Build using ubi go toolset, and run in ubi-minimal (#351)

* Build using ubi go toolset, and run in ubi-minimal

Signed-off-by: James Hart <jhart@uk.ibm.com>

* Move back to scratch with elements of ubi copied across

Signed-off-by: James Hart <jhart@uk.ibm.com>

* Improve comment in Dockerfile

Signed-off-by: James Hart <jhart@uk.ibm.com>

Co-authored-by: Stuart Hayton <sjhx@users.noreply.github.com>

.pre-commit-config.yaml

@@ -5,12 +5,13 @@
 #
 # This line indicates we will use the hook from ibm/detect-secrets to run scan during committing phase.
 # Whitewater/whitewater-detect-secrets would sync code to ibm/detect-secrets upon merge.
+repos:
 - repo: https://github.com/ibm/detect-secrets
   # If you desire to use a specific version of detect-secrets, you can replace `master` with other git revisions such as branch, tag or commit sha.
   # You are encouraged to use static refs such as tags, instead of branch name
   #
   # Running "pre-commit autoupdate" would automatically updates rev to latest tag
-  rev: master
+  rev: 0.13.1+ibm.46.dss
   hooks:
     - id: detect-secrets # pragma: whitelist secret
       # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.

.secrets.baseline

@@ -3,14 +3,17 @@
     "files": "go.*|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2021-03-24T13:13:24Z",
+  "generated_at": "2021-09-28T15:42:12Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
     },
     {
       "name": "ArtifactoryDetector"
     },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
     {
       "base64_limit": 4.5,
       "name": "Base64HighEntropyString"
@@ -25,8 +28,12 @@
       "name": "CloudantDetector"
     },
     {
+      "ghe_instance": "github.ibm.com",
       "name": "GheDetector"
     },
+    {
+      "name": "GitHubTokenDetector"
+    },
     {
       "hex_limit": 3,
       "name": "HexHighEntropyString"
@@ -47,6 +54,9 @@
     {
       "name": "MailchimpDetector"
     },
+    {
+      "name": "NpmDetector"
+    },
     {
       "name": "PrivateKeyDetector"
     },
@@ -56,6 +66,9 @@
     {
       "name": "SoftlayerDetector"
     },
+    {
+      "name": "SquareOAuthDetector"
+    },
     {
       "name": "StripeDetector"
     },
@@ -69,23 +82,23 @@
         "hashed_secret": "ad5781cc8192e1e8247b3174bb14b2177c16d71c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 143,
+        "line_number": 170,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "05baadf86b23d3dafaf432263a7cf24d0287a350",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 200,
+        "line_number": 227,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "13010f67cb54ac2a32bc6c4a5a7ab38133a11fa8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 203,
+        "line_number": 230,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -641,7 +654,7 @@
       }
     ]
   },
-  "version": "0.13.1+ibm.29.dss",
+  "version": "0.13.1+ibm.46.dss",
   "word_list": {
     "file": null,
     "hash": null

Dockerfile

@@ -1,16 +1,49 @@
-FROM golang:1.16.5 as golang
-
+FROM registry.access.redhat.com/ubi8/go-toolset:1.15.14-10 as gobuild
+# This first stage of the build is purely to build the Golang binary for Portieris
 ARG VERSION=undefined
-WORKDIR /go/src/github.com/IBM/portieris
-RUN mkdir -p /go/src/github.com/IBM/portieris
+# Work within the /opt/app-root/src working directory of the UBI go-toolset image
+WORKDIR /opt/app-root/src/github.com/IBM/portieris
+RUN mkdir -p /opt/app-root/src/github.com/IBM/portieris
+# Create directory to store the built binary
+RUN mkdir -p /opt/app-root/bin
 COPY . ./
 RUN CGO_ENABLED=0 GOOS=linux go build \
     -ldflags="-X github.com/IBM/portieris/internal/info.Version=$VERSION" -a \
-    -tags containers_image_openpgp -o ./bin/portieris ./cmd/portieris
+    -tags containers_image_openpgp -o /opt/app-root/bin/portieris ./cmd/portieris
+
+
+#################################################################################
+# Use another intermediary step to identify and extract the minimum content required for the runtime image.
+# The purpose of this is to keep the image size and attack surface as small as possible,
+#  while providing enough information for vulnerability scanning tools to inspect it.
+FROM registry.access.redhat.com/ubi8/s2i-base:latest as installer
+RUN yum upgrade -y
+# prep target rootfs for scratch container
+WORKDIR /
+RUN mkdir /image && \
+    ln -s usr/bin /image/bin && \
+	ln -s usr/sbin /image/sbin && \
+	ln -s usr/lib64 /image/lib64 && \
+	ln -s usr/lib /image/lib && \
+	mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
+# see files.txt for a list of needed files from the UBI image to copy into our
+# final "FROM scratch" image; this would need to be modified if any additional
+# content was required from UBI for the Portieris binary to function.
+COPY files.txt /tmp
+RUN tar cf /tmp/files.tar -T /tmp/files.txt && tar xf /tmp/files.tar -C /image/ \
+  && strip --strip-unneeded /image/usr/lib64/*[0-9].so
+RUN rpm --root /image --initdb \
+  && PACKAGES=$(rpm -qf $(cat /tmp/files.txt) | grep -v "is not owned by any package" | sort -u) \
+  && echo dnf install -y 'dnf-command(download)' \
+  && dnf download --destdir / ${PACKAGES} \
+  && rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
+
 
+#################################################################################
+# Finally, copy the minimal image contents and the built binary into the scratch image
 FROM scratch
-COPY --from=golang /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=golang /go/src/github.com/IBM/portieris/bin/portieris /portieris
+COPY --from=installer /image/ /
+COPY --from=gobuild /opt/app-root/bin/portieris /portieris
 # Create /tmp for logs and /run for working directory
 RUN [ "/portieris", "--mkdir",  "/tmp,/run" ]
 WORKDIR /run

files.txt

@@ -0,0 +1,21 @@
+etc/pki
+root/buildinfo
+usr/lib64/ld-2.28.so
+usr/lib64/ld-linux-x86-64.so.2
+usr/lib64/libc-2.28.so
+usr/lib64/libc.so
+usr/lib64/libc.so.6
+usr/lib64/libssl.so
+usr/lib64/libssl.so.1.1
+usr/lib64/libdl-2.28.so
+usr/lib64/libdl.so
+usr/lib64/libdl.so.2
+usr/lib64/libpthread-2.28.so
+usr/lib64/libpthread.so
+usr/lib64/libpthread.so.0
+usr/lib64/libm-2.28.so
+usr/lib64/libm.so
+usr/lib64/libm.so.6
+etc/ssl/certs
+etc/redhat-release
+usr/share/zoneinfo