From 378a16c3572161687f43ddaf77d12c39bfacd760 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Andr=C3=A9?=
Date: Wed, 30 Jan 2019 14:28:12 +0100
Subject: [PATCH] Add script to check for forbidden instructions

When building images for binary type, it is expected to not install executables from untrusted sources, and gem, sensu-install, npm or pip packages for instance should come from the distro itself. This commit adds a `validate-binary-build.sh` script that checks for forbidden commands in the rendered Dockerfile templates for the binary type builds and hooks this script with the pep8 CI job. The output is just informative for now until we've fixed the culprit Dockerfiles, then we'll make the script return an error code and with the ability to fail the pep8 CI check. This should prevent unwanted commands from entering binary type Dockerfiles.

Change-Id: I66e54bd18f4256cdca6c0c50626de4f975c246b8
---
 tools/validate-all-dockerfiles.sh | 2 ++
 tools/validate-binary-build.sh | 48 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100755 tools/validate-binary-build.sh

diff --git a/tools/validate-all-dockerfiles.sh b/tools/validate-all-dockerfiles.sh
index f9dabaa9cb..9599208ebe 100755
--- a/tools/validate-all-dockerfiles.sh
+++ b/tools/validate-all-dockerfiles.sh
@@ -14,4 +14,6 @@ find docker -name Dockerfile.j2 -print0 |
 find docker -name Dockerfile.j2 -print0 |
 xargs -0 tools/validate-indentation.sh || RES=1
+tools/validate-binary-build.sh || RES=1
+
 exit $RES
diff --git a/tools/validate-binary-build.sh b/tools/validate-binary-build.sh
new file mode 100755
index 0000000000..76aafe7c4f
--- /dev/null
+++ b/tools/validate-binary-build.sh
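Review bot: The new `|| RES=1` guard cannot fire yet: validate-binary-build.sh leaves its final `exit $RES` commented out, so the script's status is that of the trailing `if` statement and is always 0, which the commit message says is deliberate for now. A comment next to this line, `# informative only until validate-binary-build.sh is switched to exit non-zero`, would keep the next reader from assuming the binary-build check is already enforced by this job. The enclosing script continues above the hunk.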
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+REAL_PATH=$(python -c "import os,sys;print(os.path.realpath('$0'))")
+cd "$(dirname "$REAL_PATH")/.."
+
+RES=0
+
+generate_templates () {
+ echo Generating templates for $distro
+ tools/build.py --template-only --type binary --base $distro --work-dir=$tmpdir
+}
+
+check_for_errors () {
+ regex=$1
+ # Look for all rendered Dockerfile.
+ # TODO(mwhahaha): Skip kolla-toolbox for now as it's dependent on specific
+ # set of pip installed items.
+ find $tmpdir/docker -not -path "*kolla-toolbox*" -name Dockerfile -print0 |
+ xargs -0 egrep --color "$regex"
+ # NOTE(mandre) grep returns status code of 1 if the expression isn't found
+ # xargs returns with status 123 when the command invocation returns with an
+ # exit status 1-125, this is what we should be looking for as our "everything
+ # is good" code.
+ if [ $? -ne 123 ]; then
+ RES=1
+ fi
+}
+
+echo Looking for forbidden instructions in binary image templates
+
+for distro in debian ubuntu centos rhel oraclelinux; do
+ tmpdir=$(mktemp -d kolla-templates.XXXXXX --tmpdir)
+ generate_templates
+ check_for_errors "gem .*install"
+ check_for_errors "pip .*install"
+ check_for_errors "npm .*install"
+ check_for_errors "sensu-install"
+ check_for_errors "git .*clone"
+ check_for_errors "wget"
+ check_for_errors "curl"
+ rm -r $tmpdir
+done
+
+if [ $RES -eq 1 ]; then
+ echo "ERROR Found forbidden instructions in binary image templates"
+fi
+# Let's not make it fail pep8 job for now
+#exit $RES
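Review bot: A failed template generation makes the check pass silently: `generate_templates` discards the exit status of `tools/build.py`, and when `$tmpdir/docker` is then empty or missing the `find | xargs -0 egrep` pipeline in `check_for_errors` still appears to end in status 123 (egrep exits 1 when it matches nothing, and without `-r` GNU xargs runs it once even with no files), so RES stays 0 and a broken build looks clean. The rewrite below only runs the forbidden-instruction checks when generation succeeds, passes `-r` to xargs so an empty file set yields a flagged status 0, guards `mktemp` failure before the unquoted `rm -r $tmpdir` can run on an empty value, and quotes the `$tmpdir`/`$distro` expansions. The status-123 convention also assumes xargs invokes egrep once; if the file list were ever split into batches, a batch with matches alongside one without would presumably still return 123, so a single `grep -r --include=Dockerfile --exclude-dir=kolla-toolbox` with its own status checked would be a sturdier signal. Separately, `REAL_PATH` interpolates `$0` into Python source and breaks on a path containing a quote; `python -c 'import os,sys;print(os.path.realpath(sys.argv[1]))' "$0"` avoids the interpolation.
```shell
generate_templates () {
    echo "Generating templates for $distro"
    tools/build.py --template-only --type binary --base "$distro" --work-dir="$tmpdir"
}

check_for_errors () {
    regex=$1
    # … unchanged: TODO(mwhahaha) comment …
    find "$tmpdir/docker" -not -path "*kolla-toolbox*" -name Dockerfile -print0 |
        xargs -0 -r egrep --color "$regex"
    # … unchanged: NOTE(mandre) comment and the status-123 check setting RES=1 …
}

# … unchanged: banner echo …

for distro in debian ubuntu centos rhel oraclelinux; do
    tmpdir=$(mktemp -d kolla-templates.XXXXXX --tmpdir) || { RES=1; continue; }
    if generate_templates; then
        check_for_errors "gem .*install"
        # … unchanged: remaining check_for_errors calls …
    else
        echo "ERROR Template generation failed for $distro" >&2
        RES=1
    fi
    rm -r -- "$tmpdir"
done
```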