CASMCMS-8918: Get SLES packages from artifactory instead of slemaster

Cray-HPE · Feb 22, 2024 · e193277 · e193277
1 parent 3e01989
commit e193277
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 50 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Disabled concurrent Jenkins builds on same branch/commit
 - Added build timeout to avoid hung builds
+- CASMCMS-8918: Get SLES packages from `artifactory` instead of `slemaster` to avoid build problems
 
 ### Removed
 - Removed defunct files leftover from previous versioning system

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2020-2022 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2020-2022, 2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -26,44 +26,16 @@
 # Build will be where we build the go binary
 FROM artifactory.algol60.net/csm-docker/stable/registry.suse.com/suse/sle15:15.4 as build
 
-# The current sles15sp4 base image starts with a lock on coreutils, but this prevents a necessary
-# security patch from being applied. Thus, adding this command to remove the lock if it is
-# present.
-RUN zypper --non-interactive removelock coreutils || true
-
-ARG SLES_MIRROR=https://slemaster.us.cray.com/SUSE
+ARG SP=4
 ARG ARCH=x86_64
-RUN set -eux \
-  && zypper --non-interactive rr --all \
-  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Basesystem/15-SP4/${ARCH}/product/ sles15sp4-Module-Basesystem-product \
-  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Basesystem/15-SP4/${ARCH}/update/ sles15sp4-Module-Basesystem-update \
-  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Development-Tools/15-SP4/${ARCH}/product/ sles15sp4-Module-Development-Tools-product \
-  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Development-Tools/15-SP4/${ARCH}/update/ sles15sp4-Module-Development-Tools-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Containers/15-SP4/${ARCH}/product/ sles15sp4-Module-Containers-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Containers/15-SP4/${ARCH}/update/ sles15sp4-Module-Containers-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Desktop-Applications/15-SP4/${ARCH}/product/ sles15sp4-Module-Desktop-Applications-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Desktop-Applications/15-SP4/${ARCH}/update/ sles15sp4-Module-Desktop-Applications-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-HPC/15-SP4/${ARCH}/product/ sles15sp4-Module-HPC-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-HPC/15-SP4/${ARCH}/update/ sles15sp4-Module-HPC-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Legacy/15-SP4/${ARCH}/product/ sles15sp4-Module-Legacy-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Legacy/15-SP4/${ARCH}/update/ sles15sp4-Module-Legacy-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Public-Cloud/15-SP4/${ARCH}/product/ sles15sp4-Module-Public-Cloud-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Public-Cloud/15-SP4/${ARCH}/update/ sles15sp4-Module-Public-Cloud-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Python2/15-SP4/${ARCH}/product/ sles15sp4-Module-Python2-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Python2/15-SP4/${ARCH}/update/ sles15sp4-Module-Python2-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Server-Applications/15-SP4/${ARCH}/product/ sles15sp4-Module-Server-Applications-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Server-Applications/15-SP4/${ARCH}/update/ sles15sp4-Module-Server-Applications-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Module-Web-Scripting/15-SP4/${ARCH}/product/ sles15sp4-Module-Web-Scripting-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Module-Web-Scripting/15-SP4/${ARCH}/update/ sles15sp4-Module-Web-Scripting-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Products/SLE-Product-SLES/15-SP4/${ARCH}/product/ sles15sp4-Product-SLES-product \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-Product-SLES/15-SP4/${ARCH}/update/ sles15sp4-Product-SLES-update \
-#  && zypper --non-interactive ar ${SLES_MIRROR}/Updates/SLE-INSTALLER/15-SP4/${ARCH}/update/ sles15sp4-SLE-INSTALLER-update \
-  && zypper --non-interactive clean \
-  && zypper --non-interactive install go1.19
 
-# Apply security patches
+# Do zypper operations using a wrapper script, to isolate the necessary artifactory authentication
+COPY zypper-docker-build.sh /
+# The above script calls the following script, so we need to copy it as well
 COPY zypper-refresh-patch-clean.sh /
-RUN /zypper-refresh-patch-clean.sh && rm /zypper-refresh-patch-clean.sh
+RUN --mount=type=secret,id=ARTIFACTORY_READONLY_USER --mount=type=secret,id=ARTIFACTORY_READONLY_TOKEN \
+    ./zypper-docker-build.sh go1.19 && \
+    rm /zypper-docker-build.sh /zypper-refresh-patch-clean.sh
 
 # Configure go env - installed as package but not quite configured
 ENV GOPATH=/usr/local/golib
@@ -96,22 +68,16 @@ RUN set -ex \
 # Start with a fresh image so build tools are not included
 FROM arti.hpc.amslabs.hpecorp.net/baseos-docker-master-local/sles15sp4:sles15sp4 as base
 
-# The current sles15sp4 base image starts with a lock on coreutils, but this prevents a necessary
-# security patch from being applied. Thus, adding this command to remove the lock if it is
-# present.
-RUN zypper --non-interactive removelock coreutils || true
-
-# Install conman application from package
-RUN set -eux \
-    && zypper --non-interactive install conman less vi openssh jq curl tar
-
-# NOTE: polkit is not needed but is included with one of the above packages.
-#  It has frequent security issues so just remove it here.
-RUN zypper --non-interactive rm polkit
+ARG SP=4
+ARG ARCH=x86_64
 
