VOL-3970 lock down deploy image

- use distroless base image for deployment
- use nonroot user/group for image
- update Makefile to support dev/prod docker image builds
- clean up makefile including auto generated help

Change-Id: I14836d4b8595718d86ad07307d7c7cfe8f97acba
diff --git a/Makefile b/Makefile
index abf615f..a213c83 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,7 @@
 DOCKER_REGISTRY            ?=
 DOCKER_REPOSITORY          ?=
 DOCKER_TAG                 ?= ${VERSION}$(shell [[ ${DOCKER_LABEL_VCS_DIRTY} == "true" ]] && echo "-dirty" || true)
+DOCKER_TARGET              ?= prod
 RWCORE_IMAGENAME           := ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}voltha-rw-core
 TYPE                       ?= minimal
 
@@ -62,56 +63,39 @@
 GOLANGCI_LINT     = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app $(shell test -t 0 && echo "-it") -v gocache:/.cache -v gocache-${VOLTHA_TOOLS_VERSION}:/go/pkg voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-golangci-lint golangci-lint
 HADOLINT          = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app $(shell test -t 0 && echo "-it") voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-hadolint hadolint
 
-.PHONY: rw_core local-protos
+.PHONY: docker-build local-protos local-lib-go help
+.DEFAULT_GOAL := help
 
-# This should to be the first and default target in this Makefile
-help:
-	@echo "Usage: make [<target>]"
-	@echo "where available targets are:"
-	@echo
-	@echo "build                : Build the docker images."
-	@echo "                         - If this is the first time you are building, choose 'make build' option."
-	@echo "rw_core              : Build the rw_core docker image"
-	@echo "clean                : Remove files created by the build and tests"
-	@echo "distclean            : Remove sca directory and clean"
-	@echo "docker-push          : Push the docker images to an external repository"
-	@echo "lint-dockerfile      : Perform static analysis on Dockerfiles"
-	@echo "lint-mod             : Verify the integrity of the 'mod' files"
-	@echo "lint                 : Shorthand for lint-style & lint-sanity"
-	@echo "sca                  : Runs various SCA through golangci-lint tool"
-	@echo "test                 : Generate reports for all go tests"
-	@echo
 
 ## Local Development Helpers
-local-protos:
+local-protos: ## Copies a local version of the voltha-protos dependency into the vendor directory
 ifdef LOCAL_PROTOS
+	rm -rf vendor/github.com/opencord/voltha-protos/v4/go
 	mkdir -p vendor/github.com/opencord/voltha-protos/v4/go
 	cp -r ${LOCAL_PROTOS}/go/* vendor/github.com/opencord/voltha-protos/v4/go
 endif
 
 ## Local Development Helpers
-local-lib-go:
+local-lib-go: ## Copies a local version of the voltha-lib-go dependency into the vendor directory
 ifdef LOCAL_LIB_GO
+	rm -rf vendor/github.com/opencord/voltha-lib-go/v4/pkg
 	mkdir -p vendor/github.com/opencord/voltha-lib-go/v4/pkg
 	cp -r ${LOCAL_LIB_GO}/pkg/* vendor/github.com/opencord/voltha-lib-go/v4/pkg/
 endif
 
 ## Docker targets
+build: docker-build ## Alias for 'docker-build'
 
-build: docker-build
-
-docker-build: rw_core
-
-rw_core: local-protos local-lib-go
-	docker build $(DOCKER_BUILD_ARGS) -t ${RWCORE_IMAGENAME}:${DOCKER_TAG} -f docker/Dockerfile.rw_core .
+docker-build: local-protos local-lib-go ## Build core docker image (set BUILD_PROFILED=true to also build the profiled image)
+	docker build $(DOCKER_BUILD_ARGS) -t ${RWCORE_IMAGENAME}:${DOCKER_TAG} --target ${DOCKER_TARGET} -f docker/Dockerfile.rw_core .
 ifdef BUILD_PROFILED
-	docker build $(DOCKER_BUILD_ARGS) --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${RWCORE_IMAGENAME}:${DOCKER_TAG}-profile -f docker/Dockerfile.rw_core .
+	docker build $(DOCKER_BUILD_ARGS) --target ${DOCKER_TARGET} --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${RWCORE_IMAGENAME}:${DOCKER_TAG}-profile -f docker/Dockerfile.rw_core .
 endif
 ifdef BUILD_RACE
-	docker build $(DOCKER_BUILD_ARGS) --build-arg GOLANG_IMAGE=golang:1.13.8-buster --build-arg DEPLOY_IMAGE=debian:buster-slim --build-arg EXTRA_GO_BUILD_TAGS="--race" -t ${RWCORE_IMAGENAME}:${DOCKER_TAG}-rd -f docker/Dockerfile.rw_core .
+	docker build $(DOCKER_BUILD_ARGS) --target ${DOCKER_TARGET} --build-arg GOLANG_IMAGE=golang:1.13.8-buster --build-arg DEPLOY_IMAGE=debian:buster-slim --build-arg EXTRA_GO_BUILD_TAGS="--race" -t ${RWCORE_IMAGENAME}:${DOCKER_TAG}-rd -f docker/Dockerfile.rw_core .
 endif
 
-docker-push:
+docker-push: ## Push the docker images to an external repository
 	docker push ${RWCORE_IMAGENAME}:${DOCKER_TAG}
 ifdef BUILD_PROFILED
 	docker push ${RWCORE_IMAGENAME}:${DOCKER_TAG}-profile
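Review bot: The image tag in the `docker-build` recipe does not depend on `DOCKER_TARGET`, so `make docker-build DOCKER_TARGET=dev` followed by `make docker-push` publishes the build stage under the same `${RWCORE_IMAGENAME}:${DOCKER_TAG}` name as the distroless image. That stage is the Alpine Go toolchain image, and no `USER` directive is visible for it in this commit's Dockerfile hunks. Consider deriving a suffix such as `DOCKER_TAG_SUFFIX := $(if $(filter prod,${DOCKER_TARGET}),,-${DOCKER_TARGET})` and appending it to every `-t` and `docker push` reference, so that a dev build can never overwrite or be pushed as the prod tag. The `docker-push` rule continues past the end of this hunk.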
@@ -119,18 +103,18 @@
 ifdef BUILD_RACE
 	docker push ${RWCORE_IMAGENAME}:${DOCKER_TAG}-rd
 endif
-docker-kind-load:
+docker-kind-load: ## Load docker images into a KinD cluster
 	@if [ "`kind get clusters | grep voltha-$(TYPE)`" = '' ]; then echo "no voltha-$(TYPE) cluster found" && exit 1; fi
 	kind load docker-image ${RWCORE_IMAGENAME}:${DOCKER_TAG} --name=voltha-$(TYPE) --nodes $(shell kubectl get nodes --template='{{range .items}}{{.metadata.name}},{{end}}' | rev | cut -c 2- | rev)
 
 ## lint and unit tests
 
-lint-dockerfile:
+lint-dockerfile: ## Perform static analysis on Dockerfile
 	@echo "Running Dockerfile lint check..."
 	@${HADOLINT} $$(find . -name "Dockerfile.*")
 	@echo "Dockerfile lint check OK"
 
-lint-mod:
+lint-mod: ## Verify the Go dependencies
 	@echo "Running dependency check..."
 	@${GO} mod verify
 	@echo "Dependency check OK. Running vendor check..."
@@ -145,9 +129,9 @@
 	@echo "Vendor check OK."
 
 
-lint: lint-mod lint-dockerfile
+lint: lint-mod lint-dockerfile ## Run all lint targets
 
-sca:
+sca: ## Runs static code analysis with the golangci-lint tool
 	@rm -rf ./sca-report
 	@mkdir -p ./sca-report
 	@echo "Running static code analysis..."
@@ -155,7 +139,7 @@
 	@echo ""
 	@echo "Static code analysis OK"
 
-test: local-lib-go
+test: local-lib-go ## Run unit tests
 	@mkdir -p ./tests/results
 	@${GO} test -mod=vendor -v -coverprofile ./tests/results/go-test-coverage.out -covermode count ./... 2>&1 | tee ./tests/results/go-test-results.out ;\
 	RETURN=$$? ;\
@@ -163,14 +147,22 @@
 	${GOCOVER_COBERTURA} < ./tests/results/go-test-coverage.out > ./tests/results/go-test-coverage.xml ;\
 	exit $$RETURN
 
-clean: distclean
+clean: distclean ## Removes any local filesystem artifacts generated by a build
 
-distclean:
+distclean: ## Removes any local filesystem artifacts generated by a build or test run
 	rm -rf ./sca-report
 
-mod-update:
+mod-update: ## Update go mod files
 	${GO} mod tidy
 	${GO} mod vendor
 
-fmt:
+fmt: ## Formats the soure code to go best practice style
 	@go fmt ${PACKAGES}
+
+# For each makefile target, add ## <description> on the target line and it will be listed by 'make help'
+help: ## Print help for each Makefile target
+	@echo "Usage: make [<target>]"
+	@echo "where available targets are:"
+	@echo
+	@grep '^[[:alpha:]_-]*:.* ##' $(MAKEFILE_LIST) \
+		| sort | awk 'BEGIN {FS=":.* ## "}; {printf "%-25s : %s\n", $$1, $$2};'
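Review bot: The description on the `fmt` rule misspells "source" (`## Formats the soure code to go best practice style`), and that string is exactly what `make help` prints. The filter `grep '^[[:alpha:]_-]*:.* ##'` in the new `help` recipe also skips any target whose name contains a digit or a dot, so such a target would be silently missing from the listing; `'^[[:alnum:]_.-]*:.* ##'` would be more forgiving.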
diff --git a/VERSION b/VERSION
index dbe5900..edfc322 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.8.1
+2.8.2-dev
diff --git a/docker/Dockerfile.rw_core b/docker/Dockerfile.rw_core
index 4c2603f..986d1ba 100644
--- a/docker/Dockerfile.rw_core
+++ b/docker/Dockerfile.rw_core
@@ -15,13 +15,10 @@
 # -------------
 # Build stage
 
-ARG GOLANG_IMAGE=golang:1.13.8-alpine3.11
-ARG DEPLOY_IMAGE=alpine:3.11.3
-# hadolint ignore=DL3006
-FROM $GOLANG_IMAGE AS build-env
+FROM --platform=linux/amd64 golang:1.13.8-alpine3.11 AS dev
 
 # Install required packages
-RUN if command -v apk; then apk add --no-cache build-base=0.5-r1; fi
+RUN apk add --no-cache build-base=0.5-r1
 
 # Use Standard go build directory structure
 WORKDIR /go/src
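Review bot: Dropping `ARG GOLANG_IMAGE` and `ARG DEPLOY_IMAGE` here leaves the Makefile's `BUILD_RACE` branch passing `--build-arg GOLANG_IMAGE=golang:1.13.8-buster --build-arg DEPLOY_IMAGE=debian:buster-slim` to a Dockerfile that no longer declares them. The `-rd` image is therefore built on Alpine and, with the default target, shipped on distroless/static. Combined with the `CGO_ENABLED=0` added to the `go build` line in the next hunk, `EXTRA_GO_BUILD_TAGS="--race"` should fail outright, because the Go race detector requires cgo. Either keep a separate race-capable stage (glibc base, cgo enabled) that `BUILD_RACE` selects with `--target`, or remove the `BUILD_RACE` branch from the Makefile in the same change.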
@@ -46,31 +43,30 @@
 
 # Build
 WORKDIR /go/src/rw_core
-# Need to ignore DL4006 as depending on the image being used different
-# shell may be used and there is no known way to parameterize the
-# Dockerfile SHELL command as build args did not seems to work
-# hadolint ignore=DL4006
-RUN go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /go/bin/rw_core \
-	-ldflags \
-	"-X github.com/opencord/voltha-lib-go/v4/pkg/version.version=$org_label_schema_version \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsRef=$org_label_schema_vcs_ref  \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsDirty=$org_opencord_vcs_dirty \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.goVersion=$(go version 2>&1 | sed -E  's/.*go([0-9]+\.[0-9]+\.[0-9]+).*/\1/g') \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.os=$(go env GOHOSTOS) \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.arch=$(go env GOHOSTARCH) \
-	 -X github.com/opencord/voltha-lib-go/v4/pkg/version.buildTime=$org_label_schema_build_date"
+SHELL ["/bin/ash", "-o", "pipefail", "-c"]
+RUN \
+CGO_ENABLED=0 go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /app/rw_core \
+-ldflags \
+"-X github.com/opencord/voltha-lib-go/v4/pkg/version.version=$org_label_schema_version \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsRef=$org_label_schema_vcs_ref  \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsDirty=$org_opencord_vcs_dirty \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.goVersion=$(go version 2>&1 | sed -E  's/.*go([0-9]+\.[0-9]+\.[0-9]+).*/\1/g') \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.os=$(go env GOHOSTOS) \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.arch=$(go env GOHOSTARCH) \
+-X github.com/opencord/voltha-lib-go/v4/pkg/version.buildTime=$org_label_schema_build_date" \
+.
+
+WORKDIR /app
 
 # -------------
 # Image creation stage
-
-# hadolint ignore=DL3006
-FROM $DEPLOY_IMAGE
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot as prod
 
 # Set the working directory
 WORKDIR /app
 
 # Copy required files
-COPY --from=build-env /go/bin/rw_core /app/
+COPY --from=dev /app/rw_core /app/rw_core
 
 # Label image
 ARG org_label_schema_version=unknown
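Review bot: `gcr.io/distroless/static:nonroot` is a floating tag, so the deploy base can change between builds with no change in this repository. For an image that is meant to be locked down, pin it by digest, e.g. `FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot@sha256:<digest-placeholder> AS prod`, and record how the digest gets refreshed. The same applies to `golang:1.13.8-alpine3.11` in the build stage. The stage keyword is written `as prod` here but `AS dev` above; uppercase `AS` keeps the two consistent.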
@@ -80,11 +76,14 @@
 ARG org_opencord_vcs_commit_date=unknown
 ARG org_opencord_vcs_dirty=unknown
 
-LABEL org.label-schema.schema-version=1.0 \
-      org.label-schema.name=voltha-rw-core \
-      org.label-schema.version=$org_label_schema_version \
-      org.label-schema.vcs-url=$org_label_schema_vcs_url \
-      org.label-schema.vcs-ref=$org_label_schema_vcs_ref \
-      org.label-schema.build-date=$org_label_schema_build_date \
-      org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
-      org.opencord.vcs-dirty=$org_opencord_vcs_dirty
+LABEL \
+org.label-schema.schema-version=1.0 \
+org.label-schema.name=voltha-rw-core \
+org.label-schema.version=$org_label_schema_version \
+org.label-schema.vcs-url=$org_label_schema_vcs_url \
+org.label-schema.vcs-ref=$org_label_schema_vcs_ref \
+org.label-schema.build-date=$org_label_schema_build_date \
+org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
+org.opencord.vcs-dirty=$org_opencord_vcs_dirty
+
+USER nonroot:nonroot
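Review bot: `USER nonroot:nonroot` identifies the account by name, and Kubernetes cannot enforce `runAsNonRoot: true` against an image whose user is non-numeric; the kubelet rejects the container because it cannot verify that the user is not root. Using the numeric IDs of the distroless nonroot account, `USER 65532:65532`, keeps the same identity and lets pod security settings verify it without each deployment having to set `runAsUser` explicitly.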