Merge pull request #1931 from mercedes-benz/feature-1536-sechub-docke…

…rfile-alpine Feature 1536 sechub dockerfile alpine
mercedes-benz · Feb 13, 2023 · 4ef5a9e · 4ef5a9e
2 parents 58a709e + ae04caf
commit 4ef5a9e
Show file tree

Hide file tree

Showing 14 changed files with 326 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -55,3 +55,7 @@ java-gen/
 
 # macOS
 .DS_Store
+
+# Containerized solutions
+copy/
+!copy/README.adoc
diff --git a/sechub-solution/01-start-single-docker-compose-alpine.sh b/sechub-solution/01-start-single-docker-compose-alpine.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+
+ENVIRONMENT_FILE=".env-single"
+
+resource_limits_enabled="$1"
+compose_file="docker-compose_sechub-alpine"
+
+cd $(dirname "$0")
+source "0000-helper.sh"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+setup_environment_file "$ENVIRONMENT_FILE" "env-sechub"
+
+# Use Docker BuildKit
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+if [[ "$resource_limits_enabled" == "yes" ]]
+then
+    compose_file="docker-compose_sechub_resource_limits"
+fi
+
+echo "Compose file: $compose_file"
+docker-compose --file "$compose_file.yaml" up --build --remove-orphans
diff --git a/sechub-solution/docker-compose_sechub-alpine.yaml b/sechub-solution/docker-compose_sechub-alpine.yaml
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: MIT
+
+version: "3"
+services:
+  sechub:
+    build:
+      args:
+        - BASE_IMAGE=alpine:3.17
+        - BUILD_TYPE=${BUILD_TYPE}
+        - JAVA_DISTRIBUTION=${JAVA_DISTRIBUTION}
+        - JAVA_VERSION=${JAVA_VERSION}
+        - SECHUB_VERSION=${SECHUB_VERSION}
+        - TAG=${TAG}
+        - BRANCH=${BRANCH}
+      context: docker/
+      dockerfile: SecHub-Alpine.dockerfile
+    container_name: sechub
+    hostname: sechub
+    env_file:
+      - .env
+      - .env-single
+    ports:
+      - "127.0.0.1:8443:8443"
+      - "127.0.0.1:15023:15023"
+    networks:
+      - sechub
+networks:
+  sechub:
+    name: sechub
diff --git a/sechub-solution/docker/SecHub-Alpine.dockerfile b/sechub-solution/docker/SecHub-Alpine.dockerfile
@@ -0,0 +1,175 @@
+# SPDX-License-Identifier: MIT
+
+#-------------------
+# Global Variables
+#-------------------
+
+# The image argument needs to be placed on top
+ARG BASE_IMAGE
+
+# Build args
+ARG BUILD_TYPE="download"
+
+ARG SECHUB_VERSION
+ARG TAG=""
+ARG BRANCH=""
+
+# possible values: temurin, openj9, openjdk
+ARG JAVA_DISTRIBUTION="openjdk"
+
+# possible values are 11, 17
+ARG JAVA_VERSION="11"
+
+# Artifact folder
+ARG SECHUB_ARTIFACT_FOLDER="/artifacts"
+
+#-------------------
+# Builder Build
+#-------------------
+
+FROM ${BASE_IMAGE} AS builder-build
+
+# Build args
+ARG GO
+ARG SECHUB_ARTIFACT_FOLDER
+ARG JAVA_VERSION
+ARG JAVA_DISTRIBUTION
+ARG TAG
+ARG BRANCH
+
+ARG BUILD_FOLDER="/build"
+ARG GIT_URL="https://github.com/mercedes-benz/sechub.git"
+
+ENV DOWNLOAD_FOLDER="/downloads"
+ENV PATH="/usr/local/go/bin:$PATH"
+
+RUN echo "Builder: Build"
+
+RUN mkdir --parent "$SECHUB_ARTIFACT_FOLDER" "$DOWNLOAD_FOLDER"
+
+RUN apk update && \
+    apk add wget git && \
+    apk cache clean
+
+COPY --chmod=755 install-java/ "$DOWNLOAD_FOLDER/install-java/"
+
+# Install Java
+RUN cd "$DOWNLOAD_FOLDER/install-java/" && \
+    ./install-java.sh "$JAVA_DISTRIBUTION" "$JAVA_VERSION" jdk
+
+# Copy clone script
+COPY --chmod=755 clone.sh "$BUILD_FOLDER/clone.sh"
+
+# Build SecHub
+RUN mkdir --parent "$BUILD_FOLDER" && \
+    cd "$BUILD_FOLDER" && \
+    # execute the clone script
+    ./clone.sh "$GIT_URL" "$BRANCH" "$TAG" && \
+    cd "sechub" && \
+    # Java version
+    java --version && \
+    # Build SecHub
+    "./buildExecutables" && \
+    cp sechub-server/build/libs/sechub-server-*.jar --target-directory "$SECHUB_ARTIFACT_FOLDER"
+
+#-------------------
+# Builder Download
+#-------------------
+
+FROM ${BASE_IMAGE} AS builder-download
+
+ARG SECHUB_ARTIFACT_FOLDER
+ARG SECHUB_VERSION
+
+RUN echo "Builder: Download"
+
+RUN mkdir --parent "$SECHUB_ARTIFACT_FOLDER"
+
+RUN apk update && \
+    apk add wget
+
+# Download the SecHub server
+RUN cd "$SECHUB_ARTIFACT_FOLDER" && \
+    # download checksum file
+    wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$SECHUB_VERSION-server/sechub-server-$SECHUB_VERSION.jar.sha256sum" && \
+    # download pds
+    wget --no-verbose "https://github.com/mercedes-benz/sechub/releases/download/v$SECHUB_VERSION-server/sechub-server-$SECHUB_VERSION.jar" && \
+    # verify that the checksum and the checksum of the file are same
+    sha256sum -c "sechub-server-$SECHUB_VERSION.jar.sha256sum"
+
+#-------------------
+# Builder Copy Jar
+#-------------------
+
+FROM ${BASE_IMAGE} AS builder-copy
+
+ARG SECHUB_ARTIFACT_FOLDER
+ARG SECHUB_VERSION
+
+RUN echo "Builder: Copy"
+
+RUN mkdir --parent "$SECHUB_ARTIFACT_FOLDER"
+
+# Copy
+COPY copy/sechub-server-*.jar "$SECHUB_ARTIFACT_FOLDER"
+
+#-------------------
+# Builder
+#-------------------
+
+FROM builder-${BUILD_TYPE} as builder
+
+#-------------------
+# SecHub Server Image
+#-------------------
+
+FROM ${BASE_IMAGE} AS sechub
+
+LABEL maintainer="SecHub FOSS Team"
+
+ARG SECHUB_ARTIFACT_FOLDER
+ARG JAVA_DISTRIBUTION
+ARG JAVA_VERSION
+
+# env vars in container
+ENV USER="sechub"
+ENV UID="7474"
+ENV GID="${UID}"
+ENV SECHUB_STORAGE_SHAREDVOLUME_UPLOAD_DIR="/shared_volumes/uploads"
+
+ARG SECHUB_FOLDER="/sechub"
+
+# non-root user
+# using fixed group and user ids
+RUN addgroup --gid "$GID" "$USER"
+RUN adduser --uid "$UID" --ingroup "$USER" --disabled-password "$USER"
+
+RUN mkdir --parent "$SECHUB_FOLDER" "$SECHUB_STORAGE_SHAREDVOLUME_UPLOAD_DIR"
+COPY --from=builder "$SECHUB_ARTIFACT_FOLDER" "$SECHUB_FOLDER"
+
+COPY --chmod=755 install-java/alpine "$SECHUB_FOLDER/install-java/"
+
+# Update container
+RUN apk update
+
+# Install Java
+RUN cd "$SECHUB_FOLDER/install-java/" && \
+    ./install-java.sh "$JAVA_DISTRIBUTION" "$JAVA_VERSION" jre
+
+# Copy run script into container
+COPY run.sh /run.sh
+
+# Set execute permissions for scripts
+RUN chmod +x /run.sh
+
+# Set permissions and remove install scripts
+RUN chown --recursive "$USER:$USER" "$SECHUB_FOLDER" "$SECHUB_STORAGE_SHAREDVOLUME_UPLOAD_DIR" && \
+    rm -rf "$SECHUB_FOLDER/install-java/"
+
+# Set workspace
+WORKDIR "$SECHUB_FOLDER"
+
+# Switch from root to non-root user
+USER "$USER"
+
+CMD ["/run.sh"]
diff --git a/sechub-solution/docker/SecHub-Debian.dockerfile b/sechub-solution/docker/SecHub-Debian.dockerfile
@@ -68,7 +68,7 @@ RUN cd "$DOWNLOAD_FOLDER" && \
     # remove go tar.gz
     rm "$GO"
 
