Merge 48406d5 into be87db6

NBISweden · Sep 19, 2018 · a7786d7 · a7786d7
2 parents be87db6 + 48406d5
commit a7786d7
Show file tree

Hide file tree

Showing 11 changed files with 204 additions and 164 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -33,7 +33,21 @@ jobs:
         - cd docker
       script:
         - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin
-        - make -C images all
+        - git diff --exit-code --name-only ${TRAVIS_COMMIT_RANGE}! | grep docker/images/os/Dockerfile >/dev/null
+        - osdocker=$?
+        - if [[ "$osdocker" == "0" ]]; then
+            echo "OS base image changed, building new OS image" ;
+            make -C images os
+            docker push nbisweden/ega-os
+          fi
+        - git diff --exit-code --name-only ${TRAVIS_COMMIT_RANGE} | grep docker/images/openssh/Dockerfile >/dev/null
+        - opensshdocker=$?
+        - if [[ "$opensshdocker" == "0" ]]; then
+            echo "OpenSSH inbox image changed, building new OpenSSH inbox image" ;
+            make -C images openssh
+            docker push nbisweden/ega-openssh
+          fi
+        - make -C images base inbox
         - docker push nbisweden/ega-base:dev
         - docker push nbisweden/ega-inbox:dev
     - stage: integration tests

diff --git a/docker/bootstrap/cega.sh b/docker/bootstrap/cega.sh
@@ -217,7 +217,7 @@ echomsg "Generating passwords for the Message Broker"
 
 mkdir -p ${PRIVATE}/cega/mq
 cat > ${PRIVATE}/cega/mq/defs.json <<EOF
-{"rabbit_version":"3.6.11",
+{"rabbit_version":"3.6.14",
  "users":[{"name":"lega","password_hash":"$(${PASS_HASH} ${CEGA_MQ_PASSWORD})","hashing_algorithm":"rabbit_password_hashing_sha256","tags":"administrator"}],
  "vhosts":[{"name":"lega"}],
  "permissions":[{"user":"lega", "vhost":"lega", "configure":".*", "write":".*", "read":".*"}],

diff --git a/docker/images/Makefile b/docker/images/Makefile
@@ -18,19 +18,28 @@ endif
 
 TARGET_PREFIX=nbisweden/ega
 
-BUILD_ARGS=--build-arg checkout=$(CHECKOUT)
+.PHONY: all erase delete clean cleanall base os inbox push openssh
 
-.PHONY: all erase delete clean cleanall base inbox push
+all: os base openssh inbox
 
-all: base inbox
+os:
+	docker build --build-arg DEV_PACKAGES="$(DEV_PACKAGES)" \
+                     --cache-from $(TARGET_PREFIX)-$@:latest \
+                     --tag $(TARGET_PREFIX)-$@:latest \
+                     $@
+
+openssh:
+	docker build --build-arg AUTH_BRANCH=cega-ids \
+                     --cache-from $(TARGET_PREFIX)-$@:latest \
+                     --tag $(TARGET_PREFIX)-$@:latest \
+                     $@
 
-base: BUILD_ARGS+=--build-arg DEV_PACKAGES="$(DEV_PACKAGES)"
-inbox: BUILD_ARGS+=--build-arg AUTH_BRANCH=cega-ids
-base inbox:
+base: BUILD_ARGS+=--build-arg checkout=$(CHECKOUT)
+inbox base:
 	docker build ${BUILD_ARGS} \
                      --cache-from $(TARGET_PREFIX)-$@:latest \
                      --tag $(TARGET_PREFIX)-$@:$(TAG) \
-										 --tag $(TARGET_PREFIX)-$@:dev \
+                     --tag $(TARGET_PREFIX)-$@:dev \
                      --tag $(TARGET_PREFIX)-$@:latest \
                      $@
 
@@ -48,4 +57,6 @@ erase: # erasing all including base
 
 push:
 	docker push $(TARGET_PREFIX)-base:latest
+	docker push $(TARGET_PREFIX)-os:latest
 	docker push $(TARGET_PREFIX)-inbox:latest
+	docker push $(TARGET_PREFIX)-openssh:latest
diff --git a/docker/images/base/Dockerfile b/docker/images/base/Dockerfile
@@ -1,68 +1,14 @@
-FROM centos:7.4.1708
-LABEL maintainer "NBIS System Developers"
+FROM nbisweden/ega-os
 
