Add test matrix to include different buildkit connectors

Signed-off-by: Brian Goff <[email protected]>
project-copacetic · Aug 9, 2023 · a5e68e4 · a5e68e4
1 parent 528345b
commit a5e68e4
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 34 deletions.
diff --git a/.devcontainer/scripts/run-functional-tests.sh b/.devcontainer/scripts/run-functional-tests.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+
+: "${TEST_BUILDKIT_MODE:="direct/tcp"}"
+: "${IMAGE_NAME_ONLY:="${IMAGE_REF%@*}"}"
+: "${IMAGE_REF_PATCHED:="${IMAGE_NAME_ONLY}-patched"}"
+: "${COPA_FLAGS:=}"
+
+echo "[INFO]: Buildkit mode: ${TEST_BUILDKIT_MODE}"
+echo "[INFO]: Image to patch: ${IMAGE_REF}"
+echo "[INFO]: Patched image name: ${IMAGE_REF_PATCHED}"
+
+echo "[INFO]: Scanning image with trivy ..."
+trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${IMAGE_REF}" --exit-on-eol 1 --ignore-policy "${SCRIPT_DIR}/trivy_ignore.rego"
+echo "[INFO]: Setting up buildkit with mode ${TEST_BUILDKIT_MODE} ..."
+
+if [ ! -f "${SCRIPT_DIR}/setup/${TEST_BUILDKIT_MODE}" ]; then
+ echo "[ERROR]: Unknown mode: ${TEST_BUILDKIT_MODE}" >&2
+ exit 1
+fi
+
+. "${SCRIPT_DIR}/setup/${TEST_BUILDKIT_MODE}"
+
+echo "[INFO]: Run copa on target ..."
+if [ -v COPA_BUILDKIT_ADDR ] && [ -n "${COPA_BUILDKIT_ADDR}" ]; then
+ COPA_FLAGS+="-a ${COPA_BUILDKIT_ADDR}"
+fi
+./copa patch -i "${IMAGE_REF}" -r scan.json -t "${IMAGE_REF_PATCHED}" --timeout 20m ${COPA_FLAGS}
+
+echo "[INFO]: Rescanning patched image with same vuln DB ..."
+trivy image --vuln-type os --ignore-unfixed --skip-db-update --scanners vuln "${IMAGE_REF_PATCHED}" --exit-code 1 --exit-on-eol 1 --ignore-policy "${SCRIPT_DIR}/trivy_ignore.rego"
diff --git a/.devcontainer/scripts/setup/buildx/default b/.devcontainer/scripts/setup/buildx/default
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+docker buildx create --use
+docker buildx inspect --bootstrap
+export COPA_BUILDKIT_ADDR="buildx://"
diff --git a/.devcontainer/scripts/setup/buildx/named b/.devcontainer/scripts/setup/buildx/named
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+docker buildx create --name testpatch
+docker buildx inspect --bootstrap testpatch
+export COPA_BUILDKIT_ADDR="buildx://testpatch"
diff --git a/.devcontainer/scripts/setup/direct/tcp b/.devcontainer/scripts/setup/direct/tcp
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+
+
+: "${BUILDKIT_PORT:=30321}"
+: "${BUILDKIT_VERSION=0.12.0}"
+
+_buildkit_direct_tcp_id="$(docker run --detach --rm --privileged -p 127.0.0.1::${BUILDKIT_PORT}/tcp --entrypoint buildkitd "moby/buildkit:v$BUILDKIT_VERSION" --addr tcp://0.0.0.0:${BUILDKIT_PORT})"
+_buildkitd_tcp_addr="$(docker port ${_buildkit_direct_tcp_id} ${BUILDKIT_PORT})"
+export COPA_BUILDKIT_ADDR="tcp://${_buildkitd_tcp_addr}"
+
+_cleanup() {
+ docker rm -f "${_buildkit_direct_tcp_id}"
+}
+
+trap '_cleanup' EXIT
+
+_check_buildkitd_tcp() {
+ buildctl --addr ${COPA_BUILDKIT_ADDR} debug info
+}
+
+echo "[INFO] Wait for buildkitd to be ready @ ${COPA_BUILDKIT_ADDR}"
+while ! _check_buildkitd_tcp; do
+ sleep 1
+done
diff --git a/.devcontainer/scripts/setup/docker/custom-unix b/.devcontainer/scripts/setup/docker/custom-unix
@@ -0,0 +1,31 @@
+#!/usr/bin/env sh
+
+# dockerd requires containerd snapshotter support to be enabled otherwise required features for buildkit are disabled.
