feat(explain_manifest): add ability to test docker images as well
fffonion committed Aug 15, 2023
1 parent ef81680 commit f4f980f
Showing 20 changed files with 364 additions and 259 deletions.
45 changes: 39 additions & 6 deletions .github/workflows/release.yml
Expand Up @@ -260,9 +260,9 @@ jobs:
path: bazel-bin/pkg
retention-days: 3

build-packages-verify-manifest:
verify-manifest-packages:
needs: [metadata, build-packages]
name: Verify Manifest - ${{ matrix.label }}
name: Verify Manifest - Package ${{ matrix.label }}
runs-on: ubuntu-22.04

strategy:
Expand Down Expand Up @@ -389,8 +389,41 @@ jobs:
Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}`
Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
scan:
name: Scan - ${{ matrix.label }}
verify-manifest-images:
needs: [metadata, build-images]
name: Verify Manifest - Image ${{ matrix.label }}
runs-on: ubuntu-22.04

strategy:
fail-fast: false
matrix:
include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}"

steps:
- uses: actions/checkout@v3

- name: Install Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
cache: 'pip' # caching pip dependencies

- name: Verify
run: |
cd scripts/explain_manifest
# docker image verify requires sudo to set correct permissions, so we
# also install deps for root
sudo -E pip install -r requirements.txt
IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }}
sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image
if [[ ! -z "${{ matrix.docker-platforms }}" ]]; then
DOCKER_DEFAULT_PLATFORM=linux/arm64 sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image
fi
scan-images:
name: Scan Images - ${{ matrix.label }}
needs: [metadata, build-images]
runs-on: ubuntu-22.04
if: |-
Expand Down Expand Up @@ -443,15 +476,15 @@ jobs:
uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
with:
asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-amd64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}

- name: Scan ARM64 Image digest
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
id: sbom_action_arm64
uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
with:
asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-arm64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}

smoke-tests:
name: Smoke Tests - ${{ matrix.label }}
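Review bot: The two `image:` inputs under `scan-docker-image` in the last hunk drop the per-platform digest pin (`@${{ steps.image_manifest_metadata.outputs.amd64_sha }}` / `arm64_sha`) in favour of the bare tag `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}`, so the "Scan ARM64 Image digest" step — still gated on `arm64_sha != ''` — presumably pulls whichever platform that tag resolves to on the amd64 runner and scans the same bytes as the amd64 step, while the SBOM labelled `linux-arm64` is no longer bound to an immutable digest. Tags are mutable; the digest is what ties the scan result to the exact artifact that was built, so if the action needs a tag, the combined form `image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}` (and `amd64_sha` on the amd64 step) keeps both. In the new `verify-manifest-images` step, `${{ matrix.docker-platforms }}` is expanded straight into the shell script; the matrix is produced by the repository's own `metadata` job so it is not an injection path today, but routing it through `env:` and quoting `"$IMAGE"` is the usual guard. The `scan-images` job starts before the last hunk, so the step that sets `image_manifest_metadata` is not visible here.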
201 changes: 120 additions & 81 deletions scripts/explain_manifest/config.py
@@ -1,9 +1,10 @@
from copy import deepcopy

from globmatch import glob_match

from main import FileInfo
from expect import ExpectSuite
from suites import arm64_suites
from suites import common_suites, libc_libcpp_suites, arm64_suites, docker_suites


def transform(f: FileInfo):
Expand Down Expand Up @@ -32,124 +33,162 @@ def transform(f: FileInfo):
name="Alpine Linux (amd64)",
manifest="fixtures/alpine-amd64.txt",
use_rpath=True,
# alpine 3.16: gcc 11.2.1
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
),
"alpine-arm64": ExpectSuite(
name="Alpine Linux (arm64)",
manifest="fixtures/alpine-arm64.txt",
use_rpath=True,
extra_tests=[arm64_suites],
tests={
common_suites: {},
libc_libcpp_suites: {
# alpine 3.16: gcc 11.2.1
"libcxx_max_version": "3.4.29",
"cxxabi_max_version": "1.3.13",
},
}
),
"amazonlinux-2-amd64": ExpectSuite(
name="Amazon Linux 2 (amd64)",
manifest="fixtures/amazonlinux-2-amd64.txt",
use_rpath=True,
libc_max_version="2.26",
# gcc 7.3.1
libcxx_max_version="3.4.24",
cxxabi_max_version="1.3.11",
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.26",
# gcc 7.3.1
"libcxx_max_version": "3.4.24",
"cxxabi_max_version": "1.3.11",
},
},
),
"amazonlinux-2023-amd64": ExpectSuite(
name="Amazon Linux 2023 (amd64)",
manifest="fixtures/amazonlinux-2023-amd64.txt",
libxcrypt_no_obsolete_api=True,
libc_max_version="2.34",
# gcc 11.2.1
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
),
"amazonlinux-2023-arm64": ExpectSuite(
name="Amazon Linux 2023 (arm64)",
manifest="fixtures/amazonlinux-2023-arm64.txt",
# TODO: cross compiled aws2023 uses rpath instead of runpath
use_rpath=True,
libxcrypt_no_obsolete_api=True,
libc_max_version="2.34",
# gcc 11.2.1
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
extra_tests=[arm64_suites],
tests={
common_suites: {
"libxcrypt_no_obsolete_api": True,
},
libc_libcpp_suites: {
"libc_max_version": "2.34",
# gcc 11.2.1
"libcxx_max_version": "3.4.29",
"cxxabi_max_version": "1.3.13",
},
},
),
"el7-amd64": ExpectSuite(
name="Redhat 7 (amd64)",
manifest="fixtures/el7-amd64.txt",
use_rpath=True,
libc_max_version="2.17",
# gcc 4.8.5
libcxx_max_version="3.4.19",
cxxabi_max_version="1.3.7",
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.17",
# gcc 4.8.5
"libcxx_max_version": "3.4.19",
"cxxabi_max_version": "1.3.7",
},
}
),
"el8-amd64": ExpectSuite(
name="Redhat 8 (amd64)",
manifest="fixtures/el8-amd64.txt",
use_rpath=True,
libc_max_version="2.28",
# gcc 8.5.0
libcxx_max_version="3.4.25",
cxxabi_max_version="1.3.11",
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.28",
# gcc 8.5.0
"libcxx_max_version": "3.4.25",
"cxxabi_max_version": "1.3.11",
},
},
),
"el9-amd64": ExpectSuite(
name="Redhat 9 (amd64)",
name="Redhat 8 (amd64)",
manifest="fixtures/el9-amd64.txt",
use_rpath=True,
libxcrypt_no_obsolete_api=True,
libc_max_version="2.34",
# gcc 11.3.1
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
),
"el9-arm64": ExpectSuite(
name="Redhat 9 (arm64)",
manifest="fixtures/el9-arm64.txt",
use_rpath=True,
libxcrypt_no_obsolete_api=True,
libc_max_version="2.34",
# gcc 11.3.1
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
extra_tests=[arm64_suites],
tests={
common_suites: {
"libxcrypt_no_obsolete_api": True,
},
libc_libcpp_suites: {
"libc_max_version": "2.34",
# gcc 11.3.1
"libcxx_max_version": "3.4.29",
"cxxabi_max_version": "1.3.13",
},
}
),
"ubuntu-20.04-amd64": ExpectSuite(
name="Ubuntu 20.04 (amd64)",
manifest="fixtures/ubuntu-20.04-amd64.txt",
libc_max_version="2.30",
# gcc 9.3.0
libcxx_max_version="3.4.28",
cxxabi_max_version="1.3.12",
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.30",
# gcc 9.3.0
"libcxx_max_version": "3.4.28",
"cxxabi_max_version": "1.3.12",
},
}
),
"ubuntu-22.04-amd64": ExpectSuite(
name="Ubuntu 22.04 (amd64)",
manifest="fixtures/ubuntu-22.04-amd64.txt",
libc_max_version="2.35",
# gcc 11.2.0
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
),
"ubuntu-22.04-arm64": ExpectSuite(
name="Ubuntu 22.04 (arm64)",
manifest="fixtures/ubuntu-22.04-arm64.txt",
libc_max_version="2.35",
# gcc 11.2.0
libcxx_max_version="3.4.29",
cxxabi_max_version="1.3.13",
extra_tests=[arm64_suites],
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.35",
# gcc 11.2.0
"libcxx_max_version": "3.4.29",
"cxxabi_max_version": "1.3.13",
},
}
),
"debian-10-amd64": ExpectSuite(
name="Debian 10 (amd64)",
manifest="fixtures/debian-10-amd64.txt",
libc_max_version="2.28",
# gcc 8.3.0
libcxx_max_version="3.4.25",
cxxabi_max_version="1.3.11",
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.28",
# gcc 8.3.0
"libcxx_max_version": "3.4.25",
"cxxabi_max_version": "1.3.11",
},
}
),
"debian-11-amd64": ExpectSuite(
name="Debian 11 (amd64)",
manifest="fixtures/debian-11-amd64.txt",
libc_max_version="2.31",
# gcc 10.2.1
libcxx_max_version="3.4.28",
cxxabi_max_version="1.3.12",
tests={
common_suites: {},
libc_libcpp_suites: {
"libc_max_version": "2.31",
# gcc 10.2.1
"libcxx_max_version": "3.4.28",
"cxxabi_max_version": "1.3.12",
},
}
),
"docker-image": ExpectSuite(
name="Generic Docker Image",
manifest=None,
tests={
docker_suites: {},
}
),
}

# populate arm64 and fips suites from amd64 suites

for target in list(targets.keys()):
if target.split("-")[0] in ("alpine", "ubuntu", "debian", "amazonlinux", "el9"):
e = deepcopy(targets[target])
e.manifest = e.manifest.replace("-amd64.txt", "-arm64.txt")
# Ubuntu 22.04 (arm64)
e.name = e.name.replace("(amd64)", "(arm64)")
e.tests[arm64_suites] = {}

# TODO: cross compiled aws2023 uses rpath instead of runpath
if target == "amazonlinux-2023-amd64":
e.use_rpath = True

# ubuntu-22.04-arm64
targets[target.replace("-amd64", "-arm64")] = e
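Review bot: In the `el9-amd64` entry the new `name` reads `"Redhat 8 (amd64)"` where the removed line had `"Redhat 9 (amd64)"`; unless the rename is intentional this looks like a typo, and because the loop at the bottom derives the arm64 entry via `e.name.replace("(amd64)", "(arm64)")` it would also surface as `"Redhat 8 (arm64)"` — revert to `name="Redhat 9 (amd64)",`. Separately, the generator's test `target.split("-")[0] in ("alpine", "ubuntu", "debian", "amazonlinux", "el9")` matches `amazonlinux-2-amd64` as well as `amazonlinux-2023-amd64`, so it now also creates an `amazonlinux-2-arm64` target pointing at `fixtures/amazonlinux-2-arm64.txt`, which the removed lines never defined; if that fixture does not exist, tighten the match to `if target.startswith(("alpine-", "ubuntu-", "debian-", "amazonlinux-2023-", "el9-")):`. The `targets` dict begins above this hunk, so earlier entries and the `ExpectSuite` signature are not visible here.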
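--- /dev/null
+++ b/scripts/explain_manifest/docker_image_filelist.txt
@@ -0,0 +1,21 @@
+/etc/passwd
+/etc/group
+/usr/local/kong/**
+/usr/local/bin/kong
+/usr/local/bin/luarocks
+/usr/local/etc/luarocks/**
+/usr/local/lib/lua/**
+/usr/local/lib/luarocks/**
+/usr/local/openresty/**
+/usr/local/share/lua/**
+/etc/kong/kong.conf.default
+/etc/kong/kong.logrotate
+/usr/local/kong/include/kong/pluginsocket.proto
+/usr/local/kong/include/google/protobuf/**.proto
+/usr/local/kong/include/openssl/**.h
+/etc/ssl/certs/ca-certificates.crt
+/etc/pki/tls/certs/ca-bundle.crt
+/etc/ssl/ca-bundle.pem
+/etc/pki/tls/cacert.pem
+/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+/etc/ssl/cert.pem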