Merge pull request #8 from dubo-dubon-duponey/work

Work
dubo-dubon-duponey · Mar 17, 2024 · 40ffa73 · 40ffa73
2 parents 7abca8f + 04daa3e
commit 40ffa73
Show file tree

Hide file tree

Showing 20 changed files with 224 additions and 162 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -5,17 +5,17 @@ on: [push, pull_request]
 jobs:
   test:
     # The type of runner that the job will run on
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checks-out repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           submodules: true
 
       - name: Enable cache
-        uses: actions/cache@v2.1.1
+        uses: actions/cache@v4
         with:
           path: $GITHUB_WORKSPACE/cache
           key: cache
@@ -28,11 +28,11 @@ jobs:
           sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt"
           sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs"
           sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin"
+          sudo chmod g+w "$GITHUB_WORKSPACE/cache"
+          sudo chown $(id -u) "$GITHUB_WORKSPACE/cache"
 
       - name: Start apt proxy
         run: |
-          # Hiding the read-only token base64 to avoid github disabling it...
-          echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
           docker run --rm -d --expose 443 --expose 80 --pull always \
             --name apt-front \
             --read-only \
@@ -47,12 +47,13 @@ jobs:
             --env ADDITIONAL_DOMAINS=*.debian.org \
             --volume "$GITHUB_WORKSPACE/cache/certs":/certs \
             --volume "$GITHUB_WORKSPACE/cache/apt":/data \
-            ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01
+            docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01
 
       - name: test
         run: |
           # Set the path and install the tools
-          BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
+          export PATH="$HOME/bin:$PATH"
+          ./hack/helpers/install-tools.sh
           # Start buildkit
           bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
           # Sanity check

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
 .DS_Store
 /.idea
-*/cache/*
-cache
+cache/
+/xxx-*
diff --git a/Dockerfile.auditor b/Dockerfile.auditor
@@ -1,5 +1,5 @@
-ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
-ARG           FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692
+ARG           FROM_REGISTRY=docker.io/dubodubonduponey
+ARG           FROM_IMAGE_RUNTIME=debian:bookworm-2024-03-01
 
 # XXX a new experimental image meant for auditing shit
 FROM          $FROM_REGISTRY/$FROM_IMAGE_RUNTIME                                                                        AS auditor
@@ -12,19 +12,19 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=NETRC \
               --mount=type=secret,id=APT_SOURCES \
               --mount=type=secret,id=APT_CONFIG \
-              packages=(); \
-              for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \
+              for architecture in arm64 amd64; do \
                 dpkg --add-architecture "$architecture"; \
-                packages+=(libc6:"$architecture"=2.31-13); \
               done; \
               apt-get update -qq; \
               apt-get install -qq --no-install-recommends \
-                curl=7.74.0-1.3+b1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \
-                procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \
-                dnsutils=1:9.16.15-1 iputils-ping=3:20210202-1 \
-                lynis=3.0.2-1 devscripts=2.21.3; \
-              apt-get install -qq --no-install-recommends \
-                "${packages[@]}"; \
+                curl=7.88.1-10+deb12u5 file=1:5.44-3 binutils=2.40-2 schroot=1.6.13-3+b2 patchelf=0.14.3-1+b1 \
+                procps=2:4.0.2-3 iproute2=6.1.0-3 libcap2-bin=1:2.66-4 \
+                dnsutils=1:9.18.24-1 iputils-ping=3:20221126-1 \
+                lynis=3.0.8-1.1 devscripts=2.23.4+deb12u1; \
+              for architecture in arm64 amd64; do \
+                apt-get install -qq --no-install-recommends \
+                  libc6:"$architecture"=2.36-9+deb12u4; \
+              done; \
               apt-get -qq autoremove; \
               apt-get -qq clean; \
               rm -rf /var/lib/apt/lists/*; \

diff --git a/Dockerfile.builder b/Dockerfile.builder
@@ -1,5 +1,5 @@
-ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
-ARG           FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692
+ARG           FROM_REGISTRY=docker.io/dubodubonduponey
+ARG           FROM_IMAGE_RUNTIME=debian:bookworm-2024-03-01
 
