From 10b583a516c3ba372320f4072386b2f0359cd2fb Mon Sep 17 00:00:00 2001
From: "Mitch Harding (the weird one)"
Date: Thu, 22 Feb 2024 16:51:08 -0500
Subject: [PATCH] CASMCMS-8918: Get SLES packages from artifactory instead of slemaster

---
 CHANGELOG.md | 1 +
 Dockerfile | 66 +++++++-------------------
 zypper-docker-build.sh | 100 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 117 insertions(+), 50 deletions(-)
 create mode 100755 zypper-docker-build.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b64225..7616a3c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Disabled concurrent Jenkins builds on same branch/commit
 - Added build timeout to avoid hung builds
+- CASMCMS-8918: Get SLES packages from `artifactory` instead of `slemaster` to avoid build problems
 
 ### Removed
 - Removed defunct files leftover from previous versioning system
diff --git a/Dockerfile b/Dockerfile
index 1ee6c4e..469ab03 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2020-2022 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2020-2022, 2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -26,44 +26,16 @@
 # Build will be where we build the go binary
 FROM artifactory.algol60.net/csm-docker/stable/registry.suse.com/suse/sle15:15.4 as build
 
-# The current sles15sp4 base image starts with a lock on coreutils, but this prevents a necessary
-# security patch from being applied. Thus, adding this command to remove the lock if it is
-# present.
-RUN zypper --non-interactive removelock coreutils || true
-
-ARG SLES_MIRROR=https://slemaster.us.cray.com/SUSE
+ARG SP=4
 ARG ARCH=x86_64
 
-RUN set -eux \
- && zypper --non-interactive rr --all \
- && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Basesystem/15-SP4/${ARCH}/product/ sles15sp4-Module-Basesystem-product \
- && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Basesystem/15-SP4/${ARCH}/update/ sles15sp4-Module-Basesystem-update \
- && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Development-Tools/15-SP4/${ARCH}/product/ sles15sp4-Module-Development-Tools-product \
- && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Development-Tools/15-SP4/${ARCH}/update/ sles15sp4-Module-Development-Tools-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Containers/15-SP4/${ARCH}/product/ sles15sp4-Module-Containers-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Containers/15-SP4/${ARCH}/update/ sles15sp4-Module-Containers-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Desktop-Applications/15-SP4/${ARCH}/product/ sles15sp4-Module-Desktop-Applications-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Desktop-Applications/15-SP4/${ARCH}/update/ sles15sp4-Module-Desktop-Applications-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-HPC/15-SP4/${ARCH}/product/ sles15sp4-Module-HPC-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-HPC/15-SP4/${ARCH}/update/ sles15sp4-Module-HPC-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Legacy/15-SP4/${ARCH}/product/ sles15sp4-Module-Legacy-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Legacy/15-SP4/${ARCH}/update/ sles15sp4-Module-Legacy-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Public-Cloud/15-SP4/${ARCH}/product/ sles15sp4-Module-Public-Cloud-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Public-Cloud/15-SP4/${ARCH}/update/ sles15sp4-Module-Public-Cloud-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Python2/15-SP4/${ARCH}/product/ sles15sp4-Module-Python2-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Python2/15-SP4/${ARCH}/update/ sles15sp4-Module-Python2-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Server-Applications/15-SP4/${ARCH}/product/ sles15sp4-Module-Server-Applications-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Server-Applications/15-SP4/${ARCH}/update/ sles15sp4-Module-Server-Applications-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Web-Scripting/15-SP4/${ARCH}/product/ sles15sp4-Module-Web-Scripting-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Web-Scripting/15-SP4/${ARCH}/update/ sles15sp4-Module-Web-Scripting-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Product-SLES/15-SP4/${ARCH}/product/ sles15sp4-Product-SLES-product \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Product-SLES/15-SP4/${ARCH}/update/ sles15sp4-Product-SLES-update \
-# && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-INSTALLER/15-SP4/${ARCH}/update/ sles15sp4-SLE-INSTALLER-update \
- && zypper --non-interactive clean \
- && zypper --non-interactive install go1.19
-# Apply security patches
+# Do zypper operations using a wrapper script, to isolate the necessary artifactory authentication
+COPY zypper-docker-build.sh /
+# The above script calls the following script, so we need to copy it as well
 COPY zypper-refresh-patch-clean.sh /
-RUN /zypper-refresh-patch-clean.sh && rm /zypper-refresh-patch-clean.sh
+RUN --mount=type=secret,id=ARTIFACTORY_READONLY_USER --mount=type=secret,id=ARTIFACTORY_READONLY_TOKEN \
+ ./zypper-docker-build.sh go1.19 && \
+ rm /zypper-docker-build.sh /zypper-refresh-patch-clean.sh
 
 # Configure go env - installed as package but not quite configured
 ENV GOPATH=/usr/local/golib
@@ -96,22 +68,16 @@ RUN set -ex \
 # Start with a fresh image so build tools are not included
 FROM arti.hpc.amslabs.hpecorp.net/baseos-docker-master-local/sles15sp4:sles15sp4 as base
 
-# The current sles15sp4 base image starts with a lock on coreutils, but this prevents a necessary
-# security patch from being applied. Thus, adding this command to remove the lock if it is
-# present.
-RUN zypper --non-interactive removelock coreutils || true
-
-# Install conman application from package
-RUN set -eux \
- && zypper --non-interactive install conman less vi openssh jq curl tar
-
-# NOTE: polkit is not needed but is included with one of the above packages.
-# It has frequent security issues so just remove it here.
-RUN zypper --non-interactive rm polkit
+ARG SP=4
+ARG ARCH=x86_64
 
-# Apply security patches
+# Do zypper operations using a wrapper script, to isolate the necessary artifactory authentication
+COPY zypper-docker-build.sh /
+# The above script calls the following script, so we need to copy it as well
 COPY zypper-refresh-patch-clean.sh /
-RUN /zypper-refresh-patch-clean.sh && rm /zypper-refresh-patch-clean.sh
+RUN --mount=type=secret,id=ARTIFACTORY_READONLY_USER --mount=type=secret,id=ARTIFACTORY_READONLY_TOKEN \
+ ./zypper-docker-build.sh conman less vi openssh jq curl tar --remove polkit && \
+ rm /zypper-docker-build.sh /zypper-refresh-patch-clean.sh
 
 # Copy in the needed files
 COPY --from=build /app/console_node /app/
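Review bot: Both new RUN instructions (the build stage here and the base stage in the following hunk) invoke `./zypper-docker-build.sh` relative to the working directory while the COPY places the file at `/` and the cleanup removes `/zypper-docker-build.sh` by absolute path; that only works when the working directory is `/` at that point, which neither hunk shows. Invoking it as `/zypper-docker-build.sh go1.19 && \` (and `/zypper-docker-build.sh conman less vi openssh jq curl tar --remove polkit && \` in the base stage) removes the dependence on WORKDIR. The script itself still calls `./zypper-refresh-patch-clean.sh` relative to its cwd, so if a WORKDIR is set earlier in either stage that call would need the same treatment. The `SP` and `ARCH` ARGs are not passed on the command line but are consumed by the script through the environment; a comment such as `# SP and ARCH are read by zypper-docker-build.sh` above each ARG pair would make that coupling explicit.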
diff --git a/zypper-docker-build.sh b/zypper-docker-build.sh
new file mode 100755
index 0000000..f16725d
--- /dev/null
+++ b/zypper-docker-build.sh
@@ -0,0 +1,100 @@
+#!/bin/bash
+#
+# MIT License
+#
+# (C) Copyright 2024 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+
+# This script is called during the Docker image build.
+# It isolates the zypper operations, some of which require artifactory authentication,
+# and scrubs the zypper environment after the necessary operations are completed.
+
+# Preconditions:
+# 1. Following variables have been set in the Dockerfile: SP ARCH
+# 2. zypper-refresh-patch-clean.sh script has also been copied into the current directory
+
+# Usage:
+# zypper-docker-build.sh [ ...] [--remove ...]
+# Adds the repos, installs the specified packages, removes the specified packages, applies security patches
+
+# Based on the script of the same name in the csm-config repo
+
+set -e +xv
+trap "rm -rf /root/.zypp" EXIT
+
+INSTALL_LIST=()
+REMOVE_LIST=()
+while [[ $# -gt 0 ]]; do
+ if [[ $1 == "--remove" ]]; then
+ shift
+ REMOVE_LIST=( "$@" )
+ break
+ fi
+ INSTALL_LIST+=( "$1" )
+ shift
+done
+
+# Get artifactory credentials and use them to set the csm-rpms stable sles15sp$SP repository URI
+ARTIFACTORY_USERNAME=$(test -f /run/secrets/ARTIFACTORY_READONLY_USER && cat /run/secrets/ARTIFACTORY_READONLY_USER)
+ARTIFACTORY_PASSWORD=$(test -f /run/secrets/ARTIFACTORY_READONLY_TOKEN && cat /run/secrets/ARTIFACTORY_READONLY_TOKEN)
+CREDS=${ARTIFACTORY_USERNAME:-}
+# Append ":" to credentials variable, if a password is set
+[[ -z ${ARTIFACTORY_PASSWORD} ]] || CREDS="${CREDS}:${ARTIFACTORY_PASSWORD}"
+SLES_MIRROR_URL="https://${CREDS}@artifactory.algol60.net/artifactory/sles-mirror"
+SLES_PRODUCTS_URL="${SLES_MIRROR_URL}/Products"
+SLES_UPDATES_URL="${SLES_MIRROR_URL}/Updates"
+
+function add_zypper_repos {
+ local label
+ label=$1
+ zypper --non-interactive ar "${SLES_PRODUCTS_URL}/SLE-${label}/15-SP${SP}/${ARCH}/product/?auth=basic" "sles15sp${SP}-${label}-product"
+ zypper --non-interactive ar "${SLES_UPDATES_URL}/SLE-${label}/15-SP${SP}/${ARCH}/update/?auth=basic" "sles15sp${SP}-${label}-update"
+}
+
+if [[ ${SP} -eq 4 ]]; then
+ # The current sles15sp4 base image starts with a lock on coreutils, but this prevents a necessary
+ # security patch from being applied. Thus, adding this command to remove the lock if it is
+ # present.
+ zypper --non-interactive removelock coreutils || true
+fi
+
+zypper --non-interactive rr --all
+zypper --non-interactive clean -a
+for MODULE in Basesystem Certifications Containers Desktop-Applications Development-Tools HPC Legacy Packagehub-Subpackages \
+ Public-Cloud Python3 Server-Applications Web-Scripting
+do
+ add_zypper_repos "Module-${MODULE}"
+done
+for PRODUCT in HA HPC SLED SLES SLES_SAP WE; do
+ add_zypper_repos "Product-${PRODUCT}"
+done
+zypper --non-interactive --gpg-auto-import-keys refresh
+if [[ ${#INSTALL_LIST[@]} -gt 0 ]]; then
+ zypper --non-interactive in -f --no-confirm "${INSTALL_LIST[@]}"
+fi
+if [[ ${#REMOVE_LIST[@]} -gt 0 ]]; then
+ zypper --non-interactive rm --no-confirm "${REMOVE_LIST[@]}"
+fi
+# Apply security patches (this script also does a zypper clean)
+./zypper-refresh-patch-clean.sh
+# Remove all repos & scrub the zypper directory
+zypper --non-interactive rr --all
+rm -f /etc/zypp/repos.d/*
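Review bot: If either secret file is not mounted, the `ARTIFACTORY_USERNAME=$(test -f … && cat …)` assignment returns non-zero and, under `set -e`, the script stops at that line with no diagnostic, so the `${ARTIFACTORY_USERNAME:-}` default and the "if a password is set" branch below it appear unreachable in practice. An explicit assertion after the two reads, `: "${ARTIFACTORY_USERNAME:?ARTIFACTORY_READONLY_USER secret is not mounted}"`, together with `|| true` inside the two substitutions so the reads tolerate a missing file, would give the build a clear failure message (or, if anonymous access is intended, make that default reachable on purpose). The username and token are spliced verbatim into `SLES_MIRROR_URL`, so a value containing `@`, `:` or `/` would be mis-parsed; a comment stating that assumption, or percent-encoding the values, belongs next to that line. `--gpg-auto-import-keys` on the refresh accepts package-signing keys as served by the mirror, a trust decision worth a one-line comment such as `# signing keys are accepted from the authenticated mirror`. The final `zypper --non-interactive rr --all` and `rm -f /etc/zypp/repos.d/*` run only on success; moving them into the EXIT trap next to `/root/.zypp` makes the credential scrub hold on every exit path, although a failed RUN does not commit a layer so the exposure is limited.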