From 4e1072f987b74839c04146e528464b2016903717 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 20 Nov 2023 09:59:01 +0000
Subject: [PATCH 1/6] feat: add non-root user to container

---
 .devcontainer/Dockerfile | 14 +++++++++++++-
 .trivyignore             |  7 -------
 test/testsuite.bats      |  4 ++--
 3 files changed, 15 insertions(+), 10 deletions(-)
 delete mode 100644 .trivyignore

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 42cd02e4..fc772050 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,5 +1,9 @@
 FROM ubuntu@sha256:2b7412e6465c3c7fc5bb21d3e6f1917c167358449fecac8176c6e496e5c1f05f
 
+ARG USERNAME=amp
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
 ARG BATS_VERSION=1.10.0
 ARG CCACHE_VERSION=4.8.3
 ARG CLANG_VERSION=16
@@ -12,6 +16,10 @@ ARG DEBIAN_FRONTEND=noninteractive
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+# Add a non-root user
+RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
+    && useradd --uid "${USER_UID}" --gid "${USER_GID}" --shell /bin/bash -m "${USERNAME}"
+
 # Install the base system with all tool dependencies
 COPY .devcontainer/apt-requirements-base.json /tmp/apt-requirements-base.json
 # hadolint ignore=DL3008
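Review bot: The new `RUN groupadd --gid "${USER_GID}" "${USERNAME}" && useradd --uid "${USER_UID}" …` step assumes uid/gid 1000 are free in the base image; that holds for the digest pinned above, but Ubuntu 24.04 images ship a default `ubuntu` account at uid/gid 1000, and a developer passing their own host uid through the build args can collide the same way, in which case groupadd/useradd abort the build with an unhelpful error. A guard such as `getent group "${USER_GID}" >/dev/null || groupadd --gid "${USER_GID}" "${USERNAME}"` (and the matching `getent passwd "${USER_UID}"` check before useradd) keeps the ARGs usable across base-image bumps; alternatively remove a pre-existing account for that uid first and say so in the comment. The `# Add a non-root user` comment could also state that nothing here grants the account sudo, if that is intended, so later package installs have to go through a rebuild.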
@@ -85,7 +93,9 @@ RUN batstmp="$(mktemp -d /tmp/bats-core-${BATS_VERSION}.XXXX)" \
     && git -C /usr/local clone -b v2.1.0 https://github.com/bats-core/bats-assert.git
 
 # Install xwin
-RUN wget -qO - "https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl.tar.gz" | tar -xzv -C /usr/local/bin --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin"
+RUN wget -qO - "https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl.tar.gz" | tar -xzv -C /usr/local/bin --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin" \
+    && mkdir /winsdk
+    && chown "${USER_UID}:${USER_GID}" /winsdk
 
 # Update all tool alternatives to the correct version
 RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-12 20 \
@@ -95,3 +105,5 @@ RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-12 20 \
     && update-alternatives --install /usr/bin/mull-runner mull-runner /usr/local/bin/mull-runner-${CLANG_VERSION} 10 \
     && update-alternatives --install /usr/lib/mull-ir-frontend mull-ir-frontend /usr/local/lib/mull-ir-frontend-${CLANG_VERSION} 10 \
     && update-alternatives --install /usr/bin/python python /usr/bin/python3 10
+
+USER "${USERNAME}"
diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index 565467de..00000000
--- a/.trivyignore
+++ /dev/null
@@ -1,7 +0,0 @@
-# See: https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/
-# We allow root access in our container that we use for development purposes
-DS002
-
-# See: https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0026/
-# We don't require a HEALTHCHECK for our devcontainer
-DS026
diff --git a/test/testsuite.bats b/test/testsuite.bats
index 6e6d67b1..8ac2d5c4 100644
--- a/test/testsuite.bats
+++ b/test/testsuite.bats
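Review bot: The `RUN wget -qO - … | tar -xzv …` line this hunk rewrites still pipes the xwin release tarball from GitHub straight into tar with no integrity check, so the whole step — including the new `mkdir /winsdk` and `chown` — is only as trustworthy as that download, while the base image at the top of the file is pinned by digest. Downloading to a file first, checking it against a pinned digest (one per architecture, since the URL uses `$(uname -m)`) with `echo "<EXPECTED_SHA256>  xwin.tar.gz" | sha256sum -c -`, and extracting only on success would bring this step in line with the rest of the Dockerfile. The `chown "${USER_UID}:${USER_GID}" /winsdk` correctly uses the numeric ids the ARGs supply rather than the name, so it does not depend on name resolution inside the build stage.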
@@ -16,11 +16,11 @@ setup_file() {
         xwin --accept-license splat --preserve-ms-arch-notation
     fi
 
-    cp -r .xwin-cache/splat/ /winsdk
+    cp -r .xwin-cache/splat/* /winsdk/
 }
 
 teardown_file() {
-    rm -rf .xwin-hash/ /winsdk
+    rm -rf .xwin-hash/ /winsdk/*
 }
 
 setup() {
From 6f606cb5730d7aa9126c015cbc5359f71204d982 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 20 Nov 2023 10:06:02 +0000
Subject: [PATCH 2/6] fix Dockerfile syntax

---
 .devcontainer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index fc772050..9d6a679e 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -94,7 +94,7 @@ RUN batstmp="$(mktemp -d /tmp/bats-core-${BATS_VERSION}.XXXX)" \
 
 # Install xwin
 RUN wget -qO - "https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl.tar.gz" | tar -xzv -C /usr/local/bin --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin" \
-    && mkdir /winsdk
+    && mkdir /winsdk \
     && chown "${USER_UID}:${USER_GID}" /winsdk
 
 # Update all tool alternatives to the correct version
From 98a27d1e73cfb0226b9b7b9970ac79d0fe9194e5 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 20 Nov 2023 10:17:37 +0000
Subject: [PATCH 3/6] Satisfy Trivy

---
 .devcontainer/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 9d6a679e..259efb43 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -16,6 +16,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+HEALTHCHECK none
+
 # Add a non-root user
 RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
     && useradd --uid "${USER_UID}" --gid "${USER_GID}" --shell /bin/bash -m "${USERNAME}"
From dca3784e6f068817f469ba749b82cc1c4c15b6b3 Mon Sep 17 00:00:00 2001
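Review bot: `cp -r .xwin-cache/splat/* /winsdk/` in setup_file relies on an unquoted glob: when splat/ is empty the literal `*` is passed and cp fails the whole file setup, and any dotfiles in splat/ are skipped; the matching `rm -rf .xwin-hash/ /winsdk/*` in teardown_file leaves such dotfiles behind for the next run. `cp -r .xwin-cache/splat/. /winsdk/` copies the directory contents without a glob, and `find /winsdk -mindepth 1 -delete` clears it completely, which matters now that /winsdk is created and chowned in the Dockerfile and presumably can no longer be removed and recreated by the non-root test user. setup_file begins before this hunk and setup() continues past its end.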
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 20 Nov 2023 10:19:50 +0000
Subject: [PATCH 4/6] Satisfy Hadolint

---
 .devcontainer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 259efb43..c88599d1 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -16,7 +16,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-HEALTHCHECK none
+HEALTHCHECK NONE
 
 # Add a non-root user
 RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
From 35d001917e0e57e0863ea92c08848498fb9e546f Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 20 Nov 2023 10:49:50 +0000
Subject: [PATCH 5/6] Fix test execution

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ecb037ba..a7d854c3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,7 +38,7 @@ jobs:
       - name: Run Tests
         run: |
           set -Eeuo pipefail
-          docker run --rm --mount type=bind,src="$(pwd)/test",dst=/ws -w /ws ${{ github.repository }}:test bats --formatter junit testsuite.bats | tee test-report.xml
+          docker run --rm --mount type=bind,src="$(pwd)/test",dst=/tmp/test -w /tmp/test ${{ github.repository }}:test bats --formatter junit testsuite.bats | tee test-report.xml
       - uses: EnricoMi/publish-unit-test-result-action@ca89ad036b5fcd524c1017287fb01b5139908408 # v2.11.0
         if: always()
         with:
From d03b54d9407e984a9722d020c8e94d4b928b8025 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 7 Dec 2023 15:00:09 +0000
Subject: [PATCH 6/6] chore: remove duplicate healtcheck

---
 .devcontainer/Dockerfile | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index bc4a44e0..bc0ea8a1 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
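Review bot: The rewritten `docker run` line only moves the bind mount and working directory from `/ws` to `/tmp/test`, and nothing in the workflow records why that path matters, so the next person touching this step is likely to revert it; a comment above the command such as `# The image runs as a non-root user; keep the test directory under /tmp where that user can write` would preserve the reasoning (adjust it if the real cause differs — it is not visible in this hunk). Note also that a bind mount keeps its host ownership, so if the runner's checkout is owned by a uid other than the container's 1000 the suite's writes into its working directory (the `.xwin-cache`/`.xwin-hash` paths seen in testsuite.bats) may still fail; if that turns out to be the case, building the test image with `USER_UID`/`USER_GID` set to the runner's ids is the straightforward fix.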
@@ -18,8 +18,6 @@ HEALTHCHECK NONE
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-HEALTHCHECK NONE
-
 # Add a non-root user
 RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
     && useradd --uid "${USER_UID}" --gid "${USER_GID}" --shell /bin/bash -m "${USERNAME}"