purpose

* make it so ploigos-tool containers can build containers while running as any uid
* standerdize setting user in all containers
* standerdize entrypoint for all containers so that updtes-ca-trust gets run by default
* readme updates/cleanup

breaking
* helm, argo, and maven containers had their entrypoints changed so they no longer directly call their respective commands as part of the entrypoint. this makes it simpler for using these containers in workflows where they just need to be running but could break anyone who was usng them outside of a workflow to simply run commands.

.github/workflows/publish.yaml

@@ -509,8 +509,8 @@ jobs:
 
       - name: Test Image 🧪
         run: |
-          echo "Running: docker run ${{ env.IMAGE_TAG_LOCAL }} version --client"
-          docker run ${{ env.IMAGE_TAG_LOCAL }} version --client
+          echo "Verify ArgoCD installed"
+          docker run ${{ env.IMAGE_TAG_LOCAL }} argocd version --client
 
       - name: Login to External Registry 🔑
         uses: docker/login-action@v1
@@ -710,22 +710,22 @@ jobs:
       - name: Test Image 🧪
         run: |
           echo "Check helm is entry point"
-          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} --help
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} helm --help
 
           echo "Check helm version (this value needs to be updated if default value in container is updated)"
-          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} version
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} helm version
 
           echo "Check helm-secrets plugin is installed in expected location"
-          docker run -u 1001 --entrypoint='' ${{ env.IMAGE_TAG_LOCAL }} /bin/sh -c "ls /helm/plugins/helm-secrets"
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} ls /helm/plugins/helm-secrets
 
           echo "Check that helm-secrets plugin is installed"
-          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} secrets --help
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} helm secrets --help
 
           echo "Check that helm-secrets plugin is installed when running as random user"
-          docker run -u 10010042 ${{ env.IMAGE_TAG_LOCAL }} secrets --help
+          docker run -u 10010042 ${{ env.IMAGE_TAG_LOCAL }} helm secrets --help
 
           echo "Check that sops is installed"
-          docker run -u 1001 --entrypoint='' ${{ env.IMAGE_TAG_LOCAL }} /bin/sh -c "sops --version"
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} sops --version
 
       - name: Login to External Registry 🔑
         uses: docker/login-action@v1
@@ -825,11 +825,13 @@ jobs:
       - name: Test Image 🧪
         run: |
           echo "Verify java installed"
-          docker run -u 1001 --entrypoint='' ${{ env.IMAGE_TAG_LOCAL }} /bin/bash -c "java -version"
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} java -version
+
           echo "Verify maven installed"
-          docker run -u 1001 --entrypoint='' ${{ env.IMAGE_TAG_LOCAL }} /bin/bash -c "mvn --version"
+          docker run -u 1001  ${{ env.IMAGE_TAG_LOCAL }} mvn --version
+
           echo "Verify can create file in ~/.m2"
-          docker run -u 1001 --entrypoint='' ${{ env.IMAGE_TAG_LOCAL }} /bin/bash -c "mkdir -p ~/.m2; touch ~/.m2/test-settings.xml"
+          docker run -u 1001 ${{ env.IMAGE_TAG_LOCAL }} /bin/bash -c "mkdir -p ~/.m2; touch ~/.m2/test-settings.xml"
 
       - name: Login to External Registry 🔑
         uses: docker/login-action@v1

README.md

@@ -20,25 +20,45 @@ Defines a Java 8 base container image, built on top of `ploigos-base`, from whic
 
 Defines a jenkins agent as a sidecar for the `ploigos-tool-*` containers. Built from `ploigos-base-java-8`.
 
+## ploigos-jenkins
+**To be deprecated.**
+
+Custom Jenkins Controller that allows for CA root trust to be updated.
+
+## ploigos-jenkins-init
+**To be deprecated.**
+
+Custom Jenkins init image which installs a preset set of Jenkins plugins.
+
 ## ploigos-tool-argocd
 [![ploigos-tool-argocd](https://img.shields.io/badge/quay.io-ploigos--tool--argocd-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-argocd)
 
 Defines an ArgoCD container image. Built from `ploigos-base`.
 
+## ploigos-tool-config-lint
+[![ploigos-tool-config-lint](https://img.shields.io/badge/quay.io-ploigos--tool--config--lint-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-config-lint)
+
+Defines a [config-lint](https://github.com/stelligent/config-lint) container image. Built from `ploigos-base`.
+
 ## ploigos-tool-containers
 [![ploigos-tool-containers](https://img.shields.io/badge/quay.io-ploigos--tool--containers-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-containers)
 
-> **_NOTE:_** This image is not automatically built by GitHub actions because it requires to be built on a subscribed RHEL 8 machine.
-
-Defines a ci tools container that has tools for working with containers.
+Defines a tools container that has tools for working with containers.
 * buildah
 * podman
 * skopeo
 
-## ploigos-tool-config-lint
-[![ploigos-tool-config-lint](https://img.shields.io/badge/quay.io-ploigos--tool--config--lint-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-config-lint)
+Required Capabilities for rootless container building:
+* SETUID
+* SETGID
 
-Defines a [config-lint](https://github.com/stelligent/config-lint) container image. Built from `ploigos-base`.
+## ploigos-tool-helm
+[![ploigos-tool-helm](https://img.shields.io/badge/quay.io-ploigos--tool--helm-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-helm)
+
+Defines a tools container that has helm and helpful helm plugins.
+
+Helm Plugins
+* [helm-secrets (SOPS)](https://github.com/zendesk/helm-secrets)
 
 ## ploigos-tool-maven
 [![ploigos-tool-maven](https://img.shields.io/badge/quay.io-ploigos--tool--maven-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-maven)
@@ -48,10 +68,16 @@ Defines a maven container image. Built from `ploigos-base-java-8`.
 ## ploigos-tool-openscap
 [![ploigos-tool-openscap](https://img.shields.io/badge/quay.io-ploigos--tool--openscap-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-openscap)
 
-> **_NOTE:_** This image is not automatically built by GitHub actions because it requires to be built on a subscribed RHEL 8 machine.
-
 Defines an OpenSCAP based image scanning container image. Built from ploigos-base.
 
+## ploigos-tool-rekor
+[![ploigos-tool-sonar](https://img.shields.io/badge/quay.io-ploigos--tool--rekor-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-rekor)
+
+Defines a tools container that has the tools for doing auto governance. Built from `ploigos-base`.
+
+Tools
+* [rekor](https://github.com/sigstore/rekor)
+
 ## ploigos-tool-sonar
 [![ploigos-tool-sonar](https://img.shields.io/badge/quay.io-ploigos--tool--sonar-lightgrey?logo=open-containers-initiative)](https://quay.io/repository/ploigos/ploigos-tool-sonar)
 

ploigos-base-java-8/Containerfile.ubi8

@@ -26,4 +26,7 @@ RUN INSTALL_PKGS="java-1.8.0-openjdk-devel" && \
     dnf clean all && \
     rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
-USER $PLOIGOS_USER_UID
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}

ploigos-base/Containerfile.ubi8

@@ -73,11 +73,18 @@ RUN alternatives --set python /usr/bin/python3 && \
 RUN python -m pip install --no-cache-dir --upgrade ${PLOIGOS_SOURCE}
 
 # Configure ploigos user
-RUN useradd ploigos --uid $PLOIGOS_USER_UID --gid $PLOIGOS_USER_GID --home-dir ${PLOIGOS_HOME_DIR} --create-home --shell /sbin/nologin && \
-    chown -R $PLOIGOS_USER_UID:${PLOIGOS_USER_GID} ${PLOIGOS_HOME_DIR} && \
+RUN useradd ploigos --uid ${PLOIGOS_USER_UID} --gid ${PLOIGOS_USER_GID} --home-dir ${PLOIGOS_HOME_DIR} --create-home --shell /sbin/nologin && \
+    chown -R ${PLOIGOS_USER_UID}:${PLOIGOS_USER_GID} ${PLOIGOS_HOME_DIR} && \
     chmod -R g+w ${PLOIGOS_HOME_DIR}
 
 # Allow root(0) group to run update-ca-trust extract
 RUN chmod -R g+w /etc/pki/ca-trust/extracted
 
-USER $PLOIGOS_USER_UID
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}
+
+# set entrypoint
+COPY ploigos-base-entrypoint.sh /
+ENTRYPOINT [ "/ploigos-base-entrypoint.sh" ]

ploigos-base/ploigos-base-entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -o errexit
+
+# always update CA trust
+update-ca-trust
+
+# if params given, execute them as is
+# else puase indefinitly
+if [ "$1" ]; then
+  exec "$@"
+else
+  cat
+fi

ploigos-ci-agent-jenkins/Containerfile.ubi8

@@ -37,7 +37,10 @@ RUN chmod 775 /usr/bin && \
     chmod 550 /usr/local/bin/run-jnlp-client && \
     chown 1001:0 /usr/local/bin/run-jnlp-client
 
