Introduces UBI images & packages for hardening. (for MathWorks use)

mathworks-ref-arch · Sep 26, 2023 · 6b15358 · 6b15358
1 parent 9e2c685
commit 6b15358
Show file tree

Hide file tree

Showing 11 changed files with 376 additions and 0 deletions.
diff --git a/.github/workflows/build-and-publish-ubi-hardening-extras.yml b/.github/workflows/build-and-publish-ubi-hardening-extras.yml
@@ -0,0 +1,153 @@
+# Copyright 2023 The MathWorks, Inc.
+
+name: Build and Publish Extra UBI Packages for Hardening
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'ubi-hardening-extras/**'
+      - "!ubi-hardening-extras/**.md"
+  schedule:
+    - cron: '0 0 * * *'
+
+env:
+  BASE_IMAGE: almalinux-base
+
+jobs:
+  build-base-image:
+    runs-on: ubuntu-latest
+
+    # This job builds the base image and uploads it to the artifacts.
+    # The following jobs all build from this base image.
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build base image and save as tar archive
+        uses: docker/build-push-action@v5
+        with:
+          context: ./ubi-hardening-extras/${{ env.BASE_IMAGE }}
+          tags: ${{ env.BASE_IMAGE }}:latest
+          outputs: type=docker,dest=/tmp/${{ env.BASE_IMAGE }}.tar
+
+      - name: Upload base image archive to artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ env.BASE_IMAGE }}
+          path: /tmp/${{ env.BASE_IMAGE }}.tar
+          retention-days: 1
+
+
+  build-and-publish-ubi-hardening-extras:
+    runs-on: ubuntu-latest
+
+    needs: build-base-image
+
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      matrix:
+        package: [icewm, novnc, tigervnc, xterm]
+
+    env:
+      IMAGE_NAME: ghcr.io/${{ github.repository }}/ubi-hardening-extras/${{ matrix.package }}
+      RED: \033[0;31m
+      GREEN: \033[0;32m
+      ORANGE: \033[0;33m
+      NC: \033[0m
+
+    # This job builds the Docker image for a specific UBI package.
+    # It then checks if the package is different from the last version published.
+    # Finally, it updates GHCR if the package was updated.
+    # This runs for all packages in the matrix.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download base image archive from artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ env.BASE_IMAGE }}
+          path: /tmp
+
+      - name: Load base image from tar archive
+        run: |
+          docker load --input /tmp/${{ env.BASE_IMAGE }}.tar
+          docker image ls -a
+
+      # Build the package Docker image locally to retrieve the new signature.
+      # We will only push to GHCR if the new package SHA-256 is different from the latest one.
+      - name: Build new UBI package Docker image locally
+        uses: docker/build-push-action@v5
+        with:
+          context: ./ubi-hardening-extras/${{ matrix.package }}
+          build-args: BASE_IMAGE=${{ env.BASE_IMAGE }}
+          outputs: type=local,dest=/tmp/new/
+          push: false
+
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Try to retrieve the latest package pushed to GHCR. 
+      # This will error when running this action for the first time.
+      - name: Pull latest UBI package Docker image from ghcr
+        id: pull_latest
+        continue-on-error: true
+        run: |
+          docker pull ${{ env.IMAGE_NAME }}:latest
+
+      - name: Extract signature and version from latest Docker image
+        id: extract
+        run: |
+          # Extract signature and version files from latest docker image if pull was succesful.
+          if [[ ${{ steps.pull_latest.outcome }} == 'success' ]]; then
+            VERSION=$(bash ./ubi-hardening-extras/workflow/extract_metadata.sh ${{ env.IMAGE_NAME }}:latest)
+            echo -e "${{ env.GREEN }}>> Found ${{ env.IMAGE_NAME }} version ${VERSION}.${{ env.NC }}"
+            NEXT_VERSION=$(bash ./ubi-hardening-extras/workflow/increment_version.sh ${VERSION})
+
+          else
+            echo -e "${{ env.RED }}>> Image ${{ env.IMAGE_NAME }} does not exist.${{ env.NC }}"
+            NEXT_VERSION="v1.0"
+
+          fi
+          echo "next_version=${NEXT_VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Check latest signature against new signature
+        id: check
+        run: |
+          # Compare the SHA-256 signature of the latest published package versus the new build
+          STATUS=$(cmp --silent /tmp/latest/*.sha256 /tmp/new/*.sha256; echo $?)
+          if [[ "${STATUS}" == '0' ]]; then
+            echo -e "${{ env.GREEN }}>> ${{ matrix.package }} has not changed, nothing to do.${{ env.NC }}"
+          else
+            echo -e "${{ env.ORANGE }}>> ${{ matrix.package }} has changed, updating the artifacts.${{ env.NC }}"
+          fi
+          echo "is_identical=${STATUS}" >> $GITHUB_OUTPUT
+
+      # Rebuild the same package Docker image from step "Build new UBI package Docker image locally"
+      # this time storing the new version number and pushing to GHCR (since we now know if something has changed). 