 #######################
 # Actual "builder" image
@@ -31,24 +31,28 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=NETRC \
               --mount=type=secret,id=APT_SOURCES \
               --mount=type=secret,id=APT_CONFIG \
-              packages=(); \
-              for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \
+              for architecture in arm64 amd64; do \
                 dpkg --add-architecture "$architecture"; \
-                packages+=(crossbuild-essential-"$architecture"=12.9 musl-dev:"$architecture"=1.2.2-1 musl:"$architecture"=1.2.2-1 libc6:"$architecture"=2.31-13 libc6-dev:"$architecture"=2.31-13); \
               done; \
               apt-get update -qq; \
               apt-get install -qq --no-install-recommends \
                 build-essential=12.9 \
-                autoconf=2.69-14 \
-                automake=1:1.16.3-2 \
-                libtool=2.4.6-15 \
-		            pkg-config=0.29.2-1 \
+                autoconf=2.71-3 \
+                automake=1:1.16.5-1.3 \
+                libtool=2.4.7-5 \
+		            pkg-config=1.8.1-1 \
                 jq=1.6-2.1 \
-                curl=7.74.0-1.3+b1 \
-                ca-certificates=20210119 \
-                git=1:2.30.2-1; \
-              apt-get install -qq --no-install-recommends \
-                "${packages[@]}"; \
+                curl=7.88.1-10+deb12u5 \
+                ca-certificates=20230311 \
+                git=1:2.39.2-1.1; \
+              for architecture in arm64 amd64; do \
+                apt-get install -qq --no-install-recommends \
+                  crossbuild-essential-"$architecture"=12.9 \
+                  musl-dev:"$architecture"=1.2.3-1 \
+                  musl:"$architecture"=1.2.3-1 \
+                  libc6:"$architecture"=2.36-9+deb12u4 \
+                  libc6-dev:"$architecture"=2.36-9+deb12u4; \
+              done; \
               apt-get -qq autoremove; \
               apt-get -qq clean; \
               rm -rf /var/lib/apt/lists/*; \
@@ -62,7 +66,7 @@ RUN           git config --global advice.detachedHead false
 # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime)
 # ADD           ./cache/overlay.tar /
 
-ENV           GOLANG_VERSION=1.16.7
+ENV           GOLANG_VERSION=1.21.8
 
 ADD           ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current
 
@@ -146,8 +150,8 @@ FROM          $FROM_REGISTRY/$FROM_IMAGE_RUNTIME
 ARG           TARGETPLATFORM
 
 # Add node
-ENV           NODE_VERSION=14.17.6
-ENV           YARN_VERSION=1.22.5
+ENV           NODE_VERSION=20.11.1
+ENV           YARN_VERSION=1.22.22
 
 ADD           ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt
 ADD           ./cache/$TARGETPLATFORM/yarn-$YARN_VERSION.tar.gz /opt
@@ -205,7 +209,7 @@ ENV           GOPATH=/build/golang-current/source
 ENV           GOROOT=/build/golang-current/go
 ENV           PATH=$GOPATH/bin:$GOROOT/bin:$PATH
 
-ENV           GOLANG_VERSION=1.16.7
+ENV           GOLANG_VERSION=1.21.8
 
 ADD           ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current
 
@@ -245,9 +249,9 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=APT_CONFIG \
               apt-get update -qq; \
               apt-get install -qq --no-install-recommends \
-                curl=7.74.0-1.3+b1 \
-                ca-certificates=20210119 \
-                git=1:2.30.2-1; \
+                curl=7.88.1-10+deb12u5 \
+                ca-certificates=20230311 \
+                git=1:2.39.2-1.1; \
               apt-get -qq autoremove; \
               apt-get -qq clean; \
               rm -rf /var/lib/apt/lists/*; \

diff --git a/Dockerfile.downloader b/Dockerfile.downloader
@@ -1,5 +1,5 @@
-ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
-ARG           FROM_IMAGE_BUILDER=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692
+ARG           FROM_REGISTRY=docker.io/dubodubonduponey
+ARG           FROM_IMAGE_BUILDER=debian:bookworm-2024-03-01
 
 #######################
 # Downloader is here only to retrieve and validate upstream tarballs
@@ -8,26 +8,13 @@ FROM          $FROM_REGISTRY/$FROM_IMAGE_BUILDER
 
