S-109339 Build product images for Redhat certification (#222)

Co-authored-by: Vedran Pugar <[email protected]>

applejack.py

@@ -43,6 +43,7 @@ def applejack():
 @applejack.command(help="Render the templates")
 @shared_opts
 @click.option('--commit', '-c', is_flag=True, help="Commit and tag the generated Dockerfiles.")
+@click.option('--skip_vulnerable_libs', '-s', is_flag=True, help="Remove from the image vulnerable libraries.")
 def render(**kwargs):
     renderer = Renderer(kwargs)
     for product in (kwargs['product'] or all_product_configs()):

applejack/conf/products/central-configuration.yml

@@ -6,6 +6,7 @@ dockerfiles:
     centos: centos/Dockerfile.j2
     amazonlinux: amazonlinux/Dockerfile.j2
     rhel: rhel/Dockerfile.j2
+    redhat: redhat/Dockerfile.j2
     ubuntu: ubuntu/Dockerfile.j2
 repositories:
   nexus: 'https://nexus.xebialabs.com/nexus/service/local/repositories/{repo}/content/ai/digital/config/central-configuration-server/{version}/{product}-server-{version}.zip'
@@ -22,9 +23,11 @@ context:
   license_server: https://download.xebialabs.com
   product: central-configuration
   product_name: Central configuration
+  product_info_url: https://digital.ai/products/deploy/
   product_description: Enterprise-scale Application Release Automation for any environment
   boot_conf: deployit.conf
   wrapper_conf: xlc-wrapper.conf.common
+  skip_vulnerable_libs: false
   central_config_files:
     - deploy-cluster.yaml
     - deploy-metrics.yaml

applejack/conf/products/deploy-task-engine.yml

@@ -3,6 +3,7 @@ dockerfiles:
   default: 'ubuntu'
   os:
     rhel: rhel/Dockerfile.j2
+    redhat: redhat/Dockerfile.j2
     debian-slim: debian-slim/Dockerfile.j2
     centos: centos/Dockerfile.j2
     amazonlinux: amazonlinux/Dockerfile.j2
@@ -21,10 +22,12 @@ context:
   license_server: https://download.xebialabs.com
   product: deploy-task-engine
   product_name: Deploy Worker
+  product_info_url: https://digital.ai/products/deploy/
   boot_conf: deployit.conf
   product_description: Enterprise-scale Application Release Automation for any environment
   license_file: deployit-license.lic
   wrapper_conf: xld-wrapper.conf.common
+  skip_vulnerable_libs: false
   port: 8180
   volumes:
     - "${APP_HOME}/conf"

applejack/conf/products/xl-deploy.yml

@@ -3,6 +3,7 @@ dockerfiles:
   default: 'ubuntu'
   os:
     rhel: rhel/Dockerfile.j2
+    redhat: redhat/Dockerfile.j2
     debian-slim: debian-slim/Dockerfile.j2
     centos: centos/Dockerfile.j2
     amazonlinux: amazonlinux/Dockerfile.j2
@@ -22,10 +23,12 @@ context:
   license_server: https://download.xebialabs.com
   product: xl-deploy
   product_name: XL Deploy
+  product_info_url: https://digital.ai/products/deploy/
   product_description: Enterprise-scale Application Release Automation for any environment
   license_file: deployit-license.lic
   boot_conf: deployit.conf
   wrapper_conf: xld-wrapper.conf.common
+  skip_vulnerable_libs: false
   conf_files:
     - xl-deploy.conf
   central_config_files:

applejack/conf/products/xl-release.yml

@@ -3,6 +3,7 @@ dockerfiles:
   default: 'ubuntu'
   os:
     rhel: rhel/Dockerfile.j2
+    redhat: redhat/Dockerfile.j2
     debian-slim: debian-slim/Dockerfile.j2
     centos: centos/Dockerfile.j2
     amazonlinux: amazonlinux/Dockerfile.j2
@@ -20,10 +21,12 @@ context:
   license_server: https://download.xebialabs.com
   product: xl-release
   product_name: XL Release
+  product_info_url: https://digital.ai/products/release/
   product_description: Automate, orchestrate and get visibility into your release pipelines — at enterprise scale
   license_file: xl-release-license.lic
   boot_conf: xl-release-server.conf
   wrapper_conf: xlr-wrapper-linux.conf
+  skip_vulnerable_libs: false
   conf_files:
   - xl-release.conf
   port: 5516

applejack/renderer.py

@@ -11,6 +11,7 @@ def __init__(self, commandline_args):
         self.commit = commandline_args['commit']
         self.registry = commandline_args['registry']
         self.version = commandline_args['xl_version']
+        self.skip_vulnerable_libs = commandline_args['skip_vulnerable_libs']
         self.image_version = image_version(commandline_args['xl_version'], commandline_args['suffix'])
 