+docker build -t dind -<<EOF
+FROM docker:24.0-dind
+RUN mkdir -p /etc/docker && echo '{"features": { "containerd-snapshotter": true }}' > /etc/docker/daemon.json
+ENTRYPOINT ["dockerd"]
+EOF
+
+: "${DOCKER_DIND_VOLUME:="copa-docker-dind"}"
+
+sock_dir="$(mktemp -d)"
+
+docker_custom_unix_id="$(docker run -d --privileged --mount=type=bind,source="${sock_dir}",target=/run --mount=type=volume,source="${DOCKER_DIND_VOLUME}",target=/var/lib/docker dind --group "$(id -g)")"
+
+_cleanup() {
+ docker rm -f "$docker_custom_unix_id"
+ sudo rm -rf "${sock_dir}"
+}
+
+trap '_cleanup' EXIT
+
+_check_docker_dind() {
+ docker -H "unix://${sock_dir}/docker.sock" info
+}
+
+while ! _check_docker_dind; do
+ check_docker_dind || sleep 1
+done
+
+export COPA_BUILDKIT_ADDR="docker://unix://${sock_dir}/docker.sock"
diff --git a/.devcontainer/scripts/trivy_ignore.rego b/.devcontainer/scripts/trivy_ignore.rego
@@ -0,0 +1,11 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore_vulnerability_ids := {
+ # centos 7.6.1810
+ # bind-license package version "9.11.4-26.P2.el7_9.14" does not exist
+ "CVE-2023-2828"
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -89,6 +89,11 @@ jobs:
  runs-on: ubuntu-latest
  strategy:
  matrix:
+ mode:
+ - "direct/tcp"
+ - "buildx/default"
+ - "buildx/named"
+ - "docker/custom-unix"
  include: ${{ fromJson(needs.build.outputs.include) }}
  steps:
  - name: Check out dev container definition
@@ -105,44 +110,14 @@ jobs:
  registry: ghcr.io
  username: ${{ github.actor }}
  password: ${{ secrets.GITHUB_TOKEN }}
- - name: Create Trivy ignore policy
- shell: bash
- run: |
- cat <<EOF >>trivy_ignore.rego
- package trivy
-
- import data.lib.trivy
-
- default ignore = false
-
- ignore_vulnerability_ids := {
- # centos 7.6.1810
- # bind-license package version "9.11.4-26.P2.el7_9.14" does not exist
- "CVE-2023-2828"
- }
-
- ignore {
- input.VulnerabilityID == ignore_vulnerability_ids[_]
- }
- EOF
  - name: Run functional test in dev container
  uses: devcontainers/ci@57eaf0c9b518a76872bc429cdceefd65a912309b # v0.3.1900000329
  with:
  cacheFrom: ${{ env.DEVCON_NAME }}
  push: never
  env: |
- BUILDKIT_PORT=30321
- BUILDKIT_VERSION=0.12.0
+ TEST_BUILDKIT_MODE=${{ matrix.mode }}
+ IMAGE_REF=${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}
  runCmd: |
- set -e
- echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description }}"
- echo "[INFO]: Scanning image with trivy ..."
- trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" --exit-on-eol 1 --ignore-policy trivy_ignore.rego
- echo "[INFO]: Start buildkitd in the background ..."
- docker run --detach --rm --privileged -p 0.0.0.0:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp --name buildkitd --entrypoint buildkitd "moby/buildkit:v$BUILDKIT_VERSION" --addr tcp://0.0.0.0:$BUILDKIT_PORT
- docker stats buildkitd --no-stream
- sudo lsof -nP -iTCP -sTCP:LISTEN
- echo "[INFO]: Run copa on target ..."
- ./copa patch -i "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" -r scan.json -t "${{ matrix.tag }}-patched" -a tcp://0.0.0.0:$BUILDKIT_PORT --timeout 20m
- echo "[INFO]: Rescanning patched image with same vuln DB ..."
- trivy image --vuln-type os --ignore-unfixed --skip-db-update --scanners vuln "${{ matrix.image }}:${{ matrix.tag }}-patched" --exit-code 1 --exit-on-eol 1 --ignore-policy trivy_ignore.rego
+ echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description}}"
+ .devcontainers/scripts/run-functional-tests.sh