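FROM registry.access.redhat.com/ubi8/ubi:8.4 AS anchore-engine-builder
######## This is stage1 where anchore wheels, binary deps, and any items from the source tree get staged to /build_output ########
# Git ref of anchore-cli to wheel alongside the engine. There is no default: the build must pass
# --build-arg CLI_COMMIT=<ref>, otherwise the pip wheel line below resolves to an empty '@' ref.
ARG CLI_COMMIT
ENV LANG=en_US.UTF-8 LC_ALL=C.UTF-8
ENV GOPATH=/go
# Skopeo is built from source at this tag (see the clone step below).
ENV SKOPEO_VERSION=v1.2.1
# Builder steps pipe curl into sh (Syft/Grype installers); without pipefail a failed download
# would be masked by the exit status of the consuming shell. UBI8 ships bash, so this is safe.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# The builder needs the whole source tree; /build_output is the single hand-off point to stage2.
COPY . /buildsource
WORKDIR /buildsource
RUN set -ex && \
    mkdir -p /build_output/deps /build_output/configs /build_output/wheels
# OS build dependencies (compiler toolchain, git, go, python38). The yum cache is cleaned in the
# same layer so it does not sit in the intermediate image; 'yum update -y' is kept as the
# project's way of picking up UBI errata without bumping the base tag.
RUN set -ex && \
    echo "installing OS dependencies" && \
    yum update -y && \
    yum module disable -y python36 && yum module enable -y python38 && \
    yum install -y gcc make python38 git python38-wheel python38-devel go && \
    yum clean all
# create anchore binaries
# anchore-cli is cloned over https: GitHub stopped serving the unauthenticated git:// protocol,
# so the former git+git:// URL fails at clone time. The '\#' keeps the '#egg=' fragment from
# being read as a shell comment.
RUN set -ex && \
    echo "installing anchore" && \
    pip3 wheel --wheel-dir=/build_output/wheels . && \
    pip3 wheel --wheel-dir=/build_output/wheels/ git+https://github.com/anchore/anchore-cli.git@$CLI_COMMIT\#egg=anchorecli && \
    cp ./LICENSE /build_output/ && \
    cp ./conf/default_config.yaml /build_output/configs/default_config.yaml && \
    cp ./docker-entrypoint.sh /build_output/configs/docker-entrypoint.sh && \
    cp -R ./conf/clamav /build_output/configs/
# stage anchore dependency binaries
# Skopeo is compiled from the pinned tag with CGO disabled so the binary has no shared-library
# dependencies on the builder image; its default signature policy is staged for stage2.
RUN set -ex && \
    echo "installing Skopeo" && \
    mkdir -p "${GOPATH}" && \
    git clone --branch "$SKOPEO_VERSION" https://github.com/containers/skopeo ${GOPATH}/src/github.com/containers/skopeo && \
    cd ${GOPATH}/src/github.com/containers/skopeo && \
    make install-binary DISABLE_CGO=1 && \
    cp /usr/bin/skopeo /build_output/deps/ && \
    cp default-policy.json /build_output/configs/skopeo-policy.json
# NOTE(review): both installer scripts are fetched from the unpinned 'main' branch and executed
# as-is; the release version is pinned, but the script itself is not. Pinning the script URL to the
# same release tag (or vendoring it into the source tree) would make these two steps reproducible.
RUN set -ex && \
    echo "installing Syft" && \
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /build_output/deps v0.15.1
RUN set -ex && \
    echo "installing Grype" && \
    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /build_output/deps v0.11.0
# stage RPM dependency binaries
# EPEL is only needed here to resolve the rpms; they are downloaded (not installed) into
# /build_output/deps so stage2 can install them without enabling EPEL in the final image.
RUN set -ex && \
    yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
    yum install -y --downloadonly --downloaddir=/build_output/deps/ dpkg clamav clamav-update && \
    yum clean all
# Convenience archive of the staged output; stage2 copies the /build_output directory directly.
RUN tar -z -c -v -C /build_output -f /anchore-buildblob.tgz .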
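# Build setup section
FROM registry.access.redhat.com/ubi8/ubi:8.4 AS anchore-engine-final
######## This is stage2 which does setup and install entirely from items from stage1's /build_output ########
ARG CLI_COMMIT
ARG ANCHORE_COMMIT
ARG ANCHORE_ENGINE_VERSION="0.9.4"
ARG ANCHORE_ENGINE_RELEASE="r0"
# Copy the staged wheels, dependency binaries/rpms and configs from the build stage.
# NOTE: this COPY layer stays in the final image even though /build_output is removed further
# down; only a BuildKit bind mount from the builder stage would keep it out of the image entirely.
COPY --from=anchore-engine-builder /build_output /build_output
# Container metadata section
# The deprecated MAINTAINER instruction is dropped; the 'maintainer' label below carries the same value.
LABEL anchore_cli_commit=$CLI_COMMIT \
      anchore_commit=$ANCHORE_COMMIT \
      name="anchore-engine" \
      maintainer="[email protected]" \
      vendor="Anchore Inc." \
      version=$ANCHORE_ENGINE_VERSION \
      release=$ANCHORE_ENGINE_RELEASE \
      summary="Anchore Engine - container image scanning service for policy-based security, best-practice and compliance enforcement." \
      description="Anchore is an open platform for container security and compliance that allows developers, operations, and security teams to discover, analyze, and certify container images on-premises or in the cloud. Anchore Engine is the on-prem, OSS, API accessible service that allows ops and developers to perform detailed analysis, run queries, produce reports and define policies on container images that can be used in CI/CD pipelines to ensure that only containers that meet your organization’s requirements are deployed into production."
# Environment variables to be present in running environment
ENV LANG=en_US.UTF-8 LC_ALL=C.UTF-8
# Default values overrideable at runtime of the container.
# ANCHORE_CLI_PASS / ANCHORE_ADMIN_EMAIL are well-known placeholder defaults baked into the image;
# any deployment must override them (and ANCHORE_ADMIN_PASSWORD) at run time.
# AUTHLIB_INSECURE_TRANSPORT=true: insecure transport is required in case of things like TLS sidecars
# terminating TLS in front of the service.
ENV ANCHORE_CONFIG_DIR=/config \
    ANCHORE_SERVICE_DIR=/anchore_service \
    ANCHORE_LOG_LEVEL=INFO \
    ANCHORE_ENABLE_METRICS=false \
    ANCHORE_DISABLE_METRICS_AUTH=false \
    ANCHORE_INTERNAL_SSL_VERIFY=false \
    ANCHORE_WEBHOOK_DESTINATION_URL=null \
    ANCHORE_HINTS_ENABLED=false \
    ANCHORE_FEEDS_ENABLED=true \
    ANCHORE_FEEDS_SSL_VERIFY=true \
    ANCHORE_ENDPOINT_HOSTNAME=localhost \
    ANCHORE_EVENTS_NOTIFICATIONS_ENABLED=false \
    ANCHORE_CATALOG_NOTIFICATION_INTERVAL_SEC=30 \
    ANCHORE_FEED_SYNC_INTERVAL_SEC=21600 \
    ANCHORE_EXTERNAL_PORT=null \
    ANCHORE_EXTERNAL_TLS=false \
    ANCHORE_AUTHZ_HANDLER=native \
    ANCHORE_EXTERNAL_AUTHZ_ENDPOINT=null \
    ANCHORE_ADMIN_PASSWORD=null \
    ANCHORE_ADMIN_EMAIL=admin@myanchore \
    ANCHORE_HOST_ID="anchore-quickstart" \
    ANCHORE_DB_PORT=5432 \
    ANCHORE_DB_NAME=postgres \
    ANCHORE_DB_USER=postgres \
    SET_HOSTID_TO_HOSTNAME=false \
    ANCHORE_CLI_USER=admin \
    ANCHORE_CLI_PASS=foobar \
    ANCHORE_SERVICE_PORT=8228 \
    ANCHORE_CLI_URL="http://localhost:8228" \
    ANCHORE_FEEDS_URL="https://ancho.re/v1/service/feeds" \
    ANCHORE_FEEDS_CLIENT_URL="https://ancho.re/v1/account/users" \
    ANCHORE_FEEDS_TOKEN_URL="https://ancho.re/oauth/token" \
    ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT=0 \
    ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT=0 \
    ANCHORE_AUTH_PUBKEY=null \
    ANCHORE_AUTH_PRIVKEY=null \
    ANCHORE_AUTH_SECRET=null \
    ANCHORE_OAUTH_ENABLED=false \
    ANCHORE_OAUTH_TOKEN_EXPIRATION=3600 \
    ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=false \
    AUTHLIB_INSECURE_TRANSPORT=true \
    ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB=-1 \
    ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC=180 \
    ANCHORE_VULNERABILITIES_PROVIDER="legacy" \
    ANCHORE_GRYPE_DB_URL="https://toolbox-data.anchore.io/grype/databases/listing.json"
# Container run environment settings
#VOLUME /analysis_scratch
# Documentation only; the port is not published by EXPOSE.
EXPOSE ${ANCHORE_SERVICE_PORT}
# Runtime OS dependencies. procps/psmisc are used by the entrypoint for process management;
# the yum cache is cleaned in the same layer so it does not persist in the image.
RUN set -ex && \
    yum update -y && \
    yum module disable -y python36 && yum module enable -y python38 && \
    yum install -y python38 python38-wheel procps psmisc && \
    yum clean all
# Setup container default configs and directories
WORKDIR /anchore-engine
# Perform OS setup
# Directories are owned by uid 1000 with group 0 and group-writable (g+rwX) so the service also
# works under runtimes that start the container with an arbitrary uid in gid 0 (e.g. OpenShift).
# /config/build_installed records the checksum of the shipped config so the entrypoint can tell
# whether the operator mounted a custom config.yaml over it.
RUN set -ex && \
    groupadd --gid 1000 anchore && \
    useradd --uid 1000 --gid anchore --shell /bin/bash --create-home anchore && \
    mkdir -p /config /licenses && \
    mkdir -p /workspace_preload /var/log/anchore /var/run/anchore /analysis_scratch /workspace /anchore_service/bundles ${ANCHORE_SERVICE_DIR}/bundles /home/anchore/clamav/db && \
    cp /build_output/LICENSE /licenses/ && \
    cp /build_output/configs/default_config.yaml /config/config.yaml && \
    cp /build_output/configs/docker-entrypoint.sh /docker-entrypoint.sh && \
    cp /build_output/configs/clamav/freshclam.conf /home/anchore/clamav/ && \
    chown -R 1000:0 /workspace_preload /var/log/anchore /var/run/anchore /analysis_scratch /workspace /anchore_service ${ANCHORE_SERVICE_DIR} /home/anchore && \
    chmod -R g+rwX /workspace_preload /var/log/anchore /var/run/anchore /analysis_scratch /workspace /anchore_service ${ANCHORE_SERVICE_DIR} /home/anchore && \
    chmod -R ug+rw /home/anchore/clamav && \
    md5sum /config/config.yaml > /config/build_installed && \
    chmod +x /docker-entrypoint.sh
# Perform any base OS specific setup
# Perform the anchore-engine build and install
# The install is fully offline: --no-index with --find-links pointing at the staged wheel directory
# (the previous './' pointed at the empty WORKDIR, so transitive deps could only be satisfied by the
# explicitly listed wheels). The skopeo signature policy is installed to the path skopeo reads.
RUN set -ex && \
    pip3 install --no-index --find-links=/build_output/wheels /build_output/wheels/*.whl && \
    cp /build_output/deps/skopeo /usr/bin/skopeo && \
    cp /build_output/deps/syft /usr/bin/syft && \
    cp /build_output/deps/grype /usr/bin/grype && \
    mkdir -p /etc/containers && \
    cp /build_output/configs/skopeo-policy.json /etc/containers/policy.json && \
    yum install -y /build_output/deps/*.rpm && \
    yum clean all && \
    rm -rf /build_output /root/.cache
# Container runtime instructions
# Shell-form CMD so ANCHORE_SERVICE_PORT is expanded at run time; this keeps the probe in step
# with EXPOSE and with an operator-overridden port instead of hard-coding 8228.
HEALTHCHECK --start-period=20s \
    CMD curl -f "http://localhost:${ANCHORE_SERVICE_PORT}/health" || exit 1
# Drop to the unprivileged service user created above before any runtime instruction.
USER 1000
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["anchore-manager", "service", "start", "--all"]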