diff --git a/Dockerfile.dapper b/Dockerfile.dapper
index c948f3c..b91e5ff 100644
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@@ -1,9 +1,24 @@
-FROM registry.suse.com/bci/bci-base:15.4.27.14.56
+FROM ghcr.io/oracle/oraclelinux:7-slim
 ARG DAPPER_HOST_ARCH
 ENV ARCH $DAPPER_HOST_ARCH
-RUN zypper -n install docker git
+# Prepare Go env
+ENV GOPATH /go
+
+RUN yum-config-manager --enable ol7_optional_latest && \
+ yum-config-manager --enable ol7_addons
+
+RUN yum update -y && \
+ # NOTE - psmisc is needed for "killall" command, which Rancher uses to kill the proxy container on helm operation pods
+ yum install -y bash git gcc docker-cli vim less file curl wget psmisc
+
+RUN yum install -y oracle-golang-release-el7 && \
+ yum-config-manager --enable ol7_developer_golang117 && \
+ yum install -y golang-1.17.5 && \
+ yum-config-manager --add-repo https://yum.oracle.com/repo/OracleLinux/OL7/olcne13/x86_64/ && \
+ yum -y install docker-engine-19.03.11.ol-13.el7.x86_64 && \
+ yum clean all
 ENV DAPPER_ENV REPO TAG DRONE_TAG CROSS
 ENV DAPPER_SOURCE /shell
diff --git a/Makefile b/Makefile
index acae2f0..ab5e7bc 100644
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,22 @@
 TARGETS := $(shell ls scripts)
-.dapper:
- @echo Downloading dapper
- @curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
- @@chmod +x .dapper.tmp
- @./.dapper.tmp -v
- @mv .dapper.tmp .dapper
-
-$(TARGETS): .dapper
- ./.dapper $@
+GO ?= CGO_ENABLED=0 GO111MODULE=on go
+DAPPER_VERSION = v0.6.0-v8o-1
+
+# find or download dapper
+DAPPER_PATH := $(shell eval go env GOPATH)
+.PHONY: dapper
+dapper:
+ifeq (, $(shell command -v dapper))
+ $(GO) install github.com/verrazzano/rancher-dapper@${DAPPER_VERSION}
+ mv ${DAPPER_PATH}/bin/rancher-dapper $(DAPPER_PATH)/bin/dapper
+ $(eval DAPPER=$(DAPPER_PATH)/bin/dapper)
+else
+ $(eval DAPPER=$(shell command -v dapper))
+endif
+
+$(TARGETS): dapper
+ dapper $@
 .DEFAULT_GOAL := ci
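Review bot: The new `FROM ghcr.io/oracle/oraclelinux:7-slim` in Dockerfile.dapper replaces a base image that was pinned to an exact version with a floating tag, so the build image can change without any change to this file; the three `FROM` lines in package/Dockerfile have the same issue. Pinning by digest keeps the build reproducible and auditable, e.g. `FROM ghcr.io/oracle/oraclelinux:7-slim@sha256:<digest-placeholder>`. The unversioned `yum update -y` and the unversioned package list in the second `RUN` add further drift; only golang and docker-engine carry explicit versions.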
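Review bot: In the Makefile hunk, `$(eval DAPPER=...)` records which binary was found or installed, but the `$(TARGETS)` recipe runs bare `dapper $@`, so `DAPPER` is never used and the shell runs whatever `dapper` comes first on PATH. A freshly installed `$(DAPPER_PATH)/bin/dapper` is only reached if that directory happens to be on PATH, and a pre-existing `dapper` on PATH is accepted without any check against `DAPPER_VERSION`. I would change the recipe line to `$(DAPPER) $@` and add a comment above the `ifeq` stating that the conditional is evaluated when the Makefile is parsed, not when the recipe runs.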
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4c1f259
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Reporting Security Vulnerabilities
+
+Oracle values the independent security research community and believes that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.
+
+Please do NOT raise a GitHub Issue to report a security vulnerability. If you believe you have found a security vulnerability, please submit a report to secalert_us@oracle.com preferably with a proof of concept. We provide additional information on [how to report security vulnerabilities to Oracle](https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html) which includes public encryption keys for secure email.
+
+We ask that you do not use other channels or contact project contributors directly.
+
+Non-vulnerability related security issues such as new great new ideas for security features are welcome on GitHub Issues.
+
+## Security Updates, Alerts and Bulletins
+
+Security updates will be released on a regular cadence. Many of our projects will typically release security fixes in conjunction with the [Oracle Critical Patch Update](https://www.oracle.com/security-alerts/) program. Security updates are released on the Tuesday closest to the 17th day of January, April, July and October. A pre-release announcement will be published on the Thursday preceding each release. Additional information, including past advisories, is available on our [Security Alerts](https://www.oracle.com/security-alerts/) page.
+
+## Security-Related Information
+
+We will provide security related information such as a threat model, considerations for secure use, or any known security issues in our documentation. Please note that labs and sample code are intended to demonstrate a concept and may not be sufficiently hardened for production use.
\ No newline at end of file
diff --git a/THIRD_PARTY_LICENSES.txt b/THIRD_PARTY_LICENSES.txt
new file mode 100644
index 0000000..32e709b
--- /dev/null
+++ b/THIRD_PARTY_LICENSES.txt
@@ -0,0 +1,4 @@
+
+-------- Copyrights
+ (no copyright notices found)
+
diff --git a/package/Dockerfile b/package/Dockerfile
index d7b2c0b..25ffa80 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -1,26 +1,49 @@
-FROM registry.suse.com/bci/golang:1.19-20.13 AS helm
-RUN zypper -n install git
-RUN git -C / clone --branch release-v3.11.3 --depth=1 https://github.com/rancher/helm
-RUN make -C /helm
+FROM ghcr.io/oracle/oraclelinux:7-slim as helm
+ARG HELM_VERSION=3.9.0-rancher1
+RUN yum install -y make && \
+ yum install -y oracle-golang-release-el7 && \
+ yum-config-manager --enable ol7_developer_golang119 && \
+ yum install -y golang-1.19-1.0.1.el7.x86_64 && \
+ # software collections repo needed for git 2.x on OL7
+ yum-config-manager --add-repo=http://yum.oracle.com/repo/OracleLinux/OL7/SoftwareCollections/x86_64 && \
+ yum install -y rh-git227 && \
+ # Set up needed to ensure git 2.27 from rh-git227 is on the path (gitjob original v0.1.30 image uses git version 2.35.3)
+ ln /opt/rh/rh-git227/enable /etc/profile.d/git.sh && \
+ source /etc/profile.d/git.sh && \
+ git version && \
+ # Rancher uses its own Helm fork - build and install our BFS of that fork.
+ git -C / clone --branch oracle/release/${HELM_VERSION} --depth=1 https://github.com/verrazzano/helm && \
+ make -C /helm
-FROM registry.suse.com/bci/bci-base:15.4.27.14.56 AS build
+FROM ghcr.io/oracle/oraclelinux:7-slim as build
 ARG ARCH=amd64
-RUN zypper -n install curl gzip tar
-ENV KUBECTL_VERSION v1.24.13
-ENV K9S_VERSION=v0.27.4
-ENV KUSTOMIZE_VERSION=v5.0.2
+RUN yum-config-manager --enable ol7_optional_latest && \
+ yum-config-manager --enable ol7_addons && \
+ yum update -y && \
+ yum install -y bash curl gzip tar
+
+ENV KUSTOMIZE_VERSION v5.0.2
 ENV KUSTOMIZE_URL=https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_${ARCH}.tar.gz
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl && \
- chmod +x kubectl
-RUN curl -sfL https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${ARCH}.tar.gz | tar xvzf -
+ENV K9S_VERSION v0.26.7
+RUN if [ "${ARCH}" = "amd64" ]; then ARCH=x86_64; fi && \
+ curl -sfL https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_${ARCH}.tar.gz | tar xvzf -
 RUN if [ "${ARCH}" = "amd64" ] || [ "${ARCH}" = "arm64" ] || [ "${ARCH}" = "s390x" ]; then \
 curl -sLf ${KUSTOMIZE_URL} | tar -xzf - && chmod +x kustomize; \
 fi
-FROM registry.suse.com/bci/bci-base:15.4.27.14.56
-RUN zypper -n update && \
- zypper -n install bash-completion gzip jq tar unzip vim wget && \
- zypper clean -a && rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/* /usr/share/doc/manual/* /var/log/*
+FROM ghcr.io/oracle/oraclelinux:7-slim
+
+RUN yum-config-manager --enable ol7_optional_latest && \
+ yum-config-manager --enable ol7_addons && \
+ yum update -y && \
+ # NOTE - psmisc is needed for "killall" command, which Rancher uses to kill the proxy container on helm operation pods
+ yum install -y bash bash-completion gzip jq tar unzip vim wget psmisc && \
+ yum-config-manager --add-repo https://yum.oracle.com/repo/OracleLinux/OL7/olcne16/x86_64 && \
+ yum -y install kubectl-1.25.11-1.el7.x86_64 && \
+ yum clean all && \
+ ln -s /usr/bin/vim /usr/bin/vi && \
+ rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/* /usr/share/doc/manual/* /var/log/*
+
 RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /etc/passwd && \
 echo 'shell:x:1000:' > /etc/group && \
 mkdir /home/shell && \
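Review bot: The helm stage adds the SoftwareCollections repository with `--add-repo=http://yum.oracle.com/...` over plain HTTP, so the repo metadata and the `rh-git227` packages are fetched without transport protection and rely solely on package signature checking; whether that check is enforced for a repo created by `--add-repo` depends on the image's yum configuration, which is not visible here. The other two `--add-repo` calls in this commit already use `https://yum.oracle.com/...`, so this one should match: `yum-config-manager --add-repo=https://yum.oracle.com/repo/OracleLinux/OL7/SoftwareCollections/x86_64 && \`. Separately, the k9s and kustomize archives in the build stage are piped from `curl` straight into `tar` with no checksum verification; recording the expected digest and adding a `sha256sum -c` step before extraction would make a tampered download detectable.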
@@ -32,11 +55,14 @@ RUN echo 'shell:x:1000:1000:shell,,,:/home/shell:/bin/bash' > /etc/passwd && \
 echo 'PS1="> "' >> /home/shell/.bashrc && \
 mkdir /home/shell/.kube && \
 chown -R shell /home/shell && \
- chmod 700 /run
+ chmod 700 /run && \
+ mkdir -p /LICENSES
+
 COPY --from=helm ./helm/bin/helm /usr/local/bin/
-COPY --from=build /kubectl /k9s ./kustomize* /usr/local/bin/
+COPY --from=build /k9s ./kustomize* /usr/local/bin/
 COPY package/helm-cmd package/welcome /usr/local/bin/
 COPY kustomize.sh /home/shell/
+COPY THIRD_PARTY_LICENSES.txt LICENSE SECURITY.md /LICENSES/
 USER 1000
 WORKDIR /home/shell
 CMD ["welcome"]