INFRA-2860 (project: Infrastructure)

Introduces a "Docker Builder" Docker Image

Description

This issue tracks the work around providing a Docker Image used to ... build Docker images.

• Need for portability: we want the Docker image build process to work the same way on a local developer machine and in the CI process
• Tests should be added, at least "static analysis", and they should be reproducible as well

=> https://github.com/jenkins-infra/docker-builder/

Activity
dduportal Damien Duportal added a comment - edited

Repository created here: https://github.com/jenkins-infra/docker-builder/

Added the team `jenkins-infra/docker` and Gareth Evans as administrators.

PR to build it on infra. instance: https://github.com/jenkins-infra/charts/pull/711
dduportal Damien Duportal added a comment - edited

Updates on this topic, following team meeting and exploratory work:

• Challenges around building Docker images using a workload running in Kubernetes pods:
  • There is a cool article explaining the challenges of building Docker images within containers/pods as an unprivileged user, to avoid container breakout, written by Jess Frazelle on this topic: https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
  • The current shared library is using `img`, the tool by Jess Frazelle: https://github.com/jenkins-infra/pipeline-library/blob/8a4fe3f0636523482537aabf439958593fd3e993/vars/buildDockerAndPublishImage.groovy#L114 . It provides an effective `docker build` step running rootless, but with kernel security (seccomp/apparmor) unconfined.
    => We want to keep at least this level of security
• Challenge around testing Docker images:
  • There are 2 kinds of tests: checking what is inside the "rootfs" of the image (checking if a binary exists at a certain path with the right authorizations, checking for the existence of a user, file, folder, etc.), and testing the behavior (e.g. "If we run the command with no parameter, then we expect it to exit with a particular message", "if we run with the argument `--version` then...").
  • Most of the testing tools expect a Docker Engine (or equivalent) to be available, which is an issue in our case. Even though Docker is now able to run rootless (cf. https://docs.docker.com/engine/security/rootless/), there are still system capabilities required to execute nested container Engines (within containers/pods).
  • Let's try the 1st kind of testing ("what is inside the image") with the tool https://github.com/GoogleContainerTools/container-structure-test , which can be run Docker-less when using the driver `tar`. Even if not perfect, it allows us to add validation, ensure non-regression of the image content, and fulfill TDD methods.
  • The 2nd kind of testing requires the Jenkins workload to be executed on non-Kubernetes agents, i.e. VMs instead. We'll avoid this during the first iterations to stay on "full Kubernetes".
  • Other tools that could be useful to check:
    • https://github.com/aelsabbahy/goss with the "dgoss" wrapper for Docker [⚠️ requires a Docker Engine]
    • https://github.com/open-policy-agent/conftest to be executed as a "Dockerfile" analyzer
• Challenges: Deployment, Credentials and Pipeline trusted execution
  • Pipeline-as-Code + PR-triggered builds mean that the "Jenkinsfile" must be trusted to access sensitive information such as Docker Registry logins.
  • Credentials used to login/push to Docker registries must NOT be available to end users
  • We should not trust outside changes to the Jenkinsfile and any "automation tools" it may call such as Make, Maven, etc., unless carefully reviewed (or not at all)
    => Need for a shared library system
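A structural test file of the first kind discussed in the comment above (rootfs contents checked with container-structure-test and its `tar` driver, so no Docker Engine is needed), as an added example that is not the project's own `cst.yml`; the runtime user name, workdir, binary path and checked files are assumptions:

```yaml
# Added example of a container-structure-test config for the "what is inside
# the image" tests. Not the project's cst.yml; user name, workdir and paths
# are assumed. Run without a Docker Engine:
#   container-structure-test test --driver tar --image <image> --config cst.yml
# commandTests (the "behavior" kind of tests) are deliberately absent: they
# need a container runtime and are not available with the tar driver.
schemaVersion: "2.0.0"

# Checks on the image config only; no container is started.
metadataTest:
  user: "builder"          # assumed: image must not run as root
  workdir: "/workspace"    # assumed

fileExistenceTests:
  # Tool present at the expected path, root-owned and not world-writable.
  - name: "hadolint binary present with the right permissions"
    path: "/usr/local/bin/hadolint"
    shouldExist: true
    permissions: "-rwxr-xr-x"
    uid: 0
    gid: 0
  # Folder the build runs in exists in the rootfs.
  - name: "workspace folder exists"
    path: "/workspace"
    shouldExist: true
  # Registry credentials must never be baked into the published rootfs.
  - name: "no registry credentials left in the image"
    path: "/root/.docker/config.json"
    shouldExist: false

fileContentTests:
  # The non-root user is declared (regex matched against /etc/passwd).
  - name: "builder user is declared in /etc/passwd"
    path: "/etc/passwd"
    expectedContents: ['builder:x:[0-9]+:[0-9]+:']
  # The root account must not be left with an empty password field.
  - name: "root account is locked in /etc/shadow"
    path: "/etc/shadow"
    excludedContents: ['^root::']
```

A failing check here reports the exact path or field that drifted, which is what gives the non-regression guarantee on image content that the comment is after.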
dduportal Damien Duportal added a comment -

Work already done, setting the foundational ground:

• Add a testing phase with Google container-structure-test with a really simple test harness - https://github.com/jenkins-infra/docker-builder/pull/1 and https://github.com/jenkins-infra/docker-builder/pull/4
• Add a deploy step to bootstrap the first image - https://github.com/jenkins-infra/docker-builder/pull/2 and https://github.com/jenkins-infra/docker-builder/pull/5
• Add a `Makefile` to hold the logic - https://github.com/jenkins-infra/docker-builder/pull/3

Work in progress:

• Moving to a shared library (pipeline to scripted + Makefile) - https://github.com/jenkins-infra/docker-builder/pull/6
dduportal Damien Duportal added a comment -

Update:

• The effort to switch to scripted is crazy and does not provide additional value, as we do not have the need to run a step separately. Keeping a declarative syntax also helps readability and lowers the bar for future contribution.
• Additional work has been done on adding hadolint to the image (https://github.com/jenkins-infra/docker-builder/pull/8), and using it to fix self-warnings (https://github.com/jenkins-infra/docker-builder/pull/9) with the help of Kara de la Marck.
• The PR https://github.com/jenkins-infra/pipeline-library/pull/176 has been opened in the jenkins-infra pipeline library repository to contribute back the build/test process, including documentation. Validated by https://github.com/jenkins-infra/docker-builder/pull/10.

Work in Progress:

• Adding test checks into the "cst.yml" file
dduportal Damien Duportal added a comment -

Assigning to Kara de la Marck as she is working on adding the tests.
dduportal Damien Duportal added a comment -

Opened PR for adding structural tests: https://github.com/jenkins-infra/docker-builder/pull/11
dduportal Damien Duportal added a comment -

All PRs on this repo closed, and the build on the principal branch succeeded with the updated shared library.

People

Assignee: dduportal Damien Duportal
Reporter: dduportal Damien Duportal