forked from canonical/athena-core
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Build docker images with Ubuntu Pro to get relevant security fixes. If a non-commented "token:" line exists in the secret but the attachment fails, the build will error. However if no token exists it will not error and build without Ubuntu Pro. This is to ensure the GitHub action fails if the token becomes invalid but also allows for local development without a token. For local builds, the file pro-attach-config.yaml is used. Set a token to build with Ubuntu Pro. For GitHub actions, create a secret called PRO_ATTACH_CONFIG with the same contents as as pro-attach-config.yaml file. Closes: canonical#48
- Loading branch information
Showing
5 changed files
with
122 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,57 @@ | ||
|
||
FROM ubuntu:20.04 | ||
LABEL maintainer="Canonical Sustaining Engineering <[email protected]>" | ||
|
||
RUN apt update -yyq && apt -yyq install ca-certificates git xz-utils python3 python3-yaml coreutils bsdmainutils jq bc python3-simplejson | ||
# Reference: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/enable_in_dockerfile.html | ||
RUN --mount=type=secret,id=pro_attach_config \ | ||
# First we update apt so we install the correct versions of packages in | ||
# the next step | ||
apt-get update \ | ||
# | ||
# Here we install `pro` (ubuntu-advantage-tools) as well as ca-certificates, | ||
# which is required to talk to the Ubuntu Pro authentication server securely. | ||
&& apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ | ||
# | ||
# With pro installed, we attach using our attach config file from the | ||
# previous step | ||
&& (if grep -q ^token /run/secrets/pro_attach_config; then pro attach --attach-config /run/secrets/pro_attach_config; fi) \ | ||
# | ||
########################################################################### | ||
# At this point, the container has access to all Ubuntu Pro services | ||
# specified in the attach config file. | ||
########################################################################### | ||
# | ||
# Always upgrade all packages to the latest available version with the Ubuntu Pro | ||
# services enabled. | ||
&& apt-get upgrade -y \ | ||
# | ||
# Then, you can install any specific packages you need for your docker | ||
# container. | ||
# Install them here, while Ubuntu Pro is enabled, so that you get the appropriate | ||
# versions. | ||
# Any `apt-get install ...` commands you have in an existing Dockerfile | ||
# that you may be migrating to use Ubuntu Pro should probably be moved here. | ||
&& apt-get install -y ca-certificates git xz-utils python3 python3-yaml coreutils bsdmainutils jq bc python3-simplejson \ | ||
# | ||
########################################################################### | ||
# Now that we have upgraded and installed any packages from the Ubuntu Pro | ||
# services, we can clean up. | ||
########################################################################### | ||
# | ||
# This purges ubuntu-advantage-tools, including all Ubuntu Pro related | ||
# secrets from the system. | ||
########################################################################### | ||
# IMPORTANT: As written here, this command assumes your container does not | ||
# need ca-certificates so it is purged as well. | ||
# If your container needs ca-certificates, then do not purge it from the | ||
# system here. | ||
########################################################################### | ||
&& apt-get purge --auto-remove -y ubuntu-advantage-tools \ | ||
# | ||
# Finally, we clean up the apt lists which should not be needed anymore | ||
# because any `apt-get install`s should have happened above. Cleaning these | ||
# lists keeps your image smaller. | ||
&& rm -rf /var/lib/apt/lists/* | ||
|
||
RUN update-ca-certificates | ||
RUN mkdir /etc/athena/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,57 @@ | ||
FROM ubuntu:20.04 | ||
LABEL maintainer="Canonical Sustaining Engineering <[email protected]>" | ||
|
||
RUN apt update -yyq && apt -yyq install ca-certificates git xz-utils python3 python3-yaml coreutils bsdmainutils jq bc python3-simplejson python3-pip | ||
# Reference: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/enable_in_dockerfile.html | ||
RUN --mount=type=secret,id=pro_attach_config \ | ||
# First we update apt so we install the correct versions of packages in | ||
# the next step | ||
apt-get update \ | ||
# | ||
# Here we install `pro` (ubuntu-advantage-tools) as well as ca-certificates, | ||
# which is required to talk to the Ubuntu Pro authentication server securely. | ||
&& apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ | ||
# | ||
# With pro installed, we attach using our attach config file from the | ||
# previous step | ||
&& (if grep -q ^token /run/secrets/pro_attach_config; then pro attach --attach-config /run/secrets/pro_attach_config; fi) \ | ||
# | ||
########################################################################### | ||
# At this point, the container has access to all Ubuntu Pro services | ||
# specified in the attach config file. | ||
########################################################################### | ||
# | ||
# Always upgrade all packages to the latest available version with the Ubuntu Pro | ||
# services enabled. | ||
&& apt-get upgrade -y \ | ||
# | ||
# Then, you can install any specific packages you need for your docker | ||
# container. | ||
# Install them here, while Ubuntu Pro is enabled, so that you get the appropriate | ||
# versions. | ||
# Any `apt-get install ...` commands you have in an existing Dockerfile | ||
# that you may be migrating to use Ubuntu Pro should probably be moved here. | ||
&& apt-get install -y ca-certificates git xz-utils python3 python3-yaml coreutils bsdmainutils jq bc python3-simplejson python3-pip \ | ||
# | ||
########################################################################### | ||
# Now that we have upgraded and installed any packages from the Ubuntu Pro | ||
# services, we can clean up. | ||
########################################################################### | ||
# | ||
# This purges ubuntu-advantage-tools, including all Ubuntu Pro related | ||
# secrets from the system. | ||
########################################################################### | ||
# IMPORTANT: As written here, this command assumes your container does not | ||
# need ca-certificates so it is purged as well. | ||
# If your container needs ca-certificates, then do not purge it from the | ||
# system here. | ||
########################################################################### | ||
&& apt-get purge --auto-remove -y ubuntu-advantage-tools \ | ||
# | ||
# Finally, we clean up the apt lists which should not be needed anymore | ||
# because any `apt-get install`s should have happened above. Cleaning these | ||
# lists keeps your image smaller. | ||
&& rm -rf /var/lib/apt/lists/* | ||
|
||
RUN update-ca-certificates | ||
RUN mkdir /etc/athena/ | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# If a non-commented "token:" line exists in the secret but the attachment | ||
# fails, the build will error. However if no token exists it will not | ||
# error and build without Ubuntu Pro. This is to ensure the GitHub action | ||
# fails if the token becomes invalid but also allows for local development | ||
# without a token. | ||
|
||
# Uncomment the following lines and insert your TOKEN from | ||
# https://ubuntu.com/pro/dashboard to enable Ubuntu Pro in the docker image | ||
# build | ||
|
||
#token: TOKEN | ||
#enable_services: | ||
# - esm-infra | ||
# - esm-apps |