microsoft · pfrcks · Jun 27, 2022 · Jun 10, 2022 · Jun 10, 2022 · Jun 10, 2022
@@ -115,14 +115,14 @@ jobs:
         az acr login -n ${{ variables.containerRegistry }}
 
         if [ "$(Build.Reason)" != "PullRequest" ]; then
-          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --push .
+          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --push .
 
           docker pull ${{ variables.repoImageName }}:$(linuxImagetag)
         else
-          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) .
+          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) .
 
           # load the multi-arch image to run tests
-          docker buildx build --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --load .
+          docker buildx build --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --load .
         fi
 
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
@@ -135,14 +135,14 @@ jobs:
     condition: eq(variables.IS_PR, true)
     inputs:
       BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
-      DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04'
+      DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE)'
 
   - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
     displayName: 'Generation Task'
     condition: eq(variables.IS_PR, false)
     inputs:
       BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
-      DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:$(linuxImagetag)'
+      DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE), ${{ variables.repoImageName }}:$(linuxImagetag)'
 
   - task: PublishBuildArtifacts@1
     inputs:

@@ -119,14 +119,14 @@ jobs:
         az acr login -n ${{ variables.containerRegistry }}
 
         if [ "$(Build.Reason)" != "PullRequest" ]; then
-          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --push .
+          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --push .
 
           docker pull ${{ variables.repoImageNameLinux }}:$(linuxImagetag)
         else
-          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json .
+          docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) .
 
           # load the multi-arch image to run tests
-          docker buildx build --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --load .
+          docker buildx build --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg GOLANG_BASE_IMAGE=$(GOLANG_BASE_IMAGE) --build-arg CI_BASE_IMAGE=$(CI_BASE_IMAGE) --load .
         fi
 
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
@@ -138,14 +138,14 @@ jobs:
     condition: eq(variables.IS_PR, true)
     inputs:
       BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
-      DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04'
+      DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE)'
 
   - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
     displayName: 'Generation Task'
     condition: eq(variables.IS_PR, false)
     inputs:
       BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
-      DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageNameLinux }}:$(linuxImagetag)'
+      DockerImagesToScan: '$(GOLANG_BASE_IMAGE), $(CI_BASE_IMAGE), ${{ variables.repoImageNameLinux }}:$(linuxImagetag)'
 
   - task: PublishBuildArtifacts@1
     inputs:

@@ -16,4 +16,4 @@ CVE-2021-31799
 CVE-2021-28965
 
 #dpkg vulnerability in ubuntu
-CVE-2022-1664
+CVE-2022-1304
@@ -10,7 +10,7 @@ Feel free to contact engineering team owners in case you have any questions abou
 
 ## Common
 - [Visual Studio Code](https://code.visualstudio.com/) for authoring
-- [Go lang](https://golang.org/) for building go code. Go lang version 1.15.14 (both Linux & Windows)
+- [Go lang](https://golang.org/) for building go code. Go lang version 1.18.3 (both Linux & Windows)
 
 > Note: If you are using WSL2, make sure you have cloned the code onto ubuntu not onto windows
 
@@ -121,7 +121,7 @@ We recommend using [Visual Studio Code](https://code.visualstudio.com/) for auth
 
 ### Install Pre-requisites
 
-1. Install go1.15.14, dotnet, powershell, docker and build dependencies to build go code for both Linux and Windows platforms
+1. Install go1.18.3, dotnet, powershell, docker and build dependencies to build go code for both Linux and Windows platforms
 ```
 bash ~/Docker-Provider/scripts/build/linux/install-build-pre-requisites.sh
 ```
@@ -143,31 +143,34 @@ bash ~/Docker-Provider/scripts/build/linux/install-build-pre-requisites.sh
 
 > Note: If you are using WSL2, ensure `Docker for windows` running with Linux containers mode on your windows machine to build Linux agent image successfully
 
