From 6ed10b2a6b7045c69700c446292a3782179aad68 Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 15:43:28 -0400
Subject: [PATCH 01/10] fix: remove failing databricks-python image

---
 databricks-python/Dockerfile | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 databricks-python/Dockerfile

diff --git a/databricks-python/Dockerfile b/databricks-python/Dockerfile
deleted file mode 100644
index 6c782ac..0000000
--- a/databricks-python/Dockerfile
+++ /dev/null
@@ -1,9 +0,0 @@
-# Image for executing python workloads, provided by databricks
-#
-# https://github.com/databricks/containers/blob/master/ubuntu/python/Dockerfile
-
-FROM databricksruntime/python
-
-RUN groupadd -g 1000 jovyan && useradd -u 1000 jovyan -g jovyan
-
-USER jovyan:jovyan

From bc76f81fa81d1824fe4e4aeeb9a44a9cba79a63e Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 16:08:14 -0400
Subject: [PATCH 02/10] feat: add new mpi-operator based image

---
 mpi-operator/Dockerfile  | 65 ++++++++++++++++++++++++++++++++++++++++
 mpi-operator/sshd_config |  3 ++
 2 files changed, 68 insertions(+)
 create mode 100644 mpi-operator/Dockerfile
 create mode 100644 mpi-operator/sshd_config

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
new file mode 100644
index 0000000..777d056
--- /dev/null
+++ b/mpi-operator/Dockerfile
@@ -0,0 +1,65 @@
+# Base mpi-operator dockerfile from https://github.com/kubeflow/mpi-operator/blob/master/build/base/Dockerfile
+# Added open-mpi https://github.com/kubeflow/mpi-operator/blob/master/build/base/openmpi.Dockerfile
+# Added configuration for OpenM++ from https://github.com/openmpp/docker/blob/master/ompp-run-debian/Dockerfile
+# Added kubectl cli for interacting with kubeapi server from containers
+
+FROM debian:bullseye
+
+ARG port=2222
+
+RUN apt update && apt install -y --no-install-recommends \
+			openssh-server \
+			openssh-client \
+            libcap2-bin \
+            openmpi-bin \
+            sqlite3 \
+		&& rm -rf /var/lib/apt/lists/*
+
+# Add priviledge separation directoy to run sshd as root.
+RUN mkdir -p /var/run/sshd
+
+# Add capability to run sshd as non-root.
+RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/sshd
+RUN apt remove libcap2-bin -y
+
+# Allow OpenSSH to talk to containers without asking for confirmation
+# by disabling StrictHostKeyChecking.
+# mpi-operator mounts the .ssh folder from a Secret. For that to work, we need
+# to disable UserKnownHostsFile to avoid write permissions.
+# Disabling StrictModes avoids directory and files read permission checks.
+RUN sed -i "s/[ #]\(.*StrictHostKeyChecking \).*/ \1no/g" /etc/ssh/ssh_config \
+    && echo "    UserKnownHostsFile /dev/null" >> /etc/ssh/ssh_config \
+    && sed -i "s/[ #]\(.*Port \).*/ \1$port/g" /etc/ssh/ssh_config \
+    && sed -i "s/#\(StrictModes \).*/\1no/g" /etc/ssh/sshd_config \
+    && sed -i "s/#\(Port \).*/\1$port/g" /etc/ssh/sshd_config
+
+# Install kubectl cli to be able to utilize file transfer functionality between containers
+ARG KUBECTL_VERSION=v1.28.2
+ARG KUBECTL_URL=https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+ARG KUBECTL_SHA=c922440b043e5de1afa3c1382f8c663a25f055978cbc6e8423493ec157579ec5
+
+RUN curl -LO "${KUBECTL_URL}" \
+    && echo "${KUBECTL_SHA} kubectl" | sha256sum -c - \
+    && chmod +x ./kubectl \
+    && mv ./kubectl /usr/local/bin/kubectl
+
+# Set local openM++ timezone, default ulimit
+RUN rm -f /etc/localtime && \
+ln -s /usr/share/zoneinfo/America/Toronto /etc/localtime && \
+echo "ulimit -S -s 65536" >> etc/bash.bashrc
+
+# Add non-root user
+RUN useradd -m mpiuser
+WORKDIR /home/mpiuser
+
+# Configurations for running sshd as non-root.
+COPY --chown=mpiuser sshd_config .sshd_config
+RUN echo "Port $port" >> /home/mpiuser/.sshd_config
+
+# Stepdown to non-root user
+USER mpiuser
+
+SHELL ["/bin/bash"]
+
+# default command check MPIEXEC verson, when used as a kubernetes container override with custom mpiexec execution
+CMD mpiexec -V && ulimit -S -s
\ No newline at end of file
diff --git a/mpi-operator/sshd_config b/mpi-operator/sshd_config
new file mode 100644
index 0000000..fb011d7
--- /dev/null
+++ b/mpi-operator/sshd_config
@@ -0,0 +1,3 @@
+PidFile /home/mpiuser/sshd.pid
+HostKey /home/mpiuser/.ssh/id_rsa
+StrictModes no
\ No newline at end of file

From 1b18c80232c127f8459563618439988c68170fb3 Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 16:18:38 -0400
Subject: [PATCH 03/10] fix: need curl for kubectl install

