From d8324c22d78dbdb692ba1bf881995ad73259babb Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Mon, 21 Mar 2022 23:50:59 +0000
Subject: [PATCH 1/5] selective push + trivy test
---
 .pipelines/azure_pipeline_dev.yaml | 21 +++++++++++++++++----
 .pipelines/azure_pipeline_prod.yaml | 2 +-
 kubernetes/linux/Dockerfile.multiarch | 6 +++++-
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/.pipelines/azure_pipeline_dev.yaml b/.pipelines/azure_pipeline_dev.yaml
index ba8a530fc..e016144f3 100644
--- a/.pipelines/azure_pipeline_dev.yaml
+++ b/.pipelines/azure_pipeline_dev.yaml
@@ -14,13 +14,14 @@ variables:
 subscription: '9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb' containerRegistry: 'containerinsightsprod' repoImageName: '${{ variables.containerRegistry }}.azurecr.io/public/azuremonitor/containerinsights/cidev' + IS_PR: $[eq(variables['Build.Reason'], 'PullRequest')] steps: - bash: | commit=$(git rev-parse --short HEAD) echo "##vso[task.setvariable variable=commit;]$commit" - datetime=$(date +'%Y%m%d%s') + datetime=$(date +'%m%d%Y') echo "##vso[task.setvariable variable=datetime;]$datetime" cd $(Build.SourcesDirectory)/deployment/multiarch-agent-deployment/ServiceGroupRoot/Scripts
@@ -42,7 +43,7 @@ steps:
 inputs: SourceFolder: "$(Build.SourcesDirectory)/.pipelines" Contents: | - *.sh + **/*.sh TargetFolder: '$(Build.ArtifactStagingDirectory)/build' - task: CopyFiles@2
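Review bot: Switching the tag timestamp from `%Y%m%d%s` to `%m%d%Y` on the `datetime=` line drops the epoch-seconds component, so two builds of the same commit on the same day produce the identical tag `$(datetime)-$(commit)` and the later `--push` silently overwrites the earlier image in the registry; the same change is made in azure_pipeline_prod.yaml (`@@ -20,7 +20,7 @@`). A tag that can be re-pointed also breaks the link between the image the manifest-generator task recorded under that tag and what the tag later resolves to, and month-day-year does not sort chronologically. If a shorter tag is the intent, keep at least hour and minute, e.g. `datetime=$(date +'%Y%m%d%H%M')`; otherwise retain `%s`. The `bash: |` step continues outside the hunk.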
@@ -88,12 +89,24 @@ steps:
 az account set -s ${{ variables.subscription }} az acr login -n ${{ variables.containerRegistry }} - docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) --push . + if [ "$(Build.Reason)" != "PullRequest" ]; then + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) --push . - docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit) + docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit) + else + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) . + fi - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task' + condition: eq(variables.IS_PR, true) + inputs: + BuildDropPath: '$(Build.ArtifactStagingDirectory)' + DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04' + +- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 'Generation Task' + condition: eq(variables.IS_PR, false) inputs: BuildDropPath: '$(Build.ArtifactStagingDirectory)' DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:$(datetime)-$(commit)'
diff --git a/.pipelines/azure_pipeline_prod.yaml b/.pipelines/azure_pipeline_prod.yaml
index 6f5d8bd45..0c8bf1ace 100644
--- a/.pipelines/azure_pipeline_prod.yaml
+++ b/.pipelines/azure_pipeline_prod.yaml
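Review bot: The two manifest-generator tasks now carry `condition: eq(variables.IS_PR, true)` and `condition: eq(variables.IS_PR, false)`; an explicit condition replaces the implicit `succeeded()`, so an SBOM is still generated when the preceding build step failed (for instance when the trivy gate in the Dockerfile exits non-zero) — write `condition: and(succeeded(), eq(variables.IS_PR, true))` and likewise for the `false` task. The pull-request branch of the shell sits after the unconditional `az account set` / `az acr login` lines at the top of the hunk, so validation builds that never push still obtain registry credentials; unless the Dockerfile's base images are pulled from that registry, the login belongs inside the non-PR branch. The two `docker buildx build` invocations differ only in `--push`, and the shell tests `$(Build.Reason)` directly while the new `IS_PR` variable tests the same condition, so a single invocation with a flag variable keeps the two from drifting. The same three points apply to the prod hunk `@@ -88,12 +97,25 @@` in azure_pipeline_prod.yaml; the `bash: |` step begins outside the hunk.
```yaml
    az account set -s ${{ variables.subscription }}
    push_flag=""
    if [ "$(Build.Reason)" != "PullRequest" ]; then
      # only CI builds publish, so only they need registry credentials
      az acr login -n ${{ variables.containerRegistry }}
      push_flag="--push"
    fi
    docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) $push_flag .
    if [ -n "$push_flag" ]; then
      docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit)
    fi
# … unchanged: the two ManifestGeneratorTask entries (each condition wrapped in and(succeeded(), …)) …
```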
@@ -20,7 +20,7 @@ steps:
 commit=$(git rev-parse --short HEAD)
 echo "##vso[task.setvariable variable=commit;]$commit"
- datetime=$(date +'%Y%m%d%s')
+ datetime=$(date +'%m%d%Y')
 echo "##vso[task.setvariable variable=datetime;]$datetime"
 cd $(Build.SourcesDirectory)/deployment/multiarch-agent-deployment/ServiceGroupRoot/Scripts
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index df8b04d19..ce26cad85 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
@@ -35,5 +35,9 @@ ENV AGENT_VERSION ${IMAGE_TAG}
 WORKDIR ${tmpdir}
 RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
-CMD [ "/opt/main.sh" ]
+COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
+RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
+RUN rm /usr/local/bin/trivy
+
+CMD [ "/opt/main.sh" ]
\ No newline at end of file
From 9741b3723d2b85f42b6dea46aada0e113e4ba348 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Tue, 22 Mar 2022 00:44:05 +0000
Subject: [PATCH 2/5] keep size down
---
 .gitignore | 2 +-
 kubernetes/linux/Dockerfile.multiarch | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index b0467519c..b6e2f8979 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,7 +23,7 @@ intermediate
 *.dll
 *.obj
 # ignore docker provider shell bundle
-kubernetes/linux/Linux_ULINUX_1.0_x64_64_Release
+kubernetes/linux/Linux_ULINUX_1.0_*_64_Release
 # ignore generated .h files for go
 source/plugins/go/src/*.h
 *_mock.go
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index ce26cad85..e94bf71bb 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
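Review bot: `COPY --from=aquasec/trivy:latest` pulls an unpinned scanner binary into the build, so both the gate's verdict and the code executed during `docker build` change whenever upstream moves `latest`; pin it, e.g. `COPY --from=aquasec/trivy:<pinned version or @sha256 digest> /usr/local/bin/trivy /usr/local/bin/trivy`, and bump it deliberately. The `--skip-files` entries for `/usr/sbin/telegraf` and `/opt/telegraf` take the telegraf binary out of the HIGH/CRITICAL gate and `--ignore-unfixed` lets findings without an upstream fix through, and the Dockerfile explains neither; a comment above the `RUN trivy` line such as `# telegraf is excluded from the scan because <reason — TODO fill in>; --ignore-unfixed accepts findings that have no upstream fix yet` would record the accepted risk. Presumably trivy also fetches its vulnerability database during the build, which makes the result depend on network access and on the database contents at build time, so the same commit can pass today and fail tomorrow — worth stating in that comment if intended.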
@@ -36,8 +36,11 @@ WORKDIR ${tmpdir}
 RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
+# Do vulnerability scan in a seperate stage to avoid adding layer
+FROM base_image AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
 RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
-RUN rm /usr/local/bin/trivy
+# Revert to base layer before vulnscan
+FROM base_image AS ContainerInsights
 CMD [ "/opt/main.sh" ]
\ No newline at end of file
From 6ba218603c0795c04c760cf993db61aae816e881 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Tue, 22 Mar 2022 18:42:58 +0000
Subject: [PATCH 3/5] improve CI and PR builds
---
 .pipelines/azure_pipeline_dev.yaml | 10 +++++++++-
 .pipelines/azure_pipeline_prod.yaml | 28 +++++++++++++++++++++++++---
 2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/.pipelines/azure_pipeline_dev.yaml b/.pipelines/azure_pipeline_dev.yaml
index e016144f3..395fafebf 100644
--- a/.pipelines/azure_pipeline_dev.yaml
+++ b/.pipelines/azure_pipeline_dev.yaml
@@ -4,7 +4,15 @@
 # https://aka.ms/yaml
 trigger:
-- ci_dev
+ batch: true
+ branches:
+ include:
+ - ci_dev
+
+pr:
+ branches:
+ include:
+ - ci_dev
 pool:
 name: Azure-Pipelines-CI-Test-EO
diff --git a/.pipelines/azure_pipeline_prod.yaml b/.pipelines/azure_pipeline_prod.yaml
index 0c8bf1ace..93e6e8ac3 100644
--- a/.pipelines/azure_pipeline_prod.yaml
+++ b/.pipelines/azure_pipeline_prod.yaml
@@ -4,7 +4,15 @@
 # https://aka.ms/yaml
 trigger:
-- ci_prod
+ batch: true
+ branches:
+ include:
+ - ci_prod
+
+pr:
+ branches:
+ include:
+ - ci_prod
 pool:
 name: Azure-Pipelines-CI-Prod-EO
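Review bot: The new `vulnscan` stage is never referenced by the final `ContainerInsights` stage, and every build on this page goes through `docker buildx build` (BuildKit), which only builds the stages the target depends on — so the trivy gate added in the previous commit is very likely skipped altogether and a HIGH/CRITICAL finding no longer fails the build. Make the final stage consume an artifact produced after the scan: append ` && touch /tmp/vulnscan-passed` (constructed marker name) to the `RUN trivy rootfs …` line and add `COPY --from=vulnscan /tmp/vulnscan-passed /tmp/vulnscan-passed` after `FROM base_image AS ContainerInsights`, accepting one tiny extra layer, or else run the scan stage explicitly with `--target vulnscan` as a separate build step before the real build. While here, fix the comment typo: `# Do vulnerability scan in a separate stage to avoid adding a layer`. `base_image` is defined outside the hunk.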
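Review bot: With `pr:` now enabled for `ci_dev`, every pull-request validation run executes the same job that later performs `az acr login` (outside this hunk) on the `Azure-Pipelines-CI-Test-EO` pool, so a validation build holds registry credentials it never uses; the prod hunk `@@ -4,7 +4,15 @@` in azure_pipeline_prod.yaml does the same on `Azure-Pipelines-CI-Prod-EO`. Confirm that validation builds originating from forks cannot reach the service connection, and consider moving the login into the non-PR branch of the build step. A comment above `pr:` such as `# PR validation builds the image (and runs its scan) but never pushes; see the Build.Reason check in the build step` would make the intended split explicit.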
@@ -14,6 +22,7 @@ variables:
 subscription: '30c56c3a-54da-46ea-b004-06eb33432687' containerRegistry: 'containerinsightsbuild' repoImageName: '${{ variables.containerRegistry }}.azurecr.io/official/linux' + IS_PR: $[eq(variables['Build.Reason'], 'PullRequest')] steps: - bash: |
@@ -88,12 +97,25 @@ steps:
 az account set -s ${{ variables.subscription }} az acr login -n ${{ variables.containerRegistry }} - docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) --push . + if [ "$(Build.Reason)" != "PullRequest" ]; then + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) --push . + + docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) + else + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) . + fi - docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task' + condition: eq(variables.IS_PR, true) + inputs: + BuildDropPath: '$(Build.ArtifactStagingDirectory)' + DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04' + +- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 'Generation Task' + condition: eq(variables.IS_PR, false) inputs: BuildDropPath: '$(Build.ArtifactStagingDirectory)' DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit)'
From 4d53f1412c6714dc4e0d773edc1c89cc6fd1ea74 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Wed, 23 Mar 2022 16:36:15 +0000
Subject: [PATCH 4/5] improve checks
---
 kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh b/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
index 580b158c9..638236507 100755
--- a/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
+++ b/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
@@ -138,7 +138,7 @@ echo "source code base directory: $baseDir"
 echo "build directory for docker provider: $buildDir"
 echo "docker file directory: $dockerFileDir"
-if [ "$multi" -eq "1" ]; then
+if [ -n "$multi" ] && [ "$multi" -eq "1" ]; then
 echo "building multiarch"
 cd $baseDir
 docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag -f $linuxDir/Dockerfile.multiarch --push .
From 48fe93c43b65b5b6b39cdffb14467d15bc3c45a9 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Tue, 29 Mar 2022 17:52:52 +0000
Subject: [PATCH 5/5] remove IMAGE_TAG build_arg from prod pipeline
---
 .pipelines/azure_pipeline_prod.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pipelines/azure_pipeline_prod.yaml b/.pipelines/azure_pipeline_prod.yaml
index 93e6e8ac3..e1c3a9db2 100644
--- a/.pipelines/azure_pipeline_prod.yaml
+++ b/.pipelines/azure_pipeline_prod.yaml
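Review bot: The added `-n "$multi"` guard only covers the unset/empty case; `[ "$multi" -eq "1" ]` still emits an `integer expression expected` error and falls through to the non-multiarch path whenever `$multi` holds anything non-numeric. A string comparison handles both cases in one test and needs no guard: `if [ "$multi" = "1" ]; then`. The surrounding script continues on both sides of the hunk.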
@@ -98,11 +98,11 @@ steps:
 az acr login -n ${{ variables.containerRegistry }}
 if [ "$(Build.Reason)" != "PullRequest" ]; then
- docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) --push .
+ docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --push .
 docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit)
 else
- docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) .
+ docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json .
 fi