 ARG           BUILD_CREATED="1976-04-14T17:00:00-07:00"
 
-ENV           NODE_VERSION=14.17.6
-ENV           YARN_VERSION=1.22.5
+ENV           NODE_VERSION=20.11.1
+ENV           YARN_VERSION=1.22.22
 
-ENV           GOLANG_VERSION 1.16.7
-ENV           GOLANG_LINUX_AMD64_SHA512 349f846599ca816f95f57adc41f789fdd6ade0ffcd325076de4fc3dcf06c72ae1474170ed5760e505a54a3ab10b1aa65d127f14a63cba27dec6672a1bcd2fbc6
-ENV           GOLANG_LINUX_ARM64_SHA512 e575baeeb848a87511566bfbf385b57b75bed67d22b1c799141e876775e5f339c06d0eb021509501f323a3b98807b510455e5202c3433cfdc4b7a057a3c5171b
-ENV           GOLANG_LINUX_ARM_V7_SHA512 d36259ccba93e4bef4c566f7c59998fba4108ab32c2c897524add88c092e5f39345091661a425d67f6c8c7dfe4246bf7e416ab8477302f4bc706249180ccfd4e
-ENV           GOLANG_LINUX_ARM_V6_SHA512 d36259ccba93e4bef4c566f7c59998fba4108ab32c2c897524add88c092e5f39345091661a425d67f6c8c7dfe4246bf7e416ab8477302f4bc706249180ccfd4e
-ENV           GOLANG_LINUX_386_SHA512 66b0dc8f5f3afcd838656e49470f257613089489994d70eab61f23ffa548d967bdf8c185480a3c595cb3f50e56ae087a43bbc31b0d7ba6cccaac3a7b65d2a24a
-ENV           GOLANG_LINUX_S390X_SHA512 154f3f478fd526c0b3a1b6ba24f0080096e7f46e07b8cfa25a19842127464984771cc060d734b5d2a7a66ee8d8a2f0ee5c23a2529436fac3e2789e6363a65b3c
-ENV           GOLANG_LINUX_PPC64LE_SHA512 f8822a0a127e2dfc194d90485bd5fae82db46269277a55a583113e8e714ea9e80c421347d7d31dcf9ff34f7ddfc1da18242eb66f9c844406d56c7ea59bb29c23
-
-#ENV           GOLANG_OLD_VERSION 1.15.13
-#ENV           GOLANG_OLD_LINUX_AMD64_SHA512 866aa22f9ecdba3c250f206d71ced5857aee67bf8da470b68447c11488dc80e243e985c9baeedf56476ddc113320bf0ed5efe8453bd3da071c4aa3abb58e142d
-#ENV           GOLANG_OLD_LINUX_ARM64_SHA512 362499cd4640bd7a9a7358afbcdd89783c0af5ac2a2209a37e8f15dc2e1392fa1d4704ec33cdf28fa00c09a13b36568e639634b8fa89b958ee7fa9237f1f3e93
-#ENV           GOLANG_OLD_LINUX_ARM_V7_SHA512 26eff19aeef922554f6582767488182bf16e3278e0c124f6d0c6524db441465b6c1432976c4c6e88b84a2aab385280e1dd374428c2ac0070806593e108f2ad54
-#ENV           GOLANG_OLD_LINUX_ARM_V6_SHA512 26eff19aeef922554f6582767488182bf16e3278e0c124f6d0c6524db441465b6c1432976c4c6e88b84a2aab385280e1dd374428c2ac0070806593e108f2ad54
-#ENV           GOLANG_OLD_LINUX_386_SHA512 6c92732fb2ce75b084cb925e9813d45d626cae8193a1fa4a8f057e65bef1ff6bb64ac68d417dedae51ebae1182b54fb9365ac82dcc42751b2fc697aad015625a
-#ENV           GOLANG_OLD_LINUX_S390X_SHA512 0739486667d6a9ea9514dce309afb28a38505ae49337fc3223dcff038685858afbe1f507b6d4d4b89872874e01d01ceac7f0f814f439fbdf4734a212188ee4c9
-#ENV           GOLANG_OLD_LINUX_PPC64LE_SHA512 c8a7de65d4f633ee7c058070c6ebd01c3ebcfc9119e2371d18bb775b72b1961c705579df59c69c781eba29b0bbec901080c296ea568a12b610f70c65e2109cf4
+ENV           GOLANG_VERSION 1.21.8
+ENV           GOLANG_LINUX_AMD64_SHA512 c22d4623dede427057852ef939e593f6ed86b2a873f1cf7cc76bf52713df1e9df5c6dfde98a3185c633eb51a382118d4fc59dd29fd42a6c15123f93cbb0442ea
+ENV           GOLANG_LINUX_ARM64_SHA512 847bc80817d1e55f39d03a18259826167ef7fda50596427266015c30555f07d2cc799bf1ccca0ed5d3d5126b3c23fa23c1f7e7fb29990206b00407e79140f25f
+ENV           GOLANG_LINUX_ARM_V7_SHA512 b3c2ae224c3f3c2c555fb618a7921188fdf024f33cc7199ec956a9827af6c663b7ada6ef226eb82646dcbdd01e772f3c72569d6560912528c27dbbedb51d3bc7
 
