Commit f24547e

Browse files
feat: add iron bank Dockerfile & manifest (#5934)
* feat: add iron bank Dockerfile & manifest

Co-authored-by: Dean Sheather <dean@deansheather.com>

* add: tfrc file
* mv: ironbank/ /scripts
* fixup! Merge branch 'main' into iron-bank
* feat: add ironbank trivy scanning
* fixup! feat: add ironbank trivy scanning
* fixup! feat: add ironbank trivy scanning
* fixup! feat: add ironbank trivy scanning
* fixup! feat: add ironbank trivy scanning

---------

Co-authored-by: Dean Sheather <dean@deansheather.com>
1 parent 691495d commit f24547e

File tree

7 files changed

+319
-2
lines changed


‎.github/workflows/security.yaml

Lines changed: 41 additions & 1 deletion
@@ -92,6 +92,9 @@ jobs:
9292
restore-keys:|
9393
js-${{ runner.os }}-
9494
95+
-name:Install yq
96+
run:go run github.com/mikefarah/yq/v4@v4.30.6
97+
9598
-name:Build Coder linux amd64 Docker image
9699
id:build
97100
run:|
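Review bot: `go run github.com/mikefarah/yq/v4@v4.30.6` at +95/+96 compiles and executes yq once and then exits; it does not place a `yq` binary on PATH, yet the later "Update tool name in SARIF file (ironbank)" step runs `yq eval -i ...` as a plain command. Either use `go install github.com/mikefarah/yq/v4@v4.30.6` and make sure `$(go env GOPATH)/bin` is on PATH for the following steps, or invoke it where it is needed as `go run github.com/mikefarah/yq/v4@v4.30.6 eval -i ...`. The exact version pin is the right call; keep it whichever form is used.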
@@ -112,6 +115,17 @@ jobs:
112115
make -j "$image_job"
113116
echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
114117
118+
-name:Build Coder linux amd64 Docker image (ironbank)
119+
id:build-ironbank
120+
run:|
121+
set -euo pipefail
122+
# NOTE: This is not a real image tag we publish.
123+
image_tag="${{ steps.build.outputs.image }}-ironbank"
124+
./scripts/ironbank/build_ironbank.sh \
125+
--target "$image_tag" \
126+
"build/coder_$(./scripts/version.sh)_linux_amd64"
127+
echo "image=$image_tag" >> $GITHUB_OUTPUT
128+
115129
-name:Run Trivy vulnerability scanner
116130
uses:aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
117131
with:
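Review bot: the image built at +118 to +127 is not what registry1 would build from this Dockerfile: `build_ironbank.sh` in this same commit overrides the base to `registry.access.redhat.com/ubi8/ubi-minimal:8.7`, so the Trivy findings for `build-ironbank` cover the public UBI minimal base plus our layers, not the hardened Iron Bank base. Extend the `# NOTE:` comment at +122 (or the step name) to say that, so a clean result is not read as Iron Bank clearance. The input path `build/coder_$(./scripts/version.sh)_linux_amd64` relies on the preceding `build` step having produced the amd64 binary; the script's own `-f` check turns a missing file into a clear error, which is fine.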
@@ -124,10 +138,36 @@ jobs:
124138
uses:github/codeql-action/upload-sarif@v2
125139
with:
126140
sarif_file:trivy-results.sarif
141+
category:"Trivy"
142+
143+
-name:Run Trivy vulnerability scanner (ironbank)
144+
uses:aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
145+
with:
146+
image-ref:${{ steps.build-ironbank.outputs.image }}
147+
format:sarif
148+
output:trivy-results-ironbank.sarif
149+
severity:"CRITICAL,HIGH"
150+
151+
# Update the tool name field in the ironbank SARIF file so it's not
152+
# indistinguishable from findings in the non-ironbank SARIF file in the
153+
# GitHub UI. Without this, findings from both scans would show up as
154+
# "Trivy".
155+
-name:Update tool name in SARIF file (ironbank)
156+
run:|
157+
set -euo pipefail
158+
yq eval -i '.runs[0].tool.driver.name = "Trivy Ironbank"' trivy-results-ironbank.sarif
159+
160+
-name:Upload Trivy scan results to GitHub Security tab (ironbank)
161+
uses:github/codeql-action/upload-sarif@v2
162+
with:
163+
sarif_file:trivy-results-ironbank.sarif
164+
category:"Trivy Ironbank"
127165

128166
-name:Upload Trivy scan results as an artifact
129167
uses:actions/upload-artifact@v2
130168
with:
131169
name:trivy
132-
path:trivy-results.sarif
170+
path:|
171+
trivy-results.sarif
172+
trivy-results-ironbank.sarif
133173
retention-days:7
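Review bot: the two Trivy steps pin different commits of `aquasecurity/trivy-action` (`9ab158e8597f3b310480b9a69402b419bc03dbd5` at line 130 versus `7b7aa264d83dc58691451798b4d117d53d21edfe` at +144), so the two scans can run different scanner versions and a difference in findings may reflect the scanner rather than the image; pin both to the same SHA. The `category:` values added at +141 and +164 are what keeps the two SARIF uploads separate in code scanning; the `yq` rename at +158 only changes the displayed tool name, so the upload step does not depend on it succeeding. The artifact path change at +170 to +172 is fine, but note the ironbank SARIF is listed unconditionally, so a failed ironbank scan produces an `upload-artifact` warning about a missing file rather than a hard failure.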

‎scripts/ironbank/.gitignore

Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
coder.tar.gz
2+
terraform.zip
3+
terraform-provider-coder.zip
4+
5+
.terraform.zip.*
6+
.terraform-provider-coder.zip.*
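Review bot: these patterns are tied to the two resource names that exist today. `build_ironbank.sh` caches every non-`coder.tar.gz` resource from `hardening_manifest.yaml` as a hidden `.<filename>.<sha256>` file beside the script (which is what the `.terraform.zip.*` and `.terraform-provider-coder.zip.*` patterns here cover), so adding a resource to the manifest silently starts producing an untracked, committable cache file unless a matching line is added here. A generic pair such as `.*.zip.*` and `.*.tar.gz.*`, or at least a comment saying this file must be kept in sync with the manifest's `resources`, would prevent that.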

‎scripts/ironbank/Dockerfile

Lines changed: 95 additions & 0 deletions
@@ -0,0 +1,95 @@
1+
ARG BASE_REGISTRY=registry1.dso.mil
2+
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
3+
ARG BASE_TAG=8.7
4+
5+
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
6+
7+
SHELL ["/bin/bash","-c"]
8+
9+
ENV LANG=en_US.UTF-8
10+
11+
RUN microdnf update --assumeyes && \
12+
microdnf install --assumeyes \
13+
ca-certificates \
14+
git \
15+
gzip \
16+
shadow-utils \
17+
tar \
18+
unzip && \
19+
microdnf clean all
20+
21+
# Configure the cryptography policy manually. These policies likely
22+
# have no impact, since Go doesn't link against these libraries.
23+
#
24+
# Normally, one uses the update-crypto-policies script to create these
25+
# links, which is included in the crypto-policies-scripts package, but
26+
# that pulls in Python, so we create the links manually here. This
27+
# list of links comes from running strace on the update-crypto-policies
28+
# script (strace update-crypto-policies --set FIPS) in Fedora, since
29+
# RHEL and UBI do not provide an strace package by default.
30+
RUN echo"FIPS" >/etc/crypto-policies/config && \
31+
cp --force /usr/share/crypto-policies/policies/FIPS.pol /etc/crypto-policies/state/CURRENT.pol && \
32+
echo"FIPS" >/etc/crypto-policies/state/current && \
33+
ln --symbolic --force /usr/share/crypto-policies/FIPS/bind.txt /etc/crypto-policies/back-ends/bind.config && \
34+
ln --symbolic --force /usr/share/crypto-policies/FIPS/gnutls.txt /etc/crypto-policies/back-ends/gnutls.config && \
35+
ln --symbolic --force /usr/share/crypto-policies/FIPS/java.txt /etc/crypto-policies/back-ends/java.config && \
36+
ln --symbolic --force /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config && \
37+
ln --symbolic --force /usr/share/crypto-policies/FIPS/libreswan.txt /etc/crypto-policies/back-ends/libreswan.config && \
38+
ln --symbolic --force /usr/share/crypto-policies/FIPS/libssh.txt /etc/crypto-policies/back-ends/libssh.config && \
39+
ln --symbolic --force /usr/share/crypto-policies/FIPS/nss.txt /etc/crypto-policies/back-ends/nss.config && \
40+
ln --symbolic --force /usr/share/crypto-policies/FIPS/openssh.txt /etc/crypto-policies/back-ends/openssh.config && \
41+
ln --symbolic --force /usr/share/crypto-policies/FIPS/opensshserver.txt /etc/crypto-policies/back-ends/opensshserver.config && \
42+
ln --symbolic --force /usr/share/crypto-policies/FIPS/openssl.txt /etc/crypto-policies/back-ends/openssl.config && \
43+
ln --symbolic --force /usr/share/crypto-policies/FIPS/opensslcnf.txt /etc/crypto-policies/back-ends/opensslcnf.config
44+
45+
# Copy and extract Coder binary from tar file. We have to put this in /opt to
46+
# match the Dockerfile.
47+
ARG CODER_BIN=/opt/coder
48+
ARG CODER_BIN_TAR_GZ=coder.tar.gz
49+
COPY"$CODER_BIN_TAR_GZ" /tmp/coder.tar.gz
50+
RUN mkdir -p /opt && \
51+
tar -xzvf /tmp/coder.tar.gz --directory /opt --strip-components=1 ./coder && \
52+
rm /tmp/coder.tar.gz
53+
ENV PATH="/opt:${PATH}"
54+
55+
# Copy and extract Terraform binary from zip file.
56+
ARG TERRAFORM_BIN_DIR=/opt/terraform
57+
ARG TERRAFORM_BIN_ZIP=terraform.zip
58+
COPY"$TERRAFORM_BIN_ZIP" /tmp/terraform.zip
59+
RUN mkdir -p"$TERRAFORM_BIN_DIR" && \
60+
unzip /tmp/terraform.zip -d"$TERRAFORM_BIN_DIR" && \
61+
rm /tmp/terraform.zip
62+
ENV PATH="${TERRAFORM_BIN_DIR}:${PATH}"
63+
64+
# Install the Coder Terraform provider to a well-known location.
65+
ARG TERRAFORM_PLUGINS_DIR=/opt/terraform/plugins
66+
ARG TERRAFORM_CODER_PROVIDER_VERSION
67+
ARG TERRAFORM_CODER_PROVIDER_ZIP=terraform-provider-coder.zip
68+
COPY"$TERRAFORM_CODER_PROVIDER_ZIP""${TERRAFORM_PLUGINS_DIR}/registry.terraform.io/coder/coder/terraform-provider-coder_${TERRAFORM_CODER_PROVIDER_VERSION}_linux_amd64.zip"
69+
70+
# Configure Terraform to use plugins from this dir.
71+
COPY terraform-filesystem-mirror.tfrc /opt/terraform/config.tfrc
72+
ENV TF_CLI_CONFIG_FILE=/opt/terraform/config.tfrc
73+
74+
# Uninstall the build dependencies.
75+
RUN microdnf remove --assumeyes \
76+
tar \
77+
unzip && \
78+
microdnf clean all
79+
80+
# Transfer ownership of the binaries to the 'coder' user.
81+
RUN useradd coder \
82+
--create-home \
83+
--shell=/bin/bash \
84+
--uid=1000 \
85+
--user-group && \
86+
chown --recursive --quiet coder:coder"$CODER_BIN" && \
87+
chown --recursive --quiet coder:coder"$TERRAFORM_BIN_DIR" && \
88+
chown --recursive --quiet coder:coder"$TERRAFORM_PLUGINS_DIR" && \
89+
chmod 0755 /home/coder
90+
91+
USER 1000
92+
ENV HOME /home/coder
93+
ENV USER=coder
94+
95+
ENTRYPOINT ["/opt/coder","server" ]
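Review bot: `ARG TERRAFORM_CODER_PROVIDER_VERSION` at line 66 has no default and nothing fails when it is empty: the `COPY` at line 68 then writes `terraform-provider-coder__linux_amd64.zip`, which the Terraform filesystem mirror will never match, and the mistake only surfaces on the first template build inside the image. Add a guard before the COPY, e.g. `RUN test -n "$TERRAFORM_CODER_PROVIDER_VERSION"`. Two smaller points: `ENV HOME /home/coder` at line 92 uses the legacy space form while the neighbouring `ENV USER=coder` uses `KEY=value`, so make them consistent; and the comment at lines 21-22 is worth keeping verbatim, because the crypto-policies symlinks at lines 30-43 only affect system libraries and the Go binary does not link against them, so the image must not be described as FIPS-mode on that basis alone.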

‎scripts/ironbank/build_ironbank.sh

Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,106 @@
1+
#!/usr/bin/env bash
2+
3+
# This script builds the ironbank Docker image of Coder containing the given
4+
# binary. Other dependencies will be automatically downloaded and cached.
5+
#
6+
# Usage: ./build_ironbank.sh --target image_tag path/to/coder
7+
8+
set -euo pipefail
9+
# shellcheck source=scripts/lib.sh
10+
source"$(dirname"${BASH_SOURCE[0]}")/../lib.sh"
11+
12+
image_tag=""
13+
14+
args="$(getopt -o"" -l target: --"$@")"
15+
evalset --"$args"
16+
whiletrue;do
17+
case"$1"in
18+
--target)
19+
image_tag="$2"
20+
shift 2
21+
;;
22+
--)
23+
shift
24+
break
25+
;;
26+
*)
27+
error"Unrecognized option:$1"
28+
;;
29+
esac
30+
done
31+
32+
if [["$image_tag"=="" ]];then
33+
error"The --image-tag parameter is required"
34+
fi
35+
36+
# Check dependencies
37+
dependencies docker sha256sum yq
38+
if [[$(yq --version)!=*" v4."* ]];then
39+
error"yq version 4 is required"
40+
fi
41+
42+
if [["$#"!= 1 ]];then
43+
error"Exactly one argument must be provided to this script,$# were supplied"
44+
fi
45+
if [[!-f"$1" ]];then
46+
error"File '$1' does not exist or is not a regular file"
47+
fi
48+
input_file="$(realpath"$1")"
49+
50+
# Make temporary dir for Docker build context.
51+
tmpdir="$(mktemp -d)"
52+
trap'rm -rf "$tmpdir"' EXIT
53+
pushd"$(dirname"${BASH_SOURCE[0]}")"
54+
cp Dockerfile"$tmpdir/"
55+
cp terraform-filesystem-mirror.tfrc"$tmpdir/"
56+
popd
57+
58+
# Create a coder.tar.gz file.
59+
execrelative ../archive.sh \
60+
--format tar.gz \
61+
--os linux \
62+
--output"$tmpdir/coder.tar.gz" \
63+
"$input_file"
64+
65+
# Download all resources in the hardening_manifest.yaml file except for
66+
# coder.tar.gz (which we will make ourselves).
67+
manifest_path="$(dirname"${BASH_SOURCE[0]}")/hardening_manifest.yaml"
68+
resources="$(yq e'.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv'"$manifest_path")"
69+
whileread -r line;do
70+
filename="$(echo"$line"| cut -f1)"
71+
url="$(echo"$line"| cut -f2)"
72+
sha256_hash="$(echo"$line"| cut -f3)"
73+
74+
pushd"$(dirname"${BASH_SOURCE[0]}")"
75+
target=".$(unknown).${sha256_hash}"
76+
if [[!-f"$target" ]];then
77+
log"Downloading$filename"
78+
curl -sSL"$url" -o"$target"
79+
fi
80+
81+
sum="$(sha256sum"$target"| cut -d'' -f1)"
82+
if [["$sum"!="$sha256_hash" ]];then
83+
rm"$target"
84+
error"Downloaded$filename has hash$sum, but expected$sha256_hash"
85+
fi
86+
cp"$target""$tmpdir/$filename"
87+
popd
88+
done<<<"$resources"
89+
90+
terraform_coder_provider_version="$(yq e'.args.TERRAFORM_CODER_PROVIDER_VERSION'"$manifest_path")"
91+
if [["$terraform_coder_provider_version"=="" ]];then
92+
error"TERRAFORM_CODER_PROVIDER_VERSION not found in hardening_manifest.yaml"
93+
fi
94+
95+
# Build the image.
96+
pushd"$tmpdir"
97+
docker build \
98+
--build-arg BASE_REGISTRY=registry.access.redhat.com \
99+
--build-arg BASE_IMAGE=ubi8/ubi-minimal \
100+
--build-arg BASE_TAG=8.7 \
101+
--build-arg TERRAFORM_CODER_PROVIDER_VERSION="$terraform_coder_provider_version" \
102+
-t"$image_tag" \
103+
.>&2
104+
popd
105+
106+
echo"$image_tag"
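Review bot: the usage error at line 33 names a `--image-tag` parameter that does not exist; the only flag parsed at lines 14-19 is `--target`, so the message should read `The --target parameter is required`. Two further points in the download loop at lines 69-88: `.validation.value` is treated as a SHA-256 without ever reading `.validation.type`, so a manifest entry with a different hash type would be rejected with a misleading "hash mismatch" error rather than an honest "unsupported validation type", and reading the type first keeps the failure accurate; and the cache path at line 75 as rendered on this page reads `.$(unknown).${sha256_hash}`, whereas the `.terraform.zip.*` patterns in the new `.gitignore` imply `.${filename}.${sha256_hash}`, so confirm the committed line matches the ignore patterns. Verifying the download against the manifest hash and deleting it on mismatch (lines 81-85) is the right shape; note the cache is keyed by hash, so a manifest bump to a new version simply downloads a new file.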
scripts/ironbank/hardening_manifest.yaml

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
apiVersion:v1
2+
3+
# The repository name in registry1, excluding /ironbank/
4+
name:"coder/coder-enterprise/coder-service-2"
5+
6+
# List of tags to push for the repository in registry1
7+
# The most specific version should be the first tag and will be shown
8+
# on ironbank.dso.mil
9+
tags:
10+
-"0.15.3"
11+
-"latest"
12+
13+
# Build args passed to Dockerfile ARGs
14+
args:
15+
# Needs to be kept in sync with the resource below.
16+
TERRAFORM_CODER_PROVIDER_VERSION:"0.6.10"
17+
18+
# Docker image labels
19+
labels:
20+
org.opencontainers.image.title:"coder-service-v2"
21+
# Human-readable description of the software packaged in the image
22+
org.opencontainers.image.description:"Coder server binary, includes REST API, Terraform, and dashboard"
23+
# License(s) under which contained software is distributed
24+
org.opencontainers.image.licenses:"AGPL"
25+
# URL to find more information on the image
26+
org.opencontainers.image.url:"https://coder.com/docs"
27+
# Name of the distributing entity, organization or individual
28+
org.opencontainers.image.vendor:"Coder Technologies"
29+
org.opencontainers.image.version:"0.15.3"
30+
# Keywords to help with search (ex. "cicd,gitops,golang")
31+
mil.dso.ironbank.image.keywords:"remote, workspaces"
32+
33+
# List of resources to make available to the offline build context
34+
resources:
35+
# Coder binary
36+
-url:"https://github.com/coder/coder/releases/download/v0.15.3/coder_0.15.3_linux_amd64.tar.gz"
37+
filename:"coder.tar.gz"
38+
validation:
39+
type:sha256
40+
value:2c88555777f1d9cc77a8f049093f4002472dc43d52b026e6784ef477bdced4a2
41+
# Terraform binary, bundled inside of Coder to support air-gapped installs.
42+
-url:https://releases.hashicorp.com/terraform/1.3.7/terraform_1.3.7_linux_amd64.zip
43+
filename:"terraform.zip"
44+
validation:
45+
type:sha256
46+
value:b8cf184dee15dfa89713fe56085313ab23db22e17284a9a27c0999c67ce3021e
47+
# Coder Terraform provider, bundled inside of Coder to support air-gapped
48+
# installs.
49+
#
50+
# The version of this provider needs to be kept in sync with the
51+
# TERRAFORM_CODER_PROVIDER_VERSION build arg.
52+
-url:https://github.com/coder/terraform-provider-coder/releases/download/v0.6.10/terraform-provider-coder_0.6.10_linux_amd64.zip
53+
filename:"terraform-provider-coder.zip"
54+
validation:
55+
type:sha256
56+
value:4c2a16010621e146251f6fb5e27105dde9213d85ca8f3c8866c3f5a4159b81b0
57+
58+
# List of project maintainers
59+
maintainers:
60+
-email:"eric@coder.com"
61+
name:"Eric Paulsen"
62+
username:"ericpaulsen"
63+
-email:"dean@coder.com"
64+
name:"Dean Sheather"
65+
username:"cdrdean"
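Review bot: `org.opencontainers.image.licenses` at line 24 is defined by the OCI image spec as an SPDX license expression, and `AGPL` on its own is not a valid SPDX identifier; use the exact identifier matching the repository's LICENSE file (the `AGPL-3.0-only` form, if that is what it says). The version `0.15.3` is repeated in `tags` (line 10), `org.opencontainers.image.version` (line 29) and the coder.tar.gz URL (line 36), and `0.6.10` in both `args` (line 16) and the provider URL (line 52); the comments say to keep them in sync, but `build_ironbank.sh` only reads `args`, so a mismatch still builds, with the provider zip staged under a directory name that does not match its contents. A one-line check in the script that the provider resource URL contains `${TERRAFORM_CODER_PROVIDER_VERSION}` would catch that.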
scripts/ironbank/terraform-filesystem-mirror.tfrc

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
provider_installation {
2+
filesystem_mirror {
3+
path = "/opt/terraform/plugins"
4+
}
5+
}
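Review bot: a `filesystem_mirror` block with no `include`/`exclude` and no `direct {}` block makes the mirror the only installation method, so inside this image `terraform init` fails for any provider that is not staged under `/opt/terraform/plugins` (currently just `registry.terraform.io/coder/coder`). That is the right behaviour for an air-gapped build, but it is a functional difference from the main image that should be stated in a comment here and in the manifest's image description, since a template that pulls in any other provider will not work. The packed-layout path the Dockerfile COPYs to (`registry.terraform.io/coder/coder/terraform-provider-coder_<version>_linux_amd64.zip`) is the layout this mirror expects, so the two files agree.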

‎scripts/lib.sh

Lines changed: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ realpath() {
3939
}
4040

4141
# We have to define realpath before these otherwise it fails on Mac's bash.
42-
SCRIPT_DIR="$(realpath"$(dirname"${BASH_SOURCE[0]}")")"
42+
SCRIPT_DIR="$(realpath"$(dirname"${BASH_SOURCE[1]}")")"
4343
PROJECT_ROOT="$(cd"$SCRIPT_DIR"&& realpath"$(git rev-parse --show-toplevel)")"
4444

4545
# pushd is a silent alternative to the real pushd shell command.
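Review bot: switching `BASH_SOURCE[0]` to `BASH_SOURCE[1]` at line 42 silently changes what `SCRIPT_DIR` means for every script that sources lib.sh: it now points at the directory of the sourcing script rather than at `scripts/`. That is what `build_ironbank.sh` (in `scripts/ironbank/`) wants, but any existing caller that used `SCRIPT_DIR` to reach siblings in `scripts/` breaks as soon as it is sourced from a subdirectory, and none of those callers appear in this diff. Grep for `SCRIPT_DIR` across `scripts/` before merging, and update the comment at line 41 to say that `SCRIPT_DIR` is the caller's directory. `PROJECT_ROOT` is unaffected, since it is derived from `git rev-parse --show-toplevel`.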

0 commit comments