 #################################################
 ##
-## Upgrade CentOS 7, and install Python 3.6
+## Install LocalEGA and LocalEGA-cryptor
 ##
 #################################################
 
-ARG DEV_PACKAGES=
-RUN yum -y install https://centos7.iuscommunity.org/ius-release.rpm && \
-    yum -y install epel-release && \
-    yum -y update && \
-    yum -y install git gcc make bzip2 curl ${DEV_PACKAGES} \
-                   zlib-devel bzip2-devel unzip \
-		   wget dpkg \
-                   openssl \
-		   python36u python36u-pip
-
-RUN [[ -e /lib64/libpython3.6m.so ]] || ln -s /lib64/libpython3.6m.so.1.0 /lib64/libpython3.6m.so
-
 RUN pip3.6 install --upgrade pip && \
     pip3.6 install PyYaml
 
-#################################################
-##
-## Install GOSU
-##
-#################################################
-
-ENV GOSU_VERSION 1.10
-ENV GPG_KEYS B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN set -ex && \
-    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" && \
-    wget -O /usr/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}" && \
-    wget -O /tmp/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"
-
-# verify the signature
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    (gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEYS" \
-    || gpg --keyserver pgp.mit.edu --recv-keys "$GPG_KEYS" \
-    || gpg --keyserver keyserver.pgp.com --recv-keys "$GPG_KEYS") && \
-    gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys  && \
-    gpg --batch --verify /tmp/gosu.asc /usr/bin/gosu && \
-    rm -r "$GNUPGHOME" /tmp/gosu.asc && \
-    chmod +x /usr/bin/gosu
-
-# verify that the binary works
-RUN gosu nobody true && \
-    yum -y remove dpkg
-
-#################################################
-# Clean up
-
-RUN yum clean all && rm -rf /var/cache/yum
-
-#################################################
-##
-## Install LocalEGA stuff
-##
-#################################################
-
-RUN groupadd -r lega && \
-    useradd -M -r -g lega lega
-
 ARG checkout=dev
 
 RUN pip3.6 install -r https://raw.githubusercontent.com/NBISweden/LocalEGA/${checkout}/requirements.txt

diff --git a/docker/images/inbox/Dockerfile b/docker/images/inbox/Dockerfile
@@ -1,106 +1,15 @@
-FROM nbisweden/ega-base
+FROM nbisweden/ega-base as localega
 LABEL maintainer "NBIS System Developers"
 
-EXPOSE 9000
-VOLUME /ega/inbox
-
-RUN yum -y install autoconf patch openssl-devel pam-devel libcurl-devel nss-tools readline-devel
-#    	   	   nc nmap tcpdump lsof strace bash-completion bash-completion-extras
-
-#################################################
-##
-## Install SQLite 3.24
-##
-#################################################
-ARG SQLITE_VERSION=3240000
-RUN cd && wget https://sqlite.org/2018/sqlite-autoconf-${SQLITE_VERSION}.tar.gz && \
-    tar xzf sqlite-autoconf-${SQLITE_VERSION}.tar.gz && \
-    cd sqlite-autoconf-${SQLITE_VERSION} && \
-    ./configure && \
-    make && make install && \
-    echo '/usr/local/lib' >> /etc/ld.so.conf.d/ega.conf && \
-    cd && rm -rf sqlite-autoconf-${SQLITE_VERSION}{,.tar.gz}
-
-
-#################################################
-##
-## Install EGA NSS+PAM
-##
-#################################################
-ARG AUTH_BRANCH=master
-RUN mkdir -p /usr/local/lib/ega && \
-    echo '/usr/local/lib/ega' >> /etc/ld.so.conf.d/ega.conf && \
-    echo 'Welcome to Local EGA' > /ega/banner && \
-    cp /etc/nsswitch.conf /etc/nsswitch.conf.bak && \
-    sed -i -e 's/^passwd:\(.*\)files/passwd:\1files ega/' /etc/nsswitch.conf && \
-    git clone https://github.com/NBISweden/LocalEGA-auth /root/ega-auth && \
-    cd /root/ega-auth/src && \
-    git checkout ${AUTH_BRANCH} && \
-    make install clean
-
-#################################################
-##
-## Install OpenSSH from sources
-##
-#################################################
-ARG OPENSSH_DIR=/opt/openssh
-ARG SSHD_UID=74
-ARG SSHD_GID=74
-ARG OPENSSH_TAG=V_7_7_P1
-
-RUN getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
-RUN getent group sshd || groupadd -g ${SSHD_GID} -r sshd
-
-# RUN mkdir -p /var/empty && \
-#     useradd -c "Privilege-separated SSH" \
-#             -u ${SSHD_UID} \
-# 	    -g sshd \
-# 	    -s /sbin/nologin \
-# 	    -r \
-# 	    -m -d /var/empty/sshd sshd
-#### Weird.... useradd does segfault.
+FROM nbisweden/ega-openssh
 
