From b394c3841c8d58ba36aca97cf6776ab74352bf13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakob=20M=C3=B6ller?= Date: Thu, 28 Nov 2024 10:07:59 +0100 Subject: [PATCH] feat: migrate to fully distroless ocm image (#1087) #### What this PR does / why we need it Migrates to Distroless which has a few advantages over alpine: 1. Smaller Base Image 2. No Package Manager or Shell that could be used to exploit vulnerabilities 3. Non-Root user by default I also remove the latest check in alpine since it only fetched a tag anyhow and we should pin by digest #### Which issue(s) this PR fixes --- Dockerfile | 22 +++++++++------------- components/ocmcli/Dockerfile | 23 +++++++++-------------- components/ocmcli/Makefile | 6 ------ components/ocmcli/ocm.sh | 20 -------------------- 4 files changed, 18 insertions(+), 53 deletions(-) delete mode 100644 components/ocmcli/ocm.sh diff --git a/Dockerfile b/Dockerfile index a7cd172537..d867203530 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ ARG GO_VERSION="1.23" ARG ALPINE_VERSION="3.20" +ARG DISTROLESS_VERSION=debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build @@ -20,26 +21,21 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ "-s -w -X ocm.software/ocm/api/version.gitVersion=$VERSION -X ocm.software/ocm/api/version.buildDate=$NOW" \ -o /bin/ocm ./cmds/ocm/main.go -FROM alpine:${ALPINE_VERSION} +FROM gcr.io/distroless/static-${DISTROLESS_VERSION} +# pass arg from initial build +ARG DISTROLESS_VERSION -# Create group and user -ARG UID=1000 -ARG GID=1000 -RUN addgroup -g "${GID}" ocmGroup && adduser -u "${UID}" ocmUser -G ocmGroup -D - -COPY --from=build /bin/ocm /bin/ocm -COPY --chmod=0755 components/ocmcli/ocm.sh /bin/ocm.sh +COPY --from=build /bin/ocm /usr/local/bin/ocm # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys -LABEL org.opencontainers.image.description="Open Component Model command line interface based on Alpine ${ALPINE_VERSION}" +LABEL org.opencontainers.image.description="Open Component Model command line interface based on Distroless ${DISTROLESS_VERSION}" LABEL org.opencontainers.image.vendor="SAP SE" LABEL org.opencontainers.image.licenses="Apache-2.0" LABEL org.opencontainers.image.url="https://ocm.software/" LABEL org.opencontainers.image.source="https://github.com/open-component-model/ocm" LABEL org.opencontainers.image.title="ocm" LABEL org.opencontainers.image.documentation="https://github.com/open-component-model/ocm/blob/main/docs/reference/ocm.md" -LABEL org.opencontainers.image.base.name="alpine:${ALPINE_VERSION}" +LABEL org.opencontainers.image.base.name="gcr.io/distroless/static-${DISTROLESS_VERSION}" -USER ocmUser -ENTRYPOINT ["/bin/ocm.sh"] -CMD ["/bin/ocm"] +ENTRYPOINT ["/usr/local/bin/ocm"] +CMD ["version"] diff --git a/components/ocmcli/Dockerfile b/components/ocmcli/Dockerfile index dc5a504d7e..1cb3673bac 100644 --- a/components/ocmcli/Dockerfile +++ b/components/ocmcli/Dockerfile @@ -1,21 +1,17 @@ # This Dockerfile is used by `make` via the Makefile -ARG ALPINE_VERSION="3.20.2" -FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} - -# Create group and user -ARG UID=1000 -ARG GID=1000 -RUN addgroup -g "${GID}" ocmGroup && adduser -u "${UID}" ocmUser -G ocmGroup -D +ARG DISTROLESS_VERSION=debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea +FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-${DISTROLESS_VERSION} +# pass arg from initial build +ARG DISTROLESS_VERSION ARG SUFFIX ARG OCM_VERSION -COPY gen/ocmcli/ocmcli.$SUFFIX /bin/ocm -COPY --chmod=0755 components/ocmcli/ocm.sh /bin/ocm.sh +COPY gen/ocmcli/ocmcli.