-USER $PLOIGOS_USER_UID
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}
 
-# Run the Jenkins JNLP client
-ENTRYPOINT ["/usr/local/bin/run-jnlp-client"]
+# # run the base entry point which will then execute the Jenkins JNLP client
+ENTRYPOINT [ "/ploigos-base-entrypoint.sh", "/usr/local/bin/run-jnlp-client" ]

ploigos-tool-argocd/Containerfile.ubi8

@@ -27,6 +27,7 @@ USER root
 RUN curl -L https://github.com/argoproj/argo-cd/releases/download/v1.6.1/argocd-linux-amd64 -o /usr/bin/argocd && \
     chmod 775 /usr/bin/argocd && chown 1001:0 /usr/bin/argocd
 
-USER $PLOIGOS_USER_UID
-
-ENTRYPOINT [ "/usr/bin/argocd" ]
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}

ploigos-tool-config-lint/Containerfile.ubi8

@@ -27,4 +27,7 @@ RUN curl -L https://github.com/stelligent/config-lint/releases/latest/download/c
     chmod 775 ./config-lint && \
     chown 1001:0 ./config-lint
 
-USER $PLOIGOS_USER_UID
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}

ploigos-tool-containers/Containerfile.ubi8

@@ -36,13 +36,20 @@ RUN INSTALL_PKGS="buildah podman skopeo" && \
     dnf clean all && \
     rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+# allow for subgid and subuid to be set at runtime for random UIDs
+# needed to allow for buildah to call newgidmap and newuidmap
+RUN chmod g+rw /etc/subgid /etc/subuid
 
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
 USER $PLOIGOS_USER_UID
 
 # Set up environment variables to note that this is
 # not starting with usernamespace and default to
 # isolate the filesystem with chroot.
 ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
+
+# set custom entrypoint which also calls the base entrypoint
+COPY ploigos-tool-containers-entrypoint.sh /
+ENTRYPOINT [ "/ploigos-tool-containers-entrypoint.sh" ]

ploigos-tool-containers/ploigos-tool-containers-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# update subgid and subuid for our current id
+# NOTE: can not use usermod because also requires permisions to /etc/passwd
+echo $(whoami):10000:65536 >> /etc/subuid
+echo $(whoami):10000:65536 >> /etc/subgid
+
+# call the base entrypoint
+/ploigos-base-entrypoint.sh $@

ploigos-tool-helm/Containerfile.ubi8

@@ -43,6 +43,7 @@ RUN export XDG_DATA_HOME="/" \
     && unset XDG_DATA_HOME
 RUN chmod -R g+w ${HELM_PLUGINS_DIR}
 
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
 USER ${PLOIGOS_USER_UID}
-
-ENTRYPOINT [ "/usr/local/bin/helm" ]

ploigos-tool-maven/Containerfile.ubi8

@@ -29,10 +29,7 @@ RUN INSTALL_PKGS="maven" && \
     dnf clean all && \
     rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
-# Copy scripts
-ADD contrib/bin/* /usr/local/bin/
-
-USER $PLOIGOS_USER_UID
-
-# Configure maven settings
-ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}

ploigos-tool-openscap/Containerfile.ubi8

@@ -18,8 +18,15 @@ LABEL \
     io.openshift.tags="ploigos,oscap,openscap" \
     com.redhat.component="ploigos-tool-openscap-container"
 
+USER root
+
 RUN INSTALL_PKGS="openscap-scanner" && \
     dnf update -y --allowerasing --nobest && \
     dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     dnf clean all && \
     rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}

ploigos-tool-rekor/Containerfile.ubi8

@@ -42,4 +42,7 @@ RUN git clone https://github.com/sigstore/rekor.git && \
     chmod 777 /usr/local/bin/rekor && \
     chown 1001:0 /usr/local/bin/rekor
 
-USER $PLOIGOS_USER_UID
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}

ploigos-tool-sonar/Containerfile.ubi8

@@ -39,4 +39,7 @@ RUN curl https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/${SONAR
 
 ENV PATH /usr/bin/sonar/bin:$PATH
 
-USER $PLOIGOS_USER_UID
+# may not actually be able to run as this user at runtime
+# but platforms like OpenShift will still respect users home directory
+# so still worth setting
+USER ${PLOIGOS_USER_UID}