Changed the docker image to run as the user nobody (#20)

- Changed the docker image to run as user 65534 (aka nobody) - Made Dockerfile.testing independent from the Dockerfile - Removed the coverage step and changed the unittest step to always be a coverage run. - Changed the Jenkins build to use the --no-cache option for all docker builds including unstable ones. - Changed python script to work with python3 - Added clean target to the Makefile Jira: CASMHMS-5010
Cray-HPE · Sep 20, 2021 · f602405 · f602405
1 parent 8301989
commit f602405
Show file tree

Hide file tree

Showing 16 changed files with 84 additions and 118 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,19 @@
 .idea/
+
+# helm files
 kubernetes/.packaged/
 kubernetes/cray-hms-scsd/charts/
+
+# runIntegration.sh creates the following soft links to the real files under Test/
+Dockerfile.fake-hsm
+Dockerfile.fake-rfep
+Dockerfile.fake-vault
+Dockerfile.scsd_functest
+Dockerfile.testscsd
+docker-compose-functest.yaml
+
+# runIntegration.sh generates these log files
+scsdtest_scsd_*.logs*
+
+# vim files
+*.swp
diff --git a/.version b/.version
@@ -1 +1 @@
-1.7.5
+1.7.6
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).\
 
+## [1.7.6] - 2021-09-08
+
+### Changed
+
+- Changed the docker image to run as the user nobody
+
 ## [1.7.5] - 2021-08-19
 
 ### Changed

diff --git a/Dockerfile b/Dockerfile
@@ -22,12 +22,16 @@
 
 # Dockerfile for building HMS SCSD.
 
+### Build Base Stage ###
+
 FROM arti.dev.cray.com/baseos-docker-master-local/golang:1.16-alpine3.13 AS build-base
 
 RUN set -ex \
     && apk -U upgrade \
     && apk add build-base
 
+### Base Stage ###
+
 FROM build-base AS base
 
 RUN go env -w GO111MODULE=auto
@@ -66,5 +70,8 @@ ENV VAULT_SKIP_VERIFY="true"
 COPY --from=builder /go/scsd /usr/local/bin
 COPY .version /var/run/scsd_version.txt
 
+# nobody 65534:65534
+USER 65534:65534
+
 # Set up the command to start the service, the run the init script.
 CMD scsd
diff --git a/Dockerfile.build-base b/Dockerfile.build-base
diff --git a/Dockerfile.coverage b/Dockerfile.coverage
diff --git a/Dockerfile.testing b/Dockerfile.testing
@@ -20,8 +20,28 @@
 # ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 # OTHER DEALINGS IN THE SOFTWARE.
 
-FROM cray/hms-scsd-build-base
+### Build Base Stage ###
+# Build base has the packages installed that we need.
+FROM arti.dev.cray.com/baseos-docker-master-local/golang:1.16-alpine3.13 AS build-base
+
+RUN set -ex \
+    && apk -U upgrade \
+    && apk add build-base
+
+### Base Stage ###
+
+FROM build-base as base
+
+RUN go env -w GO111MODULE=auto
+
+# Copy all the necessary files to the image.
+COPY cmd $GOPATH/src/github.com/Cray-HPE/hms-scsd/cmd
+COPY vendor $GOPATH/src/github.com/Cray-HPE/hms-scsd/vendor
+
+### Final Stage ###
+
+FROM base
 
 # Run unit tests...
 RUN set -ex \
-    && go test -v -o scsd github.com/Cray-HPE/hms-scsd/cmd/scsd
+    && go test -cover -v -o scsd github.com/Cray-HPE/hms-scsd/cmd/scsd
diff --git a/Jenkinsfile.github b/Jenkinsfile.github
@@ -16,6 +16,7 @@ pipeline {
         IS_STABLE = getBuildIsStable()
         VERSION = getDockerBuildVersion(isStable: env.IS_STABLE)
         DOCKER_ARGS = getDockerBuildArgs(name: "hms-scsd", description: env.DESCRIPTION, version: env.VERSION)
+        NO_CACHE = "--no-cache"
         CHART_NAME = "cray-hms-scsd"
         CHART_VERSION = getChartVersion(version: env.VERSION)
     }
@@ -40,12 +41,6 @@ pipeline {
             }
         }
 
