tools: introduce dockerfile-from-checker

this tool checks for inconsistencies in `FROM` in Dockerfiles and reports them Signed-off-by: Christoph Ostarek <christoph@zededa.com>
lf-edge · Oct 11, 2024 · c8e8151 · c8e8151
1 parent 527cd64
commit c8e8151
Show file tree

Hide file tree

Showing 7 changed files with 380 additions and 22 deletions.
diff --git a/.github/workflows/check-docker-hashes-consistency.yml b/.github/workflows/check-docker-hashes-consistency.yml
@@ -0,0 +1,38 @@
+# Copyright (c) 2024, Zededa, Inc.
+# SPDX-License-Identifier: Apache-2.0
+---
+name: Check Docker Hashes Consistency
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - "master"
+      - "[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+-stable"
+    paths-ignore:
+      - '**/*.md'
+      - '.github/**'
+  pull_request:
+    branches:
+      - "master"
+      - "[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+-stable"
+    paths-ignore:
+      - '**/*.md'
+      - '.github/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Check Docker Hashes Consistency
+        run: |
+          make check-docker-hashes-consistency
+      - name: Store raw test results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: 'check-docker-hashes-consistency-report'
+          path: ${{ github.workspace }}/dist
diff --git a/Makefile b/Makefile
@@ -342,6 +342,9 @@ COMPARE_SOURCE=./tools/compare-sbom-sources
 GET_DEPS_DIR=./tools/get-deps
 GET_DEPS=./tools/get-deps/get-deps
 
+DOCKERFILE_FROM_CHECKER_DIR=./tools/dockerfile-from-checker/
+DOCKERFILE_FROM_CHECKER=$(DOCKERFILE_FROM_CHECKER_DIR)/dockerfile-from-checker
+
 SYFT_VERSION:=v0.85.0
 SYFT_IMAGE:=docker.io/anchore/syft:$(SYFT_VERSION)
 
@@ -450,6 +453,19 @@ pillar-%: $(GOBUILDER) | $(DIST)
 clean:
 	rm -rf $(DIST) images/out pkg-deps.mk
 
