New buildah task for RHTAP #729
Conversation
| name: varlibcontainers | ||
| workingDir: $(workspaces.source.path) | ||
|
|
||
| - name: upload-sbom |
There was a problem hiding this comment.
@lcarva, do you have thoughts on whether we should change the process for uploading SBOMs to the registry for customer utilization? Is cosign attach sbom still the best option?
There was a problem hiding this comment.
Funny thing is that cosign attach sbom actually uploads the sbom to the registry as a blob which is great. what we do need is to record the digest of the sbom so we can ensure it has not changed post-build. We had this at some point but had to revert because that was the tipping point for exceeding the size of the results in the buildah task.
In konflux, we can get around this because the sbom is always embedded in the image itself, so EC can just use that.
There was a problem hiding this comment.
We are removing the embedded SBOM for RHTAP in this PR, so we won't be able to rely on that in case we need to. 😬
(no changes for Konflux though)
There was a problem hiding this comment.
Oh... Can we introduce the SBOM_BLOB_URL for this task, then?
I'm happy to do so as a follow up PR.
There was a problem hiding this comment.
I found this is already a requirement for RHTAP (related comment). It is supposed to be renamed to LINK_TO_SBOM, but I believe it has the same purpose.
Although, I'm confused on how to implement this now. I entered the deprecate cosign attachment rabbit hole once I saw the deprecation message in the CLI, and the task currently still is dependent on attach.
There was a problem hiding this comment.
My suggestion is to keep using the cosign attach command as it is done today. It is deprecated, but right now we don't really have a better alternative. The main thing here is that that command uploads the SBOM to the registry as a "blob". So just record the sh256 digest of the SBOM and we should be able to find it in the registry, e.g. quay.io/foo/bar@sha256:abc...
I can help you with this. Feel free to ping me.
There was a problem hiding this comment.
So, @lcarva, I took the same approach to generate the digest as in the PR you linked. Thing is, taking the sha256sum sbom-cyclonedx.json will give me the digest of the layer, not of the SBOM image that is pushed to the registry.
You can see the test I did in https://quay.io/repository/bpimente/test-images:
- the SBOM image digest is
ed244f35bd7959a1149836997cd568361dbae6e496ffa560821e0d29c46c94fc - the only layer existing has a digest of
57a8c881a24e554cecd66dce96645b55b331138c9613586c3507482b09f0e3c4
I can compute the latter if I
cosign download sbom quay.io/bpimente/test-images:test-rhtap > sbom.json
sha256sum sbom.json
Maybe I'm doing something wrong?
There was a problem hiding this comment.
I'll move this to a separate PR so we can wrap up the work on this one here.
There was a problem hiding this comment.
Bruno and I chatted offline, summarizing it here for posterity/transparency.
We want to record the digest of the layer (which should match the digest of the SBOM file). This is what EC will fetch. An SBOM image could, in theory, contain multiple SBOMs. Adding an SBOM changes the image digest, but not the digest of the other SBOMs (as layers).
brunoapimentel
force-pushed
the
buildah-dance
branch
from
3705b80 to
bb8079c
Compare
There was a problem hiding this comment.
Oh no, taking a good look at our buildah task did not end well. Congratulations @brunoapimentel, you get a review for the whole task 😁
Some of the comments are definitely not blockers, we can probably just file new stories or say it's acceptable
brunoapimentel
force-pushed
the
buildah-dance
branch
from
bb8079c to
c39cef1
Compare
|
Newer pushes are addressing some of the comments, but there are still quite a few comments to address. The idea of using the default buildah task from the catalog proved not very promising, at least not for the current phase. I think the way the catalog handles tasks is very different from what we currently do, which makes the current approach of cleaning the current buildah task still easier. The catalog keeps a separate repository for scripts and templates, and generates the actual tasks with the scripts files added as base64 encoded strings. My initial idea was to simply add the decoded scripts to our task, but it proved to be very verbose in the end, not to mention we lose the ability to reuse functions among different steps, since the script files can be imported whenever needed. |
brunoapimentel
force-pushed
the
buildah-dance
branch
5 times, most recently
from
b62bc4b to
86c8513
Compare
| name: build | ||
| script: | | ||
| # Check if the Dockerfile exists | ||
| SOURCE_CODE_DIR=source |
There was a problem hiding this comment.