     def __render_jinja_template(self, templates_path, template_file, target_file, context):
@@ -24,23 +25,26 @@ def __render_jinja_template(self, templates_path, template_file, target_file, co
     def render(self, target_os, product_conf):
         self.__generate_dockerfile(target_os, product_conf)
         for dir in product_conf['resources']['dirs']:
-            self.__copy_render_resources(dir, product_conf)
+            self.__copy_render_resources(dir, product_conf, target_os)
 
     def __generate_dockerfile(self, target_os, product_conf):
         target_path = self.__get_target_path(target_os, product_conf['name'])
-        context = self.__build_render_context(product_conf)
+        context = self.__build_render_context(product_conf, target_os)
         self.__render_jinja_template(Path('templates') / 'dockerfiles', product_conf['dockerfiles']['os'][target_os], target_path / 'Dockerfile', context)
         print("Dockerfile template for '%s' rendered" % target_os)
 
-    def __build_render_context(self, product_conf):
+    def __build_render_context(self, product_conf, target_os):
         context = dict(product_conf['context'])
         context['image_version'] = self.image_version
         context['xl_version'] = self.version
         context['registry'] = self.registry
+        if self.skip_vulnerable_libs:
+            context['skip_vulnerable_libs'] = self.skip_vulnerable_libs
+        context['target_os'] = target_os
         context['today'] = datetime.now().strftime('%Y-%m-%d')
         return context
 
-    def __copy_render_resources(self, source_dir, product_conf):
+    def __copy_render_resources(self, source_dir, product_conf, target_os):
         template_path = Path('templates') / 'resources'
         source_path = template_path / source_dir
         dest_path = target_path(product_conf['name'], self.version) / 'resources'
@@ -56,7 +60,7 @@ def __copy_render_resources(self, source_dir, product_conf):
             elif p.is_file() and '.j2' in p.suffixes:
                 # Render J2 template
                 render_dest = dest_path / relative.parent / relative.stem
-                context = self.__build_render_context(product_conf)
+                context = self.__build_render_context(product_conf, target_os)
                 self.__render_jinja_template(template_path, Path(source_dir) / relative, render_dest, context)
             elif p.is_file():
                 p.copy(dest_path / relative)

templates/dockerfiles/central-configuration/install.j2

@@ -39,11 +39,14 @@ RUN chmod +x /tmp/modify-wrapper-linux-conf.gawk && \
     mv /tmp/{{ wrapper_conf }} ${APP_HOME}/default-conf/{{ wrapper_conf }} && \
     rm /tmp/modify-wrapper-linux-conf.gawk
 
-
 # Set permissions
-RUN addgroup -S -g 10001 xebialabs
-RUN chgrp -R 10001 ${APP_ROOT} && \
+{%- if target_os == "redhat" %}
+RUN groupadd -r -g 10001 xebialabs && \
+{%- else %}
+RUN addgroup -S -g 10001 xebialabs && \
+{%- endif %}
+    chown -R 10001:10001 ${APP_ROOT} && \
     chmod -R g=u ${APP_ROOT} && \
+    chmod u+x ${APP_HOME}/bin/*.sh && \
     chmod g+x ${APP_HOME}/bin/*.sh && \
     chmod a+rwx ${APP_HOME}/centralConfiguration
-

templates/dockerfiles/deploy-task-engine/install.j2

@@ -6,7 +6,11 @@
 COPY resources/{{ product }}-{{ xl_version }}.zip /tmp
 RUN mkdir -p ${APP_ROOT} && \
     unzip /tmp/{{ product }}-{{ xl_version }}.zip -d ${APP_ROOT} && \
-    mv ${APP_ROOT}/{{ product }}-{{ xl_version }} ${APP_HOME}
+    mv ${APP_ROOT}/{{ product }}-{{ xl_version }} ${APP_HOME} && \
+{% if skip_vulnerable_libs %}
+    rm ${APP_HOME}/lib/derby*.jar && \
+{% endif %}
+    true
 
 # Add bin/run-in-container.sh
 COPY resources/bin/run-in-container.sh ${APP_HOME}/bin/
@@ -40,13 +44,17 @@ RUN chmod +x /tmp/modify-wrapper-linux-conf.gawk && \
 
 # Move plugins directory to default-plugins, so that when no external plugins are loaded we can use the default
 RUN mv ${APP_HOME}/plugins ${APP_HOME}/default-plugins && \
-    mkdir ${APP_HOME}/plugins
-
-# Create empty 'repository', 'work', 'export', 'archive' and 'reports' directory
-RUN mkdir ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports
+    mkdir ${APP_HOME}/plugins && \
+    # Create empty 'repository', 'work', 'export', 'archive' and 'reports' directory
+    mkdir ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports
 
