From 3184778642f70ed570082d6e2fcb79c0e1fd6e53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:32:41 +0200 Subject: [PATCH 01/10] chore: Switch to wolfi to fix critical vulnerability --- .github/dependabot.yml | 10 +++++++++ .github/workflows/image-build.yml | 10 ++++----- local-rest-scorer/Dockerfile | 22 +++++++++++++++++++ local-rest-scorer/README.md | 7 +----- local-rest-scorer/build.gradle | 36 ------------------------------- 5 files changed, 38 insertions(+), 47 deletions(-) create mode 100644 local-rest-scorer/Dockerfile diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 24aba059..5d1a72b0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,3 +21,13 @@ updates: labels: - "type/update" - "area/chore" + + - package-ecosystem: "docker" + directory: "local-rest-scorer/" + schedule: + interval: "daily" + open-pull-requests-limit: 10 + commit-message: + prefix: "chore" + labels: + - "type/update" \ No newline at end of file diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml index 11647358..b5ac53fa 100644 --- a/.github/workflows/image-build.yml +++ b/.github/workflows/image-build.yml @@ -30,13 +30,13 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@v4 - - name: Build templates - run: | - ./gradlew --init-script init.gradle distributionZip - - name: Build images with Gradle Wrapper run: | - ./gradlew -Pversion=${{inputs.component_version}} --init-script init.gradle jibBuildTar -Djib.to.image=image:latest -Djib.outputPaths.tar=/tmp/image.tar + ./gradlew :local-rest-scorer:build -Pversion=${{ inputs.component_version }} -x check --init-script init.gradle + docker build -t image:latest -f local-rest-scorer/Dockerfile local-rest-scorer + + - name: Save docker image + run: docker save image:latest > /tmp/image.tar - name: Save image artifact uses: actions/upload-artifact@v4 
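Review bot: The new `run:` step still interpolates `${{ inputs.component_version }}` straight into the shell command line; a reusable-workflow input is whatever the caller passes, and if any caller sources it from a `workflow_dispatch` field (this series adds a manual publish workflow, though its inputs are not visible here) a value containing `$(…)` or `;` executes in the build job — the script-injection pattern GitHub's hardening guide warns about. Pass it through the environment instead: add `env:` / `COMPONENT_VERSION: ${{ inputs.component_version }}` on the step and use `-Pversion="$COMPONENT_VERSION"` in the command. Note also that `-x check` means unit tests, checkstyle and errorprone (applied via gradle/java.gradle) never run in this job; that matches what the old `jibBuildTar` invocation did, but a comment such as `# check is gated by the test workflow; skipped here to keep the image build fast` would make it clear this is deliberate rather than an accident.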
diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile new file mode 100644 index 00000000..2517a95e --- /dev/null +++ b/local-rest-scorer/Dockerfile @@ -0,0 +1,22 @@ +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76 AS builder +RUN apk add openjdk-17 bash coreutils +ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk +ENV PATH="$JAVA_HOME/bin:$PATH" +WORKDIR application +COPY build/libs/local-rest-scorer-0.0.0-boot.jar application.jar +RUN java -Djarmode=layertools -jar application.jar extract + +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76 +RUN apk add openjdk-17-jre bash coreutils +ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk +ENV PATH="$JAVA_HOME/bin:$PATH" +USER nonroot +COPY --from=builder --chown=nonroot:nonroot application/dependencies/ ./ +COPY --from=builder --chown=nonroot:nonroot application/spring-boot-loader/ ./ +COPY --from=builder --chown=nonroot:nonroot application/snapshot-dependencies/ ./ +COPY --from=builder --chown=nonroot:nonroot application/application/ ./ +VOLUME /mojos +VOLUME /secrets +EXPOSE 8080 +ENV DRIVERLESS_AI_LICENSE_FILE="/secrets/license.sig" +CMD ["java", "org.springframework.boot.loader.launch.JarLauncher"] \ No newline at end of file diff --git a/local-rest-scorer/README.md b/local-rest-scorer/README.md index 12f68e10..c38dbade 100644 --- a/local-rest-scorer/README.md +++ b/local-rest-scorer/README.md @@ -275,12 +275,7 @@ Generation of this Docker image is plugged into the build process of this projec Run the following command in the root project directory to run the `build` process. ```bash -./gradlew :local-rest-scorer:jibDockerBuild -``` - -Verify that the Docker image was created, and take note of the version created. -```bash -docker images --format "{{.Repository}} \t {{.Tag}}" | grep "h2oai/rest-scorer" +docker build -t rest-scorer . ``` ### Run Container 
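Review bot: The runtime stage's `RUN apk add openjdk-17-jre bash coreutils` installs a shell and coreutils that nothing in the hunk uses — the CMD is exec-form and invokes `java` directly — and for a change whose stated purpose is removing a critical CVE, every extra package is additional scan surface and additional tooling for an attacker who lands in the container. The same line lacks `--no-cache`, so the apk index is baked into the layer. Note also that the `@sha256` digest only pins the base layer: the JRE version is whatever the Wolfi package index serves at build time, so two builds of this Dockerfile can ship different JRE builds unless the resolved versions are captured (an SBOM step, or `apk info -v` in the build log). I would change the runtime install to `RUN apk add --no-cache openjdk-17-jre`, and consider `USER 65532` (the numeric uid of `nonroot` in Chainguard images, worth confirming) so `runAsNonRoot` admission can verify the uid without a passwd lookup.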
diff --git a/local-rest-scorer/build.gradle b/local-rest-scorer/build.gradle index 93ac3697..34516920 100644 --- a/local-rest-scorer/build.gradle +++ b/local-rest-scorer/build.gradle @@ -1,5 +1,4 @@ plugins { - id 'com.google.cloud.tools.jib' id 'org.springframework.boot' } apply from: project(":").file('gradle/java.gradle') @@ -57,38 +56,3 @@ rootProject.distributionZip { from bootJar.archivePath } } - -// Docker image configuration. -jib { - from { - image = javaBaseImage - } - to { - image = dockerRepositoryPrefix + 'rest-scorer' - tags = [version] - auth { - username = System.getenv('TO_DOCKER_USERNAME') ?: '' - password = System.getenv('TO_DOCKER_PASSWORD') ?: '' - } - } - container { - jvmFlags = defaultJibContainerJvmFlags.split(" ").each { it.trim() }.toList() - user = 1001 - ports = ['8080'] - volumes = [ - // For storing the mojo2 file with the model to be used for scoring. - '/mojos', - // For the DAI license file. - '/secrets', - ] - environment = [ - // The expected path to the DAI license file. - DRIVERLESS_AI_LICENSE_FILE: '/secrets/license.sig', - ] - } -} - -// Make docker TAR build part of the build task to ensure the image can be built. -// No pushing anywhere (not even to local docker). To push to local docker run task `jibDockerBuild` instead. -// To push to harbor use task `jib`, credentials will be needed though. -tasks.build.dependsOn tasks.jibBuildTar From eb8d6158c2668bcb4e50fe583508c495b58fcbb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:33:44 +0200 Subject: [PATCH 02/10] nl --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5d1a72b0..826c4222 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -30,4 +30,4 @@ updates: commit-message: prefix: "chore" labels: - - "type/update" \ No newline at end of file + - "type/update" 
From ed2f35c78f2a84ed48d8a4933963eab06aa56c08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:34:05 +0200 Subject: [PATCH 03/10] fix nl --- local-rest-scorer/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 2517a95e..2d2f1a94 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -19,4 +19,4 @@ VOLUME /mojos VOLUME /secrets EXPOSE 8080 ENV DRIVERLESS_AI_LICENSE_FILE="/secrets/license.sig" -CMD ["java", "org.springframework.boot.loader.launch.JarLauncher"] \ No newline at end of file +CMD ["java", "org.springframework.boot.loader.launch.JarLauncher"] From 5f2848129ddd952573bb19f4ad38a4db0e7fa6fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:37:11 +0200 Subject: [PATCH 04/10] fix --- local-rest-scorer/Dockerfile | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 2d2f1a94..155808c1 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -2,7 +2,7 @@ FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8 RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" -WORKDIR application +WORKDIR /app COPY build/libs/local-rest-scorer-0.0.0-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract 
@@ -11,10 +11,11 @@ RUN apk add openjdk-17-jre bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" USER nonroot -COPY --from=builder --chown=nonroot:nonroot application/dependencies/ ./ -COPY --from=builder --chown=nonroot:nonroot application/spring-boot-loader/ ./ -COPY --from=builder --chown=nonroot:nonroot application/snapshot-dependencies/ ./ -COPY --from=builder --chown=nonroot:nonroot application/application/ ./ +WORKDIR /app +COPY --from=builder --chown=nonroot:nonroot /app/dependencies/ ./ +COPY --from=builder --chown=nonroot:nonroot /app/spring-boot-loader/ ./ +COPY --from=builder --chown=nonroot:nonroot /app/snapshot-dependencies/ ./ +COPY --from=builder --chown=nonroot:nonroot /app/application/ ./ VOLUME /mojos VOLUME /secrets EXPOSE 8080 From d43bdf8fa1dd56b9eb52aa02f0e2faf914fb95b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:41:36 +0200 Subject: [PATCH 05/10] fix --- local-rest-scorer/Dockerfile | 2 +- local-rest-scorer/build.gradle | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 155808c1..f9bc0c90 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -3,7 +3,7 @@ RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" WORKDIR /app -COPY build/libs/local-rest-scorer-0.0.0-boot.jar application.jar +COPY build/libs/local-rest-scorer-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76 diff --git a/local-rest-scorer/build.gradle b/local-rest-scorer/build.gradle index 34516920..a8dcbe9a 100644 --- a/local-rest-scorer/build.gradle +++ b/local-rest-scorer/build.gradle 
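Review bot: The four `COPY --from=builder --chown=nonroot:nonroot` lines make the application's jars and loader classes writable by the very user the service runs as, so a compromised scorer process could persist itself by rewriting a jar under /app. The runtime user only needs to read these files, and the builder stage runs as root, so dropping `--chown` leaves them root-owned and world-readable — the least-privilege layout. I would write them as `COPY --from=builder /app/dependencies/ ./` (and likewise for the other three), keeping `USER nonroot` as is.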
@@ -43,6 +43,7 @@ bootRun { bootJar { mainClass = 'ai.h2o.mojos.deploy.local.rest.ScorerApplication' archiveClassifier = 'boot' + archiveVersion = '' } jar { From 70726d8e54fbb855efa1e5f983548d5309179765 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:44:11 +0200 Subject: [PATCH 06/10] Fix manual --- .github/workflows/setup-environment.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/setup-environment.yml b/.github/workflows/setup-environment.yml index dd48a252..83ecc981 100644 --- a/.github/workflows/setup-environment.yml +++ b/.github/workflows/setup-environment.yml @@ -42,6 +42,7 @@ jobs: run: | if ${{ github.event_name == 'pull_request' }}; then echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT; fi if ${{ github.event_name == 'push' }}; then echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT; fi + if ${{ github.event_name == 'workflow_dispatch' }}; then echo "sha=$(git rev-parse --short=7 ${{ github.ref }})" >> $GITHUB_OUTPUT; fi - name: Save Github Release Base Version id: release_base_version From 62a4c7252e6128c5d8cd2b359fca9898871cf149 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Sun, 8 Sep 2024 23:58:17 +0200 Subject: [PATCH 07/10] needs' --- .github/workflows/manual-image-publish.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/manual-image-publish.yml b/.github/workflows/manual-image-publish.yml index 6c91f220..8ee3c740 100644 --- a/.github/workflows/manual-image-publish.yml +++ b/.github/workflows/manual-image-publish.yml @@ -16,7 +16,9 @@ jobs: publish_from_branch: uses: ./.github/workflows/image-publish.yml - needs: build_from_branch + needs: + - setup_env + - build_from_branch secrets: inherit with: gar_push_enabled: true From 9ae2ab3c9ad9baccde70452d02a8dfa09b51df58 Mon Sep 17 00:00:00 2001 
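Review bot: `archiveVersion = ''` silently changes the name of the boot jar that `rootProject.distributionZip` packages via `from bootJar.archivePath` (visible as context in the removed jib block), so consumers of that distribution who expect `local-rest-scorer-<version>-boot.jar` will no longer find it. If the rename exists only to give the Dockerfile a stable path, pass the name in instead of stripping the version: `ARG BOOT_JAR=local-rest-scorer-boot.jar` and `COPY build/libs/${BOOT_JAR} application.jar` in the Dockerfile, with the workflow supplying `--build-arg BOOT_JAR=…` from the version it already knows. Either way a one-line comment on the new line (`// unversioned name so the Dockerfile COPY path is stable`) records why the artifact name differs from the project's other jars.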
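Review bot: The new `workflow_dispatch` branch interpolates `${{ github.ref }}` directly into the shell command; git ref names may contain `;`, `$`, `(`, `)` and backticks, so anyone able to dispatch the workflow can run arbitrary commands in this job — the same template-injection class GitHub documents for `github.head_ref`. It also emits a 7-character short sha while the `push` branch above emits the full `github.sha`, so downstream steps receive two formats from the same output. For a dispatch run `github.sha` already resolves to the head of the selected ref, so the line can simply be `if ${{ github.event_name == 'workflow_dispatch' }}; then echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT; fi`, or `echo "sha=${GITHUB_SHA::7}"` if the short form is genuinely required. The step's `run:` block starts before the hunk.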
From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Mon, 9 Sep 2024 00:00:17 +0200 Subject: [PATCH 08/10] make more clear --- .github/workflows/component-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml index 6619e1d0..63491c6d 100644 --- a/.github/workflows/component-scan.yml +++ b/.github/workflows/component-scan.yml @@ -220,7 +220,7 @@ jobs: "type": "section", "text": { "type": "mrkdwn", - "text": "*DAI Runtimes* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" + "text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" } }, { From 00b40d53cb11fc0aff35ff096ade9f03227a3bd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Mon, 9 Sep 2024 17:11:50 +0200 Subject: [PATCH 09/10] toolchains --- gradle/java.gradle | 8 ++++++++ settings.gradle | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/gradle/java.gradle b/gradle/java.gradle index 185c5f5a..a7edf9c1 100644 --- a/gradle/java.gradle +++ b/gradle/java.gradle @@ -4,3 +4,11 @@ apply from: project(":").file('gradle/java_no_style.gradle') apply from: project(":").file('gradle/mixins/checkstyle.gradle') apply from: project(":").file('gradle/mixins/errorprone.gradle') +apply plugin: 'java' + +java { + toolchain { + languageVersion = JavaLanguageVersion.of(17) + vendor = JvmVendorSpec.ADOPTIUM + } +} diff --git a/settings.gradle b/settings.gradle index e050dd28..0f335c08 100644 --- a/settings.gradle +++ b/settings.gradle @@ -6,7 +6,9 @@ pluginManagement { id 'org.openapi.generator' version "${openApiGeneratorGradlePluginVersion}" } } - +plugins { + id 'org.gradle.toolchains.foojay-resolver-convention' version '0.8.0' +} dependencyResolutionManagement { repositories { mavenCentral() From 2b90bd30e80771fb8318f3fffe72692da82d507e Mon Sep 17 00:00:00 2001 
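Review bot: Declaring a toolchain (`languageVersion 17`, `vendor ADOPTIUM`) together with the foojay resolver convention plugin added in settings.gradle means that whenever the build host has no matching JDK, Gradle downloads one via the foojay disco API at build time — a network fetch with no checksum pinned in the build that silently becomes part of the published image's supply chain, and the image-build workflow hunk in patch 01 shows `setup-gradle` but no `setup-java`, so CI may well take that path. Prefer to provision JDK 17 explicitly in CI (e.g. `actions/setup-java` with `distribution: temurin`, a source the workflow controls) and fail fast otherwise with `org.gradle.java.installations.auto-download=false` in gradle.properties, keeping the resolver for developer machines only if that is the intent. A comment above the `toolchain {}` block such as `// JDK 17 is expected to be pre-installed in CI; foojay auto-download is a developer convenience only` would make that decision visible.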
From: =?UTF-8?q?Jakub=20H=C3=A1va?= Date: Mon, 9 Sep 2024 18:36:54 +0200 Subject: [PATCH 10/10] Fix --- local-rest-scorer/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index f9bc0c90..1be7b13d 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -20,4 +20,4 @@ VOLUME /mojos VOLUME /secrets EXPOSE 8080 ENV DRIVERLESS_AI_LICENSE_FILE="/secrets/license.sig" -CMD ["java", "org.springframework.boot.loader.launch.JarLauncher"] +CMD ["java", "-Dmojo.path=/mojos/pipeline.mojo", "--add-opens=java.base/java.lang=ALL-UNNAMED", "--add-opens=java.base/java.util=ALL-UNNAMED", "--add-opens=java.base/java.lang.reflect=ALL-UNNAMED", "org.springframework.boot.loader.launch.JarLauncher"]
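Review bot: The three `--add-opens=java.base/…=ALL-UNNAMED` switches in the new CMD open JDK internals to every unnamed module with no comment saying which library needs them, so the next maintainer can neither justify nor safely remove them; they look like a reproduction of the `defaultJibContainerJvmFlags` the removed jib configuration applied, which should be stated. Add a comment above the CMD such as `# JVM flags mirror the former jib defaultJibContainerJvmFlags; the --add-opens are needed for reflective access by the MOJO runtime (confirm) — revisit on runtime upgrades`. Baking `-Dmojo.path` into the same CMD also means an operator with a different model path must restate every JVM flag to override it; if the application reads `mojo.path` as a Spring property, supplying it via an environment variable (or `JAVA_TOOL_OPTIONS`) and leaving CMD to the fixed flags plus the launcher class would keep the override to one value.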