+> Note: format of the imagetag will be `ci<release><MMDDYYYY>`. possible values for release are test, dev, preview, dogfood, prod etc. Please use MCR urls while building internally.
+
+Preferred Way: You can build and push images for multiple architectures. This is powered by docker buildx
+Directly use the docker buildx commands (the MCR images can be found in our internal wiki to be used as arguments)
+```
+# multiple platforms
+cd ~/Docker-Provider
+docker buildx build --platform linux/arm64/v8,linux/amd64 -t <repo>/<imagename>:<imagetag> --build-arg IMAGE_TAG=<imagetag> --build-arg CI_BASE_IMAGE=<ciimage> --build-arg GOLANG_BASE_IMAGE=<golangimage> -f kubernetes/linux/Dockerfile.multiarch --push .
+
+# single platform
+cd ~/Docker-Provider
+docker buildx build --platform linux/amd64 -t <repo>/<imagename>:<imagetag> --build-arg IMAGE_TAG=<imagetag> --build-arg CI_BASE_IMAGE=<ciimage> --build-arg GOLANG_BASE_IMAGE=<golangimage> -f kubernetes/linux/Dockerfile.multiarch --push .
+```
+
+Using the build and publish script
+
 ```
 cd ~/Docker-Provider/kubernetes/linux/dockerbuild
 sudo docker login # if you want to publish the image to acr then login to acr via `docker login <acr-name>`
 # build provider, docker image and publish to docker image
-bash build-and-publish-docker-image.sh --image <repo>/<imagename>:<imagetag>
+bash build-and-publish-docker-image.sh --image <repo>/<imagename>:<imagetag> --ubuntu <ubuntu image url> --golang <golang image url>
 ```
-> Note: format of the imagetag will be `ci<release><MMDDYYYY>`. possible values for release are test, dev, preview, dogfood, prod etc.
 
-You can also build and push images for multiple architectures. This is powered by docker buildx
 ```
 cd ~/Docker-Provider/kubernetes/linux/dockerbuild
 sudo docker login # if you want to publish the image to acr then login to acr via `docker login <acr-name>`
 # build and publish using docker buildx
-bash build-and-publish-docker-image.sh --image <repo>/<imagename>:<imagetag> --multiarch
-```
-
-or directly use the docker buildx commands
-```
-# multiple platforms
-cd ~/Docker-Provider
-docker buildx build --platform linux/arm64/v8,linux/amd64 -t <repo>/<imagename>:<imagetag> --build-arg IMAGE_TAG=<imagetag> -f kubernetes/linux/Dockerfile.multiarch --push .
-
-# single platform
-cd ~/Docker-Provider
-docker buildx build --platform linux/amd64 -t <repo>/<imagename>:<imagetag> --build-arg IMAGE_TAG=<imagetag> -f kubernetes/linux/Dockerfile.multiarch --push .
+bash build-and-publish-docker-image.sh --image <repo>/<imagename>:<imagetag> --ubuntu <ubuntu image url> --golang <golang image url> --multiarch
 ```
 
 If you prefer to build docker provider shell bundle and image separately, then you can follow below instructions
@@ -182,7 +185,7 @@ make
 
 ```
 cd ~/Docker-Provider/kubernetes/linux/
-docker build -t <repo>/<imagename>:<imagetag> --build-arg IMAGE_TAG=<imagetag> .
+docker build -t <repo>/<imagename>:<imagetag> --build-arg IMAGE_TAG=<imagetag> --build-arg CI_BASE_IMAGE=<ciimage> .
 docker push <repo>/<imagename>:<imagetag>
 ```
 ## Windows Agent

@@ -1,4 +1,5 @@
-FROM ubuntu:18.04
+ARG CI_BASE_IMAGE=
+FROM ${CI_BASE_IMAGE}
 MAINTAINER OMSContainers@microsoft.com
 LABEL vendor=Microsoft\ Corp \
     com.microsoft.product="Azure Monitor for containers"

@@ -1,4 +1,8 @@
-FROM --platform=$BUILDPLATFORM golang:1.15.14 AS builder
+# Default base images. If you update them don't forgot to update variables in our build pipelines. Default values can be found in internal wiki. External can use ubuntu 18.04 and golang 1.18.3
+ARG GOLANG_BASE_IMAGE=
+ARG CI_BASE_IMAGE=
+
+FROM --platform=$BUILDPLATFORM ${GOLANG_BASE_IMAGE} AS builder
 ARG TARGETOS TARGETARCH
 RUN /usr/bin/apt-get update && /usr/bin/apt-get install git g++ make pkg-config libssl-dev libpam0g-dev rpm librpm-dev uuid-dev libkrb5-dev python sudo gcc-aarch64-linux-gnu -y
 
@@ -7,7 +11,7 @@ COPY source /src/source
 RUN cd /src/build/linux && make arch=${TARGETARCH}
 
 
-FROM ubuntu:18.04 AS base_image
+FROM ${CI_BASE_IMAGE} AS base_image
 ARG TARGETOS TARGETARCH
 MAINTAINER OMSContainers@microsoft.com
 LABEL vendor=Microsoft\ Corp \
@@ -38,8 +42,8 @@ RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
 
 # Do vulnerability scan in a seperate stage to avoid adding layer
 FROM base_image AS vulnscan
-COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
 COPY .trivyignore .trivyignore
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.28.1
 RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" /
 RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib
 RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1

@@ -13,8 +13,8 @@ usage()
     local basename=`basename $0`
     echo
     echo "Build and publish docker image:"
-    echo "$basename --image <name of docker image> "
-    echo "$basename --image <name of docker image> --multiarch"
+    echo "$basename --image <name of docker image> --ubuntu <mcr url of ubuntu image> --golang <mcr url of golang image>"
+    echo "$basename --image <name of docker image> --ubuntu <mcr url of ubuntu image> --golang <mcr url of golang image> --multiarch"
 }
 
 parse_args()
@@ -32,14 +32,16 @@ for arg in "$@"; do
   case "$arg" in
     "--image")  set -- "$@" "-i" ;;
     "--multiarch")  set -- "$@" "-m" ;;
+    "--ubuntu")  set -- "$@" "-u" ;;
+    "--golang")  set -- "$@" "-g" ;;
     "--"*)   usage ;;
     *)        set -- "$@" "$arg"
   esac
 done
 
 local OPTIND opt
 
-while getopts 'hi:m' opt; do
+while getopts 'hi:u:g:m' opt; do
     case "$opt" in
       h)
       usage
@@ -54,7 +56,12 @@ while getopts 'hi:m' opt; do
         multi=1
         echo "using multiarch dockerfile"
         ;;
-
+      u)
+        ci_base_image=$OPTARG
+        ;;
+      g)
+        golang_base_image=$OPTARG
+        ;;
       ?)
         usage
         exit 1
@@ -69,6 +76,16 @@ while getopts 'hi:m' opt; do
     exit 1
  fi
 
+ if [ -z "$ci_base_image" ]; then
+    echo "-e invalid ubuntu image url. please try with valid values from internal wiki. do not use 3P entries"
+    exit 1
+ fi
+
+ if [ -z "$golang_base_image" ]; then
+    echo "-e invalid golang image url. please try with valid values from internal wiki. do not use 3P entries"
+    exit 1
+ fi
+
  # extract image tag
  imageTag=$(echo ${image} | sed "s/.*://")
 
@@ -89,39 +106,6 @@ fi
 
 }
 
-build_docker_provider()
-{
-  echo "building docker provider shell bundle"
-  cd $buildDir
-  echo "trigger make to build docker build provider shell bundle"
-  make
-  echo "building docker provider shell bundle completed"
-}
-
-login_to_docker()
-{
-  echo "login to docker with provided creds"
-  # sudo docker login --username=$dockerUser
-  sudo docker login
-  echo "login to docker with provided creds completed"
-}
-
-build_docker_image()
-{
-  echo "build docker image: $image and image tage is $imageTag"
-  cd $baseDir/kubernetes/linux
-  sudo docker build -t $image --build-arg IMAGE_TAG=$imageTag  .
-
-  echo "build docker image completed"
-}
-
-publish_docker_image()
-{
-  echo "publishing docker image: $image"
-  sudo docker push  $image
-  echo "publishing docker image: $image done."
-}
-
 # parse and validate args
 parse_args $@
 