-COPY --chmod=755 install-java/ "$DOWNLOAD_FOLDER/install-java/"
+COPY --chmod=755 install-java/debian "$DOWNLOAD_FOLDER/install-java/"
 
 # Install Java
 RUN cd "$DOWNLOAD_FOLDER/install-java/" && \
@@ -172,7 +172,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get upgrade --assume-yes --quiet && \
     apt-get clean
 
-COPY --chmod=755 install-java/ "$SECHUB_FOLDER/install-java/"
+COPY --chmod=755 install-java/debian/ "$SECHUB_FOLDER/install-java/"
 
 # Install Java
 RUN cd "$SECHUB_FOLDER/install-java/" && \

diff --git a/sechub-solution/docker/copy/README.adoc b/sechub-solution/docker/copy/README.adoc
@@ -1,4 +1,6 @@
 // SPDX-License-Identifier: MIT
+
 . Place a single SecHub Jar into this folder. 
 . Name it `sechub-server-0.0.0.jar`
-. Run `03-start-single-docker-compose-copy.sh` to start the container
+. Change the `BUILD_TYPE` in the `.env` file to `copy`
+. Run one of the scripts starting with `01-*` to start the container
diff --git a/sechub-solution/docker/install-java/alpine/install-java.sh b/sechub-solution/docker/install-java/alpine/install-java.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+print_error() {
+    message="$1"
+
+    echo "$message" 1>&2
+}
+
+JAVA_DISTRIBUTION="$1"
+JAVA_VERSION="$2"
+JAVA_RUNTIME="$3"
+
+JAVA_DIR="/opt/java"
+
+if [ -z "$JAVA_DISTRIBUTION" ]
+then
+    print_error "ERROR: No Java distribution provided!"
+    exit 1
+fi
+
+if [ -z "$JAVA_VERSION" ]
+then
+    print_error "ERROR: No Java version provided!"
+    exit 1
+fi
+
+if [ -z "$JAVA_RUNTIME" ]
+then
+    print_error "ERROR: No Java runtime provided!"
+    print_error "Possible values: jre and jdk"
+    exit 1
+fi
+
+case "$JAVA_DISTRIBUTION" in
+  openjdk)
+    ./install-openjdk.sh "$JAVA_VERSION" "$JAVA_RUNTIME"
+  ;;
+  openj9)
+    print_error "OpenJ9 is not supported for Alpine"
+    exit 1
+  ;;
+  temurin)
+    ./install-temurin.sh "$JAVA_VERSION" "$JAVA_RUNTIME"
+  ;;
+  *)
+    print_error "Java distribution $JAVA_DISTRIBUTION not supported!"
+    print_error "Possible values: openj9, openjdk, temurin"
+    exit 1
+  ;;
+esac
diff --git a/sechub-solution/docker/install-java/alpine/install-openjdk.sh b/sechub-solution/docker/install-java/alpine/install-openjdk.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+JAVA_VERSION="$1"
+JAVA_RUNTIME="$2"
+
+if [ "$JAVA_RUNTIME" == "jdk" ]
+then
+    echo "Installing JDK"
+    apk add "openjdk$JAVA_VERSION-jdk"
+else
+    echo "Installing JRE"
+    apk add "openjdk$JAVA_VERSION-jre-headless"
+fi