-RUN sed -i -e '/sshd/ d' /etc/passwd && \
-    echo "sshd:x:${SSHD_UID}:${SSHD_GID}:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin" >> /etc/passwd && \
-    mkdir -p /var/empty/sshd && chmod 700 /var/empty/sshd
+WORKDIR /
+COPY --from=localega /usr/lib/python3.6 /usr/lib/python3.6
+COPY --from=localega /usr/lib64/python3.6 /usr/lib64/python3.6
+COPY --from=localega /usr/bin /usr/bin
 
-RUN git clone --branch ${OPENSSH_TAG} git://anongit.mindrot.org/openssh.git /root/openssh && \
-    cd /root/openssh && \
-    autoreconf && \
-    ./configure \
-        --prefix=${OPENSSH_DIR} \
-	--with-privsep-path=/var/empty/sshd \
-        --with-privsep-user=sshd \
-        --with-ssl-engine \
-	--disable-strip \
-	--without-smartcard \
-        --with-pam \
-        --without-selinux \
-	--without-kerberos5 \
-        --without-libedit
-
-COPY notify_cega.patch /root/openssh/notify_cega.patch
-
-RUN cd /root/openssh && \
-    patch -p0 < notify_cega.patch && \
-    make && make install
-
-RUN rm -f /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key && \
-    ${OPENSSH_DIR}/bin/ssh-keygen -t rsa     -N '' -f /etc/ssh/ssh_host_rsa_key && \
-    ${OPENSSH_DIR}/bin/ssh-keygen -t dsa     -N '' -f /etc/ssh/ssh_host_dsa_key && \
-    ${OPENSSH_DIR}/bin/ssh-keygen -t ecdsa   -N '' -f /etc/ssh/ssh_host_ecdsa_key && \
-    ${OPENSSH_DIR}/bin/ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
-
-RUN rm -rf /root/openssh && \
-    cp ${OPENSSH_DIR}/sbin/sshd ${OPENSSH_DIR}/sbin/ega
-
-#################################################
-
-RUN ldconfig -v
-
-COPY banner /ega/banner
-COPY pam.ega /etc/pam.d/ega
-COPY sshd_config /etc/ega/sshd_config
+EXPOSE 9000
+VOLUME /ega/inbox
 
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 RUN chmod 755 /usr/local/bin/entrypoint.sh

