diff --git a/hack/generate-buildah-remote.sh b/hack/generate-buildah-remote.sh
index deec2601d0..dc7c05ffc4 100755
--- a/hack/generate-buildah-remote.sh
+++ b/hack/generate-buildah-remote.sh
@@ -1,7 +1,7 @@ #!/bin/bash SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -IMG=quay.io/redhat-user-workloads/rhtap-build-tenant/multi-arch-controller/multi-arch-controller:taskgen-e6a24407844cac38b16df363fe2bdf5e23902646 +IMG=quay.io/redhat-user-workloads/rhtap-build-tenant/multi-arch-controller/multi-arch-controller:taskgen-19eee88a173beaa01ad47511a683fb35927f8f96 podman run -v "$SCRIPTDIR"/..:/data:Z $IMG \ --buildah-task=/data/task/buildah/0.1/buildah.yaml \
diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
index 3829b2ed9d..b31277073f 100644
--- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -263,8 +263,8 @@ spec: -f "$dockerfile_path" -t $IMAGE . container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /var/workdir/container_path - echo $container > /var/workdir/container_name + buildah mount $container | tee /shared/container_path + echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then
@@ -291,6 +291,8 @@ spec: name: varlibcontainers - mountPath: "/entitlement" name: etc-pki-entitlement + - name: shared + mountPath: "/shared" workingDir: /var/workdir - name: sbom-syft-generate
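Review bot: In the buildah step, `buildah mount $container | tee /shared/container_path` lets a failed mount pass unnoticed: the pipeline's exit status is tee's, so unless the step script sets `pipefail` (not visible in the hunk) the step continues with an empty `/shared/container_path`, which the later sbom-syft-generate step expands unquoted into `find … -xtype l -delete`. Capturing the mount point first makes the failure fatal regardless of shell options: `mnt=$(buildah mount "$container") || exit 1` followed by `echo "$mnt" | tee /shared/container_path`. The same pattern is written into buildah-remote-oci-ta.yaml (@@ -313 and @@ -363), buildah-remote.yaml (@@ -320 and @@ -371) and buildah.yaml (@@ -272); the two local-side remote hunks already quote `"$container"` while the others do not, which would be worth aligning. The enclosing step script continues outside the hunk.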
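Review bot: The new volumeMount in buildah-oci-ta.yaml is written `- name: shared` / `mountPath: "/shared"`, the reverse key order of the neighbouring entries in this file and of the same mount as added to the other three task files (`- mountPath: /shared` / `name: shared`); the syft and java steps in this file (@@ -301 and @@ -319) repeat it. Using one ordering keeps the four variants of the task diffable against each other.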
@@ -301,17 +303,19 @@ spec: script: | echo "Running syft on the source directory" syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json - find $(cat /var/workdir/container_path) -xtype l -delete + find $(cat /shared/container_path) -xtype l -delete echo "Running syft on the image filesystem" - syft dir:$(cat /var/workdir/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json + syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - name: shared + mountPath: "/shared" - name: analyse-dependencies-java-sbom image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 script: | if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /var/workdir/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
@@ -319,6 +323,8 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - name: shared + mountPath: "/shared" securityContext: runAsUser: 0
@@ -456,6 +462,8 @@ spec: volumes: - name: varlibcontainers emptyDir: {} + - name: shared + emptyDir: {} - name: workdir emptyDir: {} - name: etc-pki-entitlement
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
index 3918534995..f38bc7805c 100644
--- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
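Review bot: `find $(cat /shared/container_path) -xtype l -delete` in sbom-syft-generate has no guard for a missing or empty file: with no starting point GNU find defaults to `.`, so an empty `/shared/container_path` would make the step delete dangling symlinks under its own working directory (`/var/workdir` here) and then hand syft an empty `dir:` target, and the unquoted substitution also breaks on any path containing whitespace. Reading the file once and validating it before use would close this: `container_path=$(cat /shared/container_path)` and `[ -d "$container_path" ] || { echo "container_path missing" >&2; exit 1; }`, then `"$container_path"` in the find and syft lines. The analyse-dependencies-java-sbom step in the same hunk uses the same unguarded `$(cat /shared/container_path)`, as do the matching hunks in buildah-remote-oci-ta.yaml (@@ -384), buildah-remote.yaml (@@ -395) and buildah.yaml (@@ -313).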
+++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
@@ -193,6 +193,7 @@ spec: fi rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" + rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF'
@@ -313,8 +314,8 @@ spec: -f "$dockerfile_path" -t $IMAGE . container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /var/workdir/container_path - echo $container > /var/workdir/container_name + buildah mount $container | tee /shared/container_path + echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then
@@ -353,6 +354,7 @@ spec: -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e COMMIT_SHA="$COMMIT_SHA" \ -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ + -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ -v $BUILD_DIR/scripts:/script:Z \
@@ -363,8 +365,8 @@ spec: buildah images buildah tag localhost/rhtap-final-image "$IMAGE" container=$(buildah from --pull-never "$IMAGE") - buildah mount "$container" | tee /var/workdir/container_path - echo $container > /var/workdir/container_name + buildah mount "$container" | tee /shared/container_path + echo $container > /shared/container_name securityContext: capabilities: add:
@@ -374,6 +376,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /shared + name: shared - mountPath: /ssh name: ssh readOnly: true
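Review bot: The new `rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/"` copies the contents of the entitlement secret mount onto the remote build host's disk for the duration of the build, and buildah-remote.yaml (@@ -189) does the same for `/entitlement/` and `/mnt/trusted-ca/`. Nothing in this hunk or in the `podman run` hunk (@@ -353) removes that copy afterwards; presumably `$BUILD_DIR` is cleaned up elsewhere in the step — worth confirming that cleanup also runs when the remote build fails. Because `-a` preserves the source mode bits, the remote copy inherits whatever mode the Secret mount has, so it is also worth checking that the files do not end up readable by other users on the build host. A one-line comment above the rsync, such as `# entitlement certs are consumed by the remote buildah; removed together with $BUILD_DIR`, would record the intent. The enclosing script starts before this hunk.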
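Review bot: Inside the `REMOTESSHEOF` heredoc (the script that runs in the remote `podman run` container), the two writes now target `/shared/container_path` and `/shared/container_name`, but the `-v` list in the @@ -353 hunk mounts only `/var/workdir`, `/entitlement`, `/root/.docker`, `/tekton/results` and `/script` — there is no `/shared`. Unless the remote image already contains that directory, `tee` and the redirect will fail there, and if the remote script runs with `set -e` (not visible in the hunk) the remote build aborts. The local-side hunk at @@ -363 re-runs `buildah from` / `buildah mount` and writes the same two files into the real `/shared` emptyDir, so the remote-side writes look redundant and could simply be dropped; buildah-remote.yaml has the identical situation (@@ -320 writes, @@ -361 mounts, @@ -371 re-derives). The heredoc begins before this hunk.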
@@ -384,19 +388,21 @@ spec: script: | echo "Running syft on the source directory" syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json - find $(cat /var/workdir/container_path) -xtype l -delete + find $(cat /shared/container_path) -xtype l -delete echo "Running syft on the image filesystem" - syft dir:$(cat /var/workdir/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json + syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared workingDir: /var/workdir/source - computeResources: {} image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 name: analyse-dependencies-java-sbom script: | if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /var/workdir/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
@@ -406,6 +412,8 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared - computeResources: {} image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a name: merge-syft-sboms
@@ -538,6 +546,8 @@ spec: volumes: - emptyDir: {} name: varlibcontainers + - emptyDir: {} + name: shared - emptyDir: {} name: workdir - name: etc-pki-entitlement
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
index df91bb3122..2caa7ade06 100644
--- a/task/buildah-remote/0.1/buildah-remote.yaml
+++ b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -189,6 +189,8 @@ spec: fi rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" + rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" cat >scripts/script-build.sh <<'REMOTESSHEOF'
@@ -320,8 +322,8 @@ spec: -f "$dockerfile_path" -t $IMAGE . container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - echo $container > /workspace/container_name + buildah mount $container | tee /shared/container_path + echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then
@@ -361,6 +363,8 @@ spec: -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e COMMIT_SHA="$COMMIT_SHA" \ -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ + -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ -v $BUILD_DIR/scripts:/script:Z \
@@ -371,8 +375,8 @@ spec: buildah images buildah tag localhost/rhtap-final-image "$IMAGE" container=$(buildah from --pull-never "$IMAGE") - buildah mount "$container" | tee $(workspaces.source.path)/container_path - echo $container > $(workspaces.source.path)/container_name + buildah mount "$container" | tee /shared/container_path + echo $container > /shared/container_name securityContext: capabilities: add:
@@ -380,6 +384,8 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared - mountPath: /entitlement name: etc-pki-entitlement - mountPath: /mnt/trusted-ca
@@ -395,19 +401,21 @@ spec: script: | echo "Running syft on the source directory" syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - find $(cat /workspace/container_path) -xtype l -delete + find $(cat /shared/container_path) -xtype l -delete echo "Running syft on the image filesystem" - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json + syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared workingDir: $(workspaces.source.path)/source - computeResources: {} image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 name: analyse-dependencies-java-sbom script: | if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
@@ -417,6 +425,8 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared - computeResources: {} image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a name: merge-syft-sboms
@@ -553,6 +563,8 @@ spec: volumes: - emptyDir: {} name: varlibcontainers + - emptyDir: {} + name: shared - name: etc-pki-entitlement secret: optional: true
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index 061ad9c09a..6744fd6b97 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -272,8 +272,8 @@ spec: -f "$dockerfile_path" -t $IMAGE . container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - echo $container > /workspace/container_name + buildah mount $container | tee /shared/container_path + echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then
@@ -298,6 +298,8 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared - mountPath: "/entitlement" name: etc-pki-entitlement - name: trusted-ca
@@ -313,17 +315,19 @@ spec: script: | echo "Running syft on the source directory" syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - find $(cat /workspace/container_path) -xtype l -delete + find $(cat /shared/container_path) -xtype l -delete echo "Running syft on the image filesystem" - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json + syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared - name: analyse-dependencies-java-sbom image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 script: | if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
@@ -331,6 +335,8 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /shared + name: shared securityContext: runAsUser: 0
@@ -472,6 +478,8 @@ spec: volumes: - name: varlibcontainers emptyDir: {} + - name: shared + emptyDir: {} - name: etc-pki-entitlement secret: secretName: $(params.ENTITLEMENT_SECRET)