+$(DOCKERFILE_FROM_CHECKER): $(DOCKERFILE_FROM_CHECKER)
+	make -C $(DOCKERFILE_FROM_CHECKER_DIR)
+
+.PHONY: check-docker-hashes-consistency
+check-docker-hashes-consistency: $(DOCKERFILE_FROM_CHECKER)
+	@echo "Checking Dockerfiles for inconsistencies"
+	$(DOCKERFILE_FROM_CHECKER) ./ \
+		-i ./eve-tools/bpftrace-compiler/Dockerfile \
+		-i pkg/bsp-imx/Dockerfile \
+		-i pkg/vtpm/Dockerfile \
+		-i pkg/optee-os/Dockerfile \
+		-i pkg/installer/Dockerfile
+
 yetus:
 	@echo Running yetus
 	mkdir -p yetus-output
@@ -1063,28 +1079,29 @@ help:
 	@echo "all the execution is done via qemu."
 	@echo
 	@echo "Commonly used maintenance and development targets:"
-	@echo "   build-vm       prepare a build VM for EVE in qcow2 format"
-	@echo "   test           run EVE tests"
-	@echo "   test-profiling run pillar tests with memory profiler"
-	@echo "   clean          clean build artifacts in a current directory (doesn't clean Docker)"
-	@echo "   release        prepare branch for a release (VERSION=x.y.z required)"
-	@echo "   rc-release     make a rc release on a current branch (must be a release branch)"
-	@echo "                  If the latest lts tag is 14.4.0 then running make rc-release will"
-	@echo "                  create 14.4.0-rc1 tag and if the latest tag is 14.4.1-lts then"
-	@echo "   lts-release    make a lts release on a current branch (must be a release branch)"
-	@echo "                  If the latest lts tag is 14.4.0-lts then running make lts-release
-	@echo "                  will create a new lts release 14.4.1-lts"
-	@echo "   proto          generates Go and Python source from protobuf API definitions"
-	@echo "   proto-vendor   update vendored API in packages that require it (e.g. pkg/pillar)"
-	@echo "   shell          drop into docker container setup for Go development"
-	@echo "   yetus          run Apache Yetus to check the quality of the source tree"
-	@echo "   mini-yetus     run Apache Yetus to check the quality of the source tree"
-	@echo "                  only on the files that have changed in the source branch"
-	@echo "                  compared to the destination branch, by default master is"
-	@echo "                  the source and current branch the destination, but this"
-	@echo "                  can be changed by setting the MYETUS_SBRANCH and"
-	@echo "                  MYETUS_DBRANCH, in addition if MYETUS_VERBOSE is set to"
-	@echo "                  Y, the output will be echoed to the console"
+	@echo "   build-vm                         prepare a build VM for EVE in qcow2 format"
+	@echo "   test                             run EVE tests"
+	@echo "   test-profiling                   run pillar tests with memory profiler"
+	@echo "   clean                            clean build artifacts in a current directory (doesn't clean Docker)"
+	@echo "   release                          prepare branch for a release (VERSION=x.y.z required)"
+	@echo "   rc-release                       make a rc release on a current branch (must be a release branch)"
+	@echo "                                    If the latest lts tag is 14.4.0 then running make rc-release will"
+	@echo "                                    create 14.4.0-rc1 tag and if the latest tag is 14.4.1-lts then"
+	@echo "   lts-release                      make a lts release on a current branch (must be a release branch)"
+	@echo "                                    If the latest lts tag is 14.4.0-lts then running make lts-release"
+	@echo "                                    will create a new lts release 14.4.1-lts"
+	@echo "   proto                            generates Go and Python source from protobuf API definitions"
+	@echo "   proto-vendor                     update vendored API in packages that require it (e.g. pkg/pillar)"
+	@echo "   shell                            drop into docker container setup for Go development"
+	@echo "   yetus                            run Apache Yetus to check the quality of the source tree"
+	@echo "   mini-yetus                       run Apache Yetus to check the quality of the source tree"
+	@echo "                                    only on the files that have changed in the source branch"
+	@echo "                                    compared to the destination branch, by default master is"
+	@echo "                                    the source and current branch the destination, but this"
+	@echo "                                    can be changed by setting the MYETUS_SBRANCH and"
+	@echo "                                    MYETUS_DBRANCH, in addition if MYETUS_VERBOSE is set to"
+	@echo "                                    Y, the output will be echoed to the console"
+	@echo "   check-docker-hashes-consistency  check for Dockerfile image inconsistencies"
 	@echo
 	@echo "Seldom used maintenance and development targets:"
 	@echo "   bump-eve-api   bump eve-api in all subprojects"

diff --git a/tools/dockerfile-from-checker/.gitignore b/tools/dockerfile-from-checker/.gitignore
@@ -0,0 +1 @@
+dockerfile-from-checker
diff --git a/tools/dockerfile-from-checker/Makefile b/tools/dockerfile-from-checker/Makefile
@@ -0,0 +1,5 @@
+# Copyright (c) 2024 Zededa, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+dockerfile-from-checker: go.mod go.sum main.go
+	go build -o $@ .
diff --git a/tools/dockerfile-from-checker/go.mod b/tools/dockerfile-from-checker/go.mod
@@ -0,0 +1,26 @@
+module dockerfile-checker
+
+go 1.21
+
+toolchain go1.21.5
+
+require (
+	github.com/moby/buildkit v0.13.0-beta3
+	github.com/spf13/cobra v1.6.1
+)
+
+require (
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/docker/docker v25.0.1+incompatible // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
+)
diff --git a/tools/dockerfile-from-checker/go.sum b/tools/dockerfile-from-checker/go.sum
@@ -0,0 +1,76 @@
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
+github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/docker v25.0.1+incompatible h1:k5TYd5rIVQRSqcTwCID+cyVA0yRg86+Pcrz1ls0/frA=
+github.com/docker/docker v25.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
+github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/moby/buildkit v0.13.0-beta3 h1:eefOGE6SsWYHFfymc09Q7VU5i3L9vUs8ZCZVCDXWNOo=
+github.com/moby/buildkit v0.13.0-beta3/go.mod h1:tSWWhq1EDM0eB3ngMNDiH2hOOW9fXTyn2uXuOraCLlE=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
+github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
+github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=