 # Set permissions
-RUN addgroup -S -g 10001 xebialabs
-RUN chgrp -R 10001 ${APP_ROOT} && \
+{%- if target_os == "redhat" %}
+RUN groupadd -r -g 10001 xebialabs && \
+{%- else %}
+RUN addgroup -S -g 10001 xebialabs && \
+{%- endif %}
+    chown -R 10001:10001 ${APP_ROOT} && \
     chmod -R g=u ${APP_ROOT} && \
+    chmod u+x ${APP_HOME}/bin/*.sh && \
     chmod g+x ${APP_HOME}/bin/*.sh

templates/dockerfiles/deploy-task-engine/variables.j2

@@ -1,3 +1,4 @@
 # Set root folders
-ENV USER_UID=10001 APP_ROOT=/opt/xebialabs
-ENV APP_HOME=${APP_ROOT}/{{ product }}
+ENV USER_UID=10001 \ 
+    APP_ROOT=/opt/xebialabs \
+    APP_HOME=/opt/xebialabs/{{ product }}

templates/dockerfiles/install.j2

@@ -6,7 +6,12 @@
 COPY resources/{{ product }}-{{ xl_version }}-server.zip /tmp
 RUN mkdir -p ${APP_ROOT} && \
     unzip /tmp/{{ product }}-{{ xl_version }}-server.zip -d ${APP_ROOT} && \
-    mv ${APP_ROOT}/{{ product }}-{{ xl_version }}-server ${APP_HOME}
+    mv ${APP_ROOT}/{{ product }}-{{ xl_version }}-server ${APP_HOME} && \
+{%- if skip_vulnerable_libs %}
+    rm ${APP_HOME}/lib/derby*.jar && \
+    rm -fr ${APP_HOME}/derbyns/ && \
+{%- endif %}
+    true
 
 # Add bin/run-in-container.sh
 COPY resources/bin/run-in-container.sh ${APP_HOME}/bin/
@@ -17,10 +22,9 @@ COPY resources/jmx-exporter/jmx_prometheus_javaagent.jar ${APP_HOME}/lib/
 # Add (and run) Database driver download script
 COPY resources/bin/db-drivers.sh /tmp
 RUN chmod ugo+x /tmp/db-drivers.sh && \
-    /bin/sh /tmp/db-drivers.sh
-
-# Modify bin/run.sh so that java becomes a child process of dumb-init
-RUN sed -i 's/^\($JAVACMD\)/exec \1/' ${APP_HOME}/bin/run.sh
+    /bin/sh /tmp/db-drivers.sh && \
+    # Modify bin/run.sh so that java becomes a child process of dumb-init
+    sed -i 's/^\($JAVACMD\)/exec \1/' ${APP_HOME}/bin/run.sh
 
 {% if commons.central_configuration_enabled %}
 
@@ -55,23 +59,26 @@ COPY resources/modify-wrapper-linux-conf.gawk /tmp
 RUN chmod +x /tmp/modify-wrapper-linux-conf.gawk && \
     /tmp/modify-wrapper-linux-conf.gawk ${APP_HOME}/default-conf/{{ wrapper_conf }} > /tmp/{{ wrapper_conf}} && \
     mv /tmp/{{ wrapper_conf }} ${APP_HOME}/default-conf/{{ wrapper_conf }} && \
-    rm /tmp/modify-wrapper-linux-conf.gawk
-
-# Create node-specific conf directory and add template for node-specific {{ product }}.conf file
-# The node-specific {{ product }}.conf file provides HOSTNAME, HOSTNAME_SUFFIX & XL_NODE_NAME to the instance, which are then merged with the
-# ${APP_HOME}/conf/{{ product }}.conf file by the xl-platform
-RUN mkdir ${APP_HOME}/node-conf
+    rm /tmp/modify-wrapper-linux-conf.gawk && \
+    # Create node-specific conf directory and add template for node-specific {{ product }}.conf file
+    # The node-specific {{ product }}.conf file provides HOSTNAME, HOSTNAME_SUFFIX & XL_NODE_NAME to the instance, which are then merged with the
+    # ${APP_HOME}/conf/{{ product }}.conf file by the xl-platform
+    mkdir ${APP_HOME}/node-conf
 COPY resources/node-conf ${APP_HOME}/node-conf
 
 # Move plugins directory to default-plugins, so that when no external plugins are loaded we can use the default
 RUN mv ${APP_HOME}/plugins ${APP_HOME}/default-plugins && \
-    mkdir ${APP_HOME}/plugins
-
-# Create empty 'repository', 'work', 'export', 'archive' and 'reports' directory
-RUN mkdir ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports
+    mkdir ${APP_HOME}/plugins && \
+    # Create empty 'repository', 'work', 'export', 'archive' and 'reports' directory
+    mkdir ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports
 