$SUFFIX /usr/local/bin/ocm # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys -LABEL org.opencontainers.image.description="Open Component Model command line interface based on Alpine ${ALPINE_VERSION}" +LABEL org.opencontainers.image.description="Open Component Model command line interface based on Distroless ${DISTROLESS_VERSION}" LABEL org.opencontainers.image.vendor="SAP SE" LABEL org.opencontainers.image.licenses="Apache-2.0" LABEL org.opencontainers.image.url="https://ocm.software/" @@ -24,8 +20,7 @@ LABEL org.opencontainers.image.title="ocm" LABEL org.opencontainers.image.version="${OCM_VERSION}" LABEL org.opencontainers.image.revision="${OCM_VERSION}" LABEL org.opencontainers.image.documentation="https://github.com/open-component-model/ocm/blob/main/docs/reference/ocm.md" -LABEL org.opencontainers.image.base.name="alpine:${ALPINE_VERSION}" +LABEL org.opencontainers.image.base.name="gcr.io/distroless/static-${DISTROLESS_VERSION}" -USER ocmUser -ENTRYPOINT ["/bin/ocm.sh"] -CMD ["/bin/ocm"] +ENTRYPOINT ["/usr/local/bin/ocm"] +CMD ["version"] diff --git a/components/ocmcli/Makefile b/components/ocmcli/Makefile index 18d955580f..20915dab42 100644 --- a/components/ocmcli/Makefile +++ b/components/ocmcli/Makefile @@ -55,8 +55,6 @@ BUILD_FLAGS := "-s -w \ -X ocm.software/ocm/api/version.gitCommit=$(COMMIT) \ -X ocm.software/ocm/api/version.buildDate=$(NOW)" -ALPINE_LATEST_VER=$(shell curl -s https://registry.hub.docker.com/v2/repositories/library/alpine/tags | jq '.results[1].name' | xargs) - .PHONY: build build: $(GEN)/build @@ -78,13 +76,11 @@ $(GEN)/image: $(GEN)/.exists Dockerfile $(GEN)/build echo; echo "Building linux instead of darwin as there's no native Docker platform for darwin"; echo; \ docker buildx build -t $(IMAGE):$(VERSION) --platform linux/$(PLATFORM_ARCH) --file Dockerfile $(REPO_ROOT) \ --build-arg OCM_VERSION=$(EFFECTIVE_VERSION) \ - --build-arg ALPINE_VERSION=$(ALPINE_LATEST_VER) \ --build-arg SUFFIX=$$(echo linux/$(PLATFORM_ARCH) | sed -e s:/:-:g); \ else \ echo; echo "Building for $(PLATFORM_OS)/$(ARCH)"; echo; \ docker buildx build -t $(IMAGE):$(VERSION) --platform $(PLATFORM_OS)/$(PLATFORM_ARCH) --file Dockerfile $(REPO_ROOT) \ --build-arg OCM_VERSION=$(EFFECTIVE_VERSION) \ - --build-arg ALPINE_VERSION=$(ALPINE_LATEST_VER) \ --build-arg SUFFIX=$$(echo $(PLATFORM_OS)/$(PLATFORM_ARCH) | sed -e s:/:-:g); \ fi @touch $(GEN)/image @@ -93,13 +89,11 @@ $(GEN)/image: $(GEN)/.exists Dockerfile $(GEN)/build image.multi: $(GEN)/image.multi $(GEN)/image.multi: Dockerfile $(GEN)/build - echo "Building with Alpine version: ${ALPINE_LATEST_VER}" for i in $(IMAGE_PLATFORMS); do \ tag=$$(echo $$i | sed -e s:/:-:g); \ echo building platform $$i; \ docker buildx build --load -t $(IMAGE):$(VERSION)-$$tag --platform $$i --file Dockerfile $(REPO_ROOT) \ --build-arg OCM_VERSION=$(EFFECTIVE_VERSION) \ - --build-arg ALPINE_VERSION=$(ALPINE_LATEST_VER) \ --build-arg SUFFIX=$$tag; \ done @touch $(GEN)/image.multi diff --git a/components/ocmcli/ocm.sh b/components/ocmcli/ocm.sh deleted file mode 100644 index 0225d4c62d..0000000000 --- a/components/ocmcli/ocm.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh -set -e - -# this if will check if the first argument is a flag but only works if all arguments require a hyphenated flag -v; -SL; -f arg; etc will work, but not arg1 arg2 -if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then - set -- "$@" - exec /bin/ocm "$@" - return -fi - -# this case will check if the first argument is a known OCM command -case $1 in - add | bootstrap | cache | check | clean | completion | controller | create | credentials | describe | download | execute | get | hash | help | install | oci | ocm | show | sign | toi | transfer | verify | version) - exec /bin/ocm "$@" - return - ;; -esac - -# else default to run whatever the user wanted like "bash" or "sh" -exec "$@"