Add Docker attestation and provenance #445

Merged: 3 commits from feature/docker-scout-fixes into Deep-MI:dev on Feb 23, 2024

Conversation

dkuegler (Member):

Dockerfile

  • change user to nonroot
  • add the BUILDKIT_SBOM_SCAN_CONTEXT buildarg for proper SBOM creation

Docker/build.py

  • add provenance
  • add sbom attestation
  • some formatting

This is so the FastSurfer docker image satisfies docker scout criteria.

At this point, it might be necessary to check whether the user inside the docker container is manually entered, or otherwise weird things happen (similar to our --allow-root flag).
I will look into that.

@m-reuter m-reuter marked this pull request as draft February 8, 2024 17:33
- change user to nonroot
- add the BUILDKIT_SBOM_SCAN_CONTEXT buildarg for proper SBOM creation
Docker/build.py
- add provenance
- add sbom attestation
- some formatting
- add FREESURFER_URL build-arg and pass the URL to install_fs_pruned.sh
Docker/install_fs_pruned.sh
- add option to download FreeSurfer from a different URL
- optimize upx option for multiple threads
- reorder so upx runs before links are created
Docker/build.py
- add --attest argument
- change building logic, so it works with docker-container
- add attestation logic
@dkuegler dkuegler marked this pull request as ready for review February 19, 2024 18:24
dkuegler (Member, Author):

I hope this finally works... Unfortunately, the attestation changes mean that people who want to do attestation need to change a couple of things, such as:

  • change to the containerd image store
  • set up a docker-container buildx builder

but the basic build should still work without that; just attestations are a bit weird :(.

m-reuter (Member):

Please add some documentation to the README, including attestation requirements.

- Add action push (no containerd requirement for attestation build)
- TODO: FastSurfer/FreeSurfer are not found by the scanner and thus are not in the SBOM

Docker/README.md
- Add documentation on how to build with attestation
dkuegler (Member, Author):

Documentation added to Docker/README.md and an additional option that does not require containerd, but a local registry.

Unfortunately, the SBOM is incomplete, as most notably the versions of FreeSurfer as well as FastSurfer are not included.
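Two checks a practitioner would want around this PR, as an added example that is not part of FastSurfer, of Docker/build.py, or of this PR: a pre-flight check that the buildx builder selected for the build uses a driver that can emit attestations (the thread's docker-container requirement), and a post-build check that the SBOM attestation actually names the components you care about, which is how the FreeSurfer/FastSurfer gap noted above shows up. The `docker buildx inspect` text and the in-toto SBOM statement below are constructed samples; the package names and the `attest-builder` name are assumptions made for the example.

```python
"""Pre-flight and post-build checks for Docker build attestations.

Added example (not FastSurfer/PR code). Inputs are constructed samples:
a trimmed `docker buildx inspect` listing and a trimmed in-toto SBOM
statement of the kind BuildKit produces for `--attest type=sbom`.
"""
import json
import re

# Constructed sample of `docker buildx inspect <name>` output (abridged).
SAMPLE_INSPECT = """\
Name:          attest-builder
Driver:        docker-container
Last Activity: 2024-02-19 18:00:00 +0000 UTC

Nodes:
Name:      attest-builder0
Endpoint:  unix:///var/run/docker.sock
Status:    running
Buildkit:  v0.12.5
Platforms: linux/amd64, linux/amd64/v2
"""

# Drivers that emit attestations without further setup. The plain "docker"
# driver additionally needs the containerd image store (as the thread says),
# which `docker buildx inspect` does not show, so it is deliberately absent.
ATTESTING_DRIVERS = {"docker-container", "kubernetes", "remote"}

# Constructed sample of the in-toto statement stored for an SBOM attestation
# (predicateType https://spdx.dev/Document); a real one lists every OS and
# language package the scanner found. Names/versions here are assumptions.
SAMPLE_SBOM_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "pkg:docker/deepmi/fastsurfer@dev",
                 "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [
            {"name": "libc6", "versionInfo": "2.35-0ubuntu3.6"},
            {"name": "python3", "versionInfo": "3.10.12-1~22.04"},
            {"name": "torch", "versionInfo": "2.1.2"},
        ],
    },
})

SPDX_PREDICATE = "https://spdx.dev/Document"


def builder_driver(inspect_output: str) -> str:
    """Value of the first 'Driver:' line in `docker buildx inspect` text ('' if none)."""
    match = re.search(r"^Driver:\s*(\S+)", inspect_output, re.MULTILINE)
    return match.group(1) if match else ""


def builder_can_attest(inspect_output: str) -> bool:
    """True when the builder's driver is known to emit attestations."""
    return builder_driver(inspect_output) in ATTESTING_DRIVERS


def spdx_packages(statement_json: str) -> dict:
    """Map package name -> version from an SBOM attestation.

    Accepts either the raw in-toto statement (SPDX document under
    'predicate') or a bare SPDX document (has 'spdxVersion').
    Raises ValueError for any other predicate type.
    """
    data = json.loads(statement_json)
    if "spdxVersion" in data:
        doc = data
    elif data.get("predicateType") == SPDX_PREDICATE:
        doc = data["predicate"]
    else:
        raise ValueError(f"not an SPDX attestation: {data.get('predicateType')!r}")
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def missing_components(statement_json: str, expected: list) -> list:
    """Expected component names with no package entry in the SBOM (case-insensitive)."""
    present = {name.lower() for name in spdx_packages(statement_json)}
    return sorted(name for name in expected if name.lower() not in present)


if __name__ == "__main__":
    print("builder driver:", builder_driver(SAMPLE_INSPECT),
          "(can attest)" if builder_can_attest(SAMPLE_INSPECT) else "(cannot attest)")
    print("missing from SBOM:",
          missing_components(SAMPLE_SBOM_STATEMENT, ["FreeSurfer", "FastSurfer", "torch"]))
```

For a pushed image the SPDX document itself can be fetched with `docker buildx imagetools inspect <image> --format '{{json .SBOM}}'` and passed to `spdx_packages`; `missing_components` then turns the thread's observation into a check that fails the pipeline until the scanner (or a manually added SPDX entry) records FreeSurfer and FastSurfer.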

@dkuegler dkuegler merged commit cd9ccef into Deep-MI:dev Feb 23, 2024
@dkuegler dkuegler deleted the feature/docker-scout-fixes branch February 23, 2024 19:36