From 2889275a74fc60687a6f04298d0ae7c2294cba8e Mon Sep 17 00:00:00 2001 From: James Petersen Date: Tue, 17 Aug 2021 13:16:05 -0600 Subject: [PATCH 1/5] Update docker entrypoint with correct cert path Use the `python3 -m certifi` command which returns the path of the certifi cacert.pem file. This means the script doesn't need to be changed whenever the python version for the container is changed. Signed-off-by: James Petersen --- docker-entrypoint.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index bb614897c..8d459ea94 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,7 +1,5 @@ #!/usr/bin/env bash -SITE_PKG_DIR=${SITE_PKG_DIR:="$(python3 -c 'import site; print(site.getsitepackages())')"} - if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]; then echo "Setting ANCHORE_HOST_ID to ${HOSTNAME}" export ANCHORE_HOST_ID=${HOSTNAME} @@ -12,7 +10,7 @@ if [[ -d "/home/anchore/certs" ]] && [[ ! -z "$(ls -A /home/anchore/certs)" ]]; mkdir -p /home/anchore/certs_override/python mkdir -p /home/anchore/certs_override/os ### for python - cp $SITE_PKG_DIR/certifi/cacert.pem /home/anchore/certs_override/python/cacert.pem + cp "$(python3 -m certifi)" /home/anchore/certs_override/python/cacert.pem for file in /home/anchore/certs/*; do if grep -q 'BEGIN CERTIFICATE' "${file}"; then cat "${file}" >> /home/anchore/certs_override/python/cacert.pem From 173875aec32905742a266c959e2016e6ab5d94e0 Mon Sep 17 00:00:00 2001 From: Ryan Brady Date: Tue, 17 Aug 2021 14:49:40 -0400 Subject: [PATCH 2/5] Update docker entrypoint with exact cert path The previous fix to this file dynamically found the Python version, but assumed the rest of the path to the certificate. This patch uses the `python3 -m certifi` command which returns the exact path of the certifi cacert.pem file. This will be resilient through Python version changes. Co-Authored-By: James Petersen Co-Authored-By: Vijay Pillai 
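Review bot: The new `cp "$(python3 -m certifi)" …` line never checks that the substitution produced a path: if certifi is absent, or the installed version predates `python -m certifi` support, the expansion is empty, `cp` fails with an opaque `cannot stat ''`, and — since this patch has no `set -e` — the script carries on and the loop below builds a bundle holding only the mounted certs and none of the default CAs. I would capture and validate first: `certifi_bundle="$(python3 -m certifi)" || { echo 'python3 -m certifi failed' >&2; exit 1; }` / `[[ -f "${certifi_bundle}" ]] || { echo "certifi bundle not found: ${certifi_bundle}" >&2; exit 1; }` / `cp "${certifi_bundle}" /home/anchore/certs_override/python/cacert.pem`. A one-line comment such as `# certifi prints the absolute path of its bundled cacert.pem, so no site-packages/version lookup is needed` would also record why the `SITE_PKG_DIR` lookup was dropped. The enclosing `if [[ -d "/home/anchore/certs" ]] …` block begins before this hunk and its loop continues past it.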
Signed-off-by: Ryan Brady --- docker-entrypoint.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index bb614897c..99fa2596d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,18 +1,16 @@ #!/usr/bin/env bash -SITE_PKG_DIR=${SITE_PKG_DIR:="$(python3 -c 'import site; print(site.getsitepackages())')"} - if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]; then echo "Setting ANCHORE_HOST_ID to ${HOSTNAME}" export ANCHORE_HOST_ID=${HOSTNAME} fi # check if /home/anchore/certs/ exists & has files in it -if [[ -d "/home/anchore/certs" ]] && [[ ! -z "$(ls -A /home/anchore/certs)" ]]; then +if [[ -d "/home/anchore/certs" ]] && [[ -n "$(ls -A /home/anchore/certs)" ]]; then mkdir -p /home/anchore/certs_override/python mkdir -p /home/anchore/certs_override/os ### for python - cp $SITE_PKG_DIR/certifi/cacert.pem /home/anchore/certs_override/python/cacert.pem + cp "$(python3 -m certifi)" /home/anchore/certs_override/python/cacert.pem for file in /home/anchore/certs/*; do if grep -q 'BEGIN CERTIFICATE' "${file}"; then cat "${file}" >> /home/anchore/certs_override/python/cacert.pem From 732c1f5bccb6ab8a6ad5b6b2e684b8c441a0440c Mon Sep 17 00:00:00 2001 From: James Petersen Date: Tue, 17 Aug 2021 13:29:30 -0600 Subject: [PATCH 3/5] Use set to fail script on error Use `set` to fail the script if there are any errors in the entrypoint https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html Signed-off-by: James Petersen --- docker-entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 8d459ea94..63322ba4e 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,5 +1,7 @@ #!/usr/bin/env bash +set -euo pipefail + if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]; then echo "Setting ANCHORE_HOST_ID to ${HOSTNAME}" export ANCHORE_HOST_ID=${HOSTNAME} From 222a7c0458e8f129e7a688cf573dd77841f11ab3 Mon Sep 17 00:00:00 2001 
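Review bot: The `index bb614897c..99fa2596d` line shows this hunk is based on the same parent as patch 1 and re-applies the identical `SITE_PKG_DIR` removal, `! -z` → `-n` change and `cp "$(python3 -m certifi)"` replacement, so it will not apply on top of patches 1 and 4; the series should keep either this patch or patches 1 and 4, not both. On the code itself, the reliance on `python3 -m certifi` is explained only in the commit message; a comment above the copy, `# certifi prints the absolute path of its cacert.pem; independent of the Python minor version`, would keep that rationale in the script. The `cp` also discards the substitution's own exit status, so a failed or empty expansion surfaces only as cp's `cannot stat ''` error — capturing the path into a variable and testing `[[ -f … ]]` before the copy would give a clear failure instead.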
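Review bot: Adding `set -euo pipefail` makes the very next line, `if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]`, abort with an unbound-variable error whenever the container starts without that variable, which the original script tolerated as "not true"; use a default expansion, `if [[ "${SET_HOSTID_TO_HOSTNAME:-}" == "true" ]]; then`. Only the first seven lines are in this hunk, so any other optional environment variable the rest of the file reads needs the same `:-` treatment. Note that `-e` does not check the `cp "$(python3 -m certifi)"` substitution itself — only `cp`'s failure on the resulting empty argument aborts, with a confusing `cannot stat ''` message. A short comment, `# fail fast: unset variables, failed commands and failed pipeline stages all abort the entrypoint`, would document the intent.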
From: James Petersen Date: Tue, 17 Aug 2021 13:38:28 -0600 Subject: [PATCH 4/5] Remove double negative SC2236 update with [SC2236](https://github.com/koalaman/shellcheck/wiki/SC2236) change to remove double negative. Signed-off-by: James Petersen --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 63322ba4e..91d980e5d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -8,7 +8,7 @@ if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]; then fi # check if /home/anchore/certs/ exists & has files in it -if [[ -d "/home/anchore/certs" ]] && [[ ! -z "$(ls -A /home/anchore/certs)" ]]; then +if [[ -d "/home/anchore/certs" ]] && [[ -n "$(ls -A /home/anchore/certs)" ]]; then mkdir -p /home/anchore/certs_override/python mkdir -p /home/anchore/certs_override/os ### for python From be0698d730f7d15fef0db91694d999aa9adbe887 Mon Sep 17 00:00:00 2001 From: James Petersen Date: Tue, 17 Aug 2021 13:29:30 -0600 Subject: [PATCH 5/5] Use set to fail script on error Use `set` to fail the script if there are any errors in the entrypoint https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html Signed-off-by: James Petersen --- docker-entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 99fa2596d..91d980e5d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,5 +1,7 @@ #!/usr/bin/env bash +set -euo pipefail + if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]; then echo "Setting ANCHORE_HOST_ID to ${HOSTNAME}" export ANCHORE_HOST_ID=${HOSTNAME}
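Review bot: This patch is a second copy of patch 3 — same subject, date and body, differing only in the `index 99fa2596d..91d980e5d` base — so the series as posted holds two parallel chains (1→3→4 and 2→5) converging on the same blob, and applying the full series will stop on the duplicate; one chain should be dropped before merging. The `set -u` it adds also turns the unchanged `if [[ "${SET_HOSTID_TO_HOSTNAME}" == "true" ]]` on the following line into a hard failure when the variable is absent from the environment; `"${SET_HOSTID_TO_HOSTNAME:-}"` keeps the previous behaviour of treating unset as false.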