feat(sbom): add a directive to generate SBOM for a layer #420
Conversation
rchincha
force-pushed
the
sbom
branch
24 times, most recently
from
7da4f20 to
f03e0b2
Compare
rchincha
force-pushed
the
sbom
branch
4 times, most recently
from
26ed290 to
80e499c
Compare
rchincha
force-pushed
the
sbom
branch
2 times, most recently
from
337145c to
d0cca1a
Compare
|
2023-08-14T17:31:17.2117593Z # bind mounting /home/runner/work/stacker/stacker/stackertest-test_can_read_previous_version-27s_cache.WKvnV5/.stacker/imports/test into container Since we have a breaking change in this PR |
rchincha
force-pushed
the
sbom
branch
2 times, most recently
from
203801c to
cd0f492
Compare
cmd/stacker/internal_go.go
Outdated
| return errors.Errorf("wrong number of args") | ||
| } | ||
|
|
||
| // merge |
There was a problem hiding this comment.
this is a strange comment here. I guess maybe it would make sense down a couple lines. Just reading it I thought "wait, this is Verify, not merge".
Makefile
Outdated
| @@ -45,7 +45,6 @@ stacker-dynamic: $(STACKER_DEPS) cmd/stacker/lxc-wrapper/lxc-wrapper | |||
| cmd/stacker/lxc-wrapper/lxc-wrapper: cmd/stacker/lxc-wrapper/lxc-wrapper.c | |||
| make -C cmd/stacker/lxc-wrapper LDFLAGS=-static LDLIBS="$(shell pkg-config --static --libs lxc) -lpthread -ldl" lxc-wrapper | |||
|
|
|||
|
|
|||
cmd/stacker/internal_go.go
Outdated
| return nil | ||
| } | ||
|
|
||
| // pkgname, license, paths... |
There was a problem hiding this comment.
improve or remove this comment. It doesn't line up with the Args().Get calls below.
cmd/stacker/internal_go.go
Outdated
| // check against inventory | ||
| if err := fs.GenerateInventory("/", | ||
| []string{"/proc", "/sys", "/dev", "/etc/resolv.conf", | ||
| "/stacker", "/stacker/artifacts", "/stacker-bom", "/static-stacker"}, |
There was a problem hiding this comment.
i think you can drop /stacker-bom now ? and /stactic-stacker ?
this should just have '/stacker/' right?
| } | ||
|
|
||
| // publishArtifact to a registry/repo for this subject | ||
| func (p *Publisher) publishArtifact(path, mtype, registry, repo, subject string, skipTLS bool) error { |
There was a problem hiding this comment.
Are there 'containers/image' library calls that you could use?
| @@ -476,7 +476,7 @@ func (b *Builder) build(s types.Storage, file string) error { | |||
| } | |||
|
|
|||
| // These should all be non-interactive; let's ensure that. | |||
| err = c.Execute("/stacker/.stacker-run.sh", nil) | |||
| err = c.Execute("/stacker/imports/.stacker-run.sh", nil) | |||
There was a problem hiding this comment.
this feels weird in /stacker/imports, but it seems unlikely to stomp on user content. so unless you think of something that fits better, this seems fine.
There was a problem hiding this comment.
Maybe we can put this under /stacker/tools/.stacker-run.sh
There was a problem hiding this comment.
Actually, this is under "automatic" binding of /stacker/imports, let's not change that.
| /etc/sysconfig/sshd-permitrootlogin /root/anaconda-* /root/original-* /run/nologin \ | ||
| /var/lib/rpm/.rpm.lock /etc/.pwd.lock /etc/BUILDTIME | ||
| annotations: | ||
| org.opencontainers.image.authors: bom-test |
There was a problem hiding this comment.
I'm curious if whitespace correctly goes through into the internal command.
Does it work if your 'authors' are "George Williams, Mary Andrews".
Same for 'vendor' being "ACME Widgets & Trinkets Inc".
There was a problem hiding this comment.
Let's amend test and try.
