From 1042116cc90aa0a4741e93fd8f97912dbeb99a8b Mon Sep 17 00:00:00 2001
From: Mathew Merrick
Date: Thu, 19 May 2022 11:06:48 -0700
Subject: [PATCH 1/3] skopeo save
---
 .pipelines/containers/container-template.yaml | 93 ++++++++++---------
 1 file changed, 50 insertions(+), 43 deletions(-)
diff --git a/.pipelines/containers/container-template.yaml b/.pipelines/containers/container-template.yaml
index 8eb3d34f20..78fdecd1b1 100644
--- a/.pipelines/containers/container-template.yaml
+++ b/.pipelines/containers/container-template.yaml
@@ -5,51 +5,58 @@ parameters: tag: "" steps: -- task: Docker@2 - displayName: Login - inputs: - containerRegistry: $(ACR_SERVICE_CONNECTION) - command: 'login' - addPipelineData: false + - task: Docker@2 + displayName: Login + inputs: + containerRegistry: $(ACR_SERVICE_CONNECTION) + command: "login" + addPipelineData: false -- script: | - set -e - sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes - name: container_env - displayName: Prepare Environment + - script: | + set -e + sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes + name: container_env + displayName: Prepare Environment -- script: | - set -e - export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) - make ${{ parameters.name }}-image OS=${{ parameters.os }} ARCH=${{ parameters.arch }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG - name: image_build - displayName: Image Build - retryCountOnTaskFailure: 3 + - script: | + set -e + export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) + make ${{ parameters.name }}-image OS=${{ parameters.os }} ARCH=${{ parameters.arch }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG + name: image_build + displayName: Image Build + retryCountOnTaskFailure: 3 -- script: | - set -e - export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) - export REF=$(IMAGE_REGISTRY)/$(make ${{ parameters.name }}-image-name):$PLATFORM_TAG - skopeo copy containers-storage:$REF docker-daemon:$REF - wget https://github.com/aquasecurity/trivy/releases/download/v0.18.1/trivy_0.18.1_Linux-64bit.tar.gz - tar -zxvf trivy*.tar.gz - mkdir -p ./trivy-cache - sudo ./trivy --exit-code 1 --cache-dir ./trivy-cache --severity HIGH,CRITICAL $REF - name: trivy - displayName: Vulnerability 
Scan + - script: | + set -e + export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) + export REF=$(IMAGE_REGISTRY)/$(make ${{ parameters.name }}-image-name):$PLATFORM_TAG + skopeo copy containers-storage:$REF docker-daemon:$REF + skopeo copy containers-storage:$REF docker-archive:$(Build.ArtifactStagingDirectory)/$REF.tar + wget https://github.com/aquasecurity/trivy/releases/download/v0.18.1/trivy_0.18.1_Linux-64bit.tar.gz + tar -zxvf trivy*.tar.gz + mkdir -p ./trivy-cache + sudo ./trivy --exit-code 1 --cache-dir ./trivy-cache --severity HIGH,CRITICAL $REF + name: trivy + displayName: Vulnerability Scan and Save -- script: | - set -e - export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) - make ${{ parameters.name }}-image-push PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG - make ${{ parameters.name }}-image-pull PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG - retryCountOnTaskFailure: 3 - name: image_push - displayName: Push Images + - task: PublishBuildArtifacts@1 + inputs: + artifactName: "output" + pathtoPublish: "$(Build.ArtifactStagingDirectory)" + condition: succeeded() -- task: Docker@2 - displayName: Logout - inputs: - containerRegistry: $(ACR_SERVICE_CONNECTION) - command: 'logout' - addPipelineData: false + - script: | + set -e + export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) + make ${{ parameters.name }}-image-push PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG + make ${{ parameters.name }}-image-pull PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG + retryCountOnTaskFailure: 3 + name: image_push + displayName: Push Images + + - task: Docker@2 + displayName: Logout + inputs: + containerRegistry: $(ACR_SERVICE_CONNECTION) + 
command: "logout"
+ addPipelineData: false
From f82548fc60ba7614c27b94b492f7f06331936686 Mon Sep 17 00:00:00 2001
From: Mathew Merrick
Date: Thu, 19 May 2022 11:55:43 -0700
Subject: [PATCH 2/3] move to manifest template
---
 .pipelines/containers/container-template.yaml | 93 +++++++++----------
 .pipelines/containers/manifest-template.yaml | 79 ++++++++--------
 2 files changed, 84 insertions(+), 88 deletions(-)
diff --git a/.pipelines/containers/container-template.yaml b/.pipelines/containers/container-template.yaml
index 78fdecd1b1..8eb3d34f20 100644
--- a/.pipelines/containers/container-template.yaml
+++ b/.pipelines/containers/container-template.yaml
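Review bot: The added `skopeo copy containers-storage:$REF docker-archive:$(Build.ArtifactStagingDirectory)/$REF.tar` in the trivy step uses the whole reference as a file name: REF is `$(IMAGE_REGISTRY)/<image-name>:<tag>`, so the destination path contains the registry host and image path as directories that nothing creates, and as I read the docker-archive syntax (`path[:reference]`) the `:tag.tar` part is taken as the reference rather than the file name, so the step fails under `set -e` before trivy ever runs. Give the archive a flat name and keep the tag via the transport's reference suffix, e.g. `ARCHIVE="$(Build.ArtifactStagingDirectory)/${{ parameters.name }}-$PLATFORM_TAG.tar"` followed by `skopeo copy containers-storage:$REF docker-archive:"$ARCHIVE:$REF"`. Patch 2 of this series reverts this file entirely, so the fix belongs in whichever template finally carries the save. While this step is being touched, the `wget` of the trivy tarball that is then run with `sudo` has no integrity check; verify it against a checked-in checksum (`echo "<TRIVY_SHA256>  trivy_0.18.1_Linux-64bit.tar.gz" | sha256sum -c`, placeholder value) before extracting it.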
@@ -5,58 +5,51 @@ parameters: tag: "" steps: - - task: Docker@2 - displayName: Login - inputs: - containerRegistry: $(ACR_SERVICE_CONNECTION) - command: "login" - addPipelineData: false +- task: Docker@2 + displayName: Login + inputs: + containerRegistry: $(ACR_SERVICE_CONNECTION) + command: 'login' + addPipelineData: false - - script: | - set -e - sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes - name: container_env - displayName: Prepare Environment +- script: | + set -e + sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes + name: container_env + displayName: Prepare Environment - - script: | - set -e - export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) - make ${{ parameters.name }}-image OS=${{ parameters.os }} ARCH=${{ parameters.arch }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG - name: image_build - displayName: Image Build - retryCountOnTaskFailure: 3 +- script: | + set -e + export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) + make ${{ parameters.name }}-image OS=${{ parameters.os }} ARCH=${{ parameters.arch }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG + name: image_build + displayName: Image Build + retryCountOnTaskFailure: 3 - - script: | - set -e - export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) - export REF=$(IMAGE_REGISTRY)/$(make ${{ parameters.name }}-image-name):$PLATFORM_TAG - skopeo copy containers-storage:$REF docker-daemon:$REF - skopeo copy containers-storage:$REF docker-archive:$(Build.ArtifactStagingDirectory)/$REF.tar - wget https://github.com/aquasecurity/trivy/releases/download/v0.18.1/trivy_0.18.1_Linux-64bit.tar.gz - tar -zxvf trivy*.tar.gz - mkdir -p ./trivy-cache - sudo ./trivy --exit-code 1 
--cache-dir ./trivy-cache --severity HIGH,CRITICAL $REF - name: trivy - displayName: Vulnerability Scan and Save +- script: | + set -e + export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) + export REF=$(IMAGE_REGISTRY)/$(make ${{ parameters.name }}-image-name):$PLATFORM_TAG + skopeo copy containers-storage:$REF docker-daemon:$REF + wget https://github.com/aquasecurity/trivy/releases/download/v0.18.1/trivy_0.18.1_Linux-64bit.tar.gz + tar -zxvf trivy*.tar.gz + mkdir -p ./trivy-cache + sudo ./trivy --exit-code 1 --cache-dir ./trivy-cache --severity HIGH,CRITICAL $REF + name: trivy + displayName: Vulnerability Scan - - task: PublishBuildArtifacts@1 - inputs: - artifactName: "output" - pathtoPublish: "$(Build.ArtifactStagingDirectory)" - condition: succeeded() +- script: | + set -e + export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) + make ${{ parameters.name }}-image-push PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG + make ${{ parameters.name }}-image-pull PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG + retryCountOnTaskFailure: 3 + name: image_push + displayName: Push Images - - script: | - set -e - export PLATFORM_TAG=$(make container-platform-tag TAG=${{ parameters.tag }} PLATFORM=${{ parameters.os }}/${{ parameters.arch }}) - make ${{ parameters.name }}-image-push PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG - make ${{ parameters.name }}-image-pull PLATFORM=${{ parameters.os }}/${{ parameters.arch }} TAG=$PLATFORM_TAG - retryCountOnTaskFailure: 3 - name: image_push - displayName: Push Images - - - task: Docker@2 - displayName: Logout - inputs: - containerRegistry: $(ACR_SERVICE_CONNECTION) - command: "logout" - addPipelineData: false +- task: Docker@2 + displayName: Logout + inputs: + containerRegistry: $(ACR_SERVICE_CONNECTION) + 
command: 'logout'
+ addPipelineData: false
diff --git a/.pipelines/containers/manifest-template.yaml b/.pipelines/containers/manifest-template.yaml
index c5772d1a70..1d5d5ed9ca 100644
--- a/.pipelines/containers/manifest-template.yaml
+++ b/.pipelines/containers/manifest-template.yaml
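Review bot: This hunk restores container-template.yaml to exactly its pre-series content (the blob index goes from 78fdecd1b1 back to 8eb3d34f20, patch 1's old side), so patch 1 and this hunk cancel out and leave only re-indentation and quote-style churn in the history. Squash the two patches, or drop patch 1's change to this file, so the series shows the archive save only where it finally lives, in manifest-template.yaml. Nothing functional remains to review in this hunk.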
@@ -4,47 +4,50 @@ parameters: tag: "" steps: -- task: Docker@2 - displayName: Login - inputs: - containerRegistry: $(ACR_SERVICE_CONNECTION) - command: 'login' - addPipelineData: false + - task: Docker@2 + displayName: Login + inputs: + containerRegistry: $(ACR_SERVICE_CONNECTION) + command: "login" + addPipelineData: false -- script: | - set -e - make ${{ parameters.name }}-multiarch-manifest-create PLATFORMS="${{ parameters.platforms }}" TAG=${{ parameters.tag }} - make ${{ parameters.name }}-image-info TAG=${{ parameters.tag }} - name: manifest_build - displayName: Manifest Build + - script: | + set -e + make ${{ parameters.name }}-multiarch-manifest-create PLATFORMS="${{ parameters.platforms }}" TAG=${{ parameters.tag }} + make ${{ parameters.name }}-image-info TAG=${{ parameters.tag }} + name: manifest_build + displayName: Manifest Build -- script: | - set -e - make multiarch-manifest-push IMAGE=$(make ${{ parameters.name }}-image-name) TAG=${{ parameters.tag }} - make container-pull IMAGE=$(make ${{ parameters.name }}-image-name) TAG=${{ parameters.tag }} - name: manifest_push - displayName: Manifest Push + - script: | + set -e + export IMAGE=$(make ${{ parameters.name }}-image-name) + export TAG=${{ parameters.tag }} + make multiarch-manifest-push IMAGE=$IMAGE TAG=$TAG + make container-pull IMAGE=$IMAGE TAG=$TAG + skopeo copy --all docker://$IMAGE_REGISTRY/$IMAGE:$TAG oci-archive:$(Build.ArtifactStagingDirectory)/$IMAGE-$TAG.tar + name: manifest_push + displayName: Manifest Push -- task: Docker@2 - displayName: Logout - inputs: - containerRegistry: $(ACR_SERVICE_CONNECTION) - command: 'logout' - addPipelineData: false + - task: Docker@2 + displayName: Logout + inputs: + containerRegistry: $(ACR_SERVICE_CONNECTION) + command: "logout" + addPipelineData: false -- task: CopyFiles@2 - inputs: - sourceFolder: "output" - targetFolder: $(Build.ArtifactStagingDirectory) - condition: succeeded() + - task: CopyFiles@2 + inputs: + sourceFolder: "output" + targetFolder: 
$(Build.ArtifactStagingDirectory)
+ condition: succeeded()
-- task: ManifestGeneratorTask@0
- displayName: "Add SBOM Generator tool"
- inputs:
- BuildDropPath: '$(Build.ArtifactStagingDirectory)'
+ - task: ManifestGeneratorTask@0
+ displayName: "Add SBOM Generator tool"
+ inputs:
+ BuildDropPath: "$(Build.ArtifactStagingDirectory)"
-- task: PublishBuildArtifacts@1
- inputs:
- artifactName: "output"
- pathtoPublish: "$(Build.ArtifactStagingDirectory)"
- condition: succeeded()
+ - task: PublishBuildArtifacts@1
+ inputs:
+ artifactName: "output"
+ pathtoPublish: "$(Build.ArtifactStagingDirectory)"
+ condition: succeeded()
From 20fa2f47b306774e5cbfbe553ae047f611c9952b Mon Sep 17 00:00:00 2001
From: Mathew Merrick
Date: Thu, 19 May 2022 15:01:19 -0700
Subject: [PATCH 3/3] remove image txt files
---
 .pipelines/containers/manifest-template.yaml | 3 ++-
 Makefile | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pipelines/containers/manifest-template.yaml b/.pipelines/containers/manifest-template.yaml
index 1d5d5ed9ca..7405d2c6d6 100644
--- a/.pipelines/containers/manifest-template.yaml
+++ b/.pipelines/containers/manifest-template.yaml
@@ -24,7 +24,8 @@ steps:
 export TAG=${{ parameters.tag }}
 make multiarch-manifest-push IMAGE=$IMAGE TAG=$TAG
 make container-pull IMAGE=$IMAGE TAG=$TAG
- skopeo copy --all docker://$IMAGE_REGISTRY/$IMAGE:$TAG oci-archive:$(Build.ArtifactStagingDirectory)/$IMAGE-$TAG.tar
+ mkdir -p $(Build.ArtifactStagingDirectory)/images
+ skopeo copy --all docker://$IMAGE_REGISTRY/$IMAGE:$TAG oci-archive:$(Build.ArtifactStagingDirectory)/images/$IMAGE-$TAG.tar
 name: manifest_push
 displayName: Manifest Push
diff --git a/Makefile b/Makefile
index 209a36745d..ac1350db8d 100644
--- a/Makefile
+++ b/Makefile
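Review bot: In the manifest_push script the new `skopeo copy --all docker://$IMAGE_REGISTRY/$IMAGE:$TAG ...` takes the registry from the shell variable `$IMAGE_REGISTRY`, while container-template.yaml in this same series uses the pipeline macro `$(IMAGE_REGISTRY)`; if IMAGE_REGISTRY is a pipeline variable Azure exports it into the script environment and this resolves, but if it exists only as a Makefile variable the expansion is empty, the source becomes `docker:///$IMAGE:$TAG` and the step fails under `set -e`. Use the same form as the other template, `docker://$(IMAGE_REGISTRY)/$IMAGE:$TAG`, so the two cannot drift. The archive is also re-pulled by mutable tag rather than by the digest the push just produced, so the published artifact is whatever the tag points at when the copy runs; resolving the digest after `multiarch-manifest-push` (e.g. `DIGEST=$(skopeo inspect --format '{{.Digest}}' docker://$(IMAGE_REGISTRY)/$IMAGE:$TAG)`) and copying `docker://$(IMAGE_REGISTRY)/$IMAGE@$DIGEST` would tie the artifact to this build. Finally, the `$IMAGE-$TAG.tar` file name assumes `$IMAGE` has no `/`; if the image name carries a path (the Makefile target that prints it is not visible here), the oci-archive destination lands in a directory nothing creates.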
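Review bot: `mkdir -p $(Build.ArtifactStagingDirectory)/images` and the oci-archive destination expand an agent-controlled path unquoted inside bash; quote them, `mkdir -p "$(Build.ArtifactStagingDirectory)/images"` and `oci-archive:"$(Build.ArtifactStagingDirectory)/images/$IMAGE-$TAG.tar"`, so a space in the staging path does not split the arguments. The new `images/` directory is the only one created, so the layout still depends on `$IMAGE` being a single path component. The manifest_push script begins outside this hunk.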
@@ -212,7 +212,6 @@ container-info: # util target to write container info file. do not invoke direct
 sudo mkdir -p $(IMAGE_DIR)
 sudo chown -R $$(whoami) $(IMAGE_DIR)
 sudo chmod -R 777 $(IMAGE_DIR)
- echo $(IMAGE):$(TAG) > $(IMAGE_DIR)/$(FILE)
 cni-manager-image-name: # util target to print the CNI manager image name.
 @echo $(CNI_IMAGE)
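Review bot: With the `echo $(IMAGE):$(TAG) > $(IMAGE_DIR)/$(FILE)` line removed, the remaining body of `container-info` only creates `$(IMAGE_DIR)` and runs `chmod -R 777` on it, so the target no longer writes anything but still leaves a world-writable directory behind; the target's header is outside this hunk. If nothing else in the Makefile (not visible here) depends on the target, delete it together with its comment and any now-unused `FILE` variable; if callers remain, at least drop `sudo chmod -R 777 $(IMAGE_DIR)` since no file is written there any more. If `$(IMAGE_DIR)` is the `output` folder that the CopyFiles@2 step in manifest-template.yaml still copies, check that step does not now just stage an empty directory.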