From b91aa49834d5af91343da5266269859ee35169c4 Mon Sep 17 00:00:00 2001 From: Ricardo Zanini Date: Thu, 1 Feb 2024 17:17:25 -0300 Subject: [PATCH] Fix #830 - Make Images Reproducible Signed-off-by: Ricardo Zanini --- kogito-swf-builder-image.yaml | 20 ++----------- kogito-swf-devmode-image.yaml | 14 ++------- modules/kogito-clean-cache/clean-cache.sh | 30 +++++++++++++++++++ modules/kogito-clean-cache/module.yaml | 25 ++++++++++++++++ modules/kogito-dynamic-resources/module.yaml | 2 -- modules/kogito-maven/common/configure | 13 ++++++-- .../builder/runtime/community/configure.sh | 5 ++-- .../builder/runtime/community/module.yaml | 4 +-- .../common/build/added/cleanup_project.sh | 7 ++++- .../common/build/added/zip_files.sh | 8 ++--- modules/kogito-swf/common/build/module.yaml | 4 --- .../devmode/runtime/community/configure.sh | 7 +++-- .../devmode/runtime/community/module.yaml | 4 +-- 13 files changed, 92 insertions(+), 51 deletions(-) create mode 100755 modules/kogito-clean-cache/clean-cache.sh create mode 100644 modules/kogito-clean-cache/module.yaml mode change 100644 => 100755 modules/kogito-maven/common/configure diff --git a/kogito-swf-builder-image.yaml b/kogito-swf-builder-image.yaml index a937e26ae..195fdae6c 100644 --- a/kogito-swf-builder-image.yaml +++ b/kogito-swf-builder-image.yaml 
@@ -17,32 +17,24 @@ # under the License. # - name: builder - from: "registry.access.redhat.com/ubi8/ubi-minimal:latest" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.18" version: "999-SNAPSHOT" modules: repositories: - path: modules install: - - name: org.kie.kogito.image.dependencies - name: org.kie.kogito.system.user - name: org.kie.kogito.logging - name: org.kie.kogito.launch.scripts - - name: org.kie.kogito.openjdk - version: "17" - name: org.kie.kogito.dynamic.resources - - name: org.kie.kogito.maven - version: "3.9.3" - name: org.kie.kogito.maven.common - name: org.kie.kogito.project.versions - name: org.kie.kogito.swf.common.scripts - name: org.kie.kogito.swf.builder.build-config - name: org.kie.kogito.swf.common.build - packages: - manager: microdnf - - name: "quay.io/kiegroup/kogito-swf-builder" - from: "registry.access.redhat.com/ubi8/ubi-minimal:latest" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.18" version: "999-SNAPSHOT" description: "Kogito Serverless Workflow base builder with Quarkus extensions libraries preinstalled" @@ -64,22 +56,14 @@ - name: "io.openshift.tags" value: "kogito,builder,serverless,workflow" - packages: - manager: microdnf - modules: repositories: - path: modules install: - - name: org.kie.kogito.image.dependencies - name: org.kie.kogito.system.user - name: org.kie.kogito.logging - name: org.kie.kogito.launch.scripts - - name: org.kie.kogito.openjdk - version: "17" - name: org.kie.kogito.dynamic.resources - - name: org.kie.kogito.maven - version: "3.9.3" - name: org.kie.kogito.maven.common - name: org.kie.kogito.project.versions - name: org.kie.kogito.swf.common.scripts diff --git a/kogito-swf-devmode-image.yaml b/kogito-swf-devmode-image.yaml index 6f4346810..105a522c5 100644 --- a/kogito-swf-devmode-image.yaml +++ b/kogito-swf-devmode-image.yaml 
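Review bot: The new `from: "registry.access.redhat.com/ubi8/openjdk-17:1.18"` in both image entries is still a mutable tag, so the registry can serve different content under it over time and two builds of the same commit can start from different bases. Since the JDK and Maven modules are dropped here, the toolchain now comes entirely from that base. Pinning by digest makes the base both reproducible and verifiable: `from: "registry.access.redhat.com/ubi8/openjdk-17@sha256:<DIGEST>"`. The same applies to the two `from:` lines in kogito-swf-devmode-image.yaml.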
@@ -17,21 +17,16 @@ # under the License. # - name: builder - from: "registry.access.redhat.com/ubi8/ubi-minimal:latest" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.18" version: "999-SNAPSHOT" modules: repositories: - path: modules install: - - name: org.kie.kogito.image.dependencies - name: org.kie.kogito.system.user - name: org.kie.kogito.logging - name: org.kie.kogito.launch.scripts - - name: org.kie.kogito.openjdk - version: "17" - name: org.kie.kogito.dynamic.resources - - name: org.kie.kogito.maven - version: "3.9.3" - name: org.kie.kogito.maven.common - name: org.kie.kogito.project.versions - name: org.kie.kogito.swf.common.scripts @@ -42,7 +37,7 @@ manager: microdnf - name: "quay.io/kiegroup/kogito-swf-devmode" - from: "registry.access.redhat.com/ubi8/ubi-minimal:latest" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.18" version: "999-SNAPSHOT" description: "Kogito Serverless Workflow development mode with Quarkus extensions libraries preinstalled" @@ -69,15 +64,10 @@ repositories: - path: modules install: - - name: org.kie.kogito.image.dependencies - name: org.kie.kogito.system.user - name: org.kie.kogito.logging - name: org.kie.kogito.launch.scripts - - name: org.kie.kogito.openjdk - version: "17" - name: org.kie.kogito.dynamic.resources - - name: org.kie.kogito.maven - version: "3.9.3" - name: org.kie.kogito.maven.common - name: org.kie.kogito.project.versions - name: org.kie.kogito.swf.common.scripts diff --git a/modules/kogito-clean-cache/clean-cache.sh b/modules/kogito-clean-cache/clean-cache.sh new file mode 100755 index 000000000..d82b623bd --- /dev/null +++ b/modules/kogito-clean-cache/clean-cache.sh 
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Remove font cache
+rm -rf /usr/lib/fontconfig/cache/*
+# Clean dnf history see https://access.redhat.com/solutions/4500331
+rm -f /var/lib/dnf/history*
+# Clean RPM database. We know it's not safe, but we must do it anyway to achieve a reproducible builds
+# Since we won't use rpm once the image is built, it should be ok
+# See
+# - https://access.redhat.com/solutions/439953
+# - https://access.redhat.com/solutions/6903
+rm -rf /var/lib/rpm/*
diff --git a/modules/kogito-clean-cache/module.yaml b/modules/kogito-clean-cache/module.yaml
new file mode 100644
index 000000000..3855e8139
--- /dev/null
+++ b/modules/kogito-clean-cache/module.yaml
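Review bot: The final `rm -rf /var/lib/rpm/*` removes the only package inventory in the image, so vulnerability scanners and SBOM tooling that read the RPM database will find no installed packages and stop reporting CVEs against the base-image RPMs. If the database has to go for reproducibility, write a deterministic manifest first and keep it in the image, e.g. `LC_ALL=C rpm -qa | sort > <MANIFEST_PATH>`. The script also has no `set -e`, unlike the `configure` scripts touched by this patch, so a failing `rm` would pass silently.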
@@ -0,0 +1,25 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +schema_version: 1 +name: org.kie.kogito.clean.cache +version: "999-SNAPSHOT" +description: Clean up cache files and non-deterministic files leftovers to guarantee a reproducible build. + +execute: + - script: clean-cache.sh diff --git a/modules/kogito-dynamic-resources/module.yaml b/modules/kogito-dynamic-resources/module.yaml index 55802bf98..7699783d8 100644 --- a/modules/kogito-dynamic-resources/module.yaml +++ b/modules/kogito-dynamic-resources/module.yaml @@ -26,8 +26,6 @@ execute: - script: configure envs: - - name: JBOSS_CONTAINER_JAVA_JVM_MODULE - value: /opt/container/java/jvm - name: JAVA_OPTIONS description: User specified Java options to be appended to generated options in JAVA_OPTS (internal use). example: "-verbose:class" diff --git a/modules/kogito-maven/common/configure b/modules/kogito-maven/common/configure old mode 100644 new mode 100755 index aa7e67b61..7f5306045 --- a/modules/kogito-maven/common/configure +++ b/modules/kogito-maven/common/configure 
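Review bot: Nothing visible in this patch installs `org.kie.kogito.clean.cache`: no added line in kogito-swf-builder-image.yaml or kogito-swf-devmode-image.yaml names it, so as far as the hunks show `clean-cache.sh` never runs (the `install:` lists continue outside the hunks, so this is worth confirming). If it is meant to be wired in here, add `- name: org.kie.kogito.clean.cache` as the last entry of the final image's `install:` list, because it deletes dnf and RPM state that earlier modules may still need. A short comment in this file saying the module must run last would document that ordering constraint.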
@@ -22,8 +22,17 @@ set -e SOURCES_DIR=/tmp/artifacts SCRIPT_DIR=$(dirname "${0}") -tar xzf "${SOURCES_DIR}"/apache-maven-"${MAVEN_VERSION}"-bin.tar.gz -C /usr/share -mv /usr/share/apache-maven-"${MAVEN_VERSION}" /usr/share/maven +mvn_install_dir="/usr/share/maven" + +# Verify if mvn is installed +if [ ! -d ${mvn_install_dir} ] && ! command -v mvn &> /dev/null ; +then + echo "---> Maven not found, downloading and installing it" + tar xzf "${SOURCES_DIR}"/apache-maven-"${MAVEN_VERSION}"-bin.tar.gz -C /usr/share + mv /usr/share/apache-maven-"${MAVEN_VERSION}" ${mvn_install_dir} +else + echo "---> Maven already present in the current context" +fi mkdir "${KOGITO_HOME}"/.m2 cp -v "${SCRIPT_DIR}"/maven/* "${KOGITO_HOME}"/.m2 diff --git a/modules/kogito-swf/builder/runtime/community/configure.sh b/modules/kogito-swf/builder/runtime/community/configure.sh index 14d76b745..8d26bb594 100644 --- a/modules/kogito-swf/builder/runtime/community/configure.sh +++ b/modules/kogito-swf/builder/runtime/community/configure.sh @@ -23,10 +23,11 @@ set -e SOURCES_DIR=/tmp/artifacts mkdir -p "${KOGITO_HOME}"/.m2/repository +mkdir -p "${KOGITO_HOME}/${PROJECT_ARTIFACT_ID}" # Unzip Quarkus app and Maven repository -unzip "${SOURCES_DIR}"/kogito-swf-quarkus-app.zip -d "${KOGITO_HOME}" -unzip "${SOURCES_DIR}"/kogito-swf-maven-repo.zip -d "${KOGITO_HOME}"/.m2/repository +tar xf "${SOURCES_DIR}"/kogito-swf-quarkus-app.tar -C "${KOGITO_HOME}/${PROJECT_ARTIFACT_ID}" +tar xf "${SOURCES_DIR}"/kogito-swf-maven-repo.tar -C "${KOGITO_HOME}"/.m2/repository chown -R 1001:0 "${KOGITO_HOME}" chmod -R ug+rwX "${KOGITO_HOME}" diff --git a/modules/kogito-swf/builder/runtime/community/module.yaml b/modules/kogito-swf/builder/runtime/community/module.yaml index 0a4d41728..4562b12ed 100644 --- a/modules/kogito-swf/builder/runtime/community/module.yaml +++ b/modules/kogito-swf/builder/runtime/community/module.yaml 
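Review bot: The `else` branch accepts whatever `mvn` the base image ships, so `MAVEN_VERSION` no longer decides which Maven runs the build and the version can change with the base image. Print it there with `mvn --version` after the `echo`, and preferably fail when it differs from the expected version. `${mvn_install_dir}` is also unquoted in the test and in the `mv`; write `[ ! -d "${mvn_install_dir}" ]`. The message "downloading and installing it" is inaccurate, since the branch only unpacks a tarball already in `${SOURCES_DIR}`; the script continues outside the hunk.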
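Review bot: `"${KOGITO_HOME}/${PROJECT_ARTIFACT_ID}"` is used by the new `mkdir -p` and the first `tar xf ... -C` without checking that `PROJECT_ARTIFACT_ID` is set; `set -e` does not catch an empty expansion, and the app archive would then be unpacked straight into `${KOGITO_HOME}`. Fail early on first use with `mkdir -p "${KOGITO_HOME}/${PROJECT_ARTIFACT_ID:?}"`. The comment above the two `tar xf` lines still says "Unzip". modules/kogito-swf/devmode/runtime/community/configure.sh gets the same two lines and the same remark applies there.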
@@ -23,9 +23,9 @@ description: "Kogito Serverless Workflow builder runtime module" artifacts: - image: builder - path: /home/kogito/build_output/kogito-swf-quarkus-app.zip + path: /home/kogito/build_output/kogito-swf-quarkus-app.tar - image: builder - path: /home/kogito/build_output/kogito-swf-maven-repo.zip + path: /home/kogito/build_output/kogito-swf-maven-repo.tar execute: - script: configure.sh diff --git a/modules/kogito-swf/common/build/added/cleanup_project.sh b/modules/kogito-swf/common/build/added/cleanup_project.sh index b3c12a336..adfac1d52 100755 --- a/modules/kogito-swf/common/build/added/cleanup_project.sh +++ b/modules/kogito-swf/common/build/added/cleanup_project.sh @@ -35,4 +35,9 @@ rm -rfv "${PROJECT_ARTIFACT_ID}"/*.bak echo 'Clean Maven useless files' find "${KOGITO_HOME}"/.m2/repository -name _remote.repositories -type f -delete find "${KOGITO_HOME}"/.m2/repository -name _maven.repositories -type f -delete -find "${KOGITO_HOME}"/.m2/repository -name *.lastUpdated -type f -delete \ No newline at end of file +find "${KOGITO_HOME}"/.m2/repository -name *.lastUpdated -type f -delete + +# Remove files that include build timestamps to have reproducible images +find "${KOGITO_HOME}"/.m2/ -name resolver-status.properties -delete +# Remove quarkus registry +rm -rf "${KOGITO_HOME}"/.m2/repository/io/quarkus/registry/ diff --git a/modules/kogito-swf/common/build/added/zip_files.sh b/modules/kogito-swf/common/build/added/zip_files.sh index 31e30ec6f..3e68296ef 100755 --- a/modules/kogito-swf/common/build/added/zip_files.sh +++ b/modules/kogito-swf/common/build/added/zip_files.sh 
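Review bot: In cleanup_project.sh the re-added `find ... -name *.lastUpdated` line still passes an unquoted glob, so the shell expands it against the current directory before `find` sees it; if a matching file exists there, `find` searches for that literal name only, or errors when several match. Quote the pattern: `-name '*.lastUpdated'`. The new `find "${KOGITO_HOME}"/.m2/ -name resolver-status.properties -delete` also omits the `-type f` that the neighbouring lines use. The script starts outside the hunk.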
@@ -25,10 +25,10 @@ BUILD_OUTPUT="${KOGITO_HOME}"/build_output/ mkdir -p "${BUILD_OUTPUT}" echo "Zip and copy scaffold project" -zip -r kogito-swf-quarkus-app.zip "${PROJECT_ARTIFACT_ID}"/ -cp -v kogito-swf-quarkus-app.zip "${BUILD_OUTPUT}" +tar cf kogito-swf-quarkus-app.tar -C "${PROJECT_ARTIFACT_ID}" . +cp -v kogito-swf-quarkus-app.tar "${BUILD_OUTPUT}" echo "Zip and copy maven repo" cd "${KOGITO_HOME}"/.m2/repository/ -zip -r kogito-swf-maven-repo.zip * -cp -v kogito-swf-maven-repo.zip "${BUILD_OUTPUT}" \ No newline at end of file +tar cf kogito-swf-maven-repo.tar . +cp -v kogito-swf-maven-repo.tar "${BUILD_OUTPUT}" \ No newline at end of file diff --git a/modules/kogito-swf/common/build/module.yaml b/modules/kogito-swf/common/build/module.yaml index 8f277cd9f..84c1dfbe6 100644 --- a/modules/kogito-swf/common/build/module.yaml +++ b/modules/kogito-swf/common/build/module.yaml @@ -21,9 +21,5 @@ name: org.kie.kogito.swf.common.build version: "999-SNAPSHOT" description: "Kogito Serverless Workflow image build process" -packages: - install: - - zip - execute: - script: configure.sh diff --git a/modules/kogito-swf/devmode/runtime/community/configure.sh b/modules/kogito-swf/devmode/runtime/community/configure.sh index efe6f6089..7404a5c1e 100644 --- a/modules/kogito-swf/devmode/runtime/community/configure.sh +++ b/modules/kogito-swf/devmode/runtime/community/configure.sh 
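Review bot: In zip_files.sh, plain `tar cf` records each file's mtime, owner and group and writes entries in directory order, so the two archives can differ between builds with identical content, and the `tar xf` in the runtime `configure.sh` scripts would carry those mtimes into the final image. GNU tar can normalise this, e.g. `tar --sort=name --mtime="@${SOURCE_DATE_EPOCH}" --owner=0 --group=0 --numeric-owner -cf kogito-swf-quarkus-app.tar -C "${PROJECT_ARTIFACT_ID}" .` with a fixed timestamp, and likewise for the Maven repository archive. That second archive is created inside the directory it archives (`tar cf kogito-swf-maven-repo.tar .` after the `cd`), so writing it directly under `"${BUILD_OUTPUT}"` avoids leaving it in the repository tree. The `echo` messages still say "Zip".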
@@ -23,9 +23,12 @@ set -e SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SOURCES_DIR=/tmp/artifacts +mkdir -p "${KOGITO_HOME}/${PROJECT_ARTIFACT_ID}" +mkdir -p "${KOGITO_HOME}"/.m2/repository + # Unzip Quarkus app and Maven repository -unzip "${SOURCES_DIR}"/kogito-swf-quarkus-app.zip -d "${KOGITO_HOME}" -unzip "${SOURCES_DIR}"/kogito-swf-maven-repo.zip -d "${KOGITO_HOME}"/.m2/repository +tar xf "${SOURCES_DIR}"/kogito-swf-quarkus-app.tar -C "${KOGITO_HOME}/${PROJECT_ARTIFACT_ID}" +tar xf "${SOURCES_DIR}"/kogito-swf-maven-repo.tar -C "${KOGITO_HOME}"/.m2/repository chown -R 1001:0 "${KOGITO_HOME}" chmod -R ug+rwX "${KOGITO_HOME}" diff --git a/modules/kogito-swf/devmode/runtime/community/module.yaml b/modules/kogito-swf/devmode/runtime/community/module.yaml index c48ec7281..aa0662c64 100644 --- a/modules/kogito-swf/devmode/runtime/community/module.yaml +++ b/modules/kogito-swf/devmode/runtime/community/module.yaml @@ -40,9 +40,9 @@ envs: artifacts: - image: builder - path: /home/kogito/build_output/kogito-swf-quarkus-app.zip + path: /home/kogito/build_output/kogito-swf-quarkus-app.tar - image: builder - path: /home/kogito/build_output/kogito-swf-maven-repo.zip + path: /home/kogito/build_output/kogito-swf-maven-repo.tar execute: - script: configure.sh