 ENV           FAIL_WHEN_OUTDATED=true
 
@@ -40,12 +27,11 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=APT_SOURCES \
               --mount=type=secret,id=APT_CONFIG \
               apt-get update -qq; \
-              apt-cache show curl gnupg dirmngr ca-certificates; \
               apt-get install -qq --no-install-recommends \
-                curl=7.74.0-1.3+b1 \
-                gnupg=2.2.27-2 \
-                dirmngr=2.2.27-2 \
-                ca-certificates=20210119
+                curl=7.88.1-10+deb12u5 \
+                gnupg=2.2.40-1.1 \
+                dirmngr=2.2.40-1.1 \
+                ca-certificates=20230311
 
 COPY          ./scripts /scripts
 

diff --git a/Dockerfile.runtime b/Dockerfile.runtime
@@ -1,6 +1,6 @@
-ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
-ARG           FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692
-ARG           FROM_IMAGE_BUILDER=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692
+ARG           FROM_REGISTRY=docker.io/dubodubonduponey
+ARG           FROM_IMAGE_RUNTIME=debian:bookworm-2024-03-01
+ARG           FROM_IMAGE_BUILDER=debian:bookworm-2024-03-01
 
 #######################
 # Overlay
@@ -23,7 +23,7 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=APT_CONFIG \
               apt-get update -qq; \
               apt-get install -qq --no-install-recommends \
-                ca-certificates=20210119
+                ca-certificates=20230311
 
 RUN           update-ca-certificates
 
@@ -52,6 +52,24 @@ COPY          --from=overlay-builder /overlay.tar /overlay.tar
 #######################
 FROM          $FROM_REGISTRY/$FROM_IMAGE_RUNTIME                                                                        AS runtime
 
+RUN           --mount=type=secret,uid=100,id=CA \
+              --mount=type=secret,uid=100,id=CERTIFICATE \
+              --mount=type=secret,uid=100,id=KEY \
+              --mount=type=secret,uid=100,id=GPG.gpg \
+              --mount=type=secret,id=NETRC \
+              --mount=type=secret,id=APT_SOURCES \
+              --mount=type=secret,id=APT_CONFIG \
+              apt-get update -qq && \
+              apt-get install -qq --no-install-recommends bash-static=5.2.15-2+b2 && \
+              mkdir -p /boot/bin && \
+              cp /bin/bash-static /boot/bin/bash && \
+              apt-get -qq purge bash-static && \
+              apt-get -qq autoremove      && \
+              apt-get -qq clean           && \
+              rm -rf /var/lib/apt/lists/* && \
+              rm -rf /tmp/*               && \
+              rm -rf /var/tmp/*
+
 # We use this to set mtime on newly created folders
 ARG           BUILD_CREATED="1976-04-14T17:00:00-07:00"
 
@@ -154,4 +172,16 @@ ONBUILD RUN   [ "$BUILD_UID" == "2000" ] || { \
 # Finally downgrade to system user
 ONBUILD USER  dubo-dubon-duponey
 
