diff --git a/.pipelines/azure_pipeline_dev.yaml b/.pipelines/azure_pipeline_dev.yaml
index 9147501ba..eed3bdc57 100644
--- a/.pipelines/azure_pipeline_dev.yaml
+++ b/.pipelines/azure_pipeline_dev.yaml
@@ -115,14 +115,14 @@ jobs:
 az acr login -n ${{ variables.containerRegistry }}
 if [ "$(Build.Reason)" != "PullRequest" ]; then
- docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --push .
+ docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --push .
 docker pull ${{ variables.repoImageName }}:$(linuxImagetag)
 else
- docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) .
+ docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) .
 # load the multi-arch image to run tests
- docker buildx build --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --load .
+ docker buildx build --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --load .
 fi
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
@@ -135,14 +135,14 @@ jobs:
 condition: eq(variables.IS_PR, true)
 inputs:
 BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
- DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04'
+ DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE)'
 - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
 displayName: 'Generation Task'
 condition: eq(variables.IS_PR, false)
 inputs:
 BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
- DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:$(linuxImagetag)'
+ DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE), ${{ variables.repoImageName }}:$(linuxImagetag)'
 - task: PublishBuildArtifacts@1
 inputs:
diff --git a/.pipelines/azure_pipeline_prod.yaml b/.pipelines/azure_pipeline_prod.yaml
index 5e22bdd3b..74650914e 100644
--- a/.pipelines/azure_pipeline_prod.yaml
+++ b/.pipelines/azure_pipeline_prod.yaml
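Review bot: Both buildx invocations and the new `DockerImagesToScan` values read `$(GOLANG_BASE_IMAGE)` and `$(CI_BASE_IMAGE)`, yet neither variable is declared anywhere in this diff; an Azure Pipelines macro that is not defined is left as the literal `$(NAME)` text, which then reaches `--build-arg` and the manifest task unchanged and only fails later as an unresolvable image reference. Declare both under the pipeline's `variables:` block (or as parameters) so a missing value is visible in the repository and fails at queue time, and because the values are substituted textually into the script step, they should not be settable at queue time if they are ever moved to UI-defined variables. For a reproducible build and a meaningful SBOM entry the values should be digest-pinned references rather than floating tags. The same applies to the two hunks in `.pipelines/azure_pipeline_prod.yaml`; the enclosing `script:` step begins before this hunk.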
@@ -119,14 +119,14 @@ jobs:
 az acr login -n ${{ variables.containerRegistry }}
 if [ "$(Build.Reason)" != "PullRequest" ]; then
- docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --push .
+ docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --push .
 docker pull ${{ variables.repoImageNameLinux }}:$(linuxImagetag)
 else
- docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json .
+ docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) .
 # load the multi-arch image to run tests
- docker buildx build --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --load .
+ docker buildx build --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --load .
 fi
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
@@ -138,14 +138,14 @@ jobs:
 condition: eq(variables.IS_PR, true)
 inputs:
 BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
- DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04'
+ DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE)'
 - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
 displayName: 'Generation Task'
 condition: eq(variables.IS_PR, false)
 inputs:
 BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
- DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageNameLinux }}:$(linuxImagetag)'
+ DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE), ${{ variables.repoImageNameLinux }}:$(linuxImagetag)'
 - task: PublishBuildArtifacts@1
 inputs:
diff --git a/.trivyignore b/.trivyignore
index f8c029116..56ac504d5 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -16,4 +16,4 @@ CVE-2021-31799
 CVE-2021-28965
 #dpkg vulnerability in ubuntu
-CVE-2022-1664
\ No newline at end of file
+CVE-2022-1304
\ No newline at end of file
diff --git a/README.md b/README.md
index 6e51d256b..60ed39901 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ Feel free to contact engineering team owners in case you have any questions abou
 ## Common
 - [Visual Studio Code](https://code.visualstudio.com/) for authoring
-- [Go lang](https://golang.org/) for building go code. Go lang version 1.15.14 (both Linux & Windows)
+- [Go lang](https://golang.org/) for building go code. Go lang version 1.18.3 (both Linux & Windows)
 > Note: If you are using WSL2, make sure you have cloned the code onto ubuntu not onto windows
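Review bot: The new ignore entry `CVE-2022-1304` in `.trivyignore` sits under the comment `#dpkg vulnerability in ubuntu`, which was written for the `CVE-2022-1664` line it replaces, and nothing in the diff records why the old suppression is no longer needed or why the new one is acceptable. Each ignored CVE should carry its own justification and a re-check date, e.g. `# CVE-2022-1304: <affected package> - <reason it does not apply here>, re-check by <date>` (placeholders), so the suppression can be revisited when the base image moves. Trivy's ignore file also accepts a per-entry expiry (`CVE-2022-1304 exp:YYYY-MM-DD`), which avoids leaving a permanent blind spot in the image scan.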
@@ -121,7 +121,7 @@ We recommend using [Visual Studio Code](https://code.visualstudio.com/) for auth
 ### Install Pre-requisites
-1. Install go1.15.14, dotnet, powershell, docker and build dependencies to build go code for both Linux and Windows platforms
+1. Install go1.18.3, dotnet, powershell, docker and build dependencies to build go code for both Linux and Windows platforms
 ```
 bash ~/Docker-Provider/scripts/build/linux/install-build-pre-requisites.sh
 ```
@@ -143,31 +143,34 @@ bash ~/Docker-Provider/scripts/build/linux/install-build-pre-requisites.sh > Note: If you are using WSL2, ensure `Docker for windows` running with Linux containers mode on your windows machine to build Linux agent image successfully +> Note: format of the imagetag will be `ci`. possible values for release are test, dev, preview, dogfood, prod etc. Please use MCR urls while building internally. + +Preferred Way: You can build and push images for multiple architectures. This is powered by docker buildx +Directly use the docker buildx commands (the MCR images can be found in our internal wiki to be used as arguments) +``` +# multiple platforms +cd ~/Docker-Provider +docker buildx build --platform linux/arm64/v8,linux/amd64 -t /: --build-arg IMAGE_TAG= --build-arg CI_BASE_IMAGE= --build-arg GOLANG_BASE_IMAGE= -f kubernetes/linux/Dockerfile.multiarch --push . + +# single platform +cd ~/Docker-Provider +docker buildx build --platform linux/amd64 -t /: --build-arg IMAGE_TAG= --build-arg CI_BASE_IMAGE= --build-arg GOLANG_BASE_IMAGE= -f kubernetes/linux/Dockerfile.multiarch --push . +``` + +Using the build and publish script + ``` cd ~/Docker-Provider/kubernetes/linux/dockerbuild sudo docker login # if you want to publish the image to acr then login to acr via `docker login ` # build provider, docker image and publish to docker image -bash build-and-publish-docker-image.sh --image /: +bash build-and-publish-docker-image.sh --image /: --ubuntu --golang ``` -> Note: format of the imagetag will be `ci`. possible values for release are test, dev, preview, dogfood, prod etc. -You can also build and push images for multiple architectures. 
This is powered by docker buildx ``` cd ~/Docker-Provider/kubernetes/linux/dockerbuild sudo docker login # if you want to publish the image to acr then login to acr via `docker login ` # build and publish using docker buildx -bash build-and-publish-docker-image.sh --image /: --multiarch -``` - -or directly use the docker buildx commands -``` -# multiple platforms -cd ~/Docker-Provider -docker buildx build --platform linux/arm64/v8,linux/amd64 -t /: --build-arg IMAGE_TAG= -f kubernetes/linux/Dockerfile.multiarch --push . - -# single platform -cd ~/Docker-Provider -docker buildx build --platform linux/amd64 -t /: --build-arg IMAGE_TAG= -f kubernetes/linux/Dockerfile.multiarch --push . +bash build-and-publish-docker-image.sh --image /: --ubuntu --golang --multiarch ``` If you prefer to build docker provider shell bundle and image separately, then you can follow below instructions @@ -182,7 +185,7 @@ make ``` cd ~/Docker-Provider/kubernetes/linux/ -docker build -t /: --build-arg IMAGE_TAG= . +docker build -t /: --build-arg IMAGE_TAG= --build-arg CI_BASE_IMAGE= . docker push /: ``` ## Windows Agent diff --git a/kubernetes/linux/Dockerfile b/kubernetes/linux/Dockerfile index 6f68f664e..a2e77d78e 100644 --- a/kubernetes/linux/Dockerfile +++ b/kubernetes/linux/Dockerfile @@ -1,4 +1,5 @@ -FROM ubuntu:18.04 +ARG CI_BASE_IMAGE= +FROM ${CI_BASE_IMAGE} MAINTAINER OMSContainers@microsoft.com LABEL vendor=Microsoft\ Corp \ com.microsoft.product="Azure Monitor for containers" diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch index fd0330d5d..74b01be7b 100644 --- a/kubernetes/linux/Dockerfile.multiarch +++ b/kubernetes/linux/Dockerfile.multiarch 
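Review bot: In `kubernetes/linux/Dockerfile`, `ARG CI_BASE_IMAGE=` with an empty default means a plain `docker build` that omits `--build-arg CI_BASE_IMAGE=...` now fails on a blank `FROM`, and unlike `Dockerfile.multiarch` this file gets no comment saying what must be passed; the same empty-default behaviour applies to `PYTHON_BASE_IMAGE` in `test/e2e/src/core/Dockerfile`. Add a comment above the `ARG`, e.g. `# Required: base image reference passed via --build-arg; see internal wiki for the mirrored value, external builds can use ubuntu 18.04`. Because the base is now chosen at build time, the value passed should be a digest-pinned reference so that the resulting image is reproducible and the base the vulnerability scan and SBOM describe is the one actually built on.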
@@ -1,4 +1,8 @@
-FROM --platform=$BUILDPLATFORM golang:1.15.14 AS builder
+# Default base images. If you update them don't forgot to update variables in our build pipelines. Default values can be found in internal wiki. External can use ubuntu 18.04 and golang 1.18.3
+ARG GOLANG_BASE_IMAGE=
+ARG CI_BASE_IMAGE=
+
+FROM --platform=$BUILDPLATFORM ${GOLANG_BASE_IMAGE} AS builder
 ARG TARGETOS TARGETARCH
 RUN /usr/bin/apt-get update && /usr/bin/apt-get install git g++ make pkg-config libssl-dev libpam0g-dev rpm librpm-dev uuid-dev libkrb5-dev python sudo gcc-aarch64-linux-gnu -y
@@ -7,7 +11,7 @@ COPY source /src/source
 RUN cd /src/build/linux && make arch=${TARGETARCH}
-FROM ubuntu:18.04 AS base_image
+FROM ${CI_BASE_IMAGE} AS base_image
 ARG TARGETOS TARGETARCH
 MAINTAINER OMSContainers@microsoft.com
 LABEL vendor=Microsoft\ Corp \
@@ -38,8 +42,8 @@ RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
 # Do vulnerability scan in a seperate stage to avoid adding layer
 FROM base_image AS vulnscan
-COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
 COPY .trivyignore .trivyignore
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.28.1
 RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" /
 RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib
 RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1
diff --git a/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh b/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
index 638236507..40ce83cd4 100755
--- a/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
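Review bot: The new `RUN curl -sfL .../trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.28.1` in the vulnscan stage pins the Trivy binary version but still fetches and executes the installer script from the unpinned `main` branch of the upstream repository on every image build, so the scan stage's tooling is only partly pinned and an upstream change alters the build silently. Fetch the installer from the ref that matches the binary, `https://raw.githubusercontent.com/aquasecurity/trivy/v0.28.1/contrib/install.sh`, or keep the previous copy form with a pinned tag, `COPY --from=aquasec/trivy:0.28.1 /usr/local/bin/trivy /usr/local/bin/trivy`, so the vulnscan stage is reproducible. The `curl` binary is presumably provided by the base image or by `setup.sh` — confirm, since the removed `COPY --from` line had no such dependency.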
+++ b/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
@@ -13,8 +13,8 @@ usage()
 local basename=`basename $0`
 echo
 echo "Build and publish docker image:"
- echo "$basename --image "
- echo "$basename --image --multiarch"
+ echo "$basename --image --ubuntu --golang "
+ echo "$basename --image --ubuntu --golang --multiarch"
 }
 parse_args()
@@ -32,6 +32,8 @@ for arg in "$@"; do
 case "$arg" in
 "--image") set -- "$@" "-i" ;;
 "--multiarch") set -- "$@" "-m" ;;
+ "--ubuntu") set -- "$@" "-u" ;;
+ "--golang") set -- "$@" "-g" ;;
 "--"*) usage ;;
 *) set -- "$@" "$arg"
 esac
@@ -39,7 +41,7 @@ done
 local OPTIND opt
-while getopts 'hi:m' opt; do
+while getopts 'hi:u:g:m' opt; do
 case "$opt" in
 h)
 usage
@@ -54,7 +56,12 @@ while getopts 'hi:m' opt; do
 multi=1
 echo "using multiarch dockerfile"
 ;;
-
+ u)
+ ci_base_image=$OPTARG
+ ;;
+ g)
+ golang_base_image=$OPTARG
+ ;;
 ?)
 usage
 exit 1
@@ -69,6 +76,16 @@ while getopts 'hi:m' opt; do
 exit 1
 fi
+ if [ -z "$ci_base_image" ]; then
+ echo "-e invalid ubuntu image url. please try with valid values from internal wiki. do not use 3P entries"
+ exit 1
+ fi
+
+ if [ -z "$golang_base_image" ]; then
+ echo "-e invalid golang image url. please try with valid values from internal wiki. do not use 3P entries"
+ exit 1
+ fi
+
 # extract image tag
 imageTag=$(echo ${image} | sed "s/.*://")
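Review bot: In both new validation blocks the `-e` is inside the quoted string, `echo "-e invalid ubuntu image url. ..."`, so it is printed literally rather than acting as an echo option; drop it, `echo "missing ubuntu image url. please try with valid values from internal wiki. do not use 3P entries"`, and likewise for the golang message. The checks only test for an empty value, so "invalid" overstates what is verified and "missing" describes the behaviour accurately. The enclosing `parse_args` function begins before this hunk.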
@@ -89,39 +106,6 @@ fi
 }
-build_docker_provider()
-{
- echo "building docker provider shell bundle"
- cd $buildDir
- echo "trigger make to build docker build provider shell bundle"
- make
- echo "building docker provider shell bundle completed"
-}
-
-login_to_docker()
-{
- echo "login to docker with provided creds"
- # sudo docker login --username=$dockerUser
- sudo docker login
- echo "login to docker with provided creds completed"
-}
-
-build_docker_image()
-{
- echo "build docker image: $image and image tage is $imageTag"
- cd $baseDir/kubernetes/linux
- sudo docker build -t $image --build-arg IMAGE_TAG=$imageTag .
-
- echo "build docker image completed"
-}
-
-publish_docker_image()
-{
- echo "publishing docker image: $image"
- sudo docker push $image
- echo "publishing docker image: $image done."
-}
-
 # parse and validate args
 parse_args $@
@@ -138,22 +122,18 @@ echo "source code base directory: $baseDir"
 echo "build directory for docker provider: $buildDir"
 echo "docker file directory: $dockerFileDir"
+echo "build docker image: $image and image tage is $imageTag"
+
 if [ -n "$multi" ] && [ "$multi" -eq "1" ]; then
 echo "building multiarch"
 cd $baseDir
- docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag -f $linuxDir/Dockerfile.multiarch --push .
- exit 0
+ docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag --build-arg CI_BASE_IMAGE="$ci_base_image" --build-arg GOLANG_BASE_IMAGE="$golang_base_image" -f $linuxDir/Dockerfile.multiarch --push .
+else
+ echo "building amd64"
+ cd $baseDir
+ docker buildx build --platform linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag --build-arg CI_BASE_IMAGE="$ci_base_image" --build-arg GOLANG_BASE_IMAGE="$golang_base_image" -f $linuxDir/Dockerfile.multiarch --push .
 fi
-# build docker provider shell bundle
-build_docker_provider
-
-# build docker image
-build_docker_image
-
-# publish docker image
-publish_docker_image
-
-cd $currentDir
-
+echo "build and push docker image completed"
+cd $currentDir
\ No newline at end of file
diff --git a/scripts/build/linux/install-build-pre-requisites.sh b/scripts/build/linux/install-build-pre-requisites.sh
index b85e54fc4..88f9fbef9 100644
--- a/scripts/build/linux/install-build-pre-requisites.sh
+++ b/scripts/build/linux/install-build-pre-requisites.sh
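Review bot: `echo "build and push docker image completed"` runs whether or not `docker buildx build` succeeded, because neither branch checks the exit status and no `set -e` is visible in the hunk; the removed `exit 0` at least ended the multiarch path immediately after its build. Append `|| { echo "docker buildx build failed"; exit 1; }` to each buildx line, or enable `set -e` near the top of the script. With `login_to_docker` removed alongside the old build functions, `--push` now relies on a pre-existing registry session, which the usage text should state.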
@@ -8,17 +8,17 @@ TEMP_DIR=temp-$RANDOM
 install_go_lang()
 {
 export goVersion="$(echo $(go version))"
- if [[ $goVersion == *go1.15.14* ]] ; then
- echo "found existing installation of go version 1.15.14 so skipping the installation of go"
+ if [[ $goVersion == *go1.18.3* ]] ; then
+ echo "found existing installation of go version 1.18.3 so skipping the installation of go"
 else
- echo "installing go 1.15.14 version ..."
- sudo curl -O https://dl.google.com/go/go1.15.14.linux-amd64.tar.gz
- sudo tar -xvf go1.15.14.linux-amd64.tar.gz
+ echo "installing go 1.18.3 version ..."
+ sudo curl -O https://dl.google.com/go/go1.18.3.linux-amd64.tar.gz
+ sudo tar -xvf go1.18.3.linux-amd64.tar.gz
 sudo mv -f go /usr/local
 echo "set file permission for go bin"
 sudo chmod 744 /usr/local/go/bin
- echo "installation of go 1.15.14 completed."
- echo "installation of go 1.15.14 completed."
+ echo "installation of go 1.18.3 completed."
+ echo "installation of go 1.18.3 completed."
 fi
 }
@@ -173,4 +173,4 @@ sudo rm -rf $TEMP_DIR
 # set go env vars
 install_go_env_vars
-echo "installing build pre-requisites python, go 1.15.14, dotnet, powershell, build dependencies and docker completed"
+echo "installing build pre-requisites python, go 1.18.3, dotnet, powershell, build dependencies and docker completed"
diff --git a/scripts/build/windows/install-build-pre-requisites.ps1 b/scripts/build/windows/install-build-pre-requisites.ps1
index 235f6ace9..1ceeda353 100644
--- a/scripts/build/windows/install-build-pre-requisites.ps1
+++ b/scripts/build/windows/install-build-pre-requisites.ps1
@@ -13,8 +13,8 @@ function Install-Go {
 exit 1
 }
- $url = "https://go.dev/dl/go1.15.14.windows-amd64.msi"
- $output = Join-Path -Path $tempGo -ChildPath "go1.15.14.windows-amd64.msi"
+ $url = "https://go.dev/dl/go1.18.3.windows-amd64.msi"
+ $output = Join-Path -Path $tempGo -ChildPath "go1.18.3.windows-amd64.msi"
 Write-Host("downloading go msi into directory path : " + $output + " ...")
 Invoke-WebRequest -Uri $url -OutFile $output -ErrorAction Stop
 Write-Host("downloading of go msi into directory path : " + $output + " completed")
@@ -137,7 +137,7 @@ function Install-Docker() {
 # https://stackoverflow.com/questions/28682642/powershell-why-is-using-invoke-webrequest-much-slower-than-a-browser-download
 $ProgressPreference = 'SilentlyContinue'
-Write-Host "Install GO 1.15.14 version"
+Write-Host "Install GO 1.18.3 version"
 Install-Go
 Write-Host "Install Build dependencies"
 Build-Dependencies
diff --git a/test/e2e/src/core/Dockerfile b/test/e2e/src/core/Dockerfile
index 52bcd7cf8..ba73e74f7 100644
--- a/test/e2e/src/core/Dockerfile
+++ b/test/e2e/src/core/Dockerfile
@@ -1,4 +1,6 @@
-FROM python:3.6
+# default value can be found in internal wiki. External can use python 3.6 base image
+ARG PYTHON_BASE_IMAGE=
+FROM ${PYTHON_BASE_IMAGE}
 RUN pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pytest pytest-xdist filelock requests kubernetes adal msrestazure
@@ -11,14 +13,14 @@ RUN apt-get update && apt-get -y upgrade && \
 CLI_REPO=$(lsb_release -cs) && \
 echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ ${CLI_REPO} main" \
 > /etc/apt/sources.list.d/azure-cli.list && \
+ curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg && \
+ echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \
 apt-get update && \
- apt-get install -y azure-cli && \
+ apt-get install -y azure-cli kubectl && \
 rm -rf /var/lib/apt/lists/*
 RUN python3 -m pip install junit_xml
-COPY --from=lachlanevenson/k8s-kubectl:v1.20.5 /usr/local/bin/kubectl /usr/local/bin/kubectl
-
 COPY ./core/e2e_tests.sh /
 COPY ./core/setup_failure_handler.py /
 COPY ./core/pytest.ini /e2etests/
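Review bot: `apt-get install -y azure-cli kubectl` replaces the previously pinned `kubectl` v1.20.5 with whatever version the `kubernetes-xenial` repository serves at build time, so the e2e image can change behaviour without any commit to this repository; pin it, `apt-get install -y azure-cli kubectl=<version> && \` (placeholder). Fetching the repository key over HTTPS into `/usr/share/keyrings` and referencing it with `signed-by` is the right shape; that the directory already exists in the chosen base image is assumed — confirm for the internal image. The `RUN` instruction this hunk edits begins before the hunk.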