[follow-up] We will probably want to remove this, I don't expect that the RHTAP clone task would still clone the source to the source subdirectory of the workspace.
IIRC we want to use the official git task, which makes the subdirectory configurable https://github.com/openshift-pipelines/tektoncd-catalog/tree/p/tasks/task-git/0.2.0#git-tekton-task (but clones to the root of the workspace by default)
There was a problem hiding this comment.
I will add this to the list of follow up stories.
|
|
||
| for component in source_sbom.get("components", []): | ||
| if "purl" in component: | ||
| if component["purl"] not in existing_purls: |
There was a problem hiding this comment.
I think component["purl"] is a string, while existing_purls is a list[dict] (so this condition is never true)
There was a problem hiding this comment.
You're absolutely right, I stopped halfway through that filter thing. It should be right now (this part at least... deduplication will need major rework)
brunoapimentel
force-pushed
the
buildah-dance
branch
2 times, most recently
from
b23b2ac to
9d6f2d3
Compare
The new buildah task that will be used in RHTAP will be closely derived from the current buildah task used in Konflux. This commit simply copies the current code, so it is easier to follow the diff in the following commits. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
The removed parts were: - References to the JVM build service - References to Cachi2 prefetched content - Mechanism to make build hermetic - Generation of PURL SBOM - Copying of the SBOM into the built container image - Setting quay.io expiration date - Setting labels to the build image - Fetching a Dockerfile/.dockerignore from a remote location - Setting compute resources - Unused task params - Adding annotations to the built image - Enabling short name resolution Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
The image present in Red Hat's catalog is properly productized and should be preferred instead of the current quay.io image. We also don't want to allow the user to set any arbitrary builder image to be used in this task. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
To avoid the need of root access, the SBOMs needed to be written in a separate volume instead of the "source" workspace. This also brings the benefit of not littering the cloned source code with files. The creation of "/workspace/container_name" was also removed since it was unused. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
The built image was being mounted as a directory, which makes Syft use a different set of catalogers than it would use in case it was scanning an image. This patch instead saves the image content as an oci-dir, which uses the same sets of catalogers than scanning an image from a registry or from a container daemon. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
Newer versions of Syft will default to the latest supported CycloneDX version, which can potentially bring breaking changes. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
Since we don't want to make the digest available to any other tasks through the workspace (it is emitted as a task result), this patch changes the behavior so it is only saved in a temporary volume. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
The combination of name+version is not a good enough to guarantee uniqueness, since there could be cases that components from different ecosystems (e.g. npm, rpm, golang) share the same name+version. The purl, on the other hand, takes in consideration not only name and version, but also the ecosystem, and potentially other things. There are cases in which the purl is absent, though, namely for components of type operating-system. Since they are only reported once in when scanning the image (not the source code), this case alone won't result in duplication. We still adding all components that lack a purl (at the risk of duplication) to avoid errors in scenarios we aren't aware of right now. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
The new buildah-rhtap task should replace the current existing buildah task, as that one has Konflux-specific features. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
brunoapimentel
force-pushed
the
buildah-dance
branch
from
9d6f2d3 to
1437d89
Compare
|
|
The newer push is just rebasing the branch. We still need to create the repository for the new task's image, since the CI is failing because of it. |
|
/retest |
|
@arewm it looks like your change request is blocking the merge button |
| - name: upload-sbom | ||
| image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 |
There was a problem hiding this comment.
I think we should be able to modify this to the RHTAS images
There was a problem hiding this comment.
Do you have a link for them?
There was a problem hiding this comment.
This PR proposes a new simplified and improved buildah task to be used for the new RHTAP docker build pipeline.
Compared to the current Konflux buildah task, this task: