VOL-3970 lock down deploy image
- use distroless base image for deployment
- use nonroot user/group for image
Change-Id: Idce62721921168c8bc919c431c4aa2b2eb49243d
diff --git a/Makefile b/Makefile
index 08d9cfe..884693b 100755
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,8 @@
DOCKER_EXTRA_ARGS ?=
DOCKER_REGISTRY ?=
DOCKER_REPOSITORY ?=
-DOCKER_TAG ?= ${VERSION}
+DOCKER_TAG ?= ${VERSION}$(shell [[ ${DOCKER_LABEL_VCS_DIRTY} == "true" ]] && echo "-dirty" || true)
+DOCKER_TARGET ?= prod
ADAPTER_IMAGENAME := ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}voltha-openonu-adapter-go:${DOCKER_TAG}
TYPE ?= minimal
@@ -57,33 +58,11 @@
GOLANGCI_LINT = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app -v gocache:/.cache -v gocache-${VOLTHA_TOOLS_VERSION}:/go/pkg voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-golangci-lint golangci-lint
HADOLINT = docker run --rm --user $$(id -u):$$(id -g) -v ${CURDIR}:/app voltha/voltha-ci-tools:${VOLTHA_TOOLS_VERSION}-hadolint hadolint
-.PHONY: docker-build local-protos local-lib-go
-
-# This should to be the first and default target in this Makefile
-help:
- @echo "Usage: make [<target>]"
- @echo "where available targets are:"
- @echo ""
- @echo "clean : Removes any local filesystem artifacts generated by a build"
- @echo "distclean : Removes any local filesystem artifacts generated by a build or test run"
- @echo "build : Build all openonu adapter artifacts"
- @echo "docker-build : Build openonu adapter docker image"
- @echo "docker-push : Push the docker images to an external repository"
- @echo "help : Print this help"
- @echo "lint : Run all lint targets"
- @echo "lint-dockerfile : Perform static analysis on Dockerfiles"
- @echo "lint-mod : Verify the Go dependencies"
- @echo "lint-sanity : Run the Go language sanity tests (vet)"
- @echo "lint-style : Verify the Go standard format of the source"
- @echo "local-protos : Copies a local verison of the VOLTHA protos into the vendor directory"
- @echo "local-lib-go : Copies a local version of the VOTLHA dependencies into the vendor directory"
- @echo "sca : Runs various SCA through golangci-lint tool"
- @echo "test : Run unit tests, if any"
- @echo
+.PHONY: docker-build local-protos local-lib-go help
+.DEFAULT_GOAL := help
## Local Development Helpers
-
-local-protos:
+local-protos: ## Copies a local version of the voltha-protos dependency into the vendor directory
ifdef LOCAL_PROTOS
rm -rf vendor/github.com/opencord/voltha-protos/v4/go
mkdir -p vendor/github.com/opencord/voltha-protos/v4/go
@@ -92,41 +71,41 @@
endif
## Local Development Helpers
-local-lib-go:
+local-lib-go: ## Copies a local version of the voltha-lib-go dependency into the vendor directory
ifdef LOCAL_LIB_GO
+ rm -rf vendor/github.com/opencord/voltha-lib-go/v4/pkg
mkdir -p vendor/github.com/opencord/voltha-lib-go/v4/pkg
cp -r ${LOCAL_LIB_GO}/pkg/* vendor/github.com/opencord/voltha-lib-go/v4/pkg/
endif
+build: docker-build ## Alias for 'docker build'
+
## Docker targets
-
-build: docker-build
-
docker-build: local-protos local-lib-go ## Build openonu adapter docker image (set BUILD_PROFILED=true to also build the profiled image)
- docker build $(DOCKER_BUILD_ARGS) -t ${ADAPTER_IMAGENAME} -f docker/Dockerfile.openonu .
+ docker build $(DOCKER_BUILD_ARGS) --target=${DOCKER_TARGET} -t ${ADAPTER_IMAGENAME} -f docker/Dockerfile.openonu .
ifdef BUILD_PROFILED
- docker build $(DOCKER_BUILD_ARGS) --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}-profile -f docker/Dockerfile.openonu .
+ docker build $(DOCKER_BUILD_ARGS) --target=${DOCKER_TARGET} --build-arg EXTRA_GO_BUILD_TAGS="-tags profile" -t ${ADAPTER_IMAGENAME}-profile -f docker/Dockerfile.openonu .
endif
-docker-push:
+docker-push: ## Push the docker images to an external repository
docker push ${ADAPTER_IMAGENAME}
ifdef BUILD_PROFILED
docker push ${ADAPTER_IMAGENAME}-profile
endif
-docker-kind-load:
+docker-kind-load: ## Load docker images into a KinD cluster
@if [ "`kind get clusters | grep voltha-$(TYPE)`" = '' ]; then echo "no voltha-$(TYPE) cluster found" && exit 1; fi
kind load docker-image ${ADAPTER_IMAGENAME} --name=voltha-$(TYPE) --nodes $(shell kubectl get nodes --template='{{range .items}}{{.metadata.name}},{{end}}' | sed 's/,$$//')
## lint and unit tests
-lint-dockerfile:
+lint-dockerfile: ## Perform static analysis on Dockerfile
@echo "Running Dockerfile lint check ..."
@${HADOLINT} $$(find . -name "Dockerfile.*")
@echo "Dockerfile lint check OK"
-lint-style:
+lint-style: ## Perform lint style checks on source code
@echo "Running style check..."
@gofmt_out="$$(${GOFMT} -l $$(find . -name '*.go' -not -path './vendor/*'))" ;\
if [ ! -z "$$gofmt_out" ]; then \
@@ -136,12 +115,12 @@
fi
@echo "Style check OK"
-lint-sanity:
+lint-sanity: ## Perform basic code checks on source
@echo "Running sanity check..."
@${GO} vet -mod=vendor ./...
@echo "Sanity check OK"
-lint-mod:
+lint-mod: ## Verify the Go dependencies
@echo "Running dependency check..."
@${GO} mod verify
@echo "Dependency check OK. Running vendor check..."
@@ -155,9 +134,9 @@
@[[ `git ls-files --exclude-standard --others go.mod go.sum vendor` == "" ]] || (echo "ERROR: Untracked files detected after running go mod tidy / go mod vendor" && echo "`git status`" && exit 1)
@echo "Vendor check OK."
-lint: local-lib-go lint-style lint-sanity lint-mod lint-dockerfile
+lint: local-lib-go lint-style lint-sanity lint-mod lint-dockerfile ## Run all lint targets
-test: lint
+test: lint ## Run unit tests
@mkdir -p ./tests/results
@${GO} test -mod=vendor -v -coverprofile ./tests/results/go-test-coverage.out -covermode count ./... 2>&1 | tee ./tests/results/go-test-results.out ;\
RETURN=$$? ;\
@@ -165,17 +144,25 @@
${GOCOVER_COBERTURA} < ./tests/results/go-test-coverage.out > ./tests/results/go-test-coverage.xml ;\
exit $$RETURN
-sca:
+sca: ## Runs static code analysis with the golangci-lint tool
@mkdir -p ./sca-report
@echo "Running static code analysis..."
@${GOLANGCI_LINT} run --deadline=6m --out-format junit-xml ./... | tee ./sca-report/sca-report.xml
@echo "Static code analysis OK"
-clean: distclean
+clean: distclean ## Removes any local filesystem artifacts generated by a build
-distclean:
+distclean: ## Removes any local filesystem artifacts generated by a build or test run
rm -rf ./sca-report
-mod-update:
+mod-update: ## Update go mod files
${GO} mod tidy
${GO} mod vendor
+
+# For each makefile target, add ## <description> on the target line and it will be listed by 'make help'
+help: ## Print help for each Makefile target
+ @echo "Usage: make [<target>]"
+ @echo "where available targets are:"
+ @echo
+ @grep '^[[:alpha:]_-]*:.* ##' $(MAKEFILE_LIST) \
+ | sort | awk 'BEGIN {FS=":.* ## "}; {printf "%-25s : %s\n", $$1, $$2};'
diff --git a/docker/Dockerfile.openonu b/docker/Dockerfile.openonu
index 5d50605..26b1c20 100755
--- a/docker/Dockerfile.openonu
+++ b/docker/Dockerfile.openonu
@@ -15,20 +15,13 @@
# -------------
# Build stage
-ARG GOLANG_IMAGE=golang:1.13.8-alpine3.11
-ARG DEPLOY_IMAGE=gcr.io/distroless/static:nonroot
-ARG IMAGE_OS=linux
-ARG IMAGE_ARCH=amd64
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH $GOLANG_IMAGE AS build-env
+FROM --platform=linux/amd64 golang:1.13.8-alpine3.11 AS dev
# Install required packages
RUN apk add --no-cache build-base=0.5-r1
-# Prepare directory structure
-WORKDIR /go/src/github.com/opencord/voltha-openonu-adapter-go
-
-# Copy common files.
+# Use Standard go build directory structure
+WORKDIR /go/src
COPY . .
ARG EXTRA_GO_BUILD_TAGS=""
@@ -40,11 +33,10 @@
ARG org_opencord_vcs_commit_date=unknown
ARG org_opencord_vcs_dirty=unknown
-# Build openonu
+# Build
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN \
-CGO_ENABLED=0 GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH \
-go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /go/bin/openonu \
+CGO_ENABLED=0 go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /app/openonu \
-ldflags \
"-X github.com/opencord/voltha-lib-go/v4/pkg/version.version=$org_label_schema_version \
-X github.com/opencord/voltha-lib-go/v4/pkg/version.vcsRef=$org_label_schema_vcs_ref \
@@ -55,16 +47,18 @@
-X github.com/opencord/voltha-lib-go/v4/pkg/version.buildTime=$org_label_schema_build_date" \
./cmd/openonu-adapter/
+WORKDIR /app
+
# -------------
# Image creation stage
-# hadolint ignore=DL3006
-FROM --platform=$IMAGE_OS/$IMAGE_ARCH $DEPLOY_IMAGE
+
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot AS prod
# Set the working directory
WORKDIR /app
# Copy required files
-COPY --from=build-env /go/bin/openonu /app/openonu
+COPY --from=dev /app/openonu /app/openonu
# Label image
ARG org_label_schema_version=unknown
@@ -73,8 +67,6 @@
ARG org_label_schema_build_date=unknown
ARG org_opencord_vcs_commit_date=unknown
ARG org_opencord_vcs_dirty=unknown
-ARG IMAGE_USER=nonroot
-ARG IMAGE_GROUP=nonroot
LABEL \
org.label-schema.schema-version=1.0 \
@@ -86,4 +78,4 @@
org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
org.opencord.vcs-dirty=$org_opencord_vcs_dirty
-USER $IMAGE_USER:$IMAGE_GROUP
+USER nonroot:nonroot