Merge branch 'build-git-lfs-in-ubi-base'

ggeorgiev-gitlab · ggeorgiev-gitlab · commit 8b31bac703f4 · 2023-07-20T14:34:39.000+03:00
Build git-lfs in the base UBI fips image as multiarch See merge request https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/4219
diff --git a/.gitlab/ci/_rules.gitlab-ci.yml b/.gitlab/ci/_rules.gitlab-ci.yml
@@ -263,6 +263,17 @@
       changes:
         - dockerfiles/ci/go.fips.Dockerfile
         - dockerfiles/ci/go.fips.Dockerfile.rebuild
+        - dockerfiles/ci/ubi.fips.base.Dockerfile
+        - dockerfiles/ci/ubi.fips.base.Dockerfile.rebuild
+        - .gitlab/ci/prepare.gitlab-ci.yml
+        - .gitlab/ci/_common.gitlab-ci.yml
+
+.rules:prepare:ubi-base:image:merge-requests:
+  rules:
+    - <<: *if-runner-merge-request-pipeline
+      changes:
+        - dockerfiles/ci/ubi.fips.base.Dockerfile
+        - dockerfiles/ci/ubi.fips.base.Dockerfile.rebuild
         - .gitlab/ci/prepare.gitlab-ci.yml
         - .gitlab/ci/_common.gitlab-ci.yml
 
diff --git a/.gitlab/ci/prepare.gitlab-ci.yml b/.gitlab/ci/prepare.gitlab-ci.yml
@@ -82,7 +82,8 @@ prepare go fips:
 prepare ubi base:
   extends:
     - .docker
-    - .rules:prepare:go-fips:image:merge-requests
+    - .rules:prepare:ubi-base:image:merge-requests
+  timeout: 4h
   stage: prepare
   image: docker:${DOCKER_VERSION}-git
   script:
diff --git a/Makefile.build.mk b/Makefile.build.mk
@@ -27,6 +27,7 @@ go-fips-docker:
 ubi-fips-base-docker: export UBI_VERSION ?= $(UBI_FIPS_VERSION)
 ubi-fips-base-docker: export BUILD_IMAGE ?= registry.gitlab.com/gitlab-org/gitlab-runner/ubi-fips-base:$(UBI_FIPS_VERSION)
 ubi-fips-base-docker: export GIT_VERSION ?= $(GIT_VERSION)
+ubi-fips-base-docker: export GIT_LFS_VERSION ?= $(GIT_LFS_VERSION)
 ubi-fips-base-docker: export BUILD_DOCKERFILE ?= ./dockerfiles/ci/ubi.fips.base.Dockerfile
 ubi-fips-base-docker:
 	# Building UBI FIPS base Docker image
diff --git a/ci/build_ubi_fips_base_image b/ci/build_ubi_fips_base_image
@@ -2,22 +2,35 @@
 
 set -eo pipefail
 
+# shellcheck source=ci/docker_commands
+source "ci/docker_commands"
+
+# source order is important as some functions overlap in name
 source "ci/_build_ci_image_common"
 
 build() {
     echo "Building UBI FIPS base image: ${BUILD_IMAGE}"
-    docker build \
-           --cache-from "${BUILD_IMAGE}" \
+
+    trap cleanup_docker_context_trap ERR SIGINT SIGTERM
+    setup_docker_context
+
+    _docker_buildx build \
+           --platform linux/amd64,linux/ppc64le,linux/arm64  \
+           --no-cache \
            --build-arg UBI_VERSION="${UBI_VERSION}" \
            --build-arg GIT_VERSION="${GIT_VERSION}" \
+           --build-arg GIT_LFS_VERSION="${GIT_LFS_VERSION}" \
+           --push \
            -t "${BUILD_IMAGE}" \
            -f "${BUILD_DOCKERFILE}" \
            "${GIT_ROOT}"
+
+    trap - ERR SIGINT SIGTERM
+    cleanup_docker_context
 }
 
 login
 pull
 build
-push
 logout
 scan
diff --git a/dockerfiles/ci/build_git_lfs b/dockerfiles/ci/build_git_lfs
@@ -13,11 +13,10 @@ set -eo pipefail
 cd /tmp
 
 downloadURL="https://github.com/git-lfs/git-lfs/archive/refs/tags/v${GIT_LFS_VERSION}.tar.gz"
-wget "${downloadURL}" -O git-lfs-${GIT_LFS_VERSION}.tar.gz
+wget "${downloadURL}" -O "git-lfs-${GIT_LFS_VERSION}.tar.gz"
 
-tar -xzf git-lfs-${GIT_LFS_VERSION}.tar.gz
-make -C git-lfs-${GIT_LFS_VERSION}
-cp git-lfs-${GIT_LFS_VERSION}/bin/git-lfs /usr/bin/
-rm -fr /tmp/*
-git-lfs install --skip-repo
+tar -xzf "git-lfs-${GIT_LFS_VERSION}.tar.gz"
+make -C "git-lfs-${GIT_LFS_VERSION}"
+cp "git-lfs-${GIT_LFS_VERSION}/bin/git-lfs" /usr/bin/
+rm -rf /tmp/*
 git-lfs version
diff --git a/dockerfiles/ci/ubi.fips.base.Dockerfile b/dockerfiles/ci/ubi.fips.base.Dockerfile
@@ -1,8 +1,21 @@
 ARG UBI_VERSION
 
