Skip to content

Commit

Permalink
feat: (re)introduce content manifest with content sets
Browse files Browse the repository at this point in the history 
For backwards compatibility with image scanners that still expect
https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json
  • Loading branch information
@ralphbean
ralphbean committed Dec 19, 2024
1 parent a72f293 commit b837471
Show file tree
Hide file tree
Showing 4 changed files with 162 additions and 16 deletions.
44 changes: 40 additions & 4 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -518,16 +518,52 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
# Inject a content sets file for backwards compatibility
# This is only possible for images built hermetically with prefetch
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
cat >content-sets.json <<EOF
{
"metadata": {
"icm_version": 1,
"icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
"image_layer_index": 0
},
"from_dnf_hint": true,
"content_sets": []
}
EOF
while IFS='' read -r content_set; do
jq --arg content_set "$content_set" '.content_sets += [$content_set]' content-sets.json >content-sets.json.tmp
mv content-sets.json.tmp content-sets.json
done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)"
echo "Writing to /root/buildinfo/content_manifests/content-sets.json"
buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/
buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container"
BUILDAH_ARGS=()
if [ "${SQUASH}" == "true" ]; then
BUILDAH_ARGS+=("--squash")
fi
buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
# End content sets backwards compatibility
fi
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name
touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
Expand Down
44 changes: 40 additions & 4 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -552,16 +552,52 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
# Inject a content sets file for backwards compatibility
# This is only possible for images built hermetically with prefetch
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
cat >content-sets.json <<EOF
{
"metadata": {
"icm_version": 1,
"icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
"image_layer_index": 0
},
"from_dnf_hint": true,
"content_sets": []
}
EOF
while IFS='' read -r content_set; do
jq --arg content_set "$content_set" '.content_sets += [$content_set]' content-sets.json >content-sets.json.tmp
mv content-sets.json.tmp content-sets.json
done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)"
echo "Writing to /root/buildinfo/content_manifests/content-sets.json"
buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/
buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container"
BUILDAH_ARGS=()
if [ "${SQUASH}" == "true" ]; then
BUILDAH_ARGS+=("--squash")
fi
buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
# End content sets backwards compatibility
fi
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name
touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
Expand Down
45 changes: 41 additions & 4 deletions task/buildah-remote/0.2/buildah-remote.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -529,16 +529,53 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container > /shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
# Inject a content sets file for backwards compatibility
# This is only possible for images built hermetically with prefetch
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
cat >content-sets.json <<EOF
{
"metadata": {
"icm_version": 1,
"icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
"image_layer_index": 0
},
"from_dnf_hint": true,
"content_sets": []
}
EOF
while IFS='' read -r content_set;
do
jq --arg content_set "$content_set" '.content_sets += [$content_set]' content-sets.json > content-sets.json.tmp
mv content-sets.json.tmp content-sets.json
done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)"
echo "Writing to /root/buildinfo/content_manifests/content-sets.json"
buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/
buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container"
BUILDAH_ARGS=()
if [ "${SQUASH}" == "true" ]; then
BUILDAH_ARGS+=("--squash")
fi
buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
# End content sets backwards compatibility
fi
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container > /shared/container_name
touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
Expand Down
45 changes: 41 additions & 4 deletions task/buildah/0.2/buildah.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -450,16 +450,53 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container > /shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
# Inject a content sets file for backwards compatibility
# This is only possible for images built hermetically with prefetch
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
cat >content-sets.json <<EOF
{
"metadata": {
"icm_version": 1,
"icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
"image_layer_index": 0
},
"from_dnf_hint": true,
"content_sets": []
}
EOF
while IFS='' read -r content_set;
do
jq --arg content_set "$content_set" '.content_sets += [$content_set]' content-sets.json > content-sets.json.tmp
mv content-sets.json.tmp content-sets.json
done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)"
echo "Writing to /root/buildinfo/content_manifests/content-sets.json"
buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/
buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container"
BUILDAH_ARGS=()
if [ "${SQUASH}" == "true" ]; then
BUILDAH_ARGS+=("--squash")
fi
buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
# End content sets backwards compatibility
fi
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container > /shared/container_name
touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
Expand Down

0 comments on commit b837471

Please sign in to comment.