@@ -138,22 +122,18 @@ echo "source code base directory: $baseDir"
 echo "build directory for docker provider: $buildDir"
 echo "docker file directory: $dockerFileDir"
 
+echo "build docker image: $image and image tage is $imageTag"
+
 if [ -n "$multi" ] && [ "$multi" -eq "1" ]; then
   echo "building multiarch"
   cd $baseDir
-  docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag -f $linuxDir/Dockerfile.multiarch --push .
-  exit 0
+  docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag --build-arg CI_BASE_IMAGE="$ci_base_image" --build-arg GOLANG_BASE_IMAGE="$golang_base_image" -f $linuxDir/Dockerfile.multiarch --push .
+else
+  echo "building amd64"
+  cd $baseDir
+  docker buildx build --platform linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag --build-arg CI_BASE_IMAGE="$ci_base_image" --build-arg GOLANG_BASE_IMAGE="$golang_base_image" -f $linuxDir/Dockerfile.multiarch --push .
 fi
 
-# build docker provider shell bundle
-build_docker_provider
-
-# build docker image
-build_docker_image
-
-# publish docker image
-publish_docker_image
-
-cd $currentDir
-
+echo "build and push docker image completed"
 
+cd $currentDir
@@ -8,17 +8,17 @@ TEMP_DIR=temp-$RANDOM
 install_go_lang()
 {
   export goVersion="$(echo $(go version))"
-  if [[ $goVersion == *go1.15.14* ]] ; then
-    echo "found existing installation of go version 1.15.14 so skipping the installation of go"
+  if [[ $goVersion == *go1.18.3* ]] ; then
+    echo "found existing installation of go version 1.18.3 so skipping the installation of go"
   else
-    echo "installing go 1.15.14 version ..."
-    sudo curl -O https://dl.google.com/go/go1.15.14.linux-amd64.tar.gz
-    sudo tar -xvf go1.15.14.linux-amd64.tar.gz
+    echo "installing go 1.18.3 version ..."
+    sudo curl -O https://dl.google.com/go/go1.18.3.linux-amd64.tar.gz
+    sudo tar -xvf go1.18.3.linux-amd64.tar.gz
     sudo mv -f go /usr/local
     echo "set file permission for go bin"
     sudo chmod 744 /usr/local/go/bin
-    echo "installation of go 1.15.14 completed."
-    echo "installation of go 1.15.14 completed."
+    echo "installation of go 1.18.3 completed."
+    echo "installation of go 1.18.3 completed."
   fi
 
 }
@@ -173,4 +173,4 @@ sudo rm -rf $TEMP_DIR
 # set go env vars
 install_go_env_vars
 
-echo "installing build pre-requisites python, go 1.15.14, dotnet, powershell, build dependencies and docker completed"
+echo "installing build pre-requisites python, go 1.18.3, dotnet, powershell, build dependencies and docker completed"
@@ -13,8 +13,8 @@ function Install-Go {
         exit 1
     }
 
-   $url = "https://go.dev/dl/go1.15.14.windows-amd64.msi"
-   $output = Join-Path -Path $tempGo -ChildPath "go1.15.14.windows-amd64.msi"
+   $url = "https://go.dev/dl/go1.18.3.windows-amd64.msi"
+   $output = Join-Path -Path $tempGo -ChildPath "go1.18.3.windows-amd64.msi"
    Write-Host("downloading go msi into directory path : " + $output + "  ...")
    Invoke-WebRequest -Uri $url -OutFile $output -ErrorAction Stop
    Write-Host("downloading of go msi into directory path : " + $output + "  completed")
@@ -137,7 +137,7 @@ function Install-Docker() {
 # https://stackoverflow.com/questions/28682642/powershell-why-is-using-invoke-webrequest-much-slower-than-a-browser-download
 $ProgressPreference = 'SilentlyContinue'
 
-Write-Host "Install GO 1.15.14 version"
+Write-Host "Install GO 1.18.3 version"
 Install-Go
 Write-Host "Install Build dependencies"
 Build-Dependencies