
feat: NVSHAS-9490 support controller SLSA L3
1. Provide cross platform/standalone Dockerfile for controller
   and enforcer.
2. Release.yml to publish SLSA-capable artifacts
3. Make sure third-party checksums are verified.
4. Provide build target, test-image, build-image and push-image to sync
   with rancher.
5. Switch to golang:1.22 as its base image
holyspectral committed Dec 10, 2024
1 parent 1a48cd0 commit 8646aba
Showing 11 changed files with 496 additions and 1 deletion.
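--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,73 @@
+name: Release
+
+on:
+push:
+tags:
+- 'v*'
+
+jobs:
+
+publish:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+# write is needed for:
+# - OIDC for cosign's use in ecm-distro-tools/publish-image.
+# - Read vault secrets in rancher-eio/read-vault-secrets.
+id-token: write
+
+strategy:
+matrix:
+include:
+- target: controller
+rancher_target: neuvector-controller
+make-target: push-controller-image
+platforms: linux/amd64,linux/arm64
+- target: enforcer
+rancher_target: neuvector-enforcer
+make-target: push-enforcer-image
+platforms: linux/amd64,linux/arm64
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Load Secrets from Vault
+uses: rancher-eio/read-vault-secrets@main
+with:
+secrets: |
+secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+- name: Get controller
+env:
+GH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+run: |
+gh release download ${{ github.ref_name }} -D controller/ -p controller-amd64 -R neuvector/neuvector-private
+gh release download ${{ github.ref_name }} -D controller/ -p controller-arm64 -R neuvector/neuvector-private
+gh release download ${{ github.ref_name }} -D controller/ -p sha256sum-controller-amd64 -R neuvector/neuvector-private
+gh release download ${{ github.ref_name }} -D controller/ -p sha256sum-controller-arm64 -R neuvector/neuvector-private
+cd controller
+cat sha256sum-controller-amd64 | sha256sum --check
+cat sha256sum-controller-arm64 | sha256sum --check
+- name: Publish manifest
+uses: rancher/ecm-distro-tools/actions/publish-image@master
+with:
+image: ${{ matrix.rancher_target }}
+tag: ${{ github.ref_name }}
+platforms: ${{ matrix.platforms }}
+make-target: ${{ matrix.make-target }}
+
+public-registry: docker.io
+public-repo: neuvector
+public-username: ${{ env.DOCKER_USERNAME }}
+public-password: ${{ env.DOCKER_PASSWORD }}
+
+prime-registry: ${{ env.PRIME_REGISTRY }}
+prime-repo: rancher
+prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}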
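Review bot: Both third-party actions in the publish job are pinned to mutable branches (`rancher-eio/read-vault-secrets@main`, `rancher/ecm-distro-tools/actions/publish-image@master`) while the job holds `id-token: write` and the registry credentials; for a release pipeline meant to reach SLSA L3 these should be pinned to a full commit SHA so the action code that handles the secrets cannot change underneath a tag build. The `sha256sum --check` in "Get controller" verifies the binaries against checksum files downloaded from the same release in the same step, so it catches transfer corruption but not a substituted release asset; an expected digest held independently of that release (or provenance verification of the downloaded artifacts) is needed for the latter. The "Get controller" step also appears to run unconditionally for the `enforcer` matrix entry, which presumably only needs those files if `Dockerfile.enforcer` consumes them; a comment saying so, or `if: matrix.target == 'controller'` on the step, would make the intent clear.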
85 changes: 85 additions & 0 deletions Makefile
@@ -1,3 +1,4 @@
# Legacy Makefile. Keep for backward compatibility
.PHONY: fleet

STAGE_DIR = stage
Expand Down Expand Up @@ -151,3 +152,87 @@ fleet:
@echo "Making $@ ..."
@docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG}
@docker run --rm -ia STDOUT --name build -e NV_BUILD_TARGET=$(NV_BUILD_TARGET) --net=none -v $(CURDIR):/go/src/github.com/neuvector/neuvector -w /go/src/github.com/neuvector/neuvector --entrypoint ./make_fleet.sh neuvector/build_fleet:${BUILD_IMAGE_TAG}

# Newer Makefile

RUNNER := docker
IMAGE_BUILDER := $(RUNNER) buildx
MACHINE := neuvector
BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max --cache-to type=gha --cache-from type=gha
DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64

COMMIT = $(shell git rev-parse --short HEAD)
ifeq ($(VERSION),)
# Define VERSION, which is used for image tags or to bake it into the
# compiled binary to enable the printing of the application version,
# via the --version flag.
CHANGES = $(shell git status --porcelain --untracked-files=no)
ifneq ($(CHANGES),)
DIRTY = -dirty
endif

COMMIT = $(shell git rev-parse --short HEAD)
VERSION = $(COMMIT)$(DIRTY)

GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)

# Override VERSION with the Git tag if the current HEAD has a tag pointing to
# it AND the worktree isn't dirty.
ifneq ($(GIT_TAG),)
ifeq ($(DIRTY),)
VERSION = $(GIT_TAG)
endif
endif
endif

ifeq ($(TAG),)
TAG = $(VERSION)
ifneq ($(DIRTY),)
TAG = dev
endif
endif

TARGET_PLATFORMS ?= linux/amd64,linux/arm64
REPO ?= neuvector
CONTROLLER_IMAGE = $(REPO)/controller:$(TAG)
ENFORCER_IMAGE = $(REPO)/enforcer:$(TAG)
BUILD_ACTION = --load

buildx-machine:
docker buildx ls
@docker buildx ls | grep $(MACHINE) || \
docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)

test-controller-image:
# Instead of loading image, target all platforms, effectivelly testing
# the build for the target architectures.
$(MAKE) build-controller-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"

build-controller-image: buildx-machine ## build (and load) the container image targeting the current platform.
$(IMAGE_BUILDER) build -f package/Dockerfile.controller \
--builder $(MACHINE) $(IMAGE_ARGS) \
--build-arg VERSION=$(VERSION) -t "$(CONTROLLER_IMAGE)" $(BUILD_ACTION) .
@echo "Built $(CONTROLLER_IMAGE)"

push-controller-image: buildx-machine
$(IMAGE_BUILDER) build -f package/Dockerfile.controller \
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-controller:$(TAG)" --push .
@echo "Pushed $(REPO)/controller:$(TAG)"

test-enforcer-image:
# Instead of loading image, target all platforms, effectivelly testing
# the build for the target architectures.
$(MAKE) build-enforcer-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"

build-enforcer-image: buildx-machine ## build (and load) the container image targeting the current platform.
$(IMAGE_BUILDER) build -f package/Dockerfile.enforcer \
--builder $(MACHINE) $(IMAGE_ARGS) \
--build-arg VERSION=$(VERSION) -t "$(ENFORCER_IMAGE)" $(BUILD_ACTION) .
@echo "Built $(ENFORCER_IMAGE)"

push-enforcer-image: buildx-machine
$(IMAGE_BUILDER) build -f package/Dockerfile.enforcer \
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-enforcer:$(TAG)" --push .
@echo "Pushed $(REPO)/enforcer:$(TAG)"
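Review bot: `DEFAULT_PLATFORMS` used by `buildx-machine` lists `linux/x390s`, which looks like a typo for `linux/s390x`, so the builder is created with a platform that does not exist. The push recipes tag `$(REPO)/neuvector-controller:$(TAG)` and `$(REPO)/neuvector-enforcer:$(TAG)` but then echo `Pushed $(REPO)/controller:$(TAG)` / `Pushed $(REPO)/enforcer:$(TAG)`, so the log names an image other than the one actually published; the echo lines should print the pushed reference. None of the new targets are declared phony (the existing `.PHONY` line covers only `fleet`), so a stray file named e.g. `test-controller-image` would silently make that target up to date; add `.PHONY: buildx-machine test-controller-image build-controller-image push-controller-image test-enforcer-image build-enforcer-image push-enforcer-image`. `COMMIT = $(shell git rev-parse --short HEAD)` is assigned recursively and repeated inside the `ifeq ($(VERSION),)` block, so git is re-run on every expansion; a single `COMMIT := $(shell git rev-parse --short HEAD)` is enough.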
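--- a/package/Dockerfile.controller
+++ b/package/Dockerfile.controller
@@ -0,0 +1,89 @@
+#
+# Builder
+#
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ARG VERSION
+
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+# Setup build dependencies
+RUN zypper install -y pcre-devel
+
+# Build controller
+COPY agent/ /src/agent
+COPY controller/ /src/controller
+COPY db/ /src/db
+COPY monitor/ /src/monitor
+COPY package/ /src/package
+COPY tools/ /src/tools
+COPY share/ /src/share
+COPY scripts/ /src/scripts
+COPY templates/ /src/templates
+COPY upgrader/ /src/upgrader
+COPY vendor /src/vendor
+COPY go.mod go.sum base.h defs.h genlic.sh /src/
+WORKDIR /src
+RUN sed -i -e 's/interim.*xxxx/'"${VERSION:1}"'/g' ./controller/version.go
+RUN bash package/build_controller.sh
+
+#
+# Base image
+#
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY --from=micro / /chroot/
+
+RUN zypper --non-interactive install --no-recommends unzip
+
+# Runtime dependencies
+RUN zypper refresh && zypper --non-interactive --installroot /chroot install --no-recommends \
+ca-certificates iproute2 ethtool lsof procps curl jq iptables grep tar awk libpcre2-posix3 && \
+zypper --non-interactive --installroot /chroot clean -a && \
+rm -rf /chroot/var/log/
+
+RUN touch /chroot/usr/local/bin/.nvcontainer
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/
+
+COPY package/deps /deps/
+
+ARG CONSUL_VERSION=1.20.1
+RUN curl -fL https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_${TARGETOS}_${TARGETARCH}.zip -o consul.zip \
+&& cat /deps/${TARGETOS}_${TARGETARCH}/consul.checksum | sha256sum --check --status && unzip consul.zip -d /chroot/usr/local/bin/
+
+ARG OPA_VERSION=v0.69.0
+RUN curl -fL https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_${TARGETOS}_${TARGETARCH}_static -o opa \
+&& cat /deps/${TARGETOS}_${TARGETARCH}/opa.checksum | sha256sum --check --status && chmod +x opa && mv opa /chroot/usr/local/bin
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+#
+# Artifact
+#
+FROM micro
+ARG VERSION
+ARG COMMIT
+WORKDIR /
+COPY --from=base /chroot/ /
+COPY --from=builder /src/stage /
+
+
+LABEL "name"="controller" \
+"vendor"="SUSE Security" \
+"neuvector.image"="neuvector/controller" \
+"neuvector.role"="controller" \
+"neuvector.rev"="${COMMIT}" \
+"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+"io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/neuvector/${VERSION}/README.md" \
+"org.opencontainers.image.description"="SUSE Security Controller" \
+"org.opencontainers.image.title"="SUSE Security Controller" \
+"org.opencontainers.image.source"="https://github.com/neuvector/neuvector/" \
+"org.opencontainers.image.version"="${VERSION}" \
+"org.opensuse.reference"="neuvector/controller:${VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/monitor", "-c"]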
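Review bot: The coreutils cleanup in the base stage lists `tiemout`, so `timeout` survives in `/chroot/usr/bin` and ends up in the final image while the rest of the list is removed; the entry should read `timeout`. The `sed` on `controller/version.go` uses `${VERSION:1}` to drop a leading `v`, which assumes VERSION is always a tag: when the Makefile falls back to the short commit hash for an untagged or dirty tree, the first hex digit is chopped instead, and `${VERSION:1}` is a bash substring expansion that relies on `/bin/sh` in the builder image being bash; `VERSION="${VERSION#v}"` is POSIX and strips only a literal `v`. The Consul and OPA downloads are checked against checksums kept in `package/deps`, which is the right shape; a comment next to `ARG CONSUL_VERSION` / `ARG OPA_VERSION` saying that bumping either requires updating the matching checksum file (the build otherwise fails closed) would spare the next maintainer a confusing failure.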
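--- a/package/Dockerfile.enforcer
+++ b/package/Dockerfile.enforcer
@@ -0,0 +1,95 @@
+#
+# Builder
+#
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ARG VERSION
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN zypper ref && \
+zypper install -y --no-recommends gcc13 gcc13-c++ make glibc-devel glibc-devel-static \
+automake autoconf libtool libpcap-devel pcre-devel pcre2-devel curl wget zip git \
+libnfnetlink-devel libnetfilter_queue-devel libmnl-devel liburcu-devel libjansson-devel \
+jemalloc-devel && \
+update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-13 10 && \
+update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-13 10
+
+# Install hyperscan
+RUN zypper addrepo https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/isv:SUSE:neuvector.repo && \
+rpm --import https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/repodata/repomd.xml.key && \
+zypper --non-interactive refresh && \
+zypper install -y libhs5-vectorscan5 vectorscan-devel
+
+ENV GOPATH=/go
+ENV DEBIAN_FRONTEND=noninteractive
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+COPY . /src
+WORKDIR /src
+RUN sed -i -e 's/interim.*xxxx/'"${VERSION:1}"'/g' ./agent/version.go
+RUN bash package/build_enforcer.sh
+
+#
+# Base image
+#
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN zypper -n in --no-recommends unzip
+
+COPY --from=micro / /chroot/
+RUN zypper refresh && zypper --installroot /chroot -n in --no-recommends \
+ca-certificates iproute2 ethtool lsof procps curl jq iptables grep tar awk tcpdump sed kmod wget unzip \
+libnetfilter_queue-devel liburcu-devel libpcap-devel pcre2-devel libjansson-devel libmnl-devel jemalloc-devel
+
+# Install yq and vectorscan
+RUN zypper addrepo https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/isv:SUSE:neuvector.repo && \
+rpm --import https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/repodata/repomd.xml.key && \
+zypper -n refresh && \
+zypper --installroot /chroot install -y yq libhs5-vectorscan5 vectorscan-devel
+
+RUN zypper --installroot /chroot clean -a && \
+rm -rf /chroot/var/log/
+
+RUN touch /chroot/usr/local/bin/.nvcontainer && mkdir -p /chroot/etc/neuvector/certs/internal/
+
+COPY package/deps /deps/
+
+ARG CONSUL_VERSION=1.20.1
+RUN curl -fL https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_${TARGETARCH}.zip -o consul.zip \
+&& cat /deps/${TARGETOS}_${TARGETARCH}/consul.checksum | sha256sum --check --status && unzip consul.zip -d /chroot/usr/local/bin/
+
+RUN cd /usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+#
+# Artifact
+#
+FROM micro
+
+ARG COMMIT
+ARG VERSION
+
+WORKDIR /
+COPY --from=base /chroot/ /
+COPY --from=builder /src/stage /
+
+RUN ln -s /usr/lib64/libpcap.so /usr/lib64/libpcap.so.0.8
+
+LABEL "name"="enforcer" \
+"vendor"="SUSE Security" \
+"neuvector.image"="neuvector/enforcer" \
+"neuvector.role"="enforcer" \
+"neuvector.rev"="${COMMIT}" \
+"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+"io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/neuvector/${VERSION}/README.md" \
+"org.opencontainers.image.description"="SUSE Security Enforcer" \
+"org.opencontainers.image.title"="SUSE Security Enforcer" \
+"org.opencontainers.image.source"="https://github.com/neuvector/neuvector/" \
+"org.opencontainers.image.version"="${VERSION}" \
+"org.opensuse.reference"="neuvector/enforcer:${VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/monitor", "-r"]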
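Review bot: The binary-stripping step in the base stage runs `cd /usr/bin/` instead of `cd /chroot/usr/bin/` as `Dockerfile.controller` does, so it deletes tools from the throwaway base stage and leaves `/chroot/usr/bin` — the tree that `COPY --from=base /chroot/ /` places in the final image — untouched, and the enforcer image keeps every binary on that list; the same line also carries the `tiemout` typo for `timeout`. The runtime chroot is populated with several `-devel` packages (`libnetfilter_queue-devel`, `liburcu-devel`, `libpcap-devel`, `pcre2-devel`, `libjansson-devel`, `libmnl-devel`, `jemalloc-devel`, `vectorscan-devel`) that ship headers and unversioned `.so` symlinks a runtime image does not need; if the plain shared-library packages suffice the image shrinks, though the `ln -s /usr/lib64/libpcap.so …` in the final stage currently depends on the devel symlink, so that needs checking before swapping. `COPY . /src` pulls the entire build context into the builder, unlike the explicit directory list in `Dockerfile.controller`; a `.dockerignore` or the same explicit list keeps `.git` and unrelated files out of the build and the layer cache.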
