
Issue 168 vulnerability checks #183

Merged
merged 11 commits into from
Mar 24, 2022

Conversation

nigelgbanks
Contributor

@nigelgbanks nigelgbanks commented Feb 2, 2022

Also updates many packages and software to reduce the number of vulnerabilities though many still exist in the java portions of the stack.

  • alpine to latest stable release
  • imagemagick
  • tomcat
  • fits

Requires Islandora-Devops/isle-gradle-docker-plugin#12 to be reviewed and merged.

@nigelgbanks nigelgbanks requested a review from dannylamb February 2, 2022 13:34
@nigelgbanks
Contributor Author

nigelgbanks commented Feb 2, 2022

Tested with isle-dc and cantaloupe doesn't seem to work. On further investigation, though, it seems that it's looking for the files in the wrong place (i.e. in Fedora when the service file is on disk); it doesn't actually seem like cantaloupe itself broke.

-- EDIT

Ya, I just tested isle-dc with older images and cantaloupe isn't working there either; it's likely not related.

@nigelgbanks
Contributor Author

Islandora-Devops/isle-dc#219 resolved the cantaloupe issue.

@nigelgbanks
Contributor Author

Since you've been looking at pull requests, bump @dannylamb.

@g7morris g7morris added security release question Further information is requested and removed question Further information is requested labels Mar 14, 2022
@g7morris
Contributor

Hi @nigelgbanks & @dannylamb, curious what action or review is further required here? Should this go into the March / April 2022 isle-buildkit 1.0.0 release?

@nigelgbanks
Contributor Author

Just needs to be tested and merged, by someone other than me.

@g7morris
Contributor

g7morris commented Mar 23, 2022

Reporting results from testing process:

Test Environment

  • OS: Ubuntu 20.04 LTS Desktop
  • CPU: Intel i7-10510U (8 cores) @ 4.900 GHz
  • Mem: 32 GB

Test process / steps

  • git clone git@github.com:Islandora-Devops/isle-buildkit.git to local laptop
  • git checkout issue-168-vulnerability-checks
  • ./gradlew build

Attempt 1

Ran for about 8 mins with full CPU lockup the entire time. @nigelgbanks Any way we can reduce that?

#44 [stage-4 16/17] RUN ln -s /usr/local/share/.config/yarn/global/node_modules/.bin/code-server /usr/local/bin/code-server &&     ln -s /usr/local/share/.config/yarn/global/node_modules/.bin/node-gyp /usr/local/bin/node-gyp &&     ln -s /usr/local/share/.config/yarn/global/node_modules/.bin/grunt /usr/local/bin/grunt &&     ln -s /usr/local/share/.config/yarn/global/node_modules/.bin/bower /usr/local/bin/bower
#44 DONE 0.3s

#45 [stage-4 17/17] RUN chmod a=r,u+w /etc/sudo.conf
#45 DONE 0.3s

#46 exporting to image
#46 exporting layers
#46 exporting layers 3.1s done
#46 writing image sha256:164bfced1d11cf2b05c914dfac688138cbd19d4acf2bbf7ebc5c60f8456d303a done
#46 naming to docker.io/local/code-server:latest done
#46 DONE 3.1s

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':alpaca:build'.
> Process 'command 'docker'' finished with non-zero exit value 1

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 8m 20s
28 actionable tasks: 28 executed

Attempt 2

  • ./gradlew build
#18 exporting to image
#18 exporting layers
#18 exporting layers 0.4s done
#18 writing image sha256:f92db08a102678c7525c8db5d0222553053d350b955af8673e0f96e87592d7de done
#18 naming to docker.io/local/alpaca:latest done
#18 DONE 0.4s

BUILD SUCCESSFUL in 2m 17s
33 actionable tasks: 7 executed, 26 up-to-date

@nigelgbanks 2nd time is the charm? What additional steps should I take from here? Attempt to use isle-dc with these created images?

@g7morris g7morris added question Further information is requested gradle labels Mar 23, 2022
@nigelgbanks
Contributor Author

@g7morris looks like I need to rebase this due to conflicts on main from just merging the fixes for code-server, #198.

@g7morris
Contributor

@nigelgbanks To be clear, this is something you're intending to do this week, and then I can get back to testing, correct?

@nigelgbanks nigelgbanks force-pushed the issue-168-vulnerability-checks branch from dde3f2f to 562ca98 Compare March 23, 2022 18:54
@nigelgbanks
Contributor Author

@g7morris I was just sorting out the conflict and doing a quick build to check locally.

@nigelgbanks
Contributor Author

You should be good to test when this finishes: https://github.com/Islandora-Devops/isle-buildkit/runs/5665429249?check_suite_focus=true, with the commit 562ca9854343031da934dbaaea9728bca0f9371a.

@g7morris
Contributor

Ignore previous comment. I'm too quick to test; the build / push needs to finish.

@nigelgbanks
Contributor Author

@g7morris Unfortunately this one needs to do a full rebuild, which includes compiling imagemagick under emulation for linux/arm64, which is super slow.

@nigelgbanks
Contributor Author

@g7morris actually, in this case it might be faster to build it locally, as you'd only be building for your platform.

@g7morris
Contributor

g7morris commented Mar 23, 2022

@nigelgbanks What steps would be needed to do this? I can run it overnight when I get back home on my laptop (non-ARM) or Apple M1 (ARM-ish). Is there a flag for arm? Is this in isle-dc for the full monty, or isle-buildkit? Sorry, long day; I'm probably asking something stupid.

@nigelgbanks
Contributor Author

@g7morris looks like it's finished 😌 so you can just pull 562ca9854343031da934dbaaea9728bca0f9371a.

That being said, if you do ./gradlew build on a Mac M1 it will build natively for Linux/arm64; if you use the same command on an older x86 Mac it will build natively for Linux/x86_64, so it's handled automatically for you. The build and push task for the GitHub Actions, though, always builds both platforms: Linux/x86_64, which is relatively fast to build, and Linux/arm64, which is built via emulation with qemu and is super slow. This is because we push to Docker Hub and need to support people downloading for either platform.

@nigelgbanks
Contributor Author

Typically we make use of heavy caching, which cuts the time down from over an hour to 10 mins or so, but this pull request changes all the base images so no caching can be used.

@nigelgbanks
Contributor Author

As for tests, just the normal bring up the demo and muck about; the grype reports can be downloaded here:

https://github.com/Islandora-Devops/isle-buildkit/suites/5774283956/artifacts/192302600

So that bit works; it's more so just to confirm I've not broken anything the automated tests wouldn't pick up on.
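A small parser for grype reports of the kind linked above, added here as an example rather than anything from isle-buildkit. It assumes grype's JSON output shape (`grype <image> -o json`: a top-level "matches" list with "vulnerability.id", "vulnerability.severity" and "artifact.name"/"artifact.version"), and the sample report and CVE ids below are constructed placeholders.

```python
"""Summarize a grype JSON report and gate a build on a severity threshold.

Assumption (not from the pull request): the input is grype's JSON output.
"""
import json
from collections import Counter

# Order used to compare severities; "unknown" is ranked lowest so it never
# blocks a build on its own (tighten this if you prefer a conservative gate).
SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1,
                 "medium": 2, "high": 3, "critical": 4}

# Constructed sample in grype's JSON shape; ids and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low"},
         "artifact": {"name": "busybox", "version": "1.34.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
         "artifact": {"name": "example-java-lib", "version": "2.14.0"}},
    ]
})


def summarize(report_json: str) -> Counter:
    """Count findings per (lower-cased) severity level."""
    report = json.loads(report_json)
    return Counter(m["vulnerability"]["severity"].lower()
                   for m in report.get("matches", []))


def findings_at_or_above(report_json: str, threshold: str) -> list:
    """Return (id, package, version, severity) tuples at or above threshold,
    most severe first, so the report can be triaged top-down."""
    floor = SEVERITY_RANK[threshold.lower()]
    out = []
    for m in json.loads(report_json).get("matches", []):
        sev = m["vulnerability"]["severity"].lower()
        if SEVERITY_RANK.get(sev, 0) >= floor:
            out.append((m["vulnerability"]["id"], m["artifact"]["name"],
                        m["artifact"]["version"], sev))
    return sorted(out, key=lambda f: -SEVERITY_RANK.get(f[3], 0))


def build_passes(report_json: str, threshold: str = "high") -> bool:
    """True when no finding reaches the threshold (the CI gate decision)."""
    return not findings_at_or_above(report_json, threshold)
```

grype itself can fail a scan with `--fail-on <severity>`; parsing the saved JSON is still handy for summarizing downloaded artifacts like the ones linked above.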

@g7morris
Contributor

Okay, I think this passes, and using the arm images to test is much faster on a Mac, both in the isle-dc make demo process (built in < 2 mins) and the gradle build.

Reporting results from testing process:

isle-buildkit

Test Environment

  • OS: MacOS Monterey 12.3 - (Mac Mini 9,1)
  • CPU: 8 cores
  • Mem: 16 GB

Test process / steps

  • git clone git@github.com:Islandora-Devops/isle-buildkit.git to local laptop
  • git checkout issue-168-vulnerability-checks
  • ./gradlew build

Attempt 1

Ran for about < 6 mins with not-so-full CPU lockup the entire time. Close, but it did go heavily into swap, ~8 GB.

BUILD SUCCESSFUL in 5m 32s
33 actionable tasks: 33 executed

isle-dc

Test Environment

  • OS: MacOS Monterey 12.3 - (Mac Mini 9,1)
  • CPU: 8 cores
  • Mem: 16 GB

Steps taken to test

  • git clone git@github.com:Islandora-Devops/isle-dc.git to local laptop
  • cd isle-dc
  • cp sample.env .env
  • vi / nano .env
    • Changed TAG= to TAG= 562ca9854343031da934dbaaea9728bca0f9371a
  • make demo

Results

@nigelgbanks Process worked great and much faster than x86. No new errors. Site is snappier and drush commands don't lag. Nice.

Think we can ship this one eh?

@g7morris g7morris requested review from g7morris and removed request for dannylamb March 24, 2022 03:31
@g7morris g7morris self-assigned this Mar 24, 2022
@nigelgbanks
Contributor Author

@g7morris awesome, I'll merge it then 👍

@nigelgbanks nigelgbanks merged commit 2ee80c7 into main Mar 24, 2022
@nigelgbanks nigelgbanks deleted the issue-168-vulnerability-checks branch March 24, 2022 07:39