diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3ad41a2c1..c9853ebe3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -15,7 +15,7 @@ jobs: pre-build-updater: runs-on: ubuntu-latest container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -42,7 +42,7 @@ jobs: pre-build-scanner: runs-on: ubuntu-latest container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -69,7 +69,7 @@ jobs: style-check: runs-on: ubuntu-latest container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -90,7 +90,7 @@ jobs: needs: - pre-build-scanner container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -119,7 +119,7 @@ jobs: needs: - pre-build-scanner container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -153,7 +153,7 @@ jobs: needs: - pre-build-updater container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -194,7 +194,7 @@ jobs: needs: - generate-genesis-dump container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -236,7 +236,7 @@ jobs: always() && (needs.generate-genesis-dump.result == 'success' || needs.generate-genesis-dump.result == 'skipped') container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -289,7 +289,7 @@ jobs: always() && (needs.generate-db-dump.result == 'success' || needs.generate-db-dump.result == 'skipped') container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -334,7 +334,7 @@ jobs: - generate-scanner-db-bundle if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -400,7 +400,7 @@ jobs: needs: - generate-genesis-dump container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -436,7 +436,7 @@ jobs: needs: - generate-db-dump container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -463,7 +463,7 @@ jobs: needs: - generate-db-dump container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 @@ -495,7 +495,7 @@ jobs: needs: - generate-db-dump container: - image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 + image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.openshift-ci/Dockerfile.build_root b/.openshift-ci/Dockerfile.build_root index dae06d18d..47ce2f55e 100644 --- a/.openshift-ci/Dockerfile.build_root +++ b/.openshift-ci/Dockerfile.build_root @@ -10,4 +10,4 @@ # - `make update` and commit the results # - run `/test pj-rehearse-max` on the openshift/release PR to validate the change -FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 +FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 diff --git a/.openshift-ci/build/Dockerfile.build-bundle b/.openshift-ci/build/Dockerfile.build-bundle index c15cd804d..7042c7d6c 100644 --- a/.openshift-ci/build/Dockerfile.build-bundle +++ b/.openshift-ci/build/Dockerfile.build-bundle @@ -1,4 +1,4 @@ -FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 +FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 COPY . /go/src/github.com/stackrox/scanner WORKDIR /go/src/github.com/stackrox/scanner diff --git a/.openshift-ci/build/Dockerfile.build-db-bundle b/.openshift-ci/build/Dockerfile.build-db-bundle index e0c0b8a44..2fd105198 100644 --- a/.openshift-ci/build/Dockerfile.build-db-bundle +++ b/.openshift-ci/build/Dockerfile.build-db-bundle @@ -1,4 +1,4 @@ -FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 +FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 COPY . /go/src/github.com/stackrox/scanner WORKDIR /go/src/github.com/stackrox/scanner diff --git a/.openshift-ci/build/Dockerfile.generate-db-dump b/.openshift-ci/build/Dockerfile.generate-db-dump index 9caa9cb3b..62018a7f9 100644 --- a/.openshift-ci/build/Dockerfile.generate-db-dump +++ b/.openshift-ci/build/Dockerfile.generate-db-dump @@ -1,4 +1,4 @@ -FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 +FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 COPY . /go/src/github.com/stackrox/scanner WORKDIR /go/src/github.com/stackrox/scanner diff --git a/.openshift-ci/build/Dockerfile.generate-genesis-dump b/.openshift-ci/build/Dockerfile.generate-genesis-dump index 81d432e0a..fd58726bf 100644 --- a/.openshift-ci/build/Dockerfile.generate-genesis-dump +++ b/.openshift-ci/build/Dockerfile.generate-genesis-dump @@ -1,4 +1,4 @@ -FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 +FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.65 COPY . /go/src/github.com/stackrox/scanner WORKDIR /go/src/github.com/stackrox/scanner diff --git a/BUILD_IMAGE_VERSION b/BUILD_IMAGE_VERSION index 1bd4544ea..8c0322885 100644 --- a/BUILD_IMAGE_VERSION +++ b/BUILD_IMAGE_VERSION @@ -1 +1 @@ -scanner-build-0.3.61 +scanner-build-0.3.65 diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 301f43235..3d1c35436 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -16,7 +16,7 @@ LABEL name="scanner-db" \ summary="Image scanner database for the StackRox Kubernetes Security Platform" \ description="This image supports image scanning in the StackRox Kubernetes Security Platform." -ENV PG_MAJOR=12 +ENV PG_MAJOR=15 ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \ PGDATA="/var/lib/postgresql/data/pgdata" @@ -37,7 +37,7 @@ RUN curl -sSLf https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-K adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \ microdnf install \ ca-certificates libicu systemd-sysv glibc-locale-source glibc-langpack-en \ - postgresql12-server && \ + postgresql15-server && \ # The removal of /usr/share/zoneinfo from UBI minimal images is intentional. # After building the image, the image is reduced in size as much as possible, # and the /usr/share/zoneinfo directory is purged as it saves space diff --git a/image/db/rhel/Dockerfile.slim b/image/db/rhel/Dockerfile.slim index f01fc7ace..ac0d26b57 100644 --- a/image/db/rhel/Dockerfile.slim +++ b/image/db/rhel/Dockerfile.slim @@ -16,7 +16,7 @@ LABEL name="scanner-db-slim" \ summary="Image scanner database for the StackRox Kubernetes Security Platform" \ description="This image supports image scanning in the StackRox Kubernetes Security Platform." -ENV PG_MAJOR=12 +ENV PG_MAJOR=15 ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \ PGDATA="/var/lib/postgresql/data/pgdata" @@ -37,7 +37,7 @@ RUN curl -sSLf https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-K adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \ microdnf install \ ca-certificates libicu systemd-sysv glibc-locale-source glibc-langpack-en \ - postgresql12-server && \ + postgresql15-server && \ # The removal of /usr/share/zoneinfo from UBI minimal images is intentional. # After building the image, the image is reduced in size as much as possible, # and the /usr/share/zoneinfo directory is purged as it saves space diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index 7077477e5..0c37b572c 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -1,4 +1,4 @@ -FROM registry.redhat.io/rhel8/postgresql-12:latest AS scanner-db-common +FROM registry.redhat.io/rhel8/postgresql-15:latest AS scanner-db-common LABEL \ com.redhat.license_terms="https://www.redhat.com/agreements" \ @@ -35,7 +35,7 @@ RUN dnf upgrade -y --nobest && \ rm -rf /var/cache/dnf /var/cache/yum && \ chmod +x /usr/local/bin/docker-entrypoint.sh -ENV PG_MAJOR=12 \ +ENV PG_MAJOR=15 \ PGDATA="/var/lib/postgresql/data/pgdata" ENTRYPOINT ["docker-entrypoint.sh"] diff --git a/image/db/rhel/scripts/docker-entrypoint.sh b/image/db/rhel/scripts/docker-entrypoint.sh index 27491bb91..0fa992498 100755 --- a/image/db/rhel/scripts/docker-entrypoint.sh +++ b/image/db/rhel/scripts/docker-entrypoint.sh @@ -4,7 +4,7 @@ ### Community][1]. Any stackrox modification or comments are tagged with this ### comment. ### -### [1]: https://github.com/docker-library/postgres/blob/master/12/bullseye/docker-entrypoint.sh +### [1]: https://github.com/docker-library/postgres/blob/44ef8b226a40f86cf9df3f9299067db6779a3aa3/15/bookworm/docker-entrypoint.sh set -Eeo pipefail # TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) @@ -18,7 +18,7 @@ file_env() { local fileVar="${var}_FILE" local def="${2:-}" if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" exit 1 fi local val="$def" @@ -45,11 +45,11 @@ docker_create_db_directories() { mkdir -p "$PGDATA" # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 700 "$PGDATA" || : + chmod 00700 "$PGDATA" || : # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 mkdir -p /var/run/postgresql || : - chmod 775 /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then @@ -84,8 +84,8 @@ docker_init_database_dir() { NSS_WRAPPER_GROUP="$(mktemp)" export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP local gid; gid="$(id -g)" - echo "postgres:x:$uid:$gid:PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$gid:" > "$NSS_WRAPPER_GROUP" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" break fi done @@ -95,7 +95,8 @@ docker_init_database_dir() { set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' # unset/cleanup "nss_wrapper" bits if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then @@ -109,20 +110,24 @@ docker_init_database_dir() { # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + case "${PG_MAJOR:-}" in + 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - This will not work if used via PGPASSWORD with "psql". + This will not work if used via PGPASSWORD with "psql". - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - EOWARN - fi + EOWARN + fi + ;; + esac if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then # The - option suppresses leading tabs but *not* spaces. :) cat >&2 <<-'EOE' @@ -164,7 +169,7 @@ docker_process_init_files() { # psql here for backwards compatibility "${psql[@]}" psql=( docker_process_sql ) - echo + printf '\n' local f for f; do case "$f" in @@ -172,20 +177,20 @@ docker_process_init_files() { # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 # https://github.com/docker-library/postgres/pull/452 if [ -x "$f" ]; then - echo "$0: running $f" + printf '%s: running %s\n' "$0" "$f" "$f" else - echo "$0: sourcing $f" + printf '%s: sourcing %s\n' "$0" "$f" . "$f" fi ;; - *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) echo "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *.sql.zst) echo "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; - *) echo "$0: ignoring $f" ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; esac - echo + printf '\n' done } @@ -216,7 +221,7 @@ docker_setup_db() { POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' CREATE DATABASE :"db" ; EOSQL - echo + printf '\n' fi } @@ -231,6 +236,7 @@ docker_setup_env() { : "${POSTGRES_HOST_AUTH_METHOD:=}" declare -g DATABASE_ALREADY_EXISTS + : "${DATABASE_ALREADY_EXISTS:=}" # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' @@ -250,12 +256,12 @@ pg_setup_hba_conf() { auth="$(postgres -C password_encryption "$@")" : "${POSTGRES_HOST_AUTH_METHOD:=$auth}" { - echo + printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - echo '# warning trust is enabled for all connections' - echo '# see https://www.postgresql.org/docs/12/auth-trust.html' + printf '# warning trust is enabled for all connections\n' + printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' fi - echo "host all all all $POSTGRES_HOST_AUTH_METHOD" + printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" } @@ -308,9 +314,9 @@ _main() { if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then ### STACKROX MODIFIED - If we are initializing, then ensure we start from scratch. if [ -n "$ROX_SCANNER_DB_INIT" ]; then - echo - echo 'Initializing... Clearing any previous data from directories' - echo + printf '\n' + printf 'Initializing... Clearing any previous data from directories\n' + printf '\n' rm -rf "$PGDATA" if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then @@ -332,9 +338,9 @@ _main() { ### STACKROX MODIFIED - Sanity check the database does not exist ### upon initialization. if [ -n "$ROX_SCANNER_DB_INIT" ] && [ -n "$DATABASE_ALREADY_EXISTS" ]; then - echo - echo 'PostgreSQL Database appears to already exist upon initialization; Exiting with error...' - echo + printf '\n' + printf 'PostgreSQL Database appears to already exist upon initialization; Exiting with error...\n' + printf '\n' exit 1 fi @@ -360,16 +366,20 @@ _main() { docker_temp_server_stop unset PGPASSWORD - echo - echo 'PostgreSQL init process complete; ready for start up.' - echo + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM ### STACKROX MODIFIED - Exit once DB is initialized. exit 0 else - echo - echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' - echo + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM fi fi