From e0747db61d4f05f72c3d7eef423affed794dbf0a Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Thu, 13 Jan 2022 12:41:17 +0100
Subject: [PATCH] feat: initial commit
---
Dockerfile | 40 ++++++++++
Makefile | 25 ++++++
README.md | 9 ++-
conf/containers.conf | 12 +++
conf/podman-containers.conf | 4 +
conf/registries.conf | 2 +
conf/storage.conf | 14 ++++
html.tpl | 148 ++++++++++++++++++++++++++++++++++++
8 files changed, 252 insertions(+), 2 deletions(-)
create mode 100644 Dockerfile
create mode 100644 Makefile
create mode 100644 conf/containers.conf
create mode 100644 conf/podman-containers.conf
create mode 100644 conf/registries.conf
create mode 100644 conf/storage.conf
create mode 100644 html.tpl
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a46ea40
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,40 @@
+ARG BASE="latest-alpine-jdk11"
+
+FROM jenkins/inbound-agent:${BASE}
+
+USER root
+RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
+ && apk upgrade -U -a \
+ && apk --no-cache add \
+ make \
+ fuse-overlayfs \
+ podman \
+ buildah \
+ aws-cli \
+ trivy
+
+# Podman tweaks
+ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/
+ADD --chown=jenkins:jenkins conf/podman-containers.conf /home/jenkins/.config/containers/containers.conf
+
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \
+ /var/lib/shared/vfs-images /var/lib/shared/vfs-layers && \
+ touch /var/lib/shared/overlay-images/images.lock /var/lib/shared/overlay-layers/layers.lock \
+ /var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock
+
+# Trivy html template
+ADD --chown=jenkins:jenkins html.tpl /home/jenkins/
+
+# Make docker in Jenkinsfiles work
+RUN ln -s /usr/bin/podman /usr/bin/docker
+
+# Rootless podman
+RUN echo jenkins:100000:65536 > /etc/subuid \
+ && echo jenkins:100000:65536 > /etc/subgid
+
+ENV BUILDAH_ISOLATION=rootless
+
+# Allow container layers to be stored in PVCs
+VOLUME /home/jenkins/.local/share/containers
+
+USER jenkins
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..92a547d
--- /dev/null
+++ b/Makefile
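Review bot: The `RUN apk` step is not reproducible and widens the supply chain: the base defaults to the floating `latest-alpine-jdk11` tag, `apk upgrade -U -a` pulls whatever is current, and every package is unpinned after `edge/testing` is appended globally to the repositories, so `podman`, `buildah` and `trivy` can change under an unchanged Dockerfile and come from an unsupported testing branch. Pin the base by digest (or at least a versioned tag), pin each package (`podman=<version-from-edge-testing-index>` and so on, versions to be confirmed), and scope the testing repository to the packages that need it with `apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing <pkg>` rather than adding it for every later install. The three `ADD` instructions copy plain local files and should be `COPY`, e.g. `COPY conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/`. Since the Makefile pushes this image to a public registry, an `org.opencontainers.image.source` LABEL pointing at the repository would also help consumers trace it.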
@@ -0,0 +1,25 @@
+VERSION ?= 0.1.0
+BASE ?= latest-alpine-jdk11
+REGISTRY := public.ecr.aws/zero-downtime
+REPOSITORY := jenkins-podman
+TAG := $(REPOSITORY):v$(VERSION)
+
+.PHONY: build push clean
+
+all: build
+
+build:
+ podman build --rm --squash-all --build-arg BASE=$(BASE) -t $(TAG) .
+
+push:
+ aws ecr-public get-login-password --region us-east-1 | podman login --username AWS --password-stdin $(REGISTRY)
+ podman tag $(TAG) $(REGISTRY)/$(TAG)
+ podman push $(REGISTRY)/$(TAG)
+
+clean:
+ podman rmi -f $(TAG)
+
+scan:
+ podman save $(TAG) -o image.tar
+ trivy image --input image.tar --format template --template @./html.tpl -o report.html
+ rm -f image.tar
diff --git a/README.md b/README.md
index 788b292..9fc696c 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
-# jenkins-agent
+# jenkins-podman
+Public Repo: https://gallery.ecr.aws/zero-downtime/jenkins-podman
-Custom Jenkins agent incl. rootless podman / buildah.
\ No newline at end of file
+# Resources
+- https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+- https://github.com/jenkinsci/docker-agent/blob/master/11/alpine/Dockerfile
+- https://github.com/jenkinsci/docker-inbound-agent/tree/master/11/alpine
+- https://github.com/aquasecurity/trivy
diff --git a/conf/containers.conf b/conf/containers.conf
new file mode 100644
index 0000000..220c1f8
--- /dev/null
+++ b/conf/containers.conf
@@ -0,0 +1,12 @@
+[containers]
+netns="host"
+userns="host"
+ipcns="host"
+utsns="host"
+cgroupns="host"
+cgroups="disabled"
+log_driver = "k8s-file"
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger="file"
+runtime="crun"
diff --git a/conf/podman-containers.conf b/conf/podman-containers.conf
new file mode 100644
index 0000000..503cca3
--- /dev/null
+++ b/conf/podman-containers.conf
@@ -0,0 +1,4 @@
+[containers]
+volumes = [
+ "/proc:/proc",
+]
diff --git a/conf/registries.conf b/conf/registries.conf
new file mode 100644
index 0000000..004ec42
--- /dev/null
+++ b/conf/registries.conf
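Review bot: `.PHONY: build push clean` leaves out `all` and `scan`, so a file named `scan` or `all` appearing in the checkout (the `scan` target itself writes `image.tar` and `report.html` next to it) would make those targets silently "up to date"; change it to `.PHONY: all build push clean scan`. In `scan`, the `rm -f image.tar` line never runs when `trivy` exits non-zero, leaving the saved tarball in the working tree; chaining the three commands with `&&` plus a cleanup on failure, or saving to a temporary path, would avoid that. Recipe indentation is not recoverable from this rendering, so I have not verified the recipe lines are tab-indented.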
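Review bot: The `[containers]` section in conf/containers.conf pins every namespace to `host` and sets `cgroups="disabled"`, so each container a Jenkins build starts through this agent shares the agent pod's network, IPC, UTS and user namespaces, and the commit does not record why; together with `volumes = ["/proc:/proc"]` in conf/podman-containers.conf this makes the pod, not the container, the isolation boundary between build steps and the agent. A header comment in both files would mark that as deliberate, e.g. `# Nested podman inside a k8s pod: namespaces are shared with the pod on purpose, the pod is the isolation boundary` and, above the volume entry, a line naming the constraint the host /proc bind works around. I read the per-user file installed to /home/jenkins/.config as overriding the system file field by field for the jenkins user, which would apply the `/proc` mount to every container that user runs — confirm that is the intent rather than only the builds that need it.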
@@ -0,0 +1,2 @@
+# Note that changing the order here may break lazy devs Dockerfile
+unqualified-search-registries = [ "gcr.io", "quay.io", "docker.io", "registry.fedoraproject.org"]
diff --git a/conf/storage.conf b/conf/storage.conf
new file mode 100644
index 0000000..633dfc4
--- /dev/null
+++ b/conf/storage.conf
@@ -0,0 +1,14 @@
+[storage]
+driver = "overlay"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[storage.options]
+additionalimagestores = [
+"/var/lib/shared",
+]
+
+[storage.options.overlay]
+mount_program = "/usr/bin/fuse-overlayfs"
+mountopt = "nodev,fsync=0"
+[storage.options.thinpool]
diff --git a/html.tpl b/html.tpl
new file mode 100644
index 0000000..08d240e
--- /dev/null
+++ b/html.tpl
@@ -0,0 +1,148 @@
+ + + + +{{- if . }} + + {{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }} + + + +
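Review bot: Four entries in `unqualified-search-registries` make short image names such as `alpine` ambiguous: which registry serves them depends on the order of this list, which the file's own comment admits is load-bearing, and a same-named image on an earlier registry shadows the one a Jenkinsfile meant. As far as I recall Podman's default `short-name-mode` is `enforcing`, under which a non-interactive pull of an ambiguous short name returns an error rather than taking the first entry, so builds that rely on this list may fail instead of silently resolving. Prefer fully-qualified image references in Jenkinsfiles and shrink this list to a single registry (adding explicit `[aliases]` for any short names that must keep working); at minimum replace the comment with one stating the rule, e.g. `# Short image names are tried against these registries in order; use fully-qualified names in Jenkinsfiles`.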
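Review bot: `[storage.options.thinpool]` on the last line of conf/storage.conf is an empty table with no keys, which is dead configuration that looks copied from a devicemapper example; drop it unless a later change fills it in. `mountopt = "nodev,fsync=0"` turns off fsync for fuse-overlayfs, which is reasonable for disposable build layers but means a crash can leave the layer store inconsistent, and for the rootless jenkins user that store appears to sit under the persistent VOLUME the Dockerfile declares (hedged: I have not confirmed how the rootless graphroot is derived here); a comment such as `# fsync=0: build layers are disposable, accept loss on crash` would record the trade-off.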

{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}

+ + {{- range . }} + + {{- if (eq (len .Vulnerabilities) 0) }} + + {{- else }} + + + + + + + + + {{- range .Vulnerabilities }} + + + + + + + + + {{- end }} + {{- end }} + {{- if (eq (len .Misconfigurations ) 0) }} + + {{- else }} + + + + + + + + {{- range .Misconfigurations }} + + + + + + + + {{- end }} + {{- end }} + {{- end }} +
{{ escapeXML .Type }}
No Vulnerabilities found
PackageVulnerability IDSeverityInstalled VersionFixed VersionLinks
{{ escapeXML .PkgName }}{{ escapeXML .VulnerabilityID }}{{ escapeXML .Vulnerability.Severity }}{{ escapeXML .InstalledVersion }}{{ escapeXML .FixedVersion }}
No Misconfigurations found
TypeMisconf IDCheckSeverityMessage
{{ escapeXML .Type }}{{ escapeXML .ID }}{{ escapeXML .Title }}{{ escapeXML .Severity }}
+{{- else }} + + +

Trivy Returned Empty Report

+{{- end }} + +