From 58029c577fc79b9ea5cfcc1e2ad1b798801b9f8d Mon Sep 17 00:00:00 2001
From: Dominik Lammers
Date: Wed, 20 Sep 2023 14:37:04 +0200
Subject: [PATCH 1/4] fix: Adjust minor Makefile issues
---
 Makefile | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/Makefile b/Makefile
index c7be436a..7edc6ec6 100644
--- a/Makefile
+++ b/Makefile
@@ -174,10 +174,10 @@ base:
 base
 $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(CAPELLA_DOCKERIMAGES_REVISION) IMAGENAME=$@ .push
-base: SHELL=/bin/bash
+jupyter-notebook: DOCKER_TAG=$(JUPYTER_NOTEBOOK_REVISION)
 jupyter-notebook: base
- docker build $(DOCKER_BUILD_FLAGS) -t $(DOCKER_PREFIX)$@:$(JUPYTER_NOTEBOOK_REVISION) jupyter-notebook
- $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(JUPYTER_NOTEBOOK_REVISION) IMAGENAME=$@ .push
+ docker build $(DOCKER_BUILD_FLAGS) -t $(DOCKER_PREFIX)$@:$(DOCKER_TAG) jupyter-notebook
+ $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(DOCKER_TAG) IMAGENAME=$@ .push
 capella/base: SHELL=./capella_loop.sh
 capella/base: base
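Review bot: In the `jupyter-notebook` recipe the tag reaches the shell unquoted: make pastes `$(DOCKER_TAG)` as raw text into `-t $(DOCKER_PREFIX)$@:$(DOCKER_TAG)` and into the `.push` sub-make arguments, so a value containing whitespace or shell metacharacters would be split or interpreted by the recipe shell. The papyrus and eclipse recipes in the two following Makefile hunks are in the same position now that `$$DOCKER_TAG` has become `$(DOCKER_TAG)`. How the revision and version variables are set is not visible here; if any of them can carry CI-supplied text such as a branch name, quote the operands, e.g. `-t '$(DOCKER_PREFIX)$@:$(DOCKER_TAG)'` and `DOCKER_TAG='$(DOCKER_TAG)'`, and reject values outside Docker's tag character set before building.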
@@ -195,24 +195,25 @@ capella/base: base
 rm capella/.dockerignore
 $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) IMAGENAME=$@ .push
+papyrus/base: DOCKER_TAG=$(PAPYRUS_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)
 papyrus/base: DOCKER_BUILD_FLAGS=--platform linux/amd64
 papyrus/base: base
 docker build $(DOCKER_BUILD_FLAGS) \
- -t $(DOCKER_PREFIX)$@:$$DOCKER_TAG \
+ -t $(DOCKER_PREFIX)$@:$(DOCKER_TAG) \
 --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$(CAPELLA_DOCKERIMAGES_REVISION) \
 --build-arg PAPYRUS_VERSION=$(PAPYRUS_VERSION) \
 papyrus
- $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) IMAGENAME=$@ .push
+ $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(DOCKER_TAG) IMAGENAME=$@ .push
-eclipse/remote: DOCKER_TAG=$(ECLIPSE_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)
+eclipse/base: DOCKER_TAG=$(ECLIPSE_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)
 eclipse/base: base
 docker build $(DOCKER_BUILD_FLAGS) \
- -t $(DOCKER_PREFIX)$@:$$DOCKER_TAG \
+ -t $(DOCKER_PREFIX)$@:$(DOCKER_TAG) \
 --build-arg BUILD_ARCHITECTURE=$(BUILD_ARCHITECTURE) \
 --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$(CAPELLA_DOCKERIMAGES_REVISION) \
 --build-arg ECLIPSE_VERSION=$(ECLIPSE_VERSION) \
 eclipse
- $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) IMAGENAME=$@ .push
+ $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(DOCKER_TAG) IMAGENAME=$@ .push
 capella/remote: SHELL=./capella_loop.sh
 capella/remote: capella/base
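Review bot: The added `papyrus/base: DOCKER_TAG=...` and `eclipse/base: DOCKER_TAG=...` assignments repeat, character for character, the formulas that `papyrus/remote` and `eclipse/remote` carry in the next hunk, and those remote recipes now feed their own `$(DOCKER_TAG)` into `BASE_IMAGE=$(DOCKER_PREFIX)$<:$(DOCKER_TAG)`. If one copy drifts, the remote build would name a base tag that this run did not produce, and Docker would presumably resolve it from whatever image with that tag already exists locally or in the registry. Define the tag once per family, e.g. `PAPYRUS_TAG = $(PAPYRUS_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)` with `papyrus/base papyrus/remote: DOCKER_TAG=$(PAPYRUS_TAG)`, and likewise for eclipse. The `eclipse/remote/pure-variants` recipe spells the eclipse formula out a third time in its `BASE_IMAGE` argument and could use the same variable.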
@@ -223,27 +224,27 @@ papyrus/remote: DOCKER_TAG=$(PAPYRUS_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)
 papyrus/remote: DOCKER_BUILD_FLAGS=--platform linux/amd64
 papyrus/remote: papyrus/base
 docker build $(DOCKER_BUILD_FLAGS) \
- -t $(DOCKER_PREFIX)$@:$$DOCKER_TAG \
- --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$$DOCKER_TAG \
+ -t $(DOCKER_PREFIX)$@:$(DOCKER_TAG) \
+ --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$(DOCKER_TAG) \
 remote
- $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) IMAGENAME=$@ .push
+ $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(DOCKER_TAG) IMAGENAME=$@ .push
 eclipse/remote: DOCKER_TAG=$(ECLIPSE_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)
 eclipse/remote: eclipse/base
 docker build $(DOCKER_BUILD_FLAGS) \
- -t $(DOCKER_PREFIX)$@:$$DOCKER_TAG \
- --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$$DOCKER_TAG \
+ -t $(DOCKER_PREFIX)$@:$(DOCKER_TAG) \
+ --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$(DOCKER_TAG) \
 remote
- $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) IMAGENAME=$@ .push
+ $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(DOCKER_TAG) IMAGENAME=$@ .push
 eclipse/remote/pure-variants: DOCKER_TAG=$(ECLIPSE_VERSION)-$(PURE_VARIANTS_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION)
 eclipse/remote/pure-variants: eclipse/remote
 docker build $(DOCKER_BUILD_FLAGS) \
- -t $(DOCKER_PREFIX)$@:$$DOCKER_TAG \
+ -t $(DOCKER_PREFIX)$@:$(DOCKER_TAG) \
 --build-arg BASE_IMAGE=$(DOCKER_PREFIX)$<:$(ECLIPSE_VERSION)-$(CAPELLA_DOCKERIMAGES_REVISION) \
 --build-arg PURE_VARIANTS_VERSION=$(PURE_VARIANTS_VERSION) \
 pure-variants
- $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) IMAGENAME=$@ .push
+ $(MAKE) PUSH_IMAGES=$(PUSH_IMAGES) DOCKER_TAG=$(DOCKER_TAG) IMAGENAME=$@ .push
 t4c/client/base: SHELL=./capella_loop.sh
 t4c/client/base: capella/base
From 16bf16cc33213c892d494943f467567a12da51ac Mon Sep 17 00:00:00 2001
From: Dominik Lammers
Date: Wed, 20 Sep 2023 14:37:41 +0200
Subject: [PATCH 2/4] fix: Run Papyrus installation as root
---
 papyrus/Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/papyrus/Dockerfile b/papyrus/Dockerfile
index e2841ffb..b8bb78c5 100644
--- a/papyrus/Dockerfile
+++ b/papyrus/Dockerfile
@@ -8,6 +8,8 @@ ENV DEBIAN_FRONTEND=noninteractive
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
+USER root
+
 ARG PAPYRUS_VERSION
 COPY ./versions/${PAPYRUS_VERSION}/papyrus.tar.gz /opt/
@@ -34,3 +36,5 @@ ENV ECLIPSE_INSTALLATION_PATH=/opt/Papyrus
 ENV ECLIPSE_EXECUTABLE=/opt/Papyrus/papyrus
 ENV BASE_TYPE=papyrus
+
+USER techuser
From 12bf0bf3a6812ee8dfb6de3e223a25e1e81115f6 Mon Sep 17 00:00:00 2001
From: Dominik Lammers
Date: Wed, 20 Sep 2023 14:38:07 +0200
Subject: [PATCH 3/4] fix: Fail if `RMT_PASSWORD` is not set but used
---
 readonly/startup.sh | 4 +++-
 remote/startup.sh | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/readonly/startup.sh b/readonly/startup.sh
index 8da5364b..2361da45 100755
--- a/readonly/startup.sh
+++ b/readonly/startup.sh
@@ -5,8 +5,10 @@
 set -exuo pipefail
+salt=$(openssl rand -base64 16)
+password_hash=$(openssl passwd -6 -salt ${salt} "${RMT_PASSWORD:?}")
 line=$(grep techuser /etc/shadow);
-echo ${line%%:*}:$(openssl passwd -6 -salt $(openssl rand -base64 16) "${RMT_PASSWORD:?}"):${line#*:*:} > /etc/shadow;
+echo ${line%%:*}:${password_hash}:${line#*:*:} > /etc/shadow;
 unset RMT_PASSWORD
 # Prepare Workspace
diff --git a/remote/startup.sh b/remote/startup.sh
index 14c70891..827ee340 100755
--- a/remote/startup.sh
+++ b/remote/startup.sh
@@ -7,8 +7,10 @@
 set -exuo pipefail
 if [ "$(whoami)" == "root" ] || [ "$(whoami)" == "techuser" ]; then
+ salt=$(openssl rand -base64 16)
+ password_hash=$(openssl passwd -6 -salt ${salt} "${RMT_PASSWORD:?}")
 line=$(grep techuser /etc/shadow);
- echo ${line%%:*}:$(openssl passwd -6 -salt $(openssl rand -base64 16) "${RMT_PASSWORD:?}"):${line#*:*:} > /etc/shadow;
+ echo ${line%%:*}:${password_hash}:${line#*:*:} > /etc/shadow;
 else
 echo "Only techuser and root are supported as users.";
 exit 1;
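Review bot: In papyrus/Dockerfile every step between the added `USER root` and the closing `USER techuser` now runs as root, including whatever unpacks the copied `papyrus.tar.gz`; that step lies between the two hunks and is not visible here. If it uses tar, note that tar run as root restores the owner and mode bits recorded in the archive by default, so pass `--no-same-owner --no-same-permissions` and check the archive against a pinned SHA-256 before extracting it. A short comment above the new instruction, such as `# root is required for the installation steps below; reset to techuser at the end of this file`, would keep the pairing of the two `USER` lines obvious to later editors.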
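Review bot: In readonly/startup.sh the new `password_hash=` line still runs under `set -exuo pipefail`, so xtrace writes the expanded `openssl passwd` command, plaintext `RMT_PASSWORD` included, and then the resulting hash to stderr, which normally ends up in the container log. The password is also readable in the process argument list while openssl runs. The remote/startup.sh hunk adds the same two lines under the same `set -x`. Switch tracing off around them with `set +x` before and `set -x` after, and hand the secret over on stdin: `password_hash=$(openssl passwd -6 -salt "${salt}" -stdin <<< "${RMT_PASSWORD:?}")`.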
From 1018079cb0c672a3bee572196d69b87e65c42521 Mon Sep 17 00:00:00 2001
From: Dominik Lammers
Date: Wed, 20 Sep 2023 18:02:15 +0200
Subject: [PATCH 4/4] fix: Consider package dependencies
---
 capella/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/capella/Dockerfile b/capella/Dockerfile
index ec43e784..08004296 100644
--- a/capella/Dockerfile
+++ b/capella/Dockerfile
@@ -18,10 +18,11 @@ ONBUILD USER root
 # Install WebKit with GTK
 ONBUILD COPY libs /tmp/libs
 ONBUILD ARG INJECT_PACKAGES=false
+# hadolint ignore=SC2046
 ONBUILD RUN if [ "$INJECT_PACKAGES" = "true" ]; then \
 apt-get update && \
 # Inject old packages manually
- find /tmp/libs -iname "*.deb" -exec apt-get install -y {} \; ; \
+ apt-get install -y $(find /tmp/libs -iname "*.deb"); \
 rm -rf /var/lib/apt/lists/*; \
 rm -r /tmp/libs; \
 else \
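Review bot: In capella/Dockerfile the new `apt-get install -y $(find /tmp/libs -iname "*.deb");` ends in `;`, so its exit status is discarded and the branch carries on to the two `rm` commands. Unless the shell in effect when the ONBUILD trigger fires runs with `-e` (not visible here), a failed or partial install still produces a successful layer. Chain the steps instead: `apt-get install -y $(find /tmp/libs -iname "*.deb") && \` followed by `rm -rf /var/lib/apt/lists/* && \`. Packages installed from local `.deb` files are not covered by apt's repository signature verification, so the contents of `libs` are worth pinning by checksum. The `if`/`else` continues past the end of the hunk.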