-ENTRYPOINT  ["/boot/entrypoint.sh"]
+# Disable weak cryptography in GNUTLS
+ENV           GNUTLS_FORCE_FIPS_MODE=1
+
+# https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+ENV           XDG_DATA_HOME=/data
+ENV           XDG_DATA_DIRS=/data
+ENV           XDG_CONFIG_HOME=/tmp/config
+ENV           XDG_CONFIG_DIRS=/config
+ENV           XDG_RUNTIME_DIR=/tmp/runtime
+ENV           XDG_STATE_HOME=/tmp/state
+ENV           XDG_CACHE_HOME=/tmp/cache
+
+ENTRYPOINT    ["/boot/entrypoint.sh"]
diff --git a/README.md b/README.md
@@ -1,48 +1,62 @@
 # Base images
 
-Provides base images (builder and runtime) used by all our images.
+Provides base images (builder, auditor, golang, node, runtime) used by all our images.
 
-Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le:
+Currently, on linux amd64, arm64:
 
-* `dubodubonduponey/base:runtime-latest` and `dubodubonduponey/base:runtime-$SUITE-$DATE`
-  * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-08-01`)
+* `docker.io/dubodubonduponey/base:runtime-latest` and `docker.io/dubodubonduponey/base:runtime-$SUITE-$DATE`
+  * based on our debootstrapped version of Debian Bookworm (currently `DATE=2024-03-01`)
   * labels
   * ca-certificates copied over
   * ONBUILD instructions to copy over runtime folders
   * user creation
   * entrypoint definition
-* `dubodubonduponey/base:builder-latest` and `dubodubonduponey/base:builder-$SUITE-$DATE`
-  * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-08-01`)
-  * golang, python, and essential dev & build tools
-* `dubodubonduponey/base:node-latest` and `dubodubonduponey/base:node-$SUITE-$DATE`
+* `docker.io/dubodubonduponey/base:builder-latest` and `docker.io/dubodubonduponey/base:builder-$SUITE-$DATE`
+  * based on our debootstrapped version of Debian Bookworm (currently `DATE=2024-03-01`)
+  * golang, python, and essential cross compilation dev & build tools
+* `docker.io/dubodubonduponey/base:node-latest` and `docker.io/dubodubonduponey/base:node-$SUITE-$DATE`
   * +nodejs +yarnpkg
+* `docker.io/dubodubonduponey/base:golang-latest` and `docker.io/dubodubonduponey/base:golang-$SUITE-$DATE`
+  * just golang and git
+* `docker.io/dubodubonduponey/base:auditor-latest` and `docker.io/dubodubonduponey/base:auditor-$SUITE-$DATE`
+  * test and security hardening tools
 
 ## TL;DR
 
-```bash
+Point to your buildkit host or use the helper to start one
 
-# Download golang, node, yarn (once)
-./hack/build.sh downloader
+```bash
+export BUILDKIT_HOST=$(./hack/helpers/start-buildkit.sh 2>/dev/null)
+```
 
+```bash
 # Build the overlay
 ./hack/build.sh overlay
 
+# Download golang, node, yarn (once)
+./hack/build.sh downloader
+
 # Build and push the builders and runtime images
-./hack/build.sh builder --inject tags=registry.com/name/image:tag
-./hack/build.sh node --inject tags=registry.com/name/image:tag
-./hack/build.sh runtime --inject tags=registry.com/name/image:tag
+./hack/build.sh builder
+./hack/build.sh node
+./hack/build.sh golang
+./hack/build.sh runtime
+./hack/build.sh auditor
 ```
 
+Note that the above will by default try to push to `docker.io/dubodubonduponey/base`.
+Edit `recipe.cue`, or better, use an `env.cue` file (see [advanced](ADVANCED.md) for that) to control
+the push destination.
+
 ## Configuration
 
 You can control additional aspects of the build passing arguments:
 
-```
+```bash
 # Control base image, target platforms, and cache
 ./hack/build.sh runtime \
-  --inject from_image="ghcr.io/dubo-dubon-duponey/debian:bullseye-2021-08-01" \
-  --inject platforms="linux/arm/v6" \
-  --inject cache_base=type=registry,ref=somewhere.com/cache/foo
+  --inject platforms="linux/arm64" \
+  --inject registry="private.registry/yourname"
 ```
 
 ## Notes