Refactor image building (e.g. using Buildah instead of Docker) (#66)

n-thumann · web-flow · commit a80b45f710dc · 2024-11-13T09:46:45.000+01:00
* Change: Use Podman / Buildah to build, test and push images

* Change: Pin workflow dependencies

* Change: Fix build by specifying containerfiles

* Change: Fix build by dropping redundant image tag

* Change: Disable upgrade by default

* Remove: No longer needed update toggle

* Add: Require Slackware current to be updated

* Change: Fix baseimage for Slackware

* Change: Include registry in baseimage names
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -124,7 +124,6 @@ jobs:
             TAG: "24.03-lts"
           - CONTEXT: operating_systems/oraclelinux
             TAG: "5"
-            UPDATED: false
           - CONTEXT: operating_systems/oraclelinux
             TAG: "6"
           - CONTEXT: operating_systems/oraclelinux
@@ -136,59 +135,45 @@ jobs:
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi7
             TAG: "7.6"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi7
             TAG: "7.7"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi7
             TAG: "7.8"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi7
             TAG: "7.9"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.0"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.1"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.2"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.3"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.4"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.5"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.6"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi8
             TAG: "8.7"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi9
             TAG: "9.0.0"
-            UPDATED: false
           - CONTEXT: operating_systems/rhel
             BASEIMAGE: registry.access.redhat.com/ubi9
             TAG: "9.1.0"
-            UPDATED: false
           - CONTEXT: operating_systems/rockylinux
             TAG: "8.5"
           - CONTEXT: operating_systems/rockylinux
@@ -217,6 +202,7 @@ jobs:
             TAG: "15.0"
           - CONTEXT: operating_systems/slackware
             TAG: current
+            UPDATED: true
           - CONTEXT: operating_systems/ubuntu
             TAG: "10.04"
           - CONTEXT: operating_systems/ubuntu
@@ -273,9 +259,9 @@ jobs:
             TAG: "24.10"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Login to Docker Registry
-        uses: docker/login-action@v3
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -295,29 +281,26 @@ jobs:
           echo "EOF" >> $GITHUB_ENV
 
       - name: Build Docker image
-        uses: docker/build-push-action@v6
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
         with:
           context: ${{ matrix.CONTEXT }}
-          load: true
+          containerfiles: ${{ matrix.CONTEXT }}/Dockerfile
           tags: ${{ env.IMAGE }}
           build-args: ${{ env.BUILD_ARGS }}
 
       - name: Test Docker image
         run: |
-          docker run --rm -d --name target -p 2222:22 ${{ env.IMAGE }}
+          podman run --rm -d --name target -p 2222:22 ${{ env.IMAGE }}
           sshpass -p demo ssh \
             -o "StrictHostKeyChecking no" \
             -o "KexAlgorithms $(ssh -Q kex | tr '\n' ',' | head -c -1)" \
             -o "Ciphers $(ssh -Q ciphers | tr '\n' ',' | head -c -1)" \
             -o "HostKeyAlgorithms $(ssh -Q key | tr '\n' ',' | head -c -1)" \
             demo@localhost -p 2222 echo "Hello from \$(whoami)@\$(cat /etc/hostname)"
-          docker stop target
+          podman stop target
 
       - name: Publish Docker image
-        uses: docker/build-push-action@v6
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
         if: ${{ github.event_name == 'push' }}
         with:
-          context: ${{ matrix.CONTEXT }}
-          push: true
           tags: ${{ env.IMAGE }}
-          build-args: ${{ env.BUILD_ARGS }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -9,4 +9,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Dependency Review'
-        uses: greenbone/actions/dependency-review@v3
+        uses: greenbone/actions/dependency-review@a1883bd24d2d921426b3f06413e84606ecd43bdd # v3.27.11
diff --git a/.github/workflows/sbom-upload.yml b/.github/workflows/sbom-upload.yml
@@ -11,4 +11,4 @@ jobs:
       contents: write
     steps:
       - name: 'SBOM upload'
-        uses: greenbone/actions/sbom-upload@v3
+        uses: greenbone/actions/sbom-upload@a1883bd24d2d921426b3f06413e84606ecd43bdd # v3.27.11
diff --git a/README.md b/README.md
@@ -164,8 +164,8 @@ To build e.g. the image for Mageia 8 use:
 docker build operating_systems/mageia --build-arg=TAG=8 -t mageia:8
 ```
 
-If not specified otherwise, the image will be built with its packages explicitly updated. This is available for most images. To build the image for Oracle Linux 5 (non-updated) use:
+If not specified otherwise, the image will be built with its packages explicitly not updated. This is available for most images. To build the image for Oracle Linux 5 (updated) use:
 