diff --git a/sechub-solution/docker/install-java/alpine/install-temurin.sh b/sechub-solution/docker/install-java/alpine/install-temurin.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+# SPDX-License-Identifier: MIT
+
+JAVA_VERSION="$1"
+JAVA_RUNTIME="$2"
+
+apk add wget
+
+wget -O /etc/apk/keys/adoptium.rsa.pub https://packages.adoptium.net/artifactory/api/security/keypair/public/repositories/apk
+echo 'https://packages.adoptium.net/artifactory/apk/alpine/main' >> /etc/apk/repositories
+
+# Temurin does not have JRE build in the Linux packages: https://github.com/adoptium/installer/issues/430
+apk add temurin-"${JAVA_VERSION}-${JAVA_RUNTIME}"
diff --git a/...ution/docker/install-java/install-java.sh → ...ocker/install-java/debian/install-java.sh b/...ution/docker/install-java/install-java.sh → ...ocker/install-java/debian/install-java.sh
diff --git a/...ion/docker/install-java/install-openj9.sh → ...ker/install-java/debian/install-openj9.sh b/...ion/docker/install-java/install-openj9.sh → ...ker/install-java/debian/install-openj9.sh
@@ -38,5 +38,8 @@ rm ibm-semeru-open-*.tar.gz*
 # link to java installation
 ln --symbolic $JAVA_DIR/j*/bin/java /usr/bin/java
 
+# link to keytool installation
+ln --symbolic $JAVA_DIR/j*/bin/keytool /usr/bin/keytool
+
 apt-get remove --assume-yes --quiet wget
 apt-get clean
diff --git a/...on/docker/install-java/install-openjdk.sh → ...er/install-java/debian/install-openjdk.sh b/...on/docker/install-java/install-openjdk.sh → ...er/install-java/debian/install-openjdk.sh
diff --git a/...on/docker/install-java/install-temurin.sh → ...er/install-java/debian/install-temurin.sh b/...on/docker/install-java/install-temurin.sh → ...er/install-java/debian/install-temurin.sh
@@ -16,6 +16,6 @@ echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.n
 apt-get update
 
 # Temurin does not have JRE build in the Linux packages: https://github.com/adoptium/installer/issues/430
-apt-get install --assume-yes --quiet temurin-"${JAVA_VERSION}-jdk"
+apt-get install --assume-yes --quiet temurin-"${JAVA_VERSION}-${JAVA_RUNTIME}"
 apt-get remove --assume-yes --quiet wget
 apt-get clean
diff --git a/sechub-solution/env b/sechub-solution/env
@@ -10,15 +10,16 @@ CPU_LIMIT=1.0
 BUILD_TYPE=download
 
 # The SecHub version used if the BUILD_TYPE is set to `download` 
-SECHUB_VERSION="0.35.2"
+SECHUB_VERSION="0.37.0"
 
 # Go version used
-GO="go1.19.linux-amd64.tar.gz"
+GO="go1.19.5.linux-amd64.tar.gz"
 
 # possible values: temurin, openj9, openjdk
 JAVA_DISTRIBUTION="openjdk"
 
-# The Java version used
+# Which Java version to use
+# Not all Java versions are available
 JAVA_VERSION="11"
 
 # Git information if the BUILD_TYPE is set to `build`