fix(images): address all CVEs in images
diff --git a/images/Earthfile b/images/Earthfile
index 21cd0d8..1141ecd 100644
--- a/images/Earthfile
+++ b/images/Earthfile
@@ -23,9 +23,10 @@
CREATE_PROJECT_USER:
COMMAND
ARG PROJECT
+ ARG SHELL=/usr/sbin/nologin
RUN \
groupadd -g 42424 ${PROJECT} && \
- useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s /usr/sbin/nologin -c "${PROJECT} User" ${PROJECT} && \
+ useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s ${SHELL} -c "${PROJECT} User" ${PROJECT} && \
mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} && \
chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT}
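Review bot: The new `SHELL` argument loosens what CREATE_PROJECT_USER can produce (a service account with an interactive shell), but the hunk records neither the reason for the default nor when overriding it is acceptable; a comment above the `ARG` line such as `# SHELL defaults to nologin so service users cannot log in; override only for images whose user must execute commands over ssh (e.g. nova-ssh live migration)` would make the intent reviewable at each call site. `SHELL` is also the conventional name of the login-shell environment variable, so a reader cannot tell from the `-s ${SHELL}` line whether the value comes from the Earthly arg or from the build environment; I cannot verify the expansion order from this hunk, but a less generic name such as `USER_SHELL` would remove the ambiguity. The value is expanded unquoted on the `useradd` line, which is harmless for the two paths used in this diff but worth quoting like `-c "${PROJECT} User"` already is.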
diff --git a/images/base/Earthfile b/images/base/Earthfile
index 8d3c3b4..f34cf37 100644
--- a/images/base/Earthfile
+++ b/images/base/Earthfile
@@ -7,3 +7,8 @@
# https://avd.aquasec.com/nvd/cve-2024-22365
DO ../+APT_INSTALL \
--PACKAGES "libpam0g libpam-modules libpam-modules-bin libpam-runtime"
+ # TODO(mnaser): Remove this when a new image that includes 3.7.3-4ubuntu1.4 is released.
+ # https://avd.aquasec.com/nvd/cve-2024-0553
+ # https://avd.aquasec.com/nvd/cve-2024-0567
+ DO ../+APT_INSTALL \
+ --PACKAGES "libgnutls30"
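Review bot: The fix relies on the apt mirror serving the patched libgnutls30 at build time, and nothing after the `DO ../+APT_INSTALL` line checks that the version named in the TODO (3.7.3-4ubuntu1.4) was actually installed, so a build against a stale or pinned mirror would silently keep CVE-2024-0553/CVE-2024-0567 in the base image. APT_INSTALL is defined outside this diff; if it cannot express a minimum version, a post-install assertion (for example `dpkg --compare-versions` of the installed `libgnutls30` version against the minimum fixed release) would turn that assumption into a build failure instead of a silent regression. The same applies to the libpam block immediately above, which follows the same pattern.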
diff --git a/images/kubernetes-entrypoint/Earthfile b/images/kubernetes-entrypoint/Earthfile
index 2191e77..6844da2 100644
--- a/images/kubernetes-entrypoint/Earthfile
+++ b/images/kubernetes-entrypoint/Earthfile
@@ -12,7 +12,8 @@
patch -p1
ARG GOARCH
RUN \
- --mount=type=cache,mode=0755,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ --mount=type=cache,target=/go/pkg/mod \
CGO_ENABLED=0 GOOS=linux go build -o /main
SAVE ARTIFACT /main
diff --git a/images/netoffload/Earthfile b/images/netoffload/Earthfile
new file mode 100644
index 0000000..557a394
--- /dev/null
+++ b/images/netoffload/Earthfile
@@ -0,0 +1,27 @@
+VERSION 0.7
+
+ARG --global PROJECT=netoffload
+ARG --global RELEASE=main
+ARG --global PROJECT_REF=94b8c0fdb0b83bd1b7e14b9a58077a047c78a800
+
+build:
+ FROM golang:1.20
+ WORKDIR /src
+ GIT CLONE --branch ${PROJECT_REF} https://github.com/vexxhost/netoffload /src
+ RUN \
+ --mount=type=cache,target=/root/.cache/go-build \
+ --mount=type=cache,target=/go/pkg/mod \
+ go build -v -o offloadctl cmd/offloadctl/main.go
+ SAVE ARTIFACT offloadctl
+
+platform-image:
+ FROM ../base+image
+ DO ../+APT_INSTALL --PACKAGES="jq mstflint"
+ COPY +build/offloadctl /usr/local/bin/offloadctl
+ ENTRYPOINT ["/usr/local/bin/offloadctl"]
+ SAVE IMAGE --push \
+ ghcr.io/vexxhost/atmosphere/${PROJECT}:${RELEASE} \
+ ghcr.io/vexxhost/atmosphere/${PROJECT}:${PROJECT_REF}
+
+image:
+ BUILD --platform linux/amd64 --platform linux/arm64 +platform-image
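Review bot: The `go build -v -o offloadctl cmd/offloadctl/main.go` line builds without `CGO_ENABLED=0`, unlike the kubernetes-entrypoint hunk in this same commit which sets `CGO_ENABLED=0 GOOS=linux`; a dynamically linked binary ties offloadctl to the libc of `../base+image` and makes the two Go builds in this commit inconsistent, so `CGO_ENABLED=0 go build -v -o offloadctl cmd/offloadctl/main.go` is the safer form unless netoffload needs cgo (not visible here). `FROM golang:1.20` pins only a minor series, and since the Go standard library is compiled into the artifact, toolchain CVEs land in the final image regardless of the clean base; for a commit whose purpose is CVE-free images, a full patch-level tag (or digest) on the builder would make that reproducible. Source is pinned to a commit SHA, which is good; `platform-image` is built for amd64 and arm64, and whether `+build` is re-run per platform or the same binary is copied into both cannot be determined from this hunk — worth confirming, since a copied amd64 binary would make the arm64 image unusable.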
diff --git a/images/nova-ssh/Earthfile b/images/nova-ssh/Earthfile
index 9988902..7572665 100644
--- a/images/nova-ssh/Earthfile
+++ b/images/nova-ssh/Earthfile
@@ -1,14 +1,16 @@
VERSION 0.7
-clone:
- FROM ../builder+image
- GIT CLONE --branch a2e563b08ae633d75084c1bb40c97dbf1a539950 https://opendev.org/openstack/openstack-helm-images /src
- WORKDIR /src
- SAVE ARTIFACT /src
-
platform-image:
- FROM DOCKERFILE -f +clone/src/nova-ssh/Dockerfile.ubuntu_focal +clone/src/nova-ssh
- LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere
+ FROM ../base+image
+ DO ../+CREATE_PROJECT_USER \
+ --PROJECT=nova \
+ --SHELL=/bin/bash
+ DO ../+APT_INSTALL \
+ --PACKAGES "openssh-server openssh-client"
+ RUN \
+ chown -R nova: /etc/ssh && \
+ mkdir /var/run/sshd && \
+ chmod 0755 /var/run/sshd
SAVE IMAGE --push ghcr.io/vexxhost/atmosphere/nova-ssh:latest
image:
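Review bot: `chown -R nova: /etc/ssh` hands the service account ownership of sshd_config and every host key, and combined with `--SHELL=/bin/bash` it means a compromise of the nova user inside this container can rewrite the daemon's configuration and trust material; if sshd in this image runs as the unprivileged nova user (as the replaced upstream Dockerfile appears to assume, not verifiable here) the ownership is required, but otherwise it should be narrowed to the files the chart actually mounts. The choice deserves a comment, e.g. `# sshd runs as nova and must read its own host keys/config; the chart mounts keys into /etc/ssh at runtime — hence the recursive chown and the login shell`, so the next reviewer does not re-raise it. The hunk also drops the `LABEL org.opencontainers.image.source` line; if `../base+image` does not set it, provenance metadata for nova-ssh is lost. The `image:` target continues outside the hunk.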
diff --git a/images/openstack-service/Earthfile b/images/openstack-service/Earthfile
index 7320910..323d050 100644
--- a/images/openstack-service/Earthfile
+++ b/images/openstack-service/Earthfile
@@ -26,8 +26,12 @@
BUILD_VENV:
COMMAND
ARG PROJECT
+ ARG PROJECT_REPO=https://github.com/openstack/${PROJECT}
ARG PROJECT_REF
- DO +GIT_CHECKOUT --PROJECT=${PROJECT} --PROJECT_REF=${PROJECT_REF}
+ DO +GIT_CHECKOUT \
+ --PROJECT=${PROJECT} \
+ --PROJECT_REPO=${PROJECT_REPO} \
+ --PROJECT_REF=${PROJECT_REF}
ARG EXTRAS=""
ARG PIP_PACKAGES=""
DO +PIP_INSTALL --PACKAGES "/src${EXTRAS} ${PIP_PACKAGES}"
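Review bot: `--PROJECT_REPO=${PROJECT_REPO}` is passed to `+GIT_CHECKOUT`, but no hunk in this commit changes GIT_CHECKOUT to declare or use a `PROJECT_REPO` argument; unless it already does (it is outside the diff), the new staffeln image would still check out `https://github.com/openstack/staffeln` and the override would be a no-op. Please confirm GIT_CHECKOUT consumes the argument, and document the new knob on the `ARG` line, e.g. `ARG PROJECT_REPO=https://github.com/openstack/${PROJECT}  # override for forks hosted elsewhere (see ../staffeln)`. Since `PROJECT_REPO` now controls which remote is cloned and built into images, callers should pair it with a commit-pinned `PROJECT_REF` rather than a branch or tag.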
@@ -43,15 +47,20 @@
END
GIT CLONE --branch ${BRANCH} https://github.com/openstack/requirements /src
RUN \
+ sed -i 's/cryptography===36.0.2/cryptography===41.0.7/' /src/upper-constraints.txt && \
sed -i 's/cryptography===40.0.2/cryptography===41.0.7/' /src/upper-constraints.txt && \
- sed -i 's/Flask===2.2.3/Flask===2.2.5/' /src/upper-constraints.txt && \
sed -i 's/Django===3.2.18/Django===3.2.23/' /src/upper-constraints.txt && \
+ sed -i 's/Flask===2.2.3/Flask===2.2.5/' /src/upper-constraints.txt && \
sed -i 's/Jinja2===3.1.2/Jinja2===3.1.3/' /src/upper-constraints.txt && \
+ sed -i 's/paramiko===2.11.0/paramiko===3.4.0/' /src/upper-constraints.txt && \
sed -i 's/paramiko===3.1.0/paramiko===3.4.0/' /src/upper-constraints.txt && \
sed -i 's/pyOpenSSL===23.1.1/pyOpenSSL===23.3.0/' /src/upper-constraints.txt && \
+ sed -i 's/requests===2.28.1/requests===2.31.0/' /src/upper-constraints.txt && \
sed -i 's/requests===2.28.2/requests===2.31.0/' /src/upper-constraints.txt && \
- sed -i 's/Werkzeug===2.2.3/Werkzeug===2.3.8/' /src/upper-constraints.txt && \
+ sed -i 's/sqlparse===0.4.2/sqlparse===0.4.4/' /src/upper-constraints.txt && \
+ sed -i 's/urllib3===1.26.12/urllib3===1.26.18/' /src/upper-constraints.txt && \
sed -i 's/urllib3===1.26.15/urllib3===1.26.18/' /src/upper-constraints.txt && \
+ sed -i 's/Werkzeug===2.2.3/Werkzeug===2.3.8/' /src/upper-constraints.txt && \
sed -i '/glance-store/d' /src/upper-constraints.txt && \
sed -i '/horizon/d' /src/upper-constraints.txt
SAVE ARTIFACT /src/upper-constraints.txt
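Review bot: Each `sed -i 's/pkg===old/pkg===new/'` line is a silent no-op when the branch's upper-constraints pins a version other than the literal matched (for example a cryptography pin between 36.0.2 and 40.0.2), so the CVE bump this commit intends can fail without any build error and the image still ships the vulnerable pin. A cheap guard after the last sed would make the result visible, e.g. `grep -E '^(cryptography|Django|Flask|Jinja2|paramiko|pyOpenSSL|requests|sqlparse|urllib3|Werkzeug)===' /src/upper-constraints.txt` so the log shows the final pins per RELEASE, or an assertion that none of the replaced versions remain. The unescaped `.` in the version patterns is also a regex wildcard; harmless here, but `\.` is the precise form. The enclosing target starts outside the hunk.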
diff --git a/images/staffeln/Earthfile b/images/staffeln/Earthfile
new file mode 100644
index 0000000..9be3407
--- /dev/null
+++ b/images/staffeln/Earthfile
@@ -0,0 +1,19 @@
+VERSION 0.7
+
+ARG --global PROJECT=staffeln
+ARG --global RELEASE=master
+ARG --global PROJECT_REF=v2.2.3
+
+build:
+ FROM ../openstack-service+builder --RELEASE=${RELEASE}
+ DO ../openstack-service+BUILD_VENV \
+ --PROJECT=${PROJECT} \
+ --PROJECT_REPO=https://github.com/vexxhost/${PROJECT} \
+ --PROJECT_REF=${PROJECT_REF}
+
+image:
+ FROM ../openstack-service+image --RELEASE ${RELEASE} --PROJECT ${PROJECT}
+ COPY +build/venv /var/lib/openstack
+ SAVE IMAGE --push \
+ ghcr.io/vexxhost/atmosphere/${PROJECT}:${RELEASE} \
+ ghcr.io/vexxhost/atmosphere/${PROJECT}:${PROJECT_REF}
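Review bot: `PROJECT_REF=v2.2.3` pins the staffeln source to a git tag, which is mutable on the remote, whereas the netoffload Earthfile added in this same commit pins a full commit SHA; for code that is cloned over the network and published as an image, the SHA is the reproducible and tamper-evident choice, so `ARG --global PROJECT_REF=<commit sha of v2.2.3>` (with the tag kept in a comment) would match the rest of the commit. `RELEASE=master` versus `RELEASE=main` in netoffload is presumably dictated by the upstream branch names rather than a typo — a short comment would save the question. Note also that this target depends on `BUILD_VENV` accepting `--PROJECT_REPO`, which the openstack-service hunk introduces.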
diff --git a/images/trivy/.trivyignore b/images/trivy/.trivyignore
new file mode 100644
index 0000000..5057f16
--- /dev/null
+++ b/images/trivy/.trivyignore
@@ -0,0 +1,17 @@
+# NOTE(mnaser): OpenStack used to be versioned based on years and Trivy gets
+# confused since something like 2014.1.3 > 23.0.1.dev6 therefore
+# we ignore those old CVEs.
+CVE-2012-3542
+CVE-2012-4413
+CVE-2013-2256
+CVE-2013-4179
+CVE-2014-3517
+CVE-2014-3608
+CVE-2014-3641
+CVE-2014-3708
+CVE-2015-0259
+CVE-2015-3221
+CVE-2015-3280
+CVE-2015-5251
+CVE-2015-5286
+CVE-2015-7713
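Review bot: These ignores apply to every package in every image the scanner inspects, not only to the OpenStack components whose year-based versions confuse Trivy, and they never expire, so the file will keep suppressing findings long after the affected images are rebuilt. Trivy's ignore file supports a per-entry expiry (`CVE-2012-3542 exp:YYYY-MM-DD`), and a short comment per group naming the package each ID belongs to would let a later reviewer verify the justification without re-checking each advisory. If the Trivy version in use supports a scoped ignore file (matching by package or path), that would limit the suppression to the intended packages — I cannot confirm the supported format from this diff.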
diff --git a/images/trivy/Earthfile b/images/trivy/Earthfile
new file mode 100644
index 0000000..8f68625
--- /dev/null
+++ b/images/trivy/Earthfile
@@ -0,0 +1,8 @@
+VERSION 0.7
+
+image:
+ FROM aquasec/trivy:0.48.3
+ COPY .trivyignore /.trivyignore
+ # TODO(mnaser): Add automatic updates
+ RUN trivy image --download-db-only
+ RUN trivy image --download-java-db-only
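Review bot: The vulnerability database is baked into the image at build time, so every scan with this image uses a DB only as fresh as the last image build; the TODO acknowledges it, but a comment next to the two `RUN trivy image --download-*` lines stating that consumers must rebuild (or allow a runtime DB update) to see new advisories would keep that limitation from being forgotten. `COPY .trivyignore /.trivyignore` relies on Trivy finding its ignore file in the working directory, and whether `/` is the working directory of the aquasec/trivy image is not visible here; passing `--ignorefile /.trivyignore` or setting `ENV TRIVY_IGNOREFILE=/.trivyignore` makes the location explicit. The two downloads could also share one `RUN` to avoid an extra layer, which is purely cosmetic.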