From c7fce0845eddf2e4c5e3c96e480736afb0b942cf Mon Sep 17 00:00:00 2001
From: Rory Hunter
Date: Mon, 9 Aug 2021 14:27:17 +0100
Subject: [PATCH] Fixes for Iron Bank (#76087) (#76149)

Second attempt after reverting #76087. This PR fixes a number of issues with the Iron Bank Docker context. Most notably it changes the generated `Dockerfile` in the build context to `COPY` the Elasticsearch archive, instead of downloading it, since Iron Bank images have a different process and will never be built on Docker Hub. This requires that the context task be wired to `assemble` instead of the build image task. The latter is only used for testing purposes.
---
 distribution/docker/build.gradle | 43 +++++++++++--------
 distribution/docker/src/docker/Dockerfile | 15 ++++---
 .../docker/iron_bank/hardening_manifest.yaml | 14 +++++-
 3 files changed, 48 insertions(+), 24 deletions(-)

diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle
index a5f797836aad3..64bd4c75cc2ef 100644
--- a/distribution/docker/build.gradle
+++ b/distribution/docker/build.gradle
@@ -53,9 +53,9 @@ ext.expansions = { Architecture architecture, DockerBase base ->
String buildArgs = ''
if (base == DockerBase.IRON_BANK) {
buildArgs = """
-ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082
-ARG BASE_IMAGE=redhat/ubi/ubi8
-ARG BASE_TAG=8.3
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
+ARG BASE_TAG=8.4
"""
}
@@ -68,7 +68,7 @@ ARG BASE_TAG=8.3
'build_date' : BuildParams.buildDate,
'config_dir' : base == DockerBase.IRON_BANK ? 'scripts' : 'config',
'git_revision' : BuildParams.gitRevision,
- 'license' : 'Elastic-License-2.0',
+ 'license' : base == DockerBase.IRON_BANK ? 'Elastic License 1.0' : 'Elastic-License-2.0',
'package_manager' : base == DockerBase.UBI ? 'microdnf' : 'yum',
'docker_base' : base.name().toLowerCase(),
'version' : VersionProperties.elasticsearch,
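Review bot: The new `ARG BASE_TAG=8.4` default, together with `BASE_REGISTRY` and `BASE_IMAGE`, pins the Iron Bank base by a floating tag rather than a digest, so rebuilding the same source can pull a different base image with no change in this file. If these are only placeholder defaults that the Iron Bank pipeline overrides at build time, a comment above `buildArgs = """` such as `// Defaults for local builds only; the Iron Bank pipeline supplies BASE_REGISTRY/BASE_IMAGE/BASE_TAG` would record that and stop a reader from assuming `8.4` is what ships. The `ext.expansions` closure continues outside the hunk.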
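Review bot: The added `'license'` expression labels the Iron Bank image `Elastic License 1.0` while every other base keeps `Elastic-License-2.0`, and nothing in the hunk explains why the Iron Bank build should advertise a different, older license than the archive it now copies in. If a manifest or label convention requires that exact string, a comment on the line should say so, for example `// Label text expected by the Iron Bank manifest (TODO confirm); the shipped archive's license is unchanged`; otherwise the value reads as a typo and mislabels the image. The map literal continues outside the hunk.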
@@ -205,20 +205,27 @@ void addBuildDockerContextTask(Architecture architecture, DockerBase base) {
String configDirectory = base == DockerBase.IRON_BANK ? 'scripts' : 'config'
String arch = architecture == Architecture.AARCH64 ? '-aarch64' : ''
- tasks.register(taskName('build', architecture, base, 'DockerContext'), Tar) {
- archiveExtension = 'tar.gz'
- compression = Compression.GZIP
- archiveClassifier = "docker-build-context${arch}"
- archiveBaseName = "elasticsearch${base.suffix}"
- with dockerBuildContext(architecture, base)
-
- into(configDirectory) {
- from(configurations.log4jConfig) {
- filter TransformLog4jConfigFilter
+ final TaskProvider buildDockerContextTask =
+ tasks.register(taskName('build', architecture, base, 'DockerContext'), Tar) {
+ archiveExtension = 'tar.gz'
+ compression = Compression.GZIP
+ archiveClassifier = "docker-build-context${arch}"
+ archiveBaseName = "elasticsearch${base.suffix}"
+ with dockerBuildContext(architecture, base)
+
+ into(configDirectory) {
+ from(configurations.log4jConfig) {
+ filter TransformLog4jConfigFilter
+ }
}
+
+ onlyIf { Architecture.current() == architecture }
}
- onlyIf { Architecture.current() == architecture }
+ if (base == DockerBase.IRON_BANK) {
+ tasks.named("assemble").configure {
+ dependsOn(buildDockerContextTask)
+ }
}
}
@@ -306,8 +313,10 @@ void addBuildDockerImageTask(Architecture architecture, DockerBase base) {
onlyIf { Architecture.current() == architecture }
}
- tasks.named("assemble").configure {
- dependsOn(buildDockerImageTask)
+ if (base != DockerBase.IRON_BANK) {
+ tasks.named("assemble").configure {
+ dependsOn(buildDockerImageTask)
+ }
}
}
diff --git a/distribution/docker/src/docker/Dockerfile b/distribution/docker/src/docker/Dockerfile
index 1ff270ff58638..03aca07e7f217 100644
--- a/distribution/docker/src/docker/Dockerfile
+++ b/distribution/docker/src/docker/Dockerfile
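Review bot: `final TaskProvider buildDockerContextTask` in the new registration drops the type argument, so the provider is used raw; `final TaskProvider<Tar> buildDockerContextTask =` matches what `tasks.register(..., Tar)` returns. The `assemble` wiring is also now split across two functions with mirrored conditions, `base == DockerBase.IRON_BANK` here and `base != DockerBase.IRON_BANK` in the `@@ -306` hunk of the same file, and neither site mentions the other, so editing one without the other silently leaves Iron Bank with no assemble dependency or with both wired. A one-line comment at each site, e.g. `// Iron Bank publishes the build context, not an image; addBuildDockerImageTask carries the mirrored condition`, would tie them together. `addBuildDockerContextTask` starts before the hunk.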
@@ -156,12 +156,17 @@ FROM ${base_image} AS builder
RUN mkdir /usr/share/elasticsearch
WORKDIR /usr/share/elasticsearch
-<% /*
- Fetch the appropriate Elasticsearch distribution for this architecture.
- Keep this command on one line - it is replaced with a `COPY` during local builds.
- It uses the `arch` command to fetch the correct distro for the build machine.
-*/ %>
+<% if (docker_base == "iron_bank") {
+ // Iron Bank always copies the local artifact
+%>
+COPY elasticsearch-${version}-linux-x86_64.tar.gz /opt/elasticsearch.tar.gz
+<% } else {
+ // Fetch the appropriate Elasticsearch distribution for this architecture.
+ // Keep this command on one line - it is replaced with a `COPY` during local builds.
+ // It uses the `arch` command to fetch the correct distro for the build machine.
+%>
RUN curl --retry 10 -S -L --output /opt/elasticsearch.tar.gz https://artifacts-no-kpi.elastic.co/downloads/elasticsearch/elasticsearch-${version}-linux-\$(arch).tar.gz
+<% } %>
RUN tar -zxf /opt/elasticsearch.tar.gz --strip-components=1
diff --git a/distribution/docker/src/docker/iron_bank/hardening_manifest.yaml b/distribution/docker/src/docker/iron_bank/hardening_manifest.yaml
index a48944aada7ee..63da9424a0c45 100644
--- a/distribution/docker/src/docker/iron_bank/hardening_manifest.yaml
+++ b/distribution/docker/src/docker/iron_bank/hardening_manifest.yaml
@@ -39,6 +39,9 @@ labels:
resources:
 - filename: "elasticsearch-${version}-linux-x86_64.tar.gz"
url: "/elasticsearch-${version}-linux-x86_64.tar.gz"
+ validation:
+ type: "sha512"
+ value: ""
 - filename: "tini"
url: "https://github.com/krallin/tini/releases/download/v0.19.0/tini-amd64"
validation:
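Review bot: The Iron Bank branch's `COPY elasticsearch-${version}-linux-x86_64.tar.gz /opt/elasticsearch.tar.gz` hardcodes the architecture, while the `else` branch resolves it with `$(arch)` and build.gradle renders this template once per `Architecture`; for an aarch64 context the `COPY` names a file that context may not contain, and the mismatch only surfaces at image build time rather than when the context is generated. If Iron Bank is x86_64-only by design, the template comment should say so, e.g. `// Iron Bank always copies the local artifact; Iron Bank images are x86_64 only, so the archive name is fixed`; otherwise the suffix should come from the same expansion that selects the archive. The builder stage continues outside the hunk.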
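Review bot: The added `validation` block for the Elasticsearch archive has `value: ""`, so as committed the artifact the image is built from carries no checksum while the `tini` resource directly below does; an empty sha512 either fails the manifest check or, if accepted, drops the integrity check on the main artifact. If the digest is meant to be filled in when the context is generated (not visible in this diff), expand it from a template variable the way `${version}` is, e.g. `value: "${archive_sha512}"` with a placeholder name of your choosing and a comment `# populated by the docker build context task`; otherwise the real digest belongs here. The `resources` list continues outside the hunk.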
@@ -47,7 +50,14 @@ resources:
# List of project maintainers
maintainers:
- - name: "Nassim Kammah"
- email: "nassim.kammah@elastic.co"
 - name: "Rory Hunter"
email: "rory.hunter@elastic.co"
+ username: "rory"
+ - email: "klepal_alexander@bah.com"
+ name: "Alexander Klepal"
+ username: "alexander.klepal"
+ cht_member: true
+ - email: "yalabe.dukuly@anchore.com"
+ name: "Yalabe Dukuly"
+ username: "yalabe.dukuly"
+ cht_member: true