-# Apply security patches
+# Do zypper operations using a wrapper script, to isolate the necessary artifactory authentication
+COPY zypper-docker-build.sh /
+# The above script calls the following script, so we need to copy it as well
 COPY zypper-refresh-patch-clean.sh /
-RUN /zypper-refresh-patch-clean.sh && rm /zypper-refresh-patch-clean.sh
+RUN --mount=type=secret,id=ARTIFACTORY_READONLY_USER --mount=type=secret,id=ARTIFACTORY_READONLY_TOKEN \
+    ./zypper-docker-build.sh conman less vi openssh jq curl tar --remove polkit && \
+    rm /zypper-docker-build.sh /zypper-refresh-patch-clean.sh
 
 # Copy in the needed files
 COPY --from=build /app/console_node /app/

diff --git a/zypper-docker-build.sh b/zypper-docker-build.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+#
+# MIT License
+#
+# (C) Copyright 2024 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+
+# This script is called during the Docker image build.
+# It isolates the zypper operations, some of which require artifactory authentication,
+# and scrubs the zypper environment after the necessary operations are completed.
+
+# Preconditions:
+# 1. Following variables have been set in the Dockerfile: SP ARCH
+# 2. zypper-refresh-patch-clean.sh script has also been copied into the current directory
+
+# Usage:
+# zypper-docker-build.sh [<package1> <package2> ...] [--remove <packagea> <package b> ...]
+# Adds the repos, installs the specified packages, removes the specified packages, applies security patches
+
+# Based on the script of the same name in the csm-config repo
+
+set -e +xv
+trap "rm -rf /root/.zypp" EXIT
+
+INSTALL_LIST=()
+REMOVE_LIST=()
+while [[ $# -gt 0 ]]; do
+    if [[ $1 == "--remove" ]]; then
+        shift
+        REMOVE_LIST=( "$@" )
+        break
+    fi
+    INSTALL_LIST+=( "$1" )
+    shift
+done
+
+# Get artifactory credentials and use them to set the csm-rpms stable sles15sp$SP repository URI
+ARTIFACTORY_USERNAME=$(test -f /run/secrets/ARTIFACTORY_READONLY_USER && cat /run/secrets/ARTIFACTORY_READONLY_USER)
+ARTIFACTORY_PASSWORD=$(test -f /run/secrets/ARTIFACTORY_READONLY_TOKEN && cat /run/secrets/ARTIFACTORY_READONLY_TOKEN)
+CREDS=${ARTIFACTORY_USERNAME:-}
+# Append ":<password>" to credentials variable, if a password is set
+[[ -z ${ARTIFACTORY_PASSWORD} ]] || CREDS="${CREDS}:${ARTIFACTORY_PASSWORD}"
+SLES_MIRROR_URL="https://${CREDS}@artifactory.algol60.net/artifactory/sles-mirror"
+SLES_PRODUCTS_URL="${SLES_MIRROR_URL}/Products"
+SLES_UPDATES_URL="${SLES_MIRROR_URL}/Updates"
+
+function add_zypper_repos {
+    local label
+    label=$1
+    zypper --non-interactive ar "${SLES_PRODUCTS_URL}/SLE-${label}/15-SP${SP}/${ARCH}/product/?auth=basic" "sles15sp${SP}-${label}-product"
+    zypper --non-interactive ar "${SLES_UPDATES_URL}/SLE-${label}/15-SP${SP}/${ARCH}/update/?auth=basic" "sles15sp${SP}-${label}-update"
+}
+
+if [[ ${SP} -eq 4 ]]; then
+    # The current sles15sp4 base image starts with a lock on coreutils, but this prevents a necessary
+    # security patch from being applied. Thus, adding this command to remove the lock if it is
+    # present.
+    zypper --non-interactive removelock coreutils || true
+fi
+
+MODULE_REPOS=""
+PRODUCT_REPOS=""
+
+zypper --non-interactive rr --all
+zypper --non-interactive clean -a
+for MODULE in Basesystem Certifications Containers Desktop-Applications Development-Tools HPC Legacy Packagehub-Subpackages \
+              Public-Cloud Python3 Server-Applications Transactional-Server Web-Scripting
+do
+    add_zypper_repos "Module-${MODULE}"
+done
+for PRODUCT in HA HPC SLED SLES SLES_SAP WE; do
+    add_zypper_repos "Product-${PRODUCT}"
+done
+zypper --non-interactive --gpg-auto-import-keys refresh
+if [[ ${#INSTALL_LIST[@]} -gt 0 ]]; then
+    zypper --non-interactive in -f --no-confirm "${INSTALL_LIST[@]}"
+fi
+if [[ ${#REMOVE_LIST[@]} -gt 0 ]]; then
+    zypper --non-interactive rm -f --no-confirm "${REMOVE_LIST[@]}"
+fi
+zypper --non-interactive in -f --no-confirm go1.19
+# Apply security patches (this script also does a zypper clean)
+./zypper-refresh-patch-clean.sh
+# Remove all repos & scrub the zypper directory
+zypper --non-interactive rr --all
+rm -f /etc/zypp/repos.d/*