Add script to check for forbidden instructions

When building images for binary type, it is expected to not install executables from untrusted sources, and gem, sensu-install, npm or pip packages for instance should come from the distro itself. This commit adds a `validate-binary-build.sh` script that checks for forbidden commands in the rendered Dockerfile templates for the binary type builds and hooks this script with the pep8 CI job. The output is just informative for now until we've fixed the culprit Dockerfiles, then we'll make the script return an error code and with the ability to fail the pep8 CI check. This should prevent unwanted commands from entering binary type Dockerfiles. Change-Id: I66e54bd18f4256cdca6c0c50626de4f975c246b8
2019-01-30 14:28:12 +01:00 · 2019-01-30 14:28:12 +01:00 · 378a16c357
commit 378a16c357
parent 498c57fcac
2 changed files with 50 additions and 0 deletions
--- a/tools/validate-all-dockerfiles.sh
+++ b/tools/validate-all-dockerfiles.sh
@ -14,4 +14,6 @@ find docker -name Dockerfile.j2 -print0 |
 find docker -name Dockerfile.j2 -print0 |
    xargs -0 tools/validate-indentation.sh || RES=1

+tools/validate-binary-build.sh || RES=1
+
 exit $RES
--- a/tools/validate-binary-build.sh
+++ b/tools/validate-binary-build.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+
+REAL_PATH=$(python -c "import os,sys;print(os.path.realpath('$0'))")
+cd "$(dirname "$REAL_PATH")/.."
+
+RES=0
+
+generate_templates () {
+    echo Generating templates for $distro
+    tools/build.py --template-only --type binary --base $distro --work-dir=$tmpdir
+}
+
+check_for_errors () {
+    regex=$1
+    # Look for all rendered Dockerfile.
+    # TODO(mwhahaha): Skip kolla-toolbox for now as it's dependent on specific
+    # set of pip installed items.
+    find $tmpdir/docker -not -path "*kolla-toolbox*" -name Dockerfile -print0 |
+        xargs -0 egrep --color "$regex"
+    # NOTE(mandre) grep returns status code of 1 if the expression isn't found
+    # xargs returns with status 123 when the command invocation returns with an
+    # exit status 1-125, this is what we should be looking for as our "everything
+    # is good" code.
+    if [ $? -ne 123 ]; then
+        RES=1
+    fi
+}
+
+echo Looking for forbidden instructions in binary image templates
+
+for distro in debian ubuntu centos rhel oraclelinux; do
+    tmpdir=$(mktemp -d kolla-templates.XXXXXX --tmpdir)
+    generate_templates
+    check_for_errors "gem .*install"
+    check_for_errors "pip .*install"
+    check_for_errors "npm .*install"
+    check_for_errors "sensu-install"
+    check_for_errors "git .*clone"
+    check_for_errors "wget"
+    check_for_errors "curl"
+    rm -r $tmpdir
+done
+
+if [ $RES -eq 1 ]; then
+    echo "ERROR Found forbidden instructions in binary image templates"
+fi
+# Let's not make it fail pep8 job for now
+#exit $RES