---
 mpi-operator/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index 777d056..dd40a39 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -13,6 +13,7 @@ RUN apt update && apt install -y --no-install-recommends \
             libcap2-bin \
             openmpi-bin \
             sqlite3 \
+            curl \
 		&& rm -rf /var/lib/apt/lists/*
 
 # Add priviledge separation directoy to run sshd as root.

From b4398e85723236efbd7ad9b9008b9b435f2ba378 Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 16:33:14 -0400
Subject: [PATCH 04/10] fix: add ca-certificates for curl

---
 mpi-operator/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index dd40a39..4b56bfd 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -14,6 +14,7 @@ RUN apt update && apt install -y --no-install-recommends \
             openmpi-bin \
             sqlite3 \
             curl \
+            ca-certificates \
 		&& rm -rf /var/lib/apt/lists/*
 
 # Add priviledge separation directoy to run sshd as root.

From 1823dfdba75f5dcb867cd8ef1db4ad7a602ba51d Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 16:41:03 -0400
Subject: [PATCH 05/10] fix: upgrade debian to latested LTS to fix CVEs

---
 mpi-operator/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index 4b56bfd..55620e4 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -3,7 +3,7 @@
 # Added configuration for OpenM++ from https://github.com/openmpp/docker/blob/master/ompp-run-debian/Dockerfile
 # Added kubectl cli for interacting with kubeapi server from containers
 
-FROM debian:bullseye
+FROM debian:bookworm
 
 ARG port=2222
 

From 2db7f4f8697305f80c913baa8bbb3d02aefa100f Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 17:03:18 -0400
Subject: [PATCH 06/10] fix: try to upgrade packages to fix CVEs

---
 mpi-operator/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index 55620e4..74da9cf 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -15,6 +15,7 @@ RUN apt update && apt install -y --no-install-recommends \
             sqlite3 \
             curl \
             ca-certificates \
+        &&  apt-get upgrade -y \
 		&& rm -rf /var/lib/apt/lists/*
 
 # Add priviledge separation directoy to run sshd as root.

From 40bb4c3735b41b24bc907dd1139ffd55c0f96b3c Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 17:18:11 -0400
Subject: [PATCH 07/10] fix: force latest package minizip for cve

---
 mpi-operator/Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index 74da9cf..9f59dac 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -7,7 +7,9 @@ FROM debian:bookworm
 
 ARG port=2222
 
-RUN apt update && apt install -y --no-install-recommends \
+RUN apt update \
+        && apt-get upgrade -y \
+        && apt install -y --no-install-recommends \
 			openssh-server \
 			openssh-client \
             libcap2-bin \
@@ -15,7 +17,7 @@ RUN apt update && apt install -y --no-install-recommends \
             sqlite3 \
             curl \
             ca-certificates \
-        &&  apt-get upgrade -y \
+            minizip \
 		&& rm -rf /var/lib/apt/lists/*
 
 # Add priviledge separation directoy to run sshd as root.

From 098c1070547db278087851788e700af7bba71445 Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 17:28:00 -0400
Subject: [PATCH 08/10] fix: remove package with CVE

---
 mpi-operator/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index 9f59dac..85d6372 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -17,7 +17,7 @@ RUN apt update \
             sqlite3 \
             curl \
             ca-certificates \
-            minizip \
+        && apt remove zlib1g \
 		&& rm -rf /var/lib/apt/lists/*
 
 # Add priviledge separation directoy to run sshd as root.

From 3e04882845d1b080054714d2e1f067c7bdbd21df Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Tue, 20 Aug 2024 17:37:57 -0400
Subject: [PATCH 09/10] fix: restore zlib package

---
 mpi-operator/Dockerfile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/mpi-operator/Dockerfile b/mpi-operator/Dockerfile
index 85d6372..55620e4 100644
--- a/mpi-operator/Dockerfile
+++ b/mpi-operator/Dockerfile
@@ -7,9 +7,7 @@ FROM debian:bookworm
 
 ARG port=2222
 
-RUN apt update \
-        && apt-get upgrade -y \
-        && apt install -y --no-install-recommends \
+RUN apt update && apt install -y --no-install-recommends \
 			openssh-server \
 			openssh-client \
             libcap2-bin \
@@ -17,7 +15,6 @@ RUN apt update \
             sqlite3 \
             curl \
             ca-certificates \
-        && apt remove zlib1g \
 		&& rm -rf /var/lib/apt/lists/*
 
 # Add priviledge separation directoy to run sshd as root.

From a6e31c8ff9078bff8ab5028ed751454979ac7443 Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <pat.ledgerwood@statcan.gc.ca>
Date: Thu, 22 Aug 2024 09:03:47 -0400
Subject: [PATCH 10/10] add trivyignore to workflow

---
 .github/workflows/build.yml   | 1 +
 .github/workflows/publish.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2656f43..56a5de0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -49,6 +49,7 @@ jobs:
     # Scan image for vulnerabilities
     - name: Aqua Security Trivy image scan
       run: |
+        printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
         trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2f9a2eb..10a56be 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -63,6 +63,7 @@ jobs:
     # Scan image for vulnerabilities
     - name: Aqua Security Trivy image scan
       run: |
+        printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
         trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL