connectedcars · tlbdk · Sep 26, 2022 · Sep 20, 2022 · Sep 20, 2022 · Sep 20, 2022
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ ARG NODE_VERSION=16.0.0
 ARG NPM_VERSION=6.0.0
 ARG YARN_VERSION=1.6.0
 
-FROM ubuntu:20.04 as downloader
+FROM ubuntu:22.04 as downloader
 
 ARG NODE_VERSION
 ARG YARN_VERSION
@@ -69,10 +69,12 @@ RUN tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ --no-same-owner
 #
 # Build a common base image for both node-base and node-builder
 #
-FROM ubuntu:20.04 as common
+FROM ubuntu:22.04 as common
 
 ARG NODE_VERSION
 ARG YARN_VERSION
+ARG TARGETOS
+ARG TARGETARCH
 
 # Make sure we run latest ubuntu and install some basic packages
 RUN apt-get update -qq && \
@@ -108,6 +110,31 @@ RUN npm config set '//registry.npmjs.org/:_authToken' '${NPM_TOKEN}' --global
 COPY --chown=root:root files/opt/connectedcars/bin /opt/connectedcars/bin
 ENV PATH /opt/connectedcars/bin:$PATH
 
+# Make sure we can install mysql-server from Ubuntu 18.04 as this is the last
+# version with mysql 5.7, also pin mysql-server to Ubuntu 18.04 as we have 
+# some repos that install it expecting mysql 5.7
+COPY --chown=root:root files/etc/apt/ /etc/apt/
+RUN if [ "$TARGETOS/${TARGETARCH}" = "linux/amd64" ]; then \
+		echo Addding bionic for amd64 binaies; \
+		rm -f /etc/apt/sources.list.d/bionic-ports.list; \
+	elif [ "$TARGETOS/${TARGETARCH}" = "linux/arm64" ]; then \
+		echo Addding bionic Downloading arm64 binaies; \
+		rm -f /etc/apt/sources.list.d/bionic.list; \
+	else \
+		echo "Unsupported target os and platform $TARGETOS/${TARGETARCH}"; \
+		exit 1; \
+	fi;
+
+# Install common libs from older ubuntu versions so most binaies would work
+RUN apt-get update -qq && \
+	apt-get install -qq -y --no-install-recommends libssl1.1 && \
+	rm -rf /var/lib/apt/lists/*
+
+# Work arround issues for older node versions:
+# https://github.com/nodejs/node/discussions/43184
+# https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223
+RUN sed -i 's/^providers = provider_sect.*/#&/' /etc/ssl/openssl.cnf
+
 #
 # Build node-base image
 #
@@ -131,35 +158,15 @@ WORKDIR /app
 FROM common as builder
 
 ARG NODE_VERSION
-ARG TARGETOS
-ARG TARGETARCH
 
 RUN echo "Building builder image with node version: ${NODE_VERSION}"
 
 # Install basic build tools
 RUN apt-get update -qq && \
-	apt-get install -qq -y --no-install-recommends build-essential python git openssh-client software-properties-common && \
+	apt-get install -qq -y --no-install-recommends build-essential python3 git openssh-client && \
 	rm -rf /var/lib/apt/lists/*
 
-# Make sure we use mysql-server from Ubuntu 18.04 as this is the last version with mysql 5.7
-RUN if [ "$TARGETOS/${TARGETARCH}" = "linux/amd64" ]; then \
-		echo Downloading amd64 binaies; \
-		add-apt-repository "deb http://mirrors.kernel.org/ubuntu/ bionic main"; \
-		add-apt-repository "deb http://mirrors.kernel.org/ubuntu/ bionic-security main"; \
-	elif [ "$TARGETOS/${TARGETARCH}" = "linux/arm64" ]; then \
-		echo Downloading arm64 binaies; \
-		add-apt-repository "deb http://ports.ubuntu.com/ubuntu-ports bionic main"; \
-		add-apt-repository "deb http://ports.ubuntu.com/ubuntu-ports bionic-security main"; \
-	else \
-		echo "Unsupported target os and platform $TARGETOS/${TARGETARCH}"; \
-		exit 1; \
-	fi;
-RUN echo 'Package: mysql-server\n\
-Pin: release n=bionic\n\
-Pin-Priority: 1001\n' > /etc/apt/preferences.d/mysql 
-
-
-# Install mysql 5.7 and 8.x dependencies and download both version to /opt
+# Install mysql 5.7 and 8.x dependencies and download both versions to /opt
 RUN apt-get update -qq && \
 	apt-get install -qq -y --no-install-recommends mysql-client-core-8.0 && \
 	apt-get install -qq -y --no-install-recommends $(apt-cache depends mysql-server-core-5.7 mysql-server-core-8.0 | grep Depends | sed "s/.*ends:\ //" | tr '\n' ' ') && \

diff --git a/README.md b/README.md
@@ -71,5 +71,16 @@ echo "<encypted key>" | base64 -D | gcloud kms decrypt --plaintext-file=- --ciph
 ``` bash
 export NPM_TOKEN=yournpmtoken
 # Only build specific node version on arm64
-PROJECT_ID=connectedcars-staging NODE_VERSIONS="16.16.0" BUILD_PLATFORMS="linux/arm64" BRANCH_NAME=`git symbolic-ref --short -q HEAD` ./build-all.sh
+PROJECT_ID=connectedcars-staging NODE_VERSIONS="16.16.0" BUILD_PLATFORMS="linux/arm64" COMMIT_SHA=ABCD1234 BRANCH_NAME=`git symbolic-ref --short -q HEAD` ./build-all.sh
 ```
+
+
+## Rollback to older version
+
+``` bash
+export OLD_SHA=abcd1234
+for NODE_VERSION in 18.7.0 16.16.0 14.20.0 12.22.12; do
+  NODE_MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d. -f1)
+  echo docker buildx imagetools create "gcr.io/connectedcars-staging/node-builder.master:${NODE_VERSION}-${OLD_SHA}" --tag "gcr.io/connectedcars-staging/node-builder.master:${NODE_MAJOR_VERSION}.x"
+done
+```
diff --git a/build-all.sh b/build-all.sh
@@ -10,6 +10,7 @@ BUILD_PLATFORMS=${BUILD_PLATFORMS:='linux/amd64 linux/arm64'}
 # External variables
 PROJECT_ID=${PROJECT_ID:-}
 NPM_TOKEN=${NPM_TOKEN:-}
+COMMIT_SHA=${COMMIT_SHA:-}
 BRANCH_NAME=${BRANCH_NAME:-}
 PUSH=${PUSH:-}
 
@@ -23,6 +24,11 @@ if [[ ! -n "$NPM_TOKEN" ]]; then
     exit 255
 fi
 
+if [[ ! -n "$COMMIT_SHA" ]]; then
+    echo "COMMIT_SHA needs to be set"
+    exit 255
+fi
+
 if [[ ! -n "$BRANCH_NAME" ]]; then
     echo "BRANCH_NAME needs to be set"
     exit 255
@@ -66,20 +72,23 @@ for NODE_VERSION in $NODE_VERSIONS; do
     if [[ -n "$PUSH" ]]; then
         echo Push base images
         docker buildx build --platform="${DOCKER_PLATFORMS}" --progress=plain --target=base ${DOCKER_NODE_BUILD_ARGS} --push \
+        --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:${NODE_VERSION}-${COMMIT_SHA}" \
         --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:${NODE_VERSION}" \
-        --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:$NODE_MAJOR_VERSION.x" \
+        --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:${NODE_MAJOR_VERSION}.x" \
         .
 
         echo Push builder images
         docker buildx build --platform="${DOCKER_PLATFORMS}" --progress=plain --target=builder ${DOCKER_NODE_BUILD_ARGS} --push \
-        --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:$NODE_VERSION.x" \
-        --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:$NODE_MAJOR_VERSION.x" \
+        --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:${NODE_VERSION}-${COMMIT_SHA}" \
+        --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:${NODE_VERSION}" \
+        --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:${NODE_MAJOR_VERSION}.x" \
         .
 
         echo Push fat-base images
         docker buildx build --platform="${DOCKER_PLATFORMS}" --progress=plain --target=fat-base ${DOCKER_NODE_BUILD_ARGS} --push \
+        --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:${NODE_VERSION}-${COMMIT_SHA}" \
         --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:${NODE_VERSION}" \
-        --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:$NODE_MAJOR_VERSION.x" \
+        --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:${NODE_MAJOR_VERSION}.x" \
         .
     fi
 done
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -12,7 +12,7 @@ steps:
   - name: 'gcr.io/cloud-builders/docker'
     entrypoint: 'bash'
     args: ['-c', './build-all.sh']
-    env: ['BRANCH_NAME=${BRANCH_NAME}','PROJECT_ID=${PROJECT_ID}', 'PUSH=y']
+    env: ['COMMIT_SHA=${COMMIT_SHA}','BRANCH_NAME=${BRANCH_NAME}','PROJECT_ID=${PROJECT_ID}', 'PUSH=y']
     secretEnv: ['NPM_TOKEN']
     timeout: 7200s
 secrets:

diff --git a/files/etc/apt/preferences.d/mysql b/files/etc/apt/preferences.d/mysql
@@ -0,0 +1,3 @@
+Package: mysql-server
+Pin: release n=bionic
+Pin-Priority: 1001
diff --git a/files/etc/apt/sources.list.d/bionic-ports.list b/files/etc/apt/sources.list.d/bionic-ports.list
@@ -0,0 +1,4 @@
+deb http://ports.ubuntu.com/ubuntu-ports bionic main
+# deb-src http://ports.ubuntu.com/ubuntu-ports bionic main
+deb http://ports.ubuntu.com/ubuntu-ports bionic-security main
+# deb-src http://ports.ubuntu.com/ubuntu-ports bionic-security main
diff --git a/files/etc/apt/sources.list.d/bionic.list b/files/etc/apt/sources.list.d/bionic.list
@@ -0,0 +1,4 @@
+deb http://mirrors.kernel.org/ubuntu bionic main
+# deb-src http://mirrors.kernel.org/ubuntu bionic main
+deb http://mirrors.kernel.org/ubuntu bionic-security main
+# deb-src http://mirrors.kernel.org/ubuntu bionic-security main
diff --git a/files/etc/apt/trusted.gpg.d/bionic.gpg b/files/etc/apt/trusted.gpg.d/bionic.gpg
diff --git a/keys/updatekeys.sh b/keys/updatekeys.sh
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 
 # gpg keys listed at https://github.com/nodejs/node#release-team
 NODE_KEYS="4ED778F539E3634C779C87C6D7062848A1AB005C

diff --git a/test/Dockerfile b/test/Dockerfile
@@ -37,6 +37,9 @@ RUN npm install
 
 RUN npm test
 
+# Install a binary dependency to see if gyp works
+RUN npm install --loglevel verbose node-expat
+
 FROM gcr.io/connectedcars-staging/node-base.$BRANCH_NAME:$NODE_VERSION
 
 WORKDIR /app