+      # The build relies on the docker build cache to simply update the version and push.
+      - name: Build and push to GitHub Container Registry if package has changed
+        uses: docker/build-push-action@v5
+        if: ${{ steps.check.outputs.is_identical != '0' }}
+        with:
+          context: ./ubi-hardening-extras/${{ matrix.package }}
+          build-args: |
+            BASE_IMAGE=${{ env.BASE_IMAGE }}
+            VERSION=${{ steps.extract.outputs.next_version }}
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ steps.extract.outputs.next_version }}
+          push: true
diff --git a/ubi-hardening-extras/README.md b/ubi-hardening-extras/README.md
@@ -0,0 +1,9 @@
+# Red Hat Universal Base Images Packages for Hardening
+
+This repository is for MathWorks&reg; internal use and not intended for end users.
+
+----
+
+Copyright 2023 The MathWorks, Inc.
+
+----
diff --git a/ubi-hardening-extras/almalinux-base/Dockerfile b/ubi-hardening-extras/almalinux-base/Dockerfile
@@ -0,0 +1,16 @@
+# Copyright 2023 The MathWorks, Inc.
+ARG BASE_IMAGE=almalinux
+ARG BASE_TAG=8.8
+
+FROM ${BASE_IMAGE}:${BASE_TAG}
+
+LABEL maintainer="The MathWorks"
+
+ARG LOCATION_ROOT=/tmp
+
+COPY base-dependencies.txt ${LOCATION_ROOT}
+ARG DNF="dnf --disableplugin subscription-manager --assumeyes"
+RUN ${DNF} update && \
+    ${DNF} install $(cat ${LOCATION_ROOT}/base-dependencies.txt)
+
+RUN ${DNF} install dnf-plugins-core epel-release
diff --git a/ubi-hardening-extras/almalinux-base/base-dependencies.txt b/ubi-hardening-extras/almalinux-base/base-dependencies.txt
@@ -0,0 +1,31 @@
+libX11
+libXext
+libXrender
+libXt
+libX11-xcb
+libXcomposite
+libXcursor
+libXdamage
+libXfixes
+libXft
+libXi
+libXinerama
+libXrandr
+libXtst
+libXxf86vm
+cairo
+pango
+nss
+cups-libs
+gdk-pixbuf2
+atk
+libffi
+alsa-lib
+net-tools
+at-spi2-atk
+mesa-libgbm
+at-spi2-core
+wget
+python2
+initscripts
+java-1.8.0-openjdk
diff --git a/ubi-hardening-extras/icewm/Dockerfile b/ubi-hardening-extras/icewm/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2023 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+ARG LOCATION_ROOT=/tmp/deps
+
+FROM ${BASE_IMAGE} as rpm-install
+ARG LOCATION_ROOT
+
+# Package iceWM dependencies
+ARG LOCATION=${LOCATION_ROOT}/icewm
+WORKDIR ${LOCATION}
+ENV DNF="dnf --disableplugin subscription-manager --assumeyes"
+RUN ${DNF} download icewm --resolve && \
+    ${DNF} localinstall *.rpm && \
+    tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 1984-12-07' -cf - *.rpm | gzip --no-name > ${LOCATION}.rpm.tar.gz && \
+    sha256sum ${LOCATION}.rpm.tar.gz > ${LOCATION}.sha256
+ARG VERSION=v1.x
+RUN echo "${VERSION}" > ${LOCATION}.version
+
+FROM scratch AS export-stage
+ARG LOCATION_ROOT
+
+LABEL maintainer="The MathWorks"
+
+COPY --from=rpm-install ${LOCATION_ROOT}/*.gz /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.sha256 /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.version /
diff --git a/ubi-hardening-extras/novnc/Dockerfile b/ubi-hardening-extras/novnc/Dockerfile
@@ -0,0 +1,32 @@
+# Copyright 2023 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+ARG LOCATION_ROOT=/tmp/deps
+
+FROM ${BASE_IMAGE} as rpm-install
+ARG LOCATION_ROOT
+
+# Package noVNC dependencies
+ARG LOCATION=${LOCATION_ROOT}/novnc
+WORKDIR ${LOCATION}
+RUN echo "Install noVNC - HTML5 based VNC viewer" && \
+    mkdir -p ${LOCATION}/utils/websockify && \
+    wget -qO- https://github.com/novnc/noVNC/archive/v1.0.0.tar.gz | tar xz --strip 1 -C ${LOCATION} && \
+    # use older version of websockify to prevent hanging connections on offline containers, see https://github.com/ConSol/docker-headless-vnc-container/issues/50
+    wget -qO- https://github.com/novnc/websockify/archive/v0.6.1.tar.gz | tar xz --strip 1 -C ${LOCATION}/utils/websockify && \
+    chmod +x -v ${LOCATION}/utils/*.sh && \
+    ## create index.html to forward automatically to `vnc_lite.html`
+    ln -s $LOCATION/vnc.html $LOCATION/index.html && \
+    tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 1984-12-07' -cf - . | gzip --no-name > ${LOCATION}.tar.gz && \
+    sha256sum ${LOCATION}.tar.gz > ${LOCATION}.sha256
+ARG VERSION=v1.x
+RUN echo "${VERSION}" > ${LOCATION}.version
+
+FROM scratch AS export-stage
+ARG LOCATION_ROOT
+
+LABEL maintainer="The MathWorks"
+
+COPY --from=rpm-install ${LOCATION_ROOT}/*.gz /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.sha256 /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.version /
diff --git a/ubi-hardening-extras/tigervnc/Dockerfile b/ubi-hardening-extras/tigervnc/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2023 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+ARG LOCATION_ROOT=/tmp/deps
+
+FROM ${BASE_IMAGE} as rpm-install
+ARG LOCATION_ROOT
+
+# Package tiger-vnc dependencies
+ARG LOCATION=${LOCATION_ROOT}/tiger-vnc
+WORKDIR ${LOCATION}
+ENV DNF="dnf --disableplugin subscription-manager --assumeyes"
+RUN ${DNF} download tigervnc-server-minimal --resolve && \
+    ${DNF} localinstall *.rpm && \
+    tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 1984-12-07' -cf - *.rpm | gzip --no-name > ${LOCATION}.rpm.tar.gz && \
+    sha256sum ${LOCATION}.rpm.tar.gz > ${LOCATION}.sha256
+ARG VERSION=v1.x
+RUN echo "${VERSION}" > ${LOCATION}.version
+
+FROM scratch AS export-stage
+ARG LOCATION_ROOT
+
+LABEL maintainer="The MathWorks"
+
+COPY --from=rpm-install ${LOCATION_ROOT}/*.gz /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.sha256 /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.version /
diff --git a/ubi-hardening-extras/workflow/extract_metadata.sh b/ubi-hardening-extras/workflow/extract_metadata.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#
+# Copyright 2023 The MathWorks Inc.
+
+# This script extracts the .sha256 and .version files from a Docker image.
+# The files are saved to /tmp/latest.
+
+# Get script location and Docker image to extract from
+SCRIPTPATH=$(dirname $0)
+BASE_IMAGE=$1
+
+# Extract signature and version files from Docker image
+docker build \
+  --build-arg BASE_IMAGE=${BASE_IMAGE} \
+  --file ${SCRIPTPATH}/extraction.Dockerfile \
+  --output /tmp/latest/ \
+  ${SCRIPTPATH}
+
+# Output version
+VERSION=$(cat /tmp/latest/*.version)
+echo "${VERSION}"
diff --git a/ubi-hardening-extras/workflow/extraction.Dockerfile b/ubi-hardening-extras/workflow/extraction.Dockerfile
@@ -0,0 +1,11 @@
+# Copyright 2023 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+FROM ${BASE_IMAGE} as base
+
+FROM scratch AS extract-stage
+
+LABEL maintainer="The MathWorks"
+
+COPY --from=base /*.sha256 /
+COPY --from=base /*.version /
diff --git a/ubi-hardening-extras/workflow/increment_version.sh b/ubi-hardening-extras/workflow/increment_version.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+# Copyright 2023 The MathWorks Inc.
+
+# This script increments the minor version in a version number vMAJOR.MINOR
+
+# Retrieve the input
+VERSION=$1
+
+# Test if the input matches the expected format
+if [[ "${VERSION}" =~ ^v([0-9]+).(-?[0-9]+)$ ]]; then
+    # Extract major and minor levels
+    MAJOR="${BASH_REMATCH[1]}"
+    MINOR="${BASH_REMATCH[2]}"
+
+    # Increment minor level
+    echo "v${MAJOR}.$((++MINOR))"
+
+else
+    echo ">> ${VERSION} is not a valid version (expecting vX.X)."
+    exit 1
+fi
diff --git a/ubi-hardening-extras/xterm/Dockerfile b/ubi-hardening-extras/xterm/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2023 The MathWorks, Inc.
+ARG BASE_IMAGE
+
+ARG LOCATION_ROOT=/tmp/deps
+
+FROM ${BASE_IMAGE} as rpm-install
+ARG LOCATION_ROOT
+
+# Package xterm dependencies
+ARG LOCATION=${LOCATION_ROOT}/xterm
+WORKDIR ${LOCATION}
+ENV DNF="dnf --disableplugin subscription-manager --assumeyes"
+RUN ${DNF} download xterm --resolve && \
+    ${DNF} localinstall *.rpm && \
+    tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 1984-12-07' -cf - *.rpm | gzip --no-name > ${LOCATION}.rpm.tar.gz && \
+    sha256sum ${LOCATION}.rpm.tar.gz > ${LOCATION}.sha256
+ARG VERSION=v1.x
+RUN echo "${VERSION}" > ${LOCATION}.version
+
+FROM scratch AS export-stage
+ARG LOCATION_ROOT
+
+LABEL maintainer="The MathWorks"
+
+COPY --from=rpm-install ${LOCATION_ROOT}/*.gz /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.sha256 /
+COPY --from=rpm-install ${LOCATION_ROOT}/*.version /