adding docker-bench-security #15
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Bench for Security | |
| on: | |
| pull_request: | |
| branches: [ develop ] | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Python 3.8 | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: "3.8" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install . | |
| - name: Clean Docker System | |
| run: | | |
| docker system prune -f | |
| - name: Build base image | |
| run: | | |
| docker build -t openfl -f openfl-docker/Dockerfile.base . | |
| - name: Create workspace image | |
| run: | | |
| fx workspace create --prefix example_workspace --template keras_cnn_mnist | |
| cd example_workspace | |
| fx plan initialize -a localhost | |
| fx workspace dockerize --base_image openfl | |
| - name: Create certificate authority for workspace | |
| run: | | |
| cd example_workspace | |
| fx workspace certify | |
| - name: Create signed cert for collaborator | |
| run: | | |
| cd example_workspace | |
| fx collaborator create -d 1 -n charlie --silent | |
| fx collaborator generate-cert-request -n charlie --silent | |
| fx collaborator certify --request-pkg col_charlie_to_agg_cert_request.zip --silent | |
| # Pack the collaborator's private key, signed cert, and data.yaml into a tarball | |
| tarfiles="plan/data.yaml agg_to_col_charlie_signed_cert.zip" | |
| for entry in cert/client/*; do | |
| if [[ "$entry" == *.key ]]; then | |
| tarfiles="$tarfiles $entry" | |
| fi | |
| done | |
| tar -cf cert_col_charlie.tar $tarfiles | |
| # Clean up | |
| rm -f $tarfiles | |
| rm -f col_charlie_to_agg_cert_request.zip | |
| - name: Create signed cert for aggregator | |
| run: | | |
| cd example_workspace | |
| fx aggregator generate-cert-request --fqdn localhost | |
| fx aggregator certify --fqdn localhost --silent | |
| # Pack all files that aggregator needs to start training | |
| tar -cf cert_agg.tar plan cert save | |
| # Remove the directories after archiving | |
| rm -rf plan cert save | |
| - name: Load workspace image | |
| run: | | |
| cd example_workspace | |
| docker load -i example_workspace_image.tar | |
| - name: Run aggregator and collaborator | |
| run: | | |
| cd example_workspace | |
| set -x | |
| docker run --rm \ | |
| --network host \ | |
| --mount type=bind,source=./cert_agg.tar,target=/certs.tar \ | |
| -e CONTAINER_TYPE=aggregator \ | |
| example_workspace /home/openfl/openfl-docker/start_actor_in_container.sh & | |
| # TODO: Run with two collaborators instead. | |
| docker run --rm \ | |
| --network host \ | |
| --mount type=bind,source=./cert_col_charlie.tar,target=/certs.tar \ | |
| -e CONTAINER_TYPE=collaborator \ | |
| -e COL=charlie \ | |
| example_workspace /home/openfl/openfl-docker/start_actor_in_container.sh | |
| - name: Run Docker Bench for Security | |
| run: | | |
| docker run --rm --net host --pid host --userns host --cap-add audit_control \ | |
| -e DOCKER_CONTENT_TRUST=0 \ | |
| -v /etc:/etc:ro \ | |
| -v /lib/systemd/system:/lib/systemd/system:ro \ | |
| -v /usr/bin/containerd:/usr/bin/containerd:ro \ | |
| -v /usr/bin/runc:/usr/bin/runc:ro \ | |
| -v /usr/lib/systemd:/usr/lib/systemd:ro \ | |
| -v /var/lib:/var/lib:ro \ | |
| -v /var/run/docker.sock:/var/run/docker.sock:ro \ | |
| -v "$(pwd)/results:/results" \ | |
| --label docker_bench_security \ | |
| docker/docker-bench-security | |
| # name: Docker Bench for Security | |
| # on: | |
| # pull_request: | |
| # branches: [ develop ] | |
| # permissions: | |
| # contents: read | |
| # jobs: | |
| # docker-bench-security: | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Checkout code | |
| # uses: actions/checkout@v3 | |
| # - name: Set up Python 3.8 | |
| # uses: actions/setup-python@v3 | |
| # with: | |
| # python-version: "3.8" | |
| # - name: Install dependencies | |
| # run: | | |
| # python -m pip install --upgrade pip | |
| # pip install . | |
| # - name: Run Docker Bench for Security | |
| # run: | | |
| # mkdir -p results | |
| # docker run --rm --net host --pid host --userns host --cap-add audit_control \ | |
| # -e DOCKER_CONTENT_TRUST=0 \ | |
| # -v /etc:/etc:ro \ | |
| # -v /lib/systemd/system:/lib/systemd/system:ro \ | |
| # -v /usr/bin/containerd:/usr/bin/containerd:ro \ | |
| # -v /usr/bin/runc:/usr/bin/runc:ro \ | |
| # -v /usr/lib/systemd:/usr/lib/systemd:ro \ | |
| # -v /var/lib:/var/lib:ro \ | |
| # -v /var/run/docker.sock:/var/run/docker.sock:ro \ | |
| # -v "$(pwd)/results:/results" \ | |
| # --label docker_bench_security \ | |
| # docker/docker-bench-security | |
| # - name: Upload Results | |
| # uses: actions/upload-artifact@v3 | |
| # with: | |
| # name: docker-bench-results | |
| # path: logs/docker-bench-security.log |