-FROM redhat/ubi8-minimal:${UBI_VERSION}
+FROM redhat/ubi8-minimal:${UBI_VERSION} AS git_lfs
 
-ARG PLATFORM_ARCH=amd64
+ARG GIT_LFS_VERSION
+# Build git-lfs from source. This is necessary to resolve a number of CVES
+# vulnerabilties reported against this image.
+#
+# We can probably remove this on the next release of git-lfs.
+# See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31065
+COPY dockerfiles/ci/build_git_lfs /tmp/
+
+RUN microdnf update -y && \
+    microdnf install -y --setopt=tsflags=nodocs \
+        wget make git tar gzip go && \
+    /tmp/build_git_lfs
+
+FROM redhat/ubi8-minimal:${UBI_VERSION}
 
 RUN microdnf update -y && \
     microdnf install -y --setopt=tsflags=nodocs \
@@ -42,6 +55,9 @@ RUN wget https://github.com/git/git/archive/refs/tags/v${GIT_VERSION}.tar.gz &&
     rm -rf /git-${GIT_VERSION} && \
     microdnf remove autoconf emacs-filesystem
 
+COPY --from=git_lfs /usr/bin/git-lfs /usr/bin
+RUN git-lfs install --skip-repo
+
 RUN cd /tmp && \
     git clone https://github.com/larsks/fakeprovide.git && \
     cd fakeprovide && \
diff --git a/dockerfiles/runner-helper/Dockerfile.fips b/dockerfiles/runner-helper/Dockerfile.fips
@@ -9,14 +9,11 @@ ENV PATH="${PATH:-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}"
 RUN microdnf update -y && \
     microdnf install -y \
     bash \
-    git-lfs \
     wget \
     findutils && \
     wget -O /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 && \
     chmod +x /usr/bin/dumb-init
 
-RUN git lfs install --skip-repo
-
 COPY ./helpers/entrypoint /
 RUN chmod +x /entrypoint
 
diff --git a/dockerfiles/runner/install-deps b/dockerfiles/runner/install-deps
@@ -54,9 +54,17 @@ else
 fi
 wget -nv "https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${DUMB_INIT_ARCH}" \
   -O /usr/bin/dumb-init
-wget -nv "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" \
-  -O /tmp/git-lfs.tar.gz
-sha256sum -c -w "${SCRIPTPATH}/checksums-${ARCH}"
+
+if [ -n "$GIT_LFS_VERSION" ]; then
+  wget -nv "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" \
+    -O /tmp/git-lfs.tar.gz
+  sha256sum -c -w "${SCRIPTPATH}/checksums-${ARCH}"
+  tar -xf /tmp/git-lfs.tar.gz -C /tmp/
+  mv "/tmp/git-lfs-${GIT_LFS_VERSION}/git-lfs" /usr/bin/git-lfs
+  rm -rf /tmp/git-lfs*
+  git-lfs install --skip-repo
+  git-lfs version
+fi
 
 if [[ -f /usr/bin/docker-machine ]]; then
   chmod +x /usr/bin/docker-machine
@@ -65,9 +73,3 @@ fi
 
 chmod +x /usr/bin/dumb-init
 dumb-init --version
-
-tar -xf /tmp/git-lfs.tar.gz -C /tmp/
-mv /tmp/git-lfs-${GIT_LFS_VERSION}/git-lfs /usr/bin/git-lfs
-rm -rf /tmp/git-lfs*
-git-lfs install --skip-repo
-git-lfs version
diff --git a/dockerfiles/runner/ubi-fips/Dockerfile b/dockerfiles/runner/ubi-fips/Dockerfile
@@ -6,21 +6,11 @@ ARG TARGETPLATFORM
 
 ARG DOCKER_MACHINE_VERSION
 ARG DUMB_INIT_VERSION
-ARG GIT_LFS_VERSION
 
 COPY gitlab-runner_*.rpm checksums-* install-deps install-gitlab-runner /tmp/
-RUN /tmp/install-deps "${TARGETPLATFORM}" "${DOCKER_MACHINE_VERSION}" "${DUMB_INIT_VERSION}" "${GIT_LFS_VERSION}"
+RUN /tmp/install-deps "${TARGETPLATFORM}" "${DOCKER_MACHINE_VERSION}" "${DUMB_INIT_VERSION}"
 RUN rm -rf /tmp/* /etc/gitlab-runner/.runner_system_id
 
-# Build git-lfs from source. This is necessary to resolve a number of CVES
-# vulnerabilties reported against this image.
-#
-# We can probably remove this on the next release of git-lfs.
-# See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31065
-RUN microdnf install -y --setopt=tsflags=nodocs go
-COPY build_git_lfs /tmp/
-RUN /tmp/build_git_lfs
-
 FROM $BASE_IMAGE
 
 COPY --from=0 / /