There was a problem hiding this comment.
test_bom_tool_should_work_inside_run.wZP2W7/oci --roots-dir /home/runner/work/stacker/stacker/stackertest-test_bom_tool_should_work_inside_run.wZP2W7/roots --stacker-dir /home/runner/work/stacker/stacker/stackertest-test_bom_tool_should_work_inside_run.wZP2W7/.stacker --storage-type overlay --internal-userns --debug internal-go bom-build /stacker/artifacts George Williams, Mary Andrews ACME Widgets & Trinkets Inc. MIT pkg1 1.0.0 /pkg1]
breaks!
| return errors.Wrapf(err, "couldn't find executable for bind mount") | ||
| } | ||
|
|
||
| err = c.BindMount(binary, "/stacker/tools/static-stacker", "") |
There was a problem hiding this comment.
Is there a reason to call this 'static-stacker' rather than just 'stacker' ?
There was a problem hiding this comment.
Just keeping with existing convention and also run-on /stacker/tools/stacker?
pkg/stacker/bom.go
Outdated
| return err | ||
| } | ||
|
|
||
| cmd := fmt.Sprintf("/static-stacker --oci-dir %s --roots-dir %s --stacker-dir %s --storage-type %s --internal-userns", |
There was a problem hiding this comment.
Is it possible to change this '/static-stacker' into /stacker/tools/ for consistency?
rchincha
force-pushed
the
sbom
branch
6 times, most recently
from
762cfb4 to
63b13f0
Compare
| return errors.Wrapf(err, "couldn't find executable for bind mount") | ||
| } | ||
|
|
||
| err = c.BindMount(binary, "/stacker/tools/static-stacker", "") |
test/bom.bats
Outdated
| paths: [/pkg2] | ||
| run: | | ||
| # discover installed pkgs | ||
| /stacker/tools/static-stacker --internal-userns internal-go bom-discover |
There was a problem hiding this comment.
The mechanism that you had before for executing stacker-bom was much cleaner. we should not expect a user to use '--internal-userns internal-go' flags (we should never document 'internal-go' flags).
We want the documented command that the user runs to be one of:
- stacker bom-discover
- stacker-bom discover
- stacker bom discover
I think i prefer 3, and making 'stacker bom discover' just work wherever it was run.
I think the right way to fix that is to add the bom commands to main (not internal-go), and then make shouldSkipInternalUserns (cmd/stacker/main.go) return false for 'bom' commands. stacker bom subcommand never needs to enter a internal user namespace. It just inspects directory trees and writes content somewhere.
| }, | ||
| &cli.Command{ | ||
| Name: "bom-verify", | ||
| Action: doBomVerify, |
There was a problem hiding this comment.
We don't have any convention in stacker here yet as to whether we want:
sub-subcommands (stacker bom build) or hyphenated commands (stacker bom-build).
because we're going to expose that and even document it to the user as the way to generate bom information, we should at least think on it.
rchincha
force-pushed
the
sbom
branch
4 times, most recently
from
fc9b711 to
c9f0ef0
Compare
pkg/stacker/bom.go
Outdated
| org := l.Annotations[types.OrgAnnotation] | ||
| license := l.Annotations[types.LicenseAnnotation] | ||
| dest := "/stacker/artifacts" | ||
| cmd := append(stackerInternal, "bom-build", dest, author, org, license, pkg.Name, pkg.Version) |
There was a problem hiding this comment.
it seems wrong to me that we pass the pkg.Name, pkg.Version (which are in the 'Package' type), but do not pass the pkg.License. Rather, we pass the 'license' that came from the globally scoped 'license' from the LicenseAnnotation.
The Package explicitly had a license and we took the one from the larger scope.
should the Package type have a Author and Org on it and then you use the higher-scoped annotations if they are not present?
I guess i would not have expected the 'author', 'org' at the global level to apply all of the Packages.
There was a problem hiding this comment.
A bit tricky - yes we should have license for each pkg entry. However, the global license is what license the container image itself is being posted under.
rchincha
force-pushed
the
sbom
branch
3 times, most recently
from
5737a56 to
f526245
Compare
A new bind-mount /stacker-artifacts is added to a container into which all artifacts including sbom can be added. Once the container image is built, then in the publish phase we push sbom along with the image as a OCI dist-spec "reference". Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
BREAKING CHANGE: Some paths per earlier stacker conventions are now changed as follows. /stacker/imports : ro mount for imports /stacker/artifacts : rw mount to store output of next step /stacker/tools : /proc/self mounted as /stacker/tools/bom /stacker/oci-labels : where OCI label generation logic now resides NOTE: Making this a separate commit if we want to revert Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
What type of PR is this?
Which issue does this PR fix:
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs showing the issue:
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades?
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.