 # Set permissions
-RUN addgroup -S -g 10001 xebialabs
-RUN chgrp -R 10001 ${APP_ROOT} && \
+{%- if target_os == "redhat" %}
+RUN groupadd -r -g 10001 xebialabs && \
+{%- else %}
+RUN addgroup -S -g 10001 xebialabs && \
+{%- endif %}
+    chown -R 10001:10001 ${APP_ROOT} && \
     chmod -R g=u ${APP_ROOT} && \
+    chmod u+x ${APP_HOME}/bin/*.sh && \
     chmod g+x ${APP_HOME}/bin/*.sh

templates/dockerfiles/metadata.j2

@@ -1,10 +1,8 @@
-MAINTAINER XebiaLabs Development <docker@xebialabs.com>
 
 LABEL name="xebialabs/{{ product }}" \
-      maintainer="[email protected]" \
-      vendor="XebiaLabs" \
+      vendor="Digital.ai" \
       version="{{ image_version }}" \
       release="1" \
       summary="{{ product_name }}" \
-      description="Enterprise-scale Application Release Automation for any environment" \
-      url="https://www.xebialabs.com/{{ product }}"
+      description="{{ product_description }}" \
+      url="{{ product_info_url }}"

templates/dockerfiles/redhat/Dockerfile.j2

@@ -0,0 +1,51 @@
+FROM registry.access.redhat.com/ubi8/openjdk-17:latest as installer
+
+# Install dependencies
+USER root
+RUN microdnf update -y && rm -rf /var/cache/yum && \
+   INSTALL_PKGS="curl hostname shadow-utils which unzip gawk" && \
+   microdnf install --nodocs ${INSTALL_PKGS} && \
+   ### Install JQ
+   JQ_LOCATION="/usr/bin/jq" && \
+   curl https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -L > $JQ_LOCATION && chmod +x $JQ_LOCATION && \
+   microdnf clean all
+
+{% if 'deploy-task-engine' in product %}
+    {% include './deploy-task-engine/install.j2' %}
+{% elif 'central-config' in product %}
+    {% include './central-configuration/install.j2' %}
+{% else %}
+    {% include 'install.j2' %}
+{% endif %}
+
+FROM registry.access.redhat.com/ubi8/openjdk-17:latest
+
+{% include 'metadata.j2' %}
+
+### add licenses to this directory
+COPY resources/licenses /licenses
+
+{% if 'deploy-task-engine' in product %}
+    {% include './deploy-task-engine/variables.j2' %}
+{% else %}
+    {% include 'variables.j2' %}
+{% endif %}
+
+# Copy installed {{ product_name }}
+COPY --from=installer ${APP_ROOT} ${APP_ROOT}
+
+ENV OS=redhat
+USER root
+
+RUN microdnf update -y && rm -rf /var/cache/yum && \
+   INSTALL_PKGS="curl hostname shadow-utils which unzip nc" && \
+   microdnf install --nodocs ${INSTALL_PKGS} && \
+   JQ_LOCATION="/usr/bin/jq" && \
+   curl https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -L > $JQ_LOCATION && chmod +x $JQ_LOCATION && \
+   microdnf clean all
+
+{% if 'deploy' in product %}
+    {% include 'terraform.j2' %}
+{% endif %}
+
+{% include 'runtime.j2' %}

templates/dockerfiles/runtime.j2

@@ -1,17 +1,12 @@
+
 # Set ttl for DNS cache
 RUN echo $'\n#\n# Set TTL for DNS cache.\nnetworkaddress.cache.ttl=30' >> $(readlink -f `which java` | sed -e 's:/jre/bin/java::' -e 's:/bin/java::')/conf/security/java.security
 
 COPY resources/amd64/tini ${APP_ROOT}
-RUN chmod ugo+x ${APP_ROOT}/tini
-
-# Don't run as root
-RUN groupadd -r -g 10001 xebialabs
-RUN useradd -r -M -u 10001 -g 0 -G xebialabs xebialabs
-
-# Set permissions
-RUN chown -R 10001 ${APP_ROOT} && \
-    chmod u+x ${APP_HOME}/bin/*.sh &&\
-    chmod -R g=u ${APP_ROOT}
+# Don't run as root and set permissions
+RUN chmod ugo+x ${APP_ROOT}/tini && \
+    groupadd -f -r -g 10001 xebialabs && \
+    useradd -r -M -u 10001 -g 0 -G xebialabs xebialabs
 
 WORKDIR ${APP_HOME}
 

templates/dockerfiles/variables.j2

@@ -1,3 +1,4 @@
 # Set root folders
-ENV USER_UID=10001 APP_ROOT=/opt/xebialabs
-ENV APP_HOME=${APP_ROOT}/{{ product }}-server
+ENV USER_UID=10001 \
+    APP_ROOT=/opt/xebialabs \
+    APP_HOME=/opt/xebialabs/{{ product }}-server