
chore: Switch to wolfi to fix critical vulnerability #421

Merged
merged 11 commits into from
Sep 10, 2024
10 changes: 10 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -21,3 +21,13 @@ updates:
labels:
- "type/update"
- "area/chore"

- package-ecosystem: "docker"
directory: "local-rest-scorer/"
schedule:
interval: "daily"
open-pull-requests-limit: 10
commit-message:
prefix: "chore"
labels:
- "type/update"
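Review bot: The new docker entry labels its pull requests only `type/update`, while the neighbouring entry visible in the context lines at the top of the hunk also carries `area/chore`; if the label set is meant to be uniform across ecosystems, add `- "area/chore"` under the new `labels:`. This entry is what will bump the `wolfi-base:latest@sha256:…` digest pin in local-rest-scorer/Dockerfile, so a daily interval is what keeps that pin from going stale. The enclosing `updates:` list starts above the hunk.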
2 changes: 1 addition & 1 deletion .github/workflows/component-scan.yml
Expand Up @@ -220,7 +220,7 @@ jobs:
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*DAI Runtimes* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
"text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
}
},
{
10 changes: 5 additions & 5 deletions .github/workflows/image-build.yml
Expand Up @@ -30,13 +30,13 @@ jobs:
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Build templates
run: |
./gradlew --init-script init.gradle distributionZip

- name: Build images with Gradle Wrapper
run: |
./gradlew -Pversion=${{inputs.component_version}} --init-script init.gradle jibBuildTar -Djib.to.image=image:latest -Djib.outputPaths.tar=/tmp/image.tar
./gradlew :local-rest-scorer:build -Pversion=${{ inputs.component_version }} -x check --init-script init.gradle
docker build -t image:latest -f local-rest-scorer/Dockerfile local-rest-scorer

- name: Save docker image
run: docker save image:latest > /tmp/image.tar

- name: Save image artifact
uses: actions/upload-artifact@v4
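Review bot: `${{ inputs.component_version }}` is expanded directly into the shell text of the `Build images with Gradle Wrapper` step, so the value is interpreted by the shell before the command is parsed; the usual hardening is to route it through an environment variable — `env:` with `COMPONENT_VERSION: ${{ inputs.component_version }}` on the step and `-Pversion="$COMPONENT_VERSION"` in the command. Because this is a workflow input, the caller's trust level decides how much that matters, but the env-var form also avoids word-splitting if a version string ever contains whitespace. `-x check` skips the verification tasks during the image build; if that is deliberate, a one-line comment above the step stating where checks run instead would help the next reader. The `Save image artifact` step continues past the end of the hunk.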
4 changes: 3 additions & 1 deletion .github/workflows/manual-image-publish.yml
Expand Up @@ -16,7 +16,9 @@ jobs:

publish_from_branch:
uses: ./.github/workflows/image-publish.yml
needs: build_from_branch
needs:
- setup_env
- build_from_branch
secrets: inherit
with:
gar_push_enabled: true
1 change: 1 addition & 0 deletions .github/workflows/setup-environment.yml
Expand Up @@ -42,6 +42,7 @@ jobs:
run: |
if ${{ github.event_name == 'pull_request' }}; then echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT; fi
if ${{ github.event_name == 'push' }}; then echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT; fi
if ${{ github.event_name == 'workflow_dispatch' }}; then echo "sha=$(git rev-parse --short=7 ${{ github.ref }})" >> $GITHUB_OUTPUT; fi
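Review bot: The new workflow_dispatch branch writes a 7-character abbreviated SHA (`git rev-parse --short=7`), while the pull_request and push branches two lines above write the full SHA, so consumers of the `sha` output get a different format depending on the trigger. For a dispatched run `github.sha` should already resolve to the head of the chosen ref, so `if ${{ github.event_name == 'workflow_dispatch' }}; then echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT; fi` would keep the output uniform; if the short form is intended, apply it to all three branches instead. Separately, `${{ github.ref }}` is interpolated into shell text, whereas the runner-provided `$GITHUB_REF` environment variable carries the same value without expression expansion. The step's `name`/`id` lines precede the hunk.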

- name: Save Github Release Base Version
id: release_base_version
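--- /dev/null
+++ b/local-rest-scorer/Dockerfile
@@ -0,0 +1,23 @@
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76 AS builder
+RUN apk add openjdk-17 bash coreutils
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
+ENV PATH="$JAVA_HOME/bin:$PATH"
+WORKDIR /app
+COPY build/libs/local-rest-scorer-boot.jar application.jar
+RUN java -Djarmode=layertools -jar application.jar extract
+
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0f1d81605bda6e2388c3c7f731700d8c12e17259d58ffba11f36ddc81d9c0a76
+RUN apk add openjdk-17-jre bash coreutils
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
+ENV PATH="$JAVA_HOME/bin:$PATH"
+USER nonroot
+WORKDIR /app
+COPY --from=builder --chown=nonroot:nonroot /app/dependencies/ ./
+COPY --from=builder --chown=nonroot:nonroot /app/spring-boot-loader/ ./
+COPY --from=builder --chown=nonroot:nonroot /app/snapshot-dependencies/ ./
+COPY --from=builder --chown=nonroot:nonroot /app/application/ ./
+VOLUME /mojos
+VOLUME /secrets
+EXPOSE 8080
+ENV DRIVERLESS_AI_LICENSE_FILE="/secrets/license.sig"
+CMD ["java", "org.springframework.boot.loader.launch.JarLauncher"]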
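Review bot: The runtime stage (second `FROM`) installs `bash coreutils` next to `openjdk-17-jre`, yet the image's only process is the exec-form `CMD ["java", …]`, so a shell and coreutils add attack surface and scanner findings to an otherwise minimal base without being exercised. Unless something outside this diff depends on them at runtime, `RUN apk add openjdk-17-jre` is sufficient for the final stage; the builder stage, which runs the `layertools` extraction, can keep them. The base is pinned by digest but the `apk add` lines are unpinned, so runtime package versions float with every rebuild — acceptable if intended, but a comment above the first `FROM` noting that the digest is maintained by the new dependabot docker entry would make the pinning intent explicit.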
7 changes: 1 addition & 6 deletions local-rest-scorer/README.md
Expand Up @@ -275,12 +275,7 @@ Generation of this Docker image is plugged into the build process of this projec
Run the following command in the root project directory to run the `build` process.

```bash
./gradlew :local-rest-scorer:jibDockerBuild
```

Verify that the Docker image was created, and take note of the version created.
```bash
docker images --format "{{.Repository}} \t {{.Tag}}" | grep "h2oai/rest-scorer"
docker build -t rest-scorer .
```

### Run Container
37 changes: 1 addition & 36 deletions local-rest-scorer/build.gradle
@@ -1,5 +1,4 @@
plugins {
id 'com.google.cloud.tools.jib'
id 'org.springframework.boot'
}
apply from: project(":").file('gradle/java.gradle')
Expand Down Expand Up @@ -44,6 +43,7 @@ bootRun {
bootJar {
mainClass = 'ai.h2o.mojos.deploy.local.rest.ScorerApplication'
archiveClassifier = 'boot'
archiveVersion = ''
}

jar {
Expand All @@ -57,38 +57,3 @@ rootProject.distributionZip {
from bootJar.archivePath
}
}

// Docker image configuration.
jib {
from {
image = javaBaseImage
}
to {
image = dockerRepositoryPrefix + 'rest-scorer'
tags = [version]
auth {
username = System.getenv('TO_DOCKER_USERNAME') ?: ''
password = System.getenv('TO_DOCKER_PASSWORD') ?: ''
}
}
container {
jvmFlags = defaultJibContainerJvmFlags.split(" ").each { it.trim() }.toList()
user = 1001
ports = ['8080']
volumes = [
// For storing the mojo2 file with the model to be used for scoring.
'/mojos',
// For the DAI license file.
'/secrets',
]
environment = [
// The expected path to the DAI license file.
DRIVERLESS_AI_LICENSE_FILE: '/secrets/license.sig',
]
}
}

// Make docker TAR build part of the build task to ensure the image can be built.
// No pushing anywhere (not even to local docker). To push to local docker run task `jibDockerBuild` instead.
// To push to harbor use task `jib`, credentials will be needed though.
tasks.build.dependsOn tasks.jibBuildTar
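Review bot: `archiveVersion = ''` in the `bootJar` block of the second hunk carries no comment, yet it appears to be what makes the artifact land at the fixed path `build/libs/local-rest-scorer-boot.jar` that `local-rest-scorer/Dockerfile` copies, so a later edit to it would break the image build silently. Add `// Unversioned name: local-rest-scorer/Dockerfile copies build/libs/local-rest-scorer-boot.jar` above the line. With `tasks.build.dependsOn tasks.jibBuildTar` removed in the third hunk, `gradle build` no longer exercises the container build, so the CI workflow becomes the only place an image-build regression surfaces — worth stating in the README section this PR edits, if it is not already. The `jar {` block at the end of the second hunk continues outside it.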