MBT docker image mbtci-java17-node16's installation of FOSS tools to …
…enforce SAP security policies
Young Yang
committed
Nov 18, 2022
1 parent
85c5dac
commit 4c01286
Showing
2 changed files
with
173 additions
and
77 deletions.
@@ -1,93 +1,189 @@ | ||
FROM sapmachine:17 | ||
FROM debian:bullseye-slim | ||
|
||
# Build time arguments | ||
ARG MTA_USER="mta" | ||
ARG MTA_USER_HOME=/home/mta | ||
ARG MBT_VERSION=1.2.19 | ||
ARG GO_VERSION=1.15.6 | ||
# node version as found in https://nodejs.org/dist/ e.g: "v16.15.0" | ||
ARG GO_VERSION=1.19.3 | ||
ARG NODE_VERSION=NODE_VERSION_TEMPLATE | ||
ARG MAVEN_VERSION=3.6.3 | ||
ARG MAVEN_VERSION=3.8.6 | ||
ARG MAVEN_BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries | ||
ARG SAPMACHINE_VERSION=17.0.5 | ||
|
||
# Environment variables | ||
ENV PYTHON /usr/bin/python3 | ||
ENV M2_HOME=/opt/maven/apache-maven-${MAVEN_VERSION} | ||
ENV MAVEN_HOME /usr/share/maven | ||
ENV M2_HOME ${MAVEN_HOME} | ||
ENV GOPATH /go | ||
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH | ||
ENV CGO_ENABLED=0 | ||
ENV GOOS=linux | ||
ENV DEBIAN_FRONTEND=noninteractive | ||
|
||
# create user account and using openssl to create password | ||
RUN set -ex \ | ||
&& apt-get update \ | ||
&& apt-get install -y openssl --no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
# smoke test | ||
&& openssl version \ | ||
&& useradd --home-dir ${MTA_USER_HOME} \ | ||
--create-home \ | ||
--shell /bin/bash \ | ||
--user-group \ | ||
--uid 1000 \ | ||
--comment 'Cloud MTA Build Tool' \ | ||
--password "$(echo weUseMta | openssl passwd -1 -stdin)" ${MTA_USER} \ | ||
# allow anybody to write into the image user home directory | ||
&& chmod a+w ${MTA_USER_HOME} | ||
|
||
ADD http://aia.pki.co.sap.com/aia/SAP%20Global%20Root%20CA.crt \ | ||
/etc/ssl/certs/SAP_Global_Root_CA.crt | ||
|
||
# Download required env tools | ||
RUN apt-get update && \ | ||
apt-get install --yes --no-install-recommends \ | ||
ca-certificates \ | ||
git \ | ||
curl && \ | ||
|
||
# Change security level as the SAP npm repo doesnt support buster new security upgrade | ||
# the default configuration for OpenSSL in Buster explicitly requires using more secure ciphers and protocols, | ||
# and the server running at http://npm.sap.com/ is running software configured to only provide insecure, older ciphers. | ||
# This causes SSL connections using OpenSSL from a Buster based installation to fail | ||
# Should be remove once SAP npm repo will patch the security level | ||
# see - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912759 | ||
sed -i -E 's/(CipherString\s*=\s*DEFAULT@SECLEVEL=)2/\11/' /etc/ssl/openssl.cnf && \ | ||
|
||
# install node | ||
NODE_HOME=/opt/nodejs; mkdir -p ${NODE_HOME} && \ | ||
curl --fail --silent --output - "https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-x64.tar.gz" \ | ||
| tar -xzv -f - -C "${NODE_HOME}" && \ | ||
ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/node" /usr/local/bin/node && \ | ||
ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/npm" /usr/local/bin/npm && \ | ||
ln -s "${NODE_HOME}/node-${NODE_VERSION}-linux-x64/bin/npx" /usr/local/bin/ && \ | ||
npm install --prefix /usr/local/ -g grunt-cli && \ | ||
|
||
# install ui5-cli temporay solution | ||
npm install --prefix /usr/local/ -g @ui5/cli && \ | ||
RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ | ||
&& case "${dpkgArch##*-}" in \ | ||
amd64) ARCH='x64';; \ | ||
ppc64el) ARCH='ppc64le';; \ | ||
s390x) ARCH='s390x';; \ | ||
arm64) ARCH='arm64';; \ | ||
armhf) ARCH='armv7l';; \ | ||
i386) ARCH='x86';; \ | ||
*) echo "unsupported architecture"; exit 1 ;; \ | ||
esac \ | ||
&& set -ex \ | ||
&& apt-get update \ | ||
&& apt-get install -y ca-certificates curl gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
&& for key in \ | ||
4ED778F539E3634C779C87C6D7062848A1AB005C \ | ||
141F07595B7B3FFE74309A937405533BE57C7D57 \ | ||
74F12602B6F1C4E913FAA37AD3A89613643B6201 \ | ||
61FC681DFB92A079F1685E77973F295594EC4689 \ | ||
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ | ||
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \ | ||
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ | ||
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ | ||
108F52B48DB57BB0CC439B2997B01419BD92F80A \ | ||
; do \ | ||
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \ | ||
gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \ | ||
done \ | ||
# check downloaded archive matches the checksum | ||
&& curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-linux-$ARCH.tar.gz" \ | ||
&& curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt" \ | ||
&& grep " node-$NODE_VERSION-linux-$ARCH.tar.gz\$" SHASUMS256.txt | sha256sum -c - \ | ||
# check downloaded checksum file signature | ||
&& curl -fsSLO --compressed "https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt.sig" \ | ||
&& gpg --verify SHASUMS256.txt.sig SHASUMS256.txt \ | ||
&& tar -zxv -f "node-$NODE_VERSION-linux-$ARCH.tar.gz" -C /usr/local --strip-components=1 --no-same-owner \ | ||
&& rm "node-$NODE_VERSION-linux-$ARCH.tar.gz" SHASUMS256.txt.sig SHASUMS256.txt \ | ||
&& apt-mark auto '.*' > /dev/null \ | ||
&& find /usr/local -type f -executable -exec ldd '{}' ';' \ | ||
| awk '/=>/ { print $(NF-1) }' \ | ||
| sort -u \ | ||
| xargs -r dpkg-query --search \ | ||
| cut -d: -f1 \ | ||
| sort -u \ | ||
| xargs -r apt-mark manual \ | ||
&& apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ | ||
&& ln -s /usr/local/bin/node /usr/local/bin/nodejs \ | ||
# smoke tests | ||
&& echo "node ${NODE_VERSION} install smoke tests!" \ | ||
&& node --version \ | ||
&& npm --version | ||
|
||
# installing Golang | ||
curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz && tar -xvf go${GO_VERSION}.linux-amd64.tar.gz && \ | ||
mv go /usr/local && \ | ||
mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" && \ | ||
mkdir -p ${GOPATH}/src ${GOPATH}/bin && \ | ||
# install ui5-cli temporay solution | ||
RUN set -ex \ | ||
&& npm install --prefix /usr/local/ -g @ui5/cli \ | ||
&& npm cache clean -g --force \ | ||
# smoke tests | ||
&& echo "ui5 install smoke tests!" \ | ||
&& ui5 --version | ||
|
||
# update maven home | ||
M2_BASE="$(dirname ${M2_HOME})" && \ | ||
mkdir -p "${M2_BASE}" && \ | ||
curl --fail --silent --output - "https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \ | ||
| tar -xzvf - -C "${M2_BASE}" && \ | ||
ln -s "${M2_HOME}/bin/mvn" /usr/local/bin/mvn && \ | ||
chmod --recursive a+w "${M2_HOME}"/conf/* && \ | ||
# install Golang | ||
RUN set -ex \ | ||
&& apt-get update \ | ||
&& apt-get install -y ca-certificates curl --no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
&& curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz \ | ||
&& tar -xvf go${GO_VERSION}.linux-amd64.tar.gz \ | ||
&& rm -rf /usr/local/go \ | ||
&& mv go /usr/local \ | ||
&& mkdir -p "$GOPATH/src" "$GOPATH/bin" \ | ||
&& chmod -R 777 "$GOPATH" \ | ||
&& mkdir -p ${GOPATH}/src ${GOPATH}/bin \ | ||
# smoke tests | ||
&& echo "go ${GO_VERSION} install smoke tests!" \ | ||
&& go version | ||
|
||
# Download MBT | ||
curl -L "https://github.com/SAP/cloud-mta-build-tool/releases/download/v${MBT_VERSION}/cloud-mta-build-tool_${MBT_VERSION}_Linux_amd64.tar.gz" | tar -zx -C /usr/local/bin && \ | ||
chown root:root /usr/local/bin/mbt && \ | ||
# install sapmachine | ||
RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ | ||
&& case "${dpkgArch##*-}" in \ | ||
amd64) ARCH='amd64';; \ | ||
*) echo "unsupported architecture"; exit 1 ;; \ | ||
esac \ | ||
&& set -ex \ | ||
&& apt-get update \ | ||
&& apt-get install -y --no-install-recommends wget ca-certificates gnupg \ | ||
&& export GNUPGHOME="$(mktemp -d)" \ | ||
&& wget -q -O - https://dist.sapmachine.io/debian/sapmachine.old.key | gpg --batch --import \ | ||
&& gpg --batch --export --armor 'DA4C 00C1 BDB1 3763 8608 4E20 C7EB 4578 740A EEA2' > /etc/apt/trusted.gpg.d/sapmachine.old.gpg.asc \ | ||
&& wget -q -O - https://dist.sapmachine.io/debian/sapmachine.key | gpg --batch --import \ | ||
&& gpg --batch --export --armor 'CACB 9FE0 9150 307D 1D22 D829 6275 4C3B 3ABC FE23' > /etc/apt/trusted.gpg.d/sapmachine.gpg.asc \ | ||
&& gpgconf --kill all \ | ||
&& rm -rf "$GNUPGHOME" \ | ||
&& echo "deb http://dist.sapmachine.io/debian/amd64/ ./" > /etc/apt/sources.list.d/sapmachine.list \ | ||
&& apt-get update \ | ||
&& apt-get install -y sapmachine-$(echo ${SAPMACHINE_VERSION} | cut -d. -f1)-jdk=${SAPMACHINE_VERSION} --no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
&& apt-get remove --purge --autoremove -y ca-certificates gnupg wget \ | ||
# smoke test | ||
&& echo "sapmachine ${SAPMACHINE_VERSION} install smoke tests!" \ | ||
&& java --version | ||
|
||
# handle users permission | ||
useradd --home-dir "${MTA_USER_HOME}" \ | ||
--create-home \ | ||
--shell /bin/bash \ | ||
--user-group \ | ||
--uid 1000 \ | ||
--comment 'Cloud MTA Build Tool' \ | ||
--password "$(echo weUseMta |openssl passwd -1 -stdin)" mta && \ | ||
# allow anybody to write into the images HOME | ||
chmod a+w "${MTA_USER_HOME}" && \ | ||
# install maven | ||
RUN set -ex \ | ||
&& apt-get update \ | ||
&& apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
&& curl -fsSLO --compressed ${MAVEN_BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \ | ||
&& curl -fsSLO --compressed ${MAVEN_BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc \ | ||
&& for key in \ | ||
6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688 \ | ||
; do \ | ||
gpg --batch --keyserver hkps://pgp.surf.nl --recv-keys "$key" || \ | ||
gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \ | ||
done \ | ||
&& gpg --batch --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \ | ||
&& mkdir -p ${MAVEN_HOME} ${MAVEN_HOME}/ref \ | ||
&& tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C ${MAVEN_HOME} --strip-components=1 \ | ||
&& rm -f apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \ | ||
&& chmod --recursive a+w ${MAVEN_HOME}/conf/* \ | ||
&& ln -s ${MAVEN_HOME}/bin/mvn /usr/bin/mvn \ | ||
&& apt-get remove --purge --autoremove -y ca-certificates curl gnupg dirmngr \ | ||
# smoke tests | ||
&& echo "mvn ${MAVEN_VERSION} smoke tests!" \ | ||
&& mvn --version | ||
|
||
# Install essential build tools and python, required for building db modules | ||
apt-get install --yes --no-install-recommends \ | ||
build-essential \ | ||
python2.7 \ | ||
python3 && \ | ||
|
||
# remove build env tools | ||
apt-get remove --purge --autoremove --yes \ | ||
curl && \ | ||
# Install MBT | ||
RUN set -ex \ | ||
&& npm install -g --unsafe-perm @young-yang217/mbt@${MBT_VERSION} \ | ||
&& npm cache clean -g --force \ | ||
# smoke tests | ||
&& echo "mbt ${MBT_VERSION} install smoke tests!" \ | ||
&& mbt --version | ||
|
||
rm -rf /var/lib/apt/lists/* | ||
# Install essential build tools and python | ||
RUN set -ex \ | ||
&& apt-get update \ | ||
&& apt-get install -y ca-certificates build-essential python2.7 python3 --no-install-recommends \ | ||
&& rm -rf /var/lib/apt/lists/* \ | ||
# smoke tests | ||
&& echo "python install smoke tests!" \ | ||
&& python2.7 --version \ | ||
&& python3 --version | ||
|
||
ENV PATH=$PATH:./node_modules/.bin HOME=${MTA_USER_HOME} | ||
WORKDIR /project | ||
USER mta | ||
USER ${MTA_USER} |
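Review bot: The Go install step (`curl -O https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz` followed by `tar -xvf`) is the one download in this file that is neither checksum- nor signature-verified, and the archive is never removed, so it stays in the layer — whereas the node and maven steps both verify against SHASUMS256/GPG and then `rm` their archives, and the commit title says the point of the change is enforcing security policy. Go publishes a SHA-256 alongside each archive, so the same `curl -fsSLO … && sha256sum -c` pattern used for node applies here, and `curl -f` also stops an HTTP error page from being handed to `tar`; the block hardcodes `amd64` while the node step derives the arch from `dpkg --print-architecture`, which may be intentional. Separately, `npm install -g --unsafe-perm @young-yang217/mbt@${MBT_VERSION}` now sources the image's main tool from a personal npm scope rather than the SAP GitHub release the previous version fetched; if that is a fork-only stand-in, a comment saying so would help reviewers, since `--unsafe-perm` lets the package's install scripts run as root. Finally, the `ADD http://aia.pki.co.sap.com/…SAP Global Root CA.crt` line (unclear from the rendering whether it is retained or added) fetches a trust root over plain HTTP with no `--checksum`, and placing a file in `/etc/ssl/certs` does not register it in the CA bundle without `update-ca-certificates`.
```dockerfile
RUN set -ex \
    && apt-get update \
    && apt-get install -y ca-certificates curl --no-install-recommends \
    && rm -rf /var/lib/apt/lists/* \
    # verify the archive against the SHA-256 Go publishes next to it, then drop the archive
    && curl -fsSLO "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" \
    && curl -fsSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz.sha256" -o go.sha256 \
    && echo "$(cat go.sha256)  go${GO_VERSION}.linux-amd64.tar.gz" | sha256sum -c - \
    && rm -rf /usr/local/go \
    && tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz" \
    && rm -f "go${GO_VERSION}.linux-amd64.tar.gz" go.sha256 \
    # … unchanged: GOPATH setup and smoke tests …
```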