diff --git a/docker/images/openssh/Dockerfile b/docker/images/openssh/Dockerfile
@@ -0,0 +1,100 @@
+FROM nbisweden/ega-os
+
+RUN yum -y install autoconf patch openssl-devel pam-devel libcurl-devel nss-tools readline-devel
+#    	   	   nc nmap tcpdump lsof strace bash-completion bash-completion-extras
+
+#################################################
+##
+## Install SQLite 3.24
+##
+#################################################
+ARG SQLITE_VERSION=3240000
+RUN cd && wget https://sqlite.org/2018/sqlite-autoconf-${SQLITE_VERSION}.tar.gz && \
+    tar xzf sqlite-autoconf-${SQLITE_VERSION}.tar.gz && \
+    cd sqlite-autoconf-${SQLITE_VERSION} && \
+    ./configure && \
+    make && make install && \
+    echo '/usr/local/lib' >> /etc/ld.so.conf.d/ega.conf && \
+    cd && rm -rf sqlite-autoconf-${SQLITE_VERSION}{,.tar.gz}
+
+
+#################################################
+##
+## Install EGA NSS+PAM
+##
+#################################################
+ARG AUTH_BRANCH=master
+RUN mkdir -p /usr/local/lib/ega && \
+    mkdir -p /ega && \
+    echo '/usr/local/lib/ega' >> /etc/ld.so.conf.d/ega.conf && \
+    echo 'Welcome to Local EGA' > /ega/banner && \
+    cp /etc/nsswitch.conf /etc/nsswitch.conf.bak && \
+    sed -i -e 's/^passwd:\(.*\)files/passwd:\1files ega/' /etc/nsswitch.conf && \
+    git clone https://github.com/NBISweden/LocalEGA-auth /root/ega-auth && \
+    cd /root/ega-auth/src && \
+    git checkout ${AUTH_BRANCH} && \
+    make install clean
+
+#################################################
+##
+## Install OpenSSH from sources
+##
+#################################################
+ARG OPENSSH_DIR=/opt/openssh
+ARG SSHD_UID=74
+ARG SSHD_GID=74
+ARG OPENSSH_TAG=V_7_7_P1
+
+RUN getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
+RUN getent group sshd || groupadd -g ${SSHD_GID} -r sshd
+
+# RUN mkdir -p /var/empty && \
+#     useradd -c "Privilege-separated SSH" \
+#             -u ${SSHD_UID} \
+# 	    -g sshd \
+# 	    -s /sbin/nologin \
+# 	    -r \
+# 	    -m -d /var/empty/sshd sshd
+#### Weird.... useradd does segfault.
+
+RUN sed -i -e '/sshd/ d' /etc/passwd && \
+    echo "sshd:x:${SSHD_UID}:${SSHD_GID}:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin" >> /etc/passwd && \
+    mkdir -p /var/empty/sshd && chmod 700 /var/empty/sshd
+
+RUN git clone --branch ${OPENSSH_TAG} git://anongit.mindrot.org/openssh.git /root/openssh && \
+    cd /root/openssh && \
+    autoreconf && \
+    ./configure \
+        --prefix=${OPENSSH_DIR} \
+	--with-privsep-path=/var/empty/sshd \
+        --with-privsep-user=sshd \
+        --with-ssl-engine \
+	--disable-strip \
+	--without-smartcard \
+        --with-pam \
+        --without-selinux \
+	--without-kerberos5 \
+        --without-libedit
+
+COPY notify_cega.patch /root/openssh/notify_cega.patch
+
+RUN cd /root/openssh && \
+    patch -p0 < notify_cega.patch && \
+    make && make install
+
+RUN rm -f /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key && \
+    ${OPENSSH_DIR}/bin/ssh-keygen -t rsa     -N '' -f /etc/ssh/ssh_host_rsa_key && \
+    ${OPENSSH_DIR}/bin/ssh-keygen -t dsa     -N '' -f /etc/ssh/ssh_host_dsa_key && \
+    ${OPENSSH_DIR}/bin/ssh-keygen -t ecdsa   -N '' -f /etc/ssh/ssh_host_ecdsa_key && \
+    ${OPENSSH_DIR}/bin/ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
+
+RUN rm -rf /root/openssh && \
+    cp ${OPENSSH_DIR}/sbin/sshd ${OPENSSH_DIR}/sbin/ega
+
+#################################################
+
+RUN ldconfig -v
+
+COPY banner /ega/banner
+COPY pam.ega /etc/pam.d/ega
+COPY sshd_config /etc/ega/sshd_config
diff --git a/docker/images/inbox/banner → docker/images/openssh/banner b/docker/images/inbox/banner → docker/images/openssh/banner
diff --git a/docker/images/inbox/notify_cega.patch → docker/images/openssh/notify_cega.patch b/docker/images/inbox/notify_cega.patch → docker/images/openssh/notify_cega.patch
diff --git a/docker/images/inbox/pam.ega → docker/images/openssh/pam.ega b/docker/images/inbox/pam.ega → docker/images/openssh/pam.ega
diff --git a/docker/images/inbox/sshd_config → docker/images/openssh/sshd_config b/docker/images/inbox/sshd_config → docker/images/openssh/sshd_config