 ```
-docker build operating_systems/oraclelinux --build-arg=TAG=5 --build-arg=UPDATED=false -t oraclelinux:5
+docker build operating_systems/oraclelinux --build-arg=TAG=5 --build-arg=UPDATED=true -t oraclelinux:5
 ```
diff --git a/applications/generic/Dockerfile b/applications/generic/Dockerfile
@@ -2,7 +2,7 @@ ARG BASEIMAGE
 ARG TAG
 
 FROM ghcr.io/greenbone/vt-test-environments/${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 ARG TAG
 
 # Install dependencies
diff --git a/applications/home-assistant/Dockerfile b/applications/home-assistant/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASEIMAGE=homeassistant/home-assistant
+ARG BASEIMAGE=docker.io/homeassistant/home-assistant
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
diff --git a/applications/oracle-weblogic/10.3.6.0-2017/Dockerfile b/applications/oracle-weblogic/10.3.6.0-2017/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=vulhub/weblogic
+ARG BASEIMAGE=docker.io/vulhub/weblogic
 ARG TAG=10.3.6.0-2017
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN ( \
diff --git a/applications/oracle-weblogic/12.2.1.3-2018/Dockerfile b/applications/oracle-weblogic/12.2.1.3-2018/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=vulhub/weblogic
+ARG BASEIMAGE=docker.io/vulhub/weblogic
 ARG TAG=12.2.1.3-2018
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 USER root
 
diff --git a/operating_systems/almalinux/Dockerfile b/operating_systems/almalinux/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=almalinux
+ARG BASEIMAGE=docker.io/library/almalinux
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 ARG TAG
 
 # Lock releasever to the tag to pin the minor release
diff --git a/operating_systems/amazonlinux/Dockerfile b/operating_systems/amazonlinux/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=amazonlinux
+ARG BASEIMAGE=docker.io/library/amazonlinux
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 RUN if [ "$UPDATED" = true ]; then yum upgrade -y; fi \
     && yum install -y openssh-server passwd \
diff --git a/operating_systems/debian/Dockerfile b/operating_systems/debian/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=debian
+ARG BASEIMAGE=docker.io/library/debian
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update \
diff --git a/operating_systems/euleros/Dockerfile b/operating_systems/euleros/Dockerfile
@@ -1,5 +1,5 @@
 # Don't use anything RHEL 9-based. It'll break the RPM GPG key.
-FROM rockylinux:8.6 as builder
+FROM docker.io/library/rockylinux:8.6 as builder
 
 ARG TAG
 WORKDIR /tmp
diff --git a/operating_systems/fedora/Dockerfile b/operating_systems/fedora/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=fedora
+ARG BASEIMAGE=docker.io/library/fedora
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 RUN if [ "$UPDATED" = true ]; then dnf upgrade -y; fi \
     && dnf install -y openssh-server \
diff --git a/operating_systems/mageia/Dockerfile b/operating_systems/mageia/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=mageia
+ARG BASEIMAGE=docker.io/library/mageia
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 RUN if [ "$UPDATED" = true ]; then dnf upgrade -y; fi \
     && dnf install -y openssh-server \
diff --git a/operating_systems/openeuler/Dockerfile b/operating_systems/openeuler/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=openeuler/openeuler
+ARG BASEIMAGE=docker.io/openeuler/openeuler
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 RUN if [ "$UPDATED" = true ]; then dnf upgrade -y; fi \
     && dnf install -y openssh-server passwd \
diff --git a/operating_systems/oraclelinux/Dockerfile b/operating_systems/oraclelinux/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=oraclelinux
+ARG BASEIMAGE=docker.io/library/oraclelinux
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 RUN if [ "$UPDATED" = true ]; then yum upgrade -y && yum clean all; fi \
     && useradd demo \
diff --git a/operating_systems/rockylinux/Dockerfile b/operating_systems/rockylinux/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=rockylinux
+ARG BASEIMAGE=docker.io/library/rockylinux
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 ARG TAG
 
 # Lock releasever to the tag to pin the minor release
diff --git a/operating_systems/slackware/Dockerfile b/operating_systems/slackware/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=vbatts/slackware
+ARG BASEIMAGE=docker.io/vbatts/slackware
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 RUN slackpkg update \
     # When updating, we need to upgrade slackpkg itself first. Otherwise upgrade-all will abort.
diff --git a/operating_systems/ubuntu/Dockerfile b/operating_systems/ubuntu/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASEIMAGE=ubuntu
+ARG BASEIMAGE=docker.io/library/ubuntu
 ARG TAG
 
 FROM ${BASEIMAGE}:${TAG}
-ARG UPDATED=true
+ARG UPDATED=false
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN ( \

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-ARG BASEIMAGE=homeassistant/home-assistant`
	`1`	`+ARG BASEIMAGE=docker.io/homeassistant/home-assistant`
`2`	`2`	`ARG TAG`
`3`	`3`
`4`	`4`	`FROM ${BASEIMAGE}:${TAG}`