
MBT docker image mbtci-java17-node16's installation of FOSS tools to …
…enforce SAP security policies
Young Yang committed Nov 18, 2022
1 parent 85c5dac commit 4c01286
Showing 2 changed files with 173 additions and 77 deletions.
22 changes: 11 additions & 11 deletions .circleci/config.yml
Expand Up @@ -161,7 +161,7 @@ jobs:
name: "build Java 17 & Node 16 image"
command: |
MBT_VERSION=$(cat ./VERSION)
sh $PWD/scripts/build_image 17 16.18.0 ${MBT_VERSION}
sh $PWD/scripts/build_image 17 16.18.1 ${MBT_VERSION}
- run:
name: publish image
command: |
Expand All @@ -173,11 +173,16 @@ jobs:
echo "Image release: ${MBT_VERSION}"
#Push to Docker Hub
echo "$DOCKER_HUB_TOKEN" | docker login --username $DOCKER_HUB_USER --password-stdin
sh $PWD/scripts/publish_image 17 16.18.0 ${MBT_VERSION} "devxci"
sh $PWD/scripts/publish_image 17 16.18.1 ${MBT_VERSION} "devxci"
#Push to GitHub Container Registry
echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
sh $PWD/scripts/publish_image 17 16.18.0 ${MBT_VERSION} "ghcr.io/sap"
sh $PWD/scripts/publish_image 17 16.18.1 ${MBT_VERSION} "ghcr.io/sap"
- run:
# This won't run if previous commands have failed so the tag should be removed **manually**
name: remove dummy release tag
command: |
git push https://github.com/SAP/cloud-mta-build-tool.git --delete release
publish-to-npm:
docker:
Expand All @@ -203,11 +208,6 @@ jobs:
npm install
npm run ci
npm publish
- run:
# This won't run if previous commands have failed so the tag should be removed **manually**
name: remove dummy release tag
command: |
git push https://github.com/SAP/cloud-mta-build-tool.git --delete release
workflows:
version: 2
Expand Down Expand Up @@ -288,17 +288,17 @@ workflows:
only: /release/
branches:
ignore: /.*/
- publish-to-dockerhub:
- publish-to-npm:
requires:
- release-to-github
filters:
tags:
only: /release/
branches:
ignore: /.*/
- publish-to-npm:
- publish-to-dockerhub:
requires:
- publish-to-dockerhub
- publish-to-npm
filters:
tags:
only: /release/
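Review bot: Node `16.18.1` is now repeated in three `sh $PWD/scripts/...` calls (the build_image line and both publish_image lines), so the next bump has to touch all three; a job-level `environment:` entry such as `NODE_VERSION: 16.18.1`, referenced as `${NODE_VERSION}` in the commands, would keep them in step. Moving publish-to-dockerhub behind publish-to-npm presumably exists because the image now installs mbt from the npm registry; if the freshly published version is not yet resolvable when build_image starts, the job fails and, per the comment kept at the top of the relocated tag-removal step, the `release` tag is left behind. A short poll before build_image, e.g. `npm view <mbt-package>@${MBT_VERSION} version` in a retry loop, would make that ordering robust instead of timing-dependent.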
228 changes: 162 additions & 66 deletions Dockerfile_mbtci_java17
@@ -1,93 +1,189 @@
FROM sapmachine:17
FROM debian:bullseye-slim

# Build time arguments
ARG MTA_USER="mta"
ARG MTA_USER_HOME=/home/mta
ARG MBT_VERSION=1.2.19
ARG GO_VERSION=1.15.6
# node version as found in https://nodejs.org/dist/ e.g: "v16.15.0"
ARG GO_VERSION=1.19.3
ARG NODE_VERSION=NODE_VERSION_TEMPLATE
ARG MAVEN_VERSION=3.6.3
ARG MAVEN_VERSION=3.8.6
ARG MAVEN_BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
ARG SAPMACHINE_VERSION=17.0.5

# Environment variables
ENV PYTHON /usr/bin/python3
ENV M2_HOME=/opt/maven/apache-maven-${MAVEN_VERSION}
ENV MAVEN_HOME /usr/share/maven
ENV M2_HOME ${MAVEN_HOME}
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
ENV CGO_ENABLED=0
ENV GOOS=linux
ENV DEBIAN_FRONTEND=noninteractive

# create user account and using openssl to create password
RUN set -ex \
&& apt-get update \
&& apt-get install -y openssl --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
# smoke test
&& openssl version \
&& useradd --home-dir ${MTA_USER_HOME} \
--create-home \
--shell /bin/bash \
--user-group \
--uid 1000 \
--comment 'Cloud MTA Build Tool' \
--password "$(echo weUseMta | openssl passwd -1 -stdin)" ${MTA_USER} \
# allow anybody to write into the image user home directory
&& chmod a+w ${MTA_USER_HOME}

ADD http://aia.pki.co.sap.com/aia/SAP%20Global%20Root%20CA.crt \
/etc/ssl/certs/SAP_Global_Root_CA.crt

# Download required env tools
RUN apt-get update && \
apt-get install --yes --no-install-recommends \
ca-certificates \
git \
curl && \

# Change security level as the SAP npm repo doesnt support buster new security upgrade
# the default configuration for OpenSSL in Buster explicitly requires using more secure ciphers and protocols,
# and the server running at http://npm.sap.com/ is running software configured to only provide insecure, older ciphers.
# This causes SSL connections using OpenSSL from a Buster based installation to fail
# Should be remove once SAP npm repo will patch the security level
# see - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912759
sed -i -E 's/(CipherString\s*=\s*DEFAULT@SECLEVEL=)2/\11/' /etc/ssl/openssl.cnf && \

# install node
NODE_HOME=/opt/nodejs; mkdir -p ${NODE_HOME} && \
curl --fail --silent --output - "https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-x64.tar.gz" \
| tar -xzv -f - -C "${NODE_HOME}" && \
ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/node" /usr/local/bin/node && \
ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/npm" /usr/local/bin/npm && \
ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/npx" /usr/local/bin/ && \
npm install --prefix /usr/local/ -g grunt-cli && \

# install ui5-cli temporay solution
npm install --prefix /usr/local/ -g @ui5/cli && \
RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
&& case "${dpkgArch##*-}" in \
amd64) ARCH='x64';; \
ppc64el) ARCH='ppc64le';; \
s390x) ARCH='s390x';; \
arm64) ARCH='arm64';; \
armhf) ARCH='armv7l';; \
i386) ARCH='x86';; \
*) echo "unsupported architecture"; exit 1 ;; \
esac \
&& set -ex \
&& apt-get update \
&& apt-get install -y ca-certificates curl gnupg dirmngr xz-utils libatomic1 --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
&& for key in \
4ED778F539E3634C779C87C6D7062848A1AB005C \
141F07595B7B3FFE74309A937405533BE57C7D57 \
74F12602B6F1C4E913FAA37AD3A89613643B6201 \
61FC681DFB92A079F1685E77973F295594EC4689 \
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \
108F52B48DB57BB0CC439B2997B01419BD92F80A \
; do \
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \
done \
# check downloaded archive matches the checksum
&& curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-linux-$ARCH.tar.gz" \
&& curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt" \
&& grep " node-$NODE_VERSION-linux-$ARCH.tar.gz\$" SHASUMS256.txt | sha256sum -c - \
# check downloaded checksum file signature
&& curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt.sig" \
&& gpg --verify SHASUMS256.txt.sig SHASUMS256.txt \
&& tar -zxv -f "node-$NODE_VERSION-linux-$ARCH.tar.gz" -C /usr/local --strip-components=1 --no-same-owner \
&& rm "node-$NODE_VERSION-linux-$ARCH.tar.gz" SHASUMS256.txt.sig SHASUMS256.txt \
&& apt-mark auto '.*' > /dev/null \
&& find /usr/local -type f -executable -exec ldd '{}' ';' \
| awk '/=>/ { print $(NF-1) }' \
| sort -u \
| xargs -r dpkg-query --search \
| cut -d: -f1 \
| sort -u \
| xargs -r apt-mark manual \
&& apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
&& ln -s /usr/local/bin/node /usr/local/bin/nodejs \
# smoke tests
&& echo "node ${NODE_VERSION} install smoke tests!" \
&& node --version \
&& npm --version

# installing Golang
curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz && tar -xvf go${GO_VERSION}.linux-amd64.tar.gz && \
mv go /usr/local && \
mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" && \
mkdir -p ${GOPATH}/src ${GOPATH}/bin && \
# install ui5-cli temporay solution
RUN set -ex \
&& npm install --prefix /usr/local/ -g @ui5/cli \
&& npm cache clean -g --force \
# smoke tests
&& echo "ui5 install smoke tests!" \
&& ui5 --version

# update maven home
M2_BASE="$(dirname ${M2_HOME})" && \
mkdir -p "${M2_BASE}" && \
curl --fail --silent --output - "https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
| tar -xzvf - -C "${M2_BASE}" && \
ln -s "${M2_HOME}/bin/mvn" /usr/local/bin/mvn && \
chmod --recursive a+w "${M2_HOME}"/conf/* && \
# install Golang
RUN set -ex \
&& apt-get update \
&& apt-get install -y ca-certificates curl --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
&& curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz \
&& tar -xvf go${GO_VERSION}.linux-amd64.tar.gz \
&& rm -rf /usr/local/go \
&& mv go /usr/local \
&& mkdir -p "$GOPATH/src" "$GOPATH/bin" \
&& chmod -R 777 "$GOPATH" \
&& mkdir -p ${GOPATH}/src ${GOPATH}/bin \
# smoke tests
&& echo "go ${GO_VERSION} install smoke tests!" \
&& go version

# Download MBT
curl -L "https://github.com/SAP/cloud-mta-build-tool/releases/download/v${MBT_VERSION}/cloud-mta-build-tool_${MBT_VERSION}_Linux_amd64.tar.gz" | tar -zx -C /usr/local/bin && \
chown root:root /usr/local/bin/mbt && \
# install sapmachine
RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
&& case "${dpkgArch##*-}" in \
amd64) ARCH='amd64';; \
*) echo "unsupported architecture"; exit 1 ;; \
esac \
&& set -ex \
&& apt-get update \
&& apt-get install -y --no-install-recommends wget ca-certificates gnupg \
&& export GNUPGHOME="$(mktemp -d)" \
&& wget -q -O - https://dist.sapmachine.io/debian/sapmachine.old.key | gpg --batch --import \
&& gpg --batch --export --armor 'DA4C 00C1 BDB1 3763 8608 4E20 C7EB 4578 740A EEA2' > /etc/apt/trusted.gpg.d/sapmachine.old.gpg.asc \
&& wget -q -O - https://dist.sapmachine.io/debian/sapmachine.key | gpg --batch --import \
&& gpg --batch --export --armor 'CACB 9FE0 9150 307D 1D22 D829 6275 4C3B 3ABC FE23' > /etc/apt/trusted.gpg.d/sapmachine.gpg.asc \
&& gpgconf --kill all \
&& rm -rf "$GNUPGHOME" \
&& echo "deb http://dist.sapmachine.io/debian/amd64/ ./" > /etc/apt/sources.list.d/sapmachine.list \
&& apt-get update \
&& apt-get install -y sapmachine-$(echo ${SAPMACHINE_VERSION} | cut -d. -f1)-jdk=${SAPMACHINE_VERSION} --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get remove --purge --autoremove -y ca-certificates gnupg wget \
# smoke test
&& echo "sapmachine ${SAPMACHINE_VERSION} install smoke tests!" \
&& java --version

# handle users permission
useradd --home-dir "${MTA_USER_HOME}" \
--create-home \
--shell /bin/bash \
--user-group \
--uid 1000 \
--comment 'Cloud MTA Build Tool' \
--password "$(echo weUseMta |openssl passwd -1 -stdin)" mta && \
# allow anybody to write into the images HOME
chmod a+w "${MTA_USER_HOME}" && \
# install maven
RUN set -ex \
&& apt-get update \
&& apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
&& curl -fsSLO --compressed ${MAVEN_BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& curl -fsSLO --compressed ${MAVEN_BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc \
&& for key in \
6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688 \
; do \
gpg --batch --keyserver hkps://pgp.surf.nl --recv-keys "$key" || \
gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \
done \
&& gpg --batch --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& mkdir -p ${MAVEN_HOME} ${MAVEN_HOME}/ref \
&& tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
&& rm -f apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& chmod --recursive a+w ${MAVEN_HOME}/conf/* \
&& ln -s ${MAVEN_HOME}/bin/mvn /usr/bin/mvn \
&& apt-get remove --purge --autoremove -y ca-certificates curl gnupg dirmngr \
# smoke tests
&& echo "mvn ${MAVEN_VERSION} smoke tests!" \
&& mvn --version

# Install essential build tools and python, required for building db modules
apt-get install --yes --no-install-recommends \
build-essential \
python2.7 \
python3 && \

# remove build env tools
apt-get remove --purge --autoremove --yes \
curl && \
# Install MBT
RUN set -ex \
&& npm install -g --unsafe-perm @young-yang217/mbt@${MBT_VERSION} \
&& npm cache clean -g --force \
# smoke tests
&& echo "mbt ${MBT_VERSION} install smoke tests!" \
&& mbt --version

rm -rf /var/lib/apt/lists/*
# Install essential build tools and python
RUN set -ex \
&& apt-get update \
&& apt-get install -y ca-certificates build-essential python2.7 python3 --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
# smoke tests
&& echo "python install smoke tests!" \
&& python2.7 --version \
&& python3 --version

ENV PATH=$PATH:./node_modules/.bin HOME=${MTA_USER_HOME}
WORKDIR /project
USER mta
USER ${MTA_USER}
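Review bot: The MBT install at `npm install -g --unsafe-perm @young-yang217/mbt@${MBT_VERSION}` pulls the image's main tool from what looks like a personal npm scope rather than the SAP release artifact the removed lines fetched from GitHub, with no integrity pin and with lifecycle scripts allowed to run as root; if this is a staging package the published mbtci image should not be built from it, and whichever package is intended should be pinned (a lockfile or an explicit integrity check, plus `--ignore-scripts` unless a lifecycle script is actually needed). The Go step verifies nothing, unlike the node and maven steps that check SHASUMS and signatures: `curl -O` has no `--fail`, the tarball is neither checksummed nor deleted (it stays in the layer), `mkdir -p ${GOPATH}/src ${GOPATH}/bin` is duplicated, and `chmod -R 777 "$GOPATH"` follows — I would write `curl -fsSLO https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz`, `echo "${GO_SHA256}  go${GO_VERSION}.linux-amd64.tar.gz" | sha256sum -c -` (with `GO_SHA256` declared as an ARG holding the published checksum for that version) and `rm go${GO_VERSION}.linux-amd64.tar.gz` after the extract. The `${MTA_USER}` account is still created with a fixed password (`weUseMta`, MD5-crypt via `openssl passwd -1`) that anyone can read in this public Dockerfile; dropping the `--password` argument leaves the account locked for password login, which is all a build user in a CI image needs, and likely removes the only reason openssl is installed in that layer. `chmod --recursive a+w ${MAVEN_HOME}/conf/*` makes Maven's global settings world-writable, so any process in the container can redirect dependency resolution for every later build; if a writable per-user config is the goal, copy `conf/settings.xml` into `${MTA_USER_HOME}/.m2/` owned by the user and leave `/usr/share/maven/conf` root-owned. The new `ENV MAVEN_HOME /usr/share/maven` and `ENV M2_HOME ${MAVEN_HOME}` use the deprecated space-separated form; `ENV MAVEN_HOME=/usr/share/maven` followed by `ENV M2_HOME=${MAVEN_HOME}` (kept as two instructions so the substitution sees the new value) is the current form.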
