.checks.abstract.labels import LabelCheck
+
+
+class VcsUrlLabelCheck(LabelCheck):
+
+ def __init__(self):
+ super().__init__(name="vcs-url_label",
+ message="Label 'vcs-url' has to be specified.",
+ description="URL of the version control repository.",
+ reference_url="https://github.com/projectatomic/ContainerApplicationGenericLabels",
+ tags=["vcs-url", "vcs", "label", "optional"],
+ label="vcs-url",
+ required=True,
+ value_regex=None)
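Review bot: The `value_regex=None` argument in `IoOpenshiftExposeServicesLabelCheck.__init__` leaves the label's value unvalidated, although the `description` two lines above documents a strict `port:service[,port:service...]` format, so presumably any present value — including something like `http:8080` — satisfies the check. An anchored pattern such as `value_regex=r"^\d+:[\w-]+(,\d+:[\w-]+)*$"` would enforce the documented format (confirm whether `LabelCheck` applies the regex with `match` or `fullmatch`). `reference_url="?????"` is a placeholder that the other checks in this series pass straight into their `CheckResult`; point it at the OpenShift image-metadata documentation or pass `None` before merging. The `tags` list also says `"optional"` while `required=True` is passed; if `LabelCheck` honours that flag, the two disagree, so check which one the config-driven loader actually uses.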
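Review bot: `value_regex=None` in `VcsUrlLabelCheck.__init__` means the check can presumably only prove that a `vcs-url` label exists, not that it holds a URL, so an empty string or a bare path would pass as far as this check is concerned. A minimal anchored pattern such as `value_regex=r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$"` would reject the obvious typos while still allowing https/git/ssh forms. The `"optional"` tag next to `required=True` repeats the inconsistency of the sibling check in this commit; if the constructor flag is what `LabelCheck` evaluates, these labels will be reported as required regardless of the `optional` list in the config files.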
diff --git a/config/fedora.json b/config/fedora.json
index a29c0eaa..df3053e1
--- a/config/fedora.json
+++ b/config/fedora.json
@@ -18,7 +18,10 @@
 "vcs-ref",
 "vcs-type",
 "description",
- "io_k8s_description"
+ "io_k8s_description",
+ "vcs-url",
+ "maintainer",
+ "io_openshift_expose-services"
 ]
 },
 "dockerfile": {
diff --git a/config/redhat.json b/config/redhat.json
index 401ee9be..ce21c652
--- a/config/redhat.json
+++ b/config/redhat.json
@@ -1,7 +1,6 @@
 {
 "labels": {
 "required": [
- "maintainer",
 "name",
 "com_redhat_component",
 "summary",
@@ -30,6 +29,10 @@
 "release_capital_deprecated"
 ],
 "optional": [
+ "vcs-url",
+ "maintainer",
+ "io_openshift_expose-services",
+ "maintainer"
 ]
 },
 "dockerfile": {
From e11804bbb6bda50d9236848a62071623b79f14de Mon Sep 17 00:00:00 2001
From: lachmanfrantisek
Date: Thu, 29 Mar 2018 13:56:39 +0200
Subject: [PATCH 2/4] Add check for CMD or ENTRYPOINT presence
Signed-off-by: lachmanfrantisek
---
 .../best_practices/cmd_or_entrypoint.py | 36 +++++++++++++++++++
 config/fedora.json | 3 +-
 config/redhat.json | 3 +-
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 colin/checks/best_practices/cmd_or_entrypoint.py
diff --git a/colin/checks/best_practices/cmd_or_entrypoint.py b/colin/checks/best_practices/cmd_or_entrypoint.py
new file mode 100644
index 00000000..e39a5c5b
--- /dev/null
+++ b/colin/checks/best_practices/cmd_or_entrypoint.py
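Review bot: `"maintainer"` is listed twice in the new `optional` array of `config/redhat.json` (the second and the fourth added line of the `@@ -30,6 +29,10 @@` hunk); drop the trailing `+ "maintainer"` entry and remove the comma after `"io_openshift_expose-services"` so it becomes the last element. If the loader instantiates one check per listed name, the duplicate will run and be reported twice. The same commit removes `maintainer` from `required` in the first redhat.json hunk, so the duplicate looks like a leftover of that move rather than an intended second entry.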
@@ -0,0 +1,36 @@
+import logging
+
+from colin.checks.abstract.containers import ContainerCheck
+from colin.checks.abstract.images import ImageCheck
+from colin.checks.result import CheckResult
+
+logger = logging.getLogger(__name__)
+
+
+class CmdOrEntrypointCheck(ContainerCheck, ImageCheck):
+
+ def __init__(self):
+ super().__init__(name="cmd_or_entrypoint",
+ message="Cmd or Entrypoint has to be specified",
+ description="",
+ reference_url="?????",
+ tags=["cmd", "entrypoint", "required"])
+
+ def check(self, target):
+ metadata = target.instance.get_metadata()["Config"]
+ cmd_present = "Cmd" in metadata and metadata["Cmd"]
+ msg_cmd_present = "Cmd {}specified.".format("" if cmd_present else "not ")
+ logger.debug(msg_cmd_present)
+
+ entrypoint_present = "Entrypoint" in metadata and metadata["Entrypoint"]
+ msg_entrypoint_present = "Entrypoint {}specified.".format("" if entrypoint_present else "not ")
+ logger.debug(msg_entrypoint_present)
+
+ passed = cmd_present or entrypoint_present
+ return CheckResult(ok=passed,
+ severity=self.severity,
+ description=self.description,
+ message=self.message,
+ reference_url=self.reference_url,
+ check_name=self.name,
+ logs=[msg_cmd_present, msg_entrypoint_present])
diff --git a/config/fedora.json b/config/fedora.json
index df3053e1..0d82157e
--- a/config/fedora.json
+++ b/config/fedora.json
@@ -35,7 +35,8 @@
 },
 "best_practices": {
 "required": [
- "help_file_or_readme"
+ "help_file_or_readme",
+ "cmd_or_entrypoint"
 ],
 "optional": [
 ]
diff --git a/config/redhat.json b/config/redhat.json
index ce21c652..d34b11a6
--- a/config/redhat.json
+++ b/config/redhat.json
@@ -46,7 +46,8 @@
 },
 "best_practices": {
 "required": [
- "help_file"
+ "help_file",
+ "cmd_or_entrypoint"
 ],
 "optional": [
 ]
From 6eb99c047bffc65bb8049d1882906da58a16ba67 Mon Sep 17 00:00:00 2001
From: lachmanfrantisek
Date: Thu, 29 Mar 2018 13:58:33 +0200
Subject: [PATCH 3/4] Add check for running as root
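Review bot: In `CmdOrEntrypointCheck.check` the `cmd_present` and `entrypoint_present` expressions evaluate to the raw `Cmd`/`Entrypoint` list (or `False`), and `passed = cmd_present or entrypoint_present` forwards that list into `CheckResult(ok=passed, ...)`, so `ok` is a list rather than a bool and will serialise and compare oddly downstream; `cmd_present = bool(metadata.get("Cmd"))` and `entrypoint_present = bool(metadata.get("Entrypoint"))` keep the same truth value with a proper type. `target.instance.get_metadata()["Config"]` raises `KeyError` instead of producing a failed result if the inspect output has no `Config` key; whether the abstract check base classes catch that is not visible here. `description=""` and `reference_url="?????"` are placeholders that reach users through `self.description`/`self.reference_url` in the returned result; a one-liner such as `description="An image must define a default command (CMD) or ENTRYPOINT so it can be started without extra arguments."` plus the Dockerfile reference URL would complete the check.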
Signed-off-by: lachmanfrantisek
---
 colin/checks/best_practices/no_root.py | 25 +++++++++++++++++++++++++
 config/fedora.json | 3 ++-
 config/redhat.json | 3 ++-
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 colin/checks/best_practices/no_root.py
diff --git a/colin/checks/best_practices/no_root.py b/colin/checks/best_practices/no_root.py
new file mode 100644
index 00000000..d7fdcddd
--- /dev/null
+++ b/colin/checks/best_practices/no_root.py
@@ -0,0 +1,25 @@
+from colin.checks.abstract.containers import ContainerCheck
+from colin.checks.abstract.images import ImageCheck
+from colin.checks.result import CheckResult
+
+
+class NoRootCheck(ContainerCheck, ImageCheck):
+
+ def __init__(self):
+ super().__init__(name="no_root",
+ message="Service should not run as root by default.",
+ description="",
+ reference_url="?????",
+ tags=["root", "user"])
+
+ def check(self, target):
+ metadata = target.instance.get_metadata()["Config"]
+ root_present = "User" in metadata and metadata["User"] and metadata["User"] != "root"
+
+ return CheckResult(ok=root_present,
+ severity=self.severity,
+ description=self.description,
+ message=self.message,
+ reference_url=self.reference_url,
+ check_name=self.name,
+ logs=[])
diff --git a/config/fedora.json b/config/fedora.json
index 0d82157e..241d2dc8
--- a/config/fedora.json
+++ b/config/fedora.json
@@ -36,7 +36,8 @@
 "best_practices": {
 "required": [
 "help_file_or_readme",
- "cmd_or_entrypoint"
+ "cmd_or_entrypoint",
+ "no_root"
 ],
 "optional": [
 ]
diff --git a/config/redhat.json b/config/redhat.json
index d34b11a6..dba83ce5
--- a/config/redhat.json
+++ b/config/redhat.json
@@ -47,7 +47,8 @@
 "best_practices": {
 "required": [
 "help_file",
- "cmd_or_entrypoint"
+ "cmd_or_entrypoint",
+ "no_root"
 ],
 "optional": [
 ]
From f0e2747ec0e9fbcbed47e90d50d7019f611e1c93 Mon Sep 17 00:00:00 2001
From: lachmanfrantisek
Date: Thu, 29 Mar 2018 14:46:32 +0200
Subject: [PATCH 4/4] Correct root check
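Review bot: `NoRootCheck.check` returns `logs=[]`, so a failing result carries no evidence of which `User` value was inspected; `logs=["User: {!r}".format(metadata.get("User"))]` would make the finding reproducible from the report alone. The `root_present` condition above it treats a numeric `User` of `0` as non-root and is misnamed (it is true when a non-root user is set), but `[PATCH 4/4]` in this series already reworks that line, so nothing further is needed here beyond what that patch does. `description=""` and `reference_url="?????"` are placeholders that the returned `CheckResult` passes through as `self.description`/`self.reference_url`; a one-line rationale such as `description="Processes inside the container should run as an unprivileged user; set USER in the Dockerfile."` and a link to the Docker/OpenShift guidance would complete the check.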
Signed-off-by: lachmanfrantisek
---
 colin/checks/best_practices/no_root.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/colin/checks/best_practices/no_root.py b/colin/checks/best_practices/no_root.py
index d7fdcddd..4c9267a3
--- a/colin/checks/best_practices/no_root.py
+++ b/colin/checks/best_practices/no_root.py
@@ -14,9 +14,9 @@ def __init__(self):
 def check(self, target):
 metadata = target.instance.get_metadata()["Config"]
- root_present = "User" in metadata and metadata["User"] and metadata["User"] != "root"
+ root_present = "User" in metadata and metadata["User"] in ["", "0", "root"]
- return CheckResult(ok=root_present,
+ return CheckResult(ok=not root_present,
 severity=self.severity,
 description=self.description,
 message=self.message,
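Review bot: The new `root_present = "User" in metadata and metadata["User"] in ["", "0", "root"]` still compares the whole string, so the `user:group` forms Docker accepts (`0:0`, `root:root`, `root:wheel`) and a padded value like `" 0"` are classified as non-root and the check passes. Because the expression short-circuits on `"User" in metadata`, an inspect `Config` with no `User` key at all — which runs as UID 0 by default — also yields `ok=True` via the `ok=not root_present` line. Replace the line with `user = metadata.get("User", "")`, `uid = user.split(":", 1)[0].strip()` and `root_present = uid in ("", "0", "root")`. The tail of the enclosing `check` method (`reference_url`, `check_name`, `logs`) lies outside this hunk.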