VOL-3970 lock down deploy image
- use distroless base image for deployment
- use nonroot user/group for image
Change-Id: Ic79455b86e1b03dee3f8918858ecf9bd82976252
diff --git a/Makefile b/Makefile
index 4e41897..0be6996 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,7 @@
DOCKER_REGISTRY ?=
DOCKER_REPOSITORY ?=
DOCKER_TAG ?= ${VERSION}$(shell [[ ${DOCKER_LABEL_VCS_DIRTY} == "true" ]] && echo "-dirty" || true)
+DOCKER_TARGET ?= prod
ADAPTER_IMAGENAME := ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}voltha-ofagent-go
## Docker labels. Only set ref and commit date if committed
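Review bot: `DOCKER_TARGET` is a new user-overridable knob that decides which Dockerfile stage gets tagged as the image, but nothing states its accepted values or that only `prod` is the locked-down distroless image that runs as `nonroot`; the other stage, `dev`, is the golang/alpine build stage holding the copied sources and toolchain, with no `USER` directive visible in this commit. A comment on its own line above the assignment (not trailing, since trailing text becomes part of the value) would make that explicit: `# Dockerfile stage to tag: 'prod' (distroless, nonroot) or 'dev' (build stage with toolchain and sources)` followed by `DOCKER_TARGET ?= prod`. The stage names come from the Dockerfile hunks in this same commit.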
@@ -58,58 +59,47 @@
GOLANGCI_LINT = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app $(shell test -t 0 && echo "-it") -v gocache:/.cache -v gocache-${VOLTHA_TOOLS_VERSION}:/go/pkg voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-golangci-lint golangci-lint
HADOLINT = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app $(shell test -t 0 && echo "-it") voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-hadolint hadolint
-.PHONY: local-protos local-voltha
-
-# This should to be the first and default target in this Makefile
-help:
- @echo "Usage: make [<target>]"
- @echo "where available targets are:"
- @echo
- @echo "build : Build ofagent-go docker image"
- @echo "docker-build : Build ofagent-go docker image"
- @echo "help : Print this help"
- @echo "docker-push : Push the docker images to an external repository"
- @echo "lint : Run lint verification, depenancy, gofmt and reference check"
- @echo "sca : Runs various SCA through golangci-lint tool"
- @echo "test : Run unit tests, if any"
- @echo
-
+.PHONY: docker-build local-protos local-lib-go local-voltha help
+.DEFAULT_GOAL := help
## Local Development Helpers
-local-protos:
+local-protos: ## Copies a local version of the voltha-protos dependency into the vendor directory
ifdef LOCAL_PROTOS
+ rm -rf vendor/github.com/opencord/voltha-protos/go
mkdir -p vendor/github.com/opencord/voltha-protos/go
cp -r ${GOPATH}/src/github.com/opencord/voltha-protos/go/* vendor/github.com/opencord/voltha-protos/go
endif
## Local Development Helpers
-local-lib-go:
+local-lib-go: ## Copies a local version of the voltha-lib-go dependency into the vendor directory
ifdef LOCAL_LIB_GO
+ rm -rf vendor/github.com/opencord/voltha-lib-go/v4/pkg
mkdir -p vendor/github.com/opencord/voltha-lib-go/v4/pkg
cp -r ${LOCAL_LIB_GO}/pkg/* vendor/github.com/opencord/voltha-lib-go/v4/pkg/
endif
-local-voltha:
+local-voltha: ## Copies a local version of the voltha-go dependency into the vendor directory
ifdef LOCAL_VOLTHA
+ rm -rf vendor/github.com/opencord/voltha-go/
mkdir -p vendor/github.com/opencord/voltha-go/
cp -rf ${GOPATH}/src/github.com/opencord/voltha-go/ vendor/github.com/opencord/
rm -rf vendor/github.com/opencord/voltha-go/vendor
endif
## Docker targets
-build: docker-build
+build: docker-build ## Alias for 'docker-build'
## Docker targets
-docker-build: local-protos local-voltha local-lib-go
- docker build $(DOCKER_BUILD_ARGS) -t ${ADAPTER_IMAGENAME}:${DOCKER_TAG} -f docker/Dockerfile.ofagent-go .
+docker-build: local-protos local-voltha local-lib-go ## Build docker image (set BUILD_PROFILED=true to also build the profiled image)
+ docker build $(DOCKER_BUILD_ARGS) --target=${DOCKER_TARGET} -t ${ADAPTER_IMAGENAME}:${DOCKER_TAG} -f docker/Dockerfile.ofagent-go .
ifdef BUILD_PROFILED
- docker build $(DOCKER_BUILD_ARGS) --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}:${DOCKER_TAG}-profile -f docker/Dockerfile.ofagent-go .
+ docker build $(DOCKER_BUILD_ARGS) --target=${DOCKER_TARGET} --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}:${DOCKER_TAG}-profile -f docker/Dockerfile.ofagent-go .
endif
-docker-push:
+docker-push: ## Push the docker images to an external repository
docker push ${ADAPTER_IMAGENAME}:${DOCKER_TAG}
ifdef BUILD_PROFILED
docker push ${ADAPTER_IMAGENAME}:${DOCKER_TAG}-profile
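Review bot: The rewritten `.PHONY` line still leaves most command-style targets undeclared — `build`, `docker-push`, `lint`, `lint-dockerfile`, `lint-mod`, `test`, `sca`, `clean`, `distclean` and `mod-update` all run recipes that create no file of that name, so a stray file called e.g. `test` or `clean` in the checkout would make Make consider the target up to date and skip the recipe. Since the commit is already revising the list, extend it: `.PHONY: build docker-build docker-push local-protos local-lib-go local-voltha lint lint-dockerfile lint-mod test sca clean distclean mod-update help`. Several of those targets are defined in the later hunks of this file.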
@@ -117,12 +107,12 @@
## lint and unit tests
-lint-dockerfile:
+lint-dockerfile: ## Perform static analysis on Dockerfile
@echo "Running Dockerfile lint check..."
@${HADOLINT} $$(find . -name "Dockerfile.*")
@echo "Dockerfile lint check OK"
-lint-mod:
+lint-mod: ## Verify the Go dependencies
@echo "Running dependency check..."
@${GO} mod verify
@echo "Dependency check OK. Running vendor check..."
@@ -136,9 +126,9 @@
@[[ `git ls-files --exclude-standard --others go.mod go.sum vendor` == "" ]] || (echo "ERROR: Untracked files detected after running go mod tidy / go mod vendor" && git status -- go.mod go.sum vendor && git checkout -- go.mod go.sum vendor && exit 1)
@echo "Vendor check OK."
-lint: lint-mod lint-dockerfile
+lint: lint-mod lint-dockerfile ## Run all lint targets
-test: local-lib-go
+test: local-lib-go ## Run unit tests
@mkdir -p ./tests/results
@${GO} test -mod=vendor -v -coverprofile ./tests/results/go-test-coverage.out -covermode count ./... 2>&1 | tee ./tests/results/go-test-results.out ;\
RETURN=$$? ;\
@@ -146,7 +136,7 @@
${GOCOVER_COBERTURA} < ./tests/results/go-test-coverage.out > ./tests/results/go-test-coverage.xml ;\
exit $$RETURN
-sca:
+sca: ## Runs static code analysis with the golangci-lint tool
@rm -rf ./sca-report
@mkdir -p ./sca-report
@echo "Running static code analysis..."
@@ -154,12 +144,20 @@
@echo ""
@echo "Static code analysis OK"
-clean:
+clean: ## Removes any local filesystem artifacts generated by a build
rm -rf ./sca-report
-distclean: clean
+distclean: clean ## Removes any local filesystem artifacts generated by a build or test run
rm -rf ${VENVDIR}
-mod-update:
+mod-update: ## Update go mod files
${GO} mod tidy
${GO} mod vendor
+
+# For each makefile target, add ## <description> on the target line and it will be listed by 'make help'
+help: ## Print help for each Makefile target
+ @echo "Usage: make [<target>]"
+ @echo "where available targets are:"
+ @echo
+ @grep '^[[:alpha:]_-]*:.* ##' $(MAKEFILE_LIST) \
+ | sort | awk 'BEGIN {FS=":.* ## "}; {printf "%-25s : %s\n", $$1, $$2};'
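Review bot: The new `help` recipe greps `$(MAKEFILE_LIST)`, and as soon as that list holds more than one file grep prefixes every match with its filename, so the awk split on `:.* ## ` would print the filename in the target column instead of the target. Only this Makefile is visible here, so it works today, but `grep -h` makes the output independent of how many makefiles end up parsed: `@grep -h '^[[:alpha:]_-]*:.* ##' $(MAKEFILE_LIST) \`.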
diff --git a/docker/Dockerfile.ofagent-go b/docker/Dockerfile.ofagent-go
index 8de0b9b..663a0ae 100644
--- a/docker/Dockerfile.ofagent-go
+++ b/docker/Dockerfile.ofagent-go
@@ -15,15 +15,12 @@
# -------------
# Build stage
-ARG GOLANG_IMAGE=golang:1.13.8-alpine3.11
-ARG DEPLOY_IMAGE=gcr.io/distroless/static:nonroot
-ARG IMAGE_OS=linux
-ARG IMAGE_ARCH=amd64
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH $GOLANG_IMAGE AS build-env
+FROM --platform=linux/amd64 golang:1.13.8-alpine3.11 AS dev
-WORKDIR /src/
-COPY . /src/
+WORKDIR /go/src
+COPY . .
+
+ARG EXTRA_GO_BUILD_TAGS=""
ARG org_label_schema_version=unknown
ARG org_label_schema_vcs_url=unknown
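Review bot: The commit's purpose is a locked-down deploy image, yet both `FROM` lines now pin their base only by a mutable tag — `golang:1.13.8-alpine3.11` here and `gcr.io/distroless/static:nonroot` in the image-creation hunk below — so what actually gets built depends on whatever those tags resolve to on the day of the build. Pinning by digest gives a reproducible, verifiable base: `FROM --platform=linux/amd64 golang:1.13.8-alpine3.11@sha256:<digest-of-the-intended-golang-image> AS dev`, and likewise for the distroless line, with the digests bumped deliberately when the bases are updated. Removing the `ARG GOLANG_IMAGE`/`DEPLOY_IMAGE` indirection does make the `hadolint ignore=DL3006` pragmas unnecessary, so dropping them alongside is consistent.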
@@ -32,13 +29,10 @@
ARG org_opencord_vcs_commit_date=unknown
ARG org_opencord_vcs_dirty=unknown
-ARG EXTRA_GO_BUILD_TAGS=""
-
-# Build ofagent-go
+# Build
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN \
-CGO_ENABLED=0 GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH \
-go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /build/ofagent \
+CGO_ENABLED=0 go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /app/ofagent \
-ldflags \
"-X github.com/opencord/voltha-lib-go/v2/pkg/version.version=$org_label_schema_version \
-X github.com/opencord/voltha-lib-go/v2/pkg/version.vcsRef=$org_label_schema_vcs_ref \
@@ -49,16 +43,17 @@
-X github.com/opencord/voltha-lib-go/v2/pkg/version.buildTime=$org_label_schema_build_date" \
./cmd/ofagent
+WORKDIR /app
+
# -------------
# Image creation stage
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH $DEPLOY_IMAGE
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot AS prod
# Set the working directory
WORKDIR /app
# Copy required files
-COPY --from=build-env /build/ofagent /app/ofagent
+COPY --from=dev /app/ofagent /app/ofagent
# Label image
ARG org_label_schema_version=unknown
@@ -67,8 +62,6 @@
ARG org_label_schema_build_date=unknown
ARG org_opencord_vcs_commit_date=unknown
ARG org_opencord_vcs_dirty=unknown
-ARG IMAGE_USER=nonroot
-ARG IMAGE_GROUP=nonroot
LABEL \
org.label-schema.schema-version=1.0 \
@@ -80,4 +73,4 @@
org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
org.opencord.vcs-dirty=$org_opencord_vcs_dirty
-USER $IMAGE_USER:$IMAGE_GROUP
+USER nonroot:nonroot
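Review bot: `USER nonroot:nonroot` names the user symbolically, which orchestrators enforcing a non-root policy cannot always verify from image metadata alone — Kubernetes' `runAsNonRoot` check, for instance, rejects a container whose image `USER` is non-numeric unless the pod spec also sets `runAsUser`. Distroless images define `nonroot` as UID/GID 65532, so the numeric form `USER 65532:65532` expresses the same intent while staying machine-checkable. The `/app/ofagent` binary copied in the earlier hunk is copied root-owned without `--chown`, which is the desirable read-only layout for that user and needs no change.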