-        stage("Run Coverage Tests") {
-            steps {
-                sh "make coverage"
-            }
-        }
-
         stage("Integration") {
             steps {
                 sh "make integration"

diff --git a/Makefile b/Makefile
@@ -26,10 +26,10 @@ CHART_PATH ?= kubernetes
 CHART_NAME ?= cray-hms-scsd
 CHART_VERSION ?= $(shell cat .version)
 
-all: image chart unittest coverage integration
+all: image chart unittest integration
 
 image:
-	docker build --pull ${DOCKER_ARGS} --tag '${NAME}:${VERSION}' .
+	docker build ${NO_CACHE} --pull ${DOCKER_ARGS} --tag '${NAME}:${VERSION}' .
 
 chart:
 	helm repo add cray-algol60 https://artifactory.algol60.net/artifactory/csm-helm-charts
@@ -39,9 +39,14 @@ chart:
 unittest:
 	./runUnitTest.sh
 
-coverage:
-	./runCoverage.sh
-
 integration:
 	./runIntegration.sh
 
+clean:
+	# Remove files generated by runIntegation.sh
+	rm -f Dockerfile.fake-hsm Dockerfile.fake-rfep Dockerfile.fake-vault Dockerfile.scsd_functest Dockerfile.testscsd docker-compose-functest.yaml
+	rm -f scsdtest_scsd_*.logs*
+	# Remove files generated by helm
+	rm -rf kubernetes/cray-hms-scsd/charts
+	rm -rf kubernetes/.packaged
+
diff --git a/Test/Dockerfile.testscsd b/Test/Dockerfile.testscsd
@@ -83,5 +83,8 @@ RUN set -ex \
 COPY --from=builder /go/scsd /usr/local/bin
 COPY .version /var/run/scsd_version.txt
 
+# nobody 65534:65534
+USER 65534:65534
+
 # Set up the command to start the service, the run the init script.
 CMD scsd
diff --git a/Test/getnets.py b/Test/getnets.py
@@ -53,5 +53,5 @@
     addr = addy[:-3]
     buf += "--add-host=%s:%s " % (name,addr)
 
-print buf
+print(buf)
 
diff --git a/kubernetes/cray-hms-scsd/Chart.yaml b/kubernetes/cray-hms-scsd/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 description: "Kubernetes resources for cray-hms-scsd"
 name: "cray-hms-scsd"
 home: "HMS/hms-scsd"
-version: 1.7.5
+version: 1.7.6
diff --git a/kubernetes/cray-hms-scsd/requirements.lock b/kubernetes/cray-hms-scsd/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: cray-service
   repository: https://artifactory.algol60.net/artifactory/csm-helm-charts
-  version: 2.8.0
-digest: sha256:4a60684923c7310e8db14a2956c03a18e49bc68261dcf8833e3aaf27e17e406f
-generated: "2021-08-11T15:04:04.713022852-06:00"
+  version: 4.0.0
+digest: sha256:82dad81fa8daa5e931dbfa47d15eca5074e5a2c4dc79b2ac1b9a3f0ec303ab43
+generated: "2021-09-10T11:28:28.314593212-06:00"
diff --git a/kubernetes/cray-hms-scsd/requirements.yaml b/kubernetes/cray-hms-scsd/requirements.yaml
@@ -1,4 +1,4 @@
 dependencies:
 - name: cray-service
-  version: "~2.8.0"
+  version: "~4.0.0"
   repository: "@cray-algol60"
diff --git a/runCoverage.sh b/runCoverage.sh
diff --git a/runUnitTest.sh b/runUnitTest.sh
@@ -22,7 +22,16 @@
 # ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 # OTHER DEALINGS IN THE SOFTWARE.
 
-# Build the build base image
-docker build -t cray/hms-scsd-build-base -f Dockerfile.build-base .
+# Fail on error and print executions
+set -ex
+
+GITSHA=$(git rev-parse HEAD)
+TIMESTAMP=$(date +"%Y-%m-%dT%H-%M-%SZ")
+IMAGE="cray/hms-scsd-coverage"
+# image names must be lower case
+UNIQUE_TAG=$(echo ${IMAGE}_${GITSHA}_${TIMESTAMP} | tr '[:upper:]' '[:lower:]')
+# export NO_CACHE=--no-cache # this will cause docker build to run with no cache; off by default for local builds, enabled in jenkinsfile
+
+DOCKER_BUILDKIT=0 docker build $NO_CACHE -t $UNIQUE_TAG -f Dockerfile.testing .
+docker image rm $UNIQUE_TAG --force
 
-docker build -t cray/hms-scsd-testing -f Dockerfile.testing .