From e20cd7c1e5ee5ba9a9bdf3bc175d077e59a64a0e Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Fri, 16 Feb 2024 19:25:38 +0900
Subject: [PATCH 1/2] Reverted RHEL image for web-service
---
 Dockerfiles/web-service/rhel/Dockerfile | 35 ++++++++++++-------------
 1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/Dockerfiles/web-service/rhel/Dockerfile b/Dockerfiles/web-service/rhel/Dockerfile
index 068dc6156..45d9527da 100644
--- a/Dockerfiles/web-service/rhel/Dockerfile
+++ b/Dockerfiles/web-service/rhel/Dockerfile
@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:1
-ARG MAJOR_VERSION=7.0
-ARG RELEASE=0
-ARG ZBX_VERSION=${MAJOR_VERSION}
+ARG MAJOR_VERSION=6.0
+ARG RELEASE=26
+ARG ZBX_VERSION=${MAJOR_VERSION}.26
 ARG BUILD_BASE_IMAGE=zabbix-build-mysql:rhel-${ZBX_VERSION}
-FROM ${BUILD_BASE_IMAGE} AS builder
+FROM ${BUILD_BASE_IMAGE} as builder
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
+FROM registry.access.redhat.com/ubi8/ubi-minimal
 ARG MAJOR_VERSION
 ARG RELEASE
@@ -19,9 +19,9 @@ ENV TERM=xterm \
 LABEL description="Zabbix web service for performing various tasks using headless web browser" \
 maintainer="alexey.pustovalov@zabbix.com" \
- name="zabbix/zabbix-web-service-trunk" \
+ name="zabbix/zabbix-web-service-60" \
 release="${RELEASE}" \
- run="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-trunk:${ZBX_VERSION}" \
+ run="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-60:${ZBX_VERSION}" \
 summary="Zabbix web service" \
 url="https://www.zabbix.com/" \
 vendor="Zabbix LLC" \
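Review bot: `FROM registry.access.redhat.com/ubi8/ubi-minimal` on the new side carries no tag, so every rebuild of this 6.0.26 image silently resolves to whatever `latest` points at that day, whereas the line it reverts pinned `ubi-minimal:9.3`. Pin it to an explicit 8.x tag, and ideally a `@sha256:` digest, so the base is reproducible and a base-image change shows up as a reviewed diff rather than a surprise. The same hunk also lowercases `as builder` while every other instruction in the file stays uppercase; newer BuildKit versions warn about that mismatch (`FromAsCasing`), so `AS builder` is the consistent form.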
@@ -32,7 +32,7 @@ LABEL description="Zabbix web service for performing various tasks using headles
 io.openshift.tags="zabbix,zabbix-web-service" \
 org.label-schema.build-date="${BUILD_DATE}" \
 org.label-schema.description="Zabbix web service for performing various tasks using headless web browser" \
- org.label-schema.docker.cmd="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-trunk:${ZBX_VERSION}" \
+ org.label-schema.docker.cmd="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-60:${ZBX_VERSION}" \
 org.label-schema.license="GPL v2.0" \
 org.label-schema.name="zabbix-web-service-rhel" \
 org.label-schema.schema-version="1.0" \
@@ -53,16 +53,15 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 shadow-utils \
 chromium-headless" && \
- curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
- rpm -ivh /tmp/epel-release-latest-9.noarch.rpm && \
- rm -rf /tmp/epel-release-latest-9.noarch.rpm && \
- ARCH_SUFFIX="$(arch)"; \
+ curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
+ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \
+ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \
 microdnf -y install \
 --disablerepo "*" \
- --enablerepo "ubi-9-baseos-rpms" \
- --enablerepo "ubi-9-appstream-rpms" \
- --enablerepo "rhel-9-for-$ARCH_SUFFIX-baseos-rpms" \
- --enablerepo "rhel-9-for-$ARCH_SUFFIX-appstream-rpms" \
+ --enablerepo "ubi-8-baseos-rpms" \
+ --enablerepo "ubi-8-appstream-rpms" \
+ --enablerepo "rhel-8-for-x86_64-baseos-rpms" \
+ --enablerepo "rhel-8-for-x86_64-appstream-rpms" \
 --enablerepo "epel" \
 --setopt=install_weak_deps=0 \
 --best \
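Review bot: `rpm -ivh /tmp/epel-release-latest-8.noarch.rpm` installs the freshly downloaded EPEL bootstrap package without a signature check — with the EPEL key not yet imported, rpm only prints a NOKEY warning and proceeds — so the TLS connection to dl.fedoraproject.org is the sole integrity control over the repo definition and GPG key that every later `microdnf --enablerepo "epel"` call trusts. Import the EPEL 8 key first (a copy vendored in this repository, or failing that `rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8`) and run `rpm -K /tmp/epel-release-latest-8.noarch.rpm` before the install, or pin a sha256 of the downloaded RPM. Separately, the new `--enablerepo "rhel-8-for-x86_64-*"` lines hard-code the architecture that the removed `ARCH_SUFFIX="$(arch)"` line derived, so this Dockerfile will no longer select the right RHEL repos on an aarch64 build host. The RUN instruction this hunk belongs to begins before and continues after it.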
@@ -70,8 +69,8 @@ RUN set -eux && \
 ${INSTALL_PKGS} && \
 microdnf -y install \
 --disablerepo "*" \
- --enablerepo "ubi-9-baseos-rpms" \
- --enablerepo "ubi-9-appstream-rpms" \
+ --enablerepo "ubi-8-baseos-rpms" \
+ --enablerepo "ubi-8-appstream-rpms" \
 --setopt=install_weak_deps=0 \
 --best \
 --setopt=tsflags=nodocs \
From e11c23a7b5ba5c5a6fbce64a586179c8605020f2 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Fri, 16 Feb 2024 19:32:03 +0900
Subject: [PATCH 2/2] Updated according security and style recommendations
---
 .github/workflows/images_build.yml | 248 ++++++++++++++++++++++++-----
 1 file changed, 204 insertions(+), 44 deletions(-)
diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml
index 7b997705e..d32d26d04 100644
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@@ -170,24 +170,41 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ abqix.mm.fcix.net:80
 api.github.com:443
+ archive.ubuntu.com:443
 archive.ubuntu.com:80
 atl.mirrors.knownhost.com:443
 atl.mirrors.knownhost.com:80
 auth.docker.io:443
 cdn03.quay.io:443
+ centos-distro.1gservers.com:80
 centos-stream-distro.1gservers.com:443
 centos-stream-distro.1gservers.com:80
+ centos.hivelocity.net:80
+ centos.mirror.shastacoe.net:80
+ d2lzkl7pfhq30w.cloudfront.net:443
+ deb.debian.org:80
 dfw.mirror.rackspace.com:443
 dfw.mirror.rackspace.com:80
+ distro.ibiblio.org:80
 dl-cdn.alpinelinux.org:443
 download.cf.centos.org:443
 download.cf.centos.org:80
+ epel.gb.ssimn.org:443
 epel.mirror.constant.com:443
+ epel.mirror.constant.com:80
+ forksystems.mm.fcix.net:80
 ftp-nyc.osuosl.org:443
 ftp-nyc.osuosl.org:80
 ftp-osl.osuosl.org:443
 ftp-osl.osuosl.org:80
+ ftp.agdsn.de:443
+ ftp.agdsn.de:80
+ ftp.fau.de:443
+ ftp.halifax.rwth-aachen.de:443
+ ftp.halifax.rwth-aachen.de:80
+ ftp.osuosl.org:80
 ftp.plusline.net:443
 ftp.plusline.net:80
 ftpmirror.your.org:80
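Review bot: Nearly every endpoint this hunk adds is a `:80` entry for a third-party mirror (`deb.debian.org:80`, `distro.ibiblio.org:80`, `centos.hivelocity.net:80`, the `*.mm.fcix.net:80` hosts), so the `block` egress policy now explicitly permits package downloads over plaintext HTTP from university and ISP mirrors. Harden-runner can do nothing for integrity on those connections; it rests entirely on gpgcheck/apt signature verification in the Dockerfiles, which this diff does not show, so it is worth confirming none of them disable it or curl anything over http. Where a host is listed on both ports (`archive.ubuntu.com`, `ftp.agdsn.de`, `ftp.halifax.rwth-aachen.de`) the `:80` entry is presumably only needed because the repo config points at http; switching those sources to https would let the plaintext lines go. The `allowed-endpoints` block continues past this hunk.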
@@ -196,19 +213,42 @@ jobs:
 iad.mirror.rackspace.com:443
 iad.mirror.rackspace.com:80
 index.docker.io:443
+ ix-denver.mm.fcix.net:443
+ ix-denver.mm.fcix.net:80
+ keyserver.ubuntu.com:11371
+ la.mirrors.clouvider.net:80
 lesnet.mm.fcix.net:443
+ lesnet.mm.fcix.net:80
+ linux-mirrors.fnal.gov:80
 mirror-mci.yuki.net.uk:443
 mirror-mci.yuki.net.uk:80
+ mirror.23m.com:443
+ mirror.23m.com:80
 mirror.arizona.edu:443
 mirror.arizona.edu:80
+ mirror.ash.fastserv.com:80
+ mirror.chpc.utah.edu:80
+ mirror.clarkson.edu:80
+ mirror.dal.nexril.net:80
+ mirror.de.leaseweb.net:443
+ mirror.de.leaseweb.net:80
 mirror.dogado.de:443
 mirror.dogado.de:80
+ mirror.ette.biz:80
 mirror.facebook.net:443
 mirror.facebook.net:80
 mirror.fcix.net:443
 mirror.hoobly.com:443
+ mirror.hoobly.com:80
+ mirror.keystealth.org:80
 mirror.math.princeton.edu:443
+ mirror.math.princeton.edu:80
+ mirror.metrocast.net:80
+ mirror.netcologne.de:443
+ mirror.netcologne.de:80
 mirror.netzwerge.de:443
+ mirror.netzwerge.de:80
+ mirror.nodesdirect.com:80
 mirror.pilotfiber.com:443
 mirror.pilotfiber.com:80
 mirror.rackspace.com:443
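Review bot: `keyserver.ubuntu.com:11371` newly allows plaintext HKP from this job, and a key fetched that way — the Dockerfile doing it is not in this diff, presumably an `apt-key`/`gpg --recv-keys` step — is only as trustworthy as the fingerprint the caller verifies afterwards, which cannot be checked here. Prefer `hkps://keyserver.ubuntu.com` on 443 (not in the list yet) or, better, commit the public key and `COPY` it to `/etc/apt/keyrings/` so no keyserver egress is needed at all, and in either case compare the full fingerprint rather than a short key ID. The `allowed-endpoints` block this hunk sits in starts before and continues after it.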
@@ -217,40 +257,95 @@ jobs:
 mirror.scaleuptech.com:80
 mirror.servaxnet.com:443
 mirror.servaxnet.com:80
+ mirror.sfo12.us.leaseweb.net:80
 mirror.siena.edu:80
+ mirror.steadfastnet.com:80
 mirror.stream.centos.org:443
 mirror.stream.centos.org:80
 mirror.team-cymru.com:443
 mirror.team-cymru.com:80
+ mirror.umd.edu:443
+ mirror.umd.edu:80
+ mirror.us-midwest-1.nexcess.net:80
+ mirror.vacares.com:80
+ mirror.vtti.vt.edu:80
+ mirror.wdc2.us.leaseweb.net:80
 mirror1.hs-esslingen.de:443
+ mirror1.hs-esslingen.de:80
+ mirrorlist.centos.org:80
+ mirrors.advancedhosters.com:80
 mirrors.centos.org:443
+ mirrors.cmich.edu:80
 mirrors.fedoraproject.org:443
 mirrors.fedoraproject.org:80
+ mirrors.iu13.net:443
 mirrors.iu13.net:80
+ mirrors.liquidweb.com:80
+ mirrors.lug.mtu.edu:443
+ mirrors.lug.mtu.edu:80
+ mirrors.maine.edu:80
 mirrors.mit.edu:443
+ mirrors.mit.edu:80
 mirrors.ocf.berkeley.edu:443
 mirrors.ocf.berkeley.edu:80
+ mirrors.oit.uci.edu:80
+ mirrors.raystedman.org:80
 mirrors.sonic.net:443
+ mirrors.sonic.net:80
+ mirrors.syringanetworks.net:80
+ mirrors.tscak.com:80
+ mirrors.vcea.wsu.edu:80
 mirrors.wcupa.edu:443
 mirrors.wcupa.edu:80
+ mirrors.xtom.com:80
+ mirrors.xtom.de:443
 mirrors.xtom.de:80
+ mnvoip.mm.fcix.net:80
 na.edge.kernel.org:443
+ nc-centos-mirror.iwebfusion.net:80
+ nginx.org:443
+ nginx.org:80
+ nnenix.mm.fcix.net:80
 nocix.mm.fcix.net:443
+ nocix.mm.fcix.net:80
 oauth2.sigstore.dev:443
 objects.githubusercontent.com:443
+ ohioix.mm.fcix.net:80
+ opencolo.mm.fcix.net:443
+ opencolo.mm.fcix.net:80
+ packages.oit.ncsu.edu:80
+ paducahix.mm.fcix.net:80
+ ports.ubuntu.com:443
 ports.ubuntu.com:80
 production.cloudflare.docker.com:443
+ pubmirror1.math.uh.edu:443
+ pubmirror2.math.uh.edu:80
+ pubmirror3.math.uh.edu:80
 quay.io:443
 registry-1.docker.io:443
 rekor.sigstore.dev:443
 repo.ialab.dsu.edu:443
+ repo.ialab.dsu.edu:80
+ repo1.sea.innoscale.net:80
 repos.eggycrew.com:443
 repos.eggycrew.com:80
+ ridgewireless.mm.fcix.net:443
+ ridgewireless.mm.fcix.net:80
+ scientificlinux.physik.uni-muenchen.de:443
+ scientificlinux.physik.uni-muenchen.de:80
+ security.ubuntu.com:443
 security.ubuntu.com:80
+ southfront.mm.fcix.net:80
 tuf-repo-cdn.sigstore.dev:443
+ tx-mirror.tier.net:80
+ us.mirrors.virtono.com:80
 uvermont.mm.fcix.net:443
+ uvermont.mm.fcix.net:80
+ volico.mm.fcix.net:80
+ www.gtlib.gatech.edu:80
 yum.oracle.com:443
 ziply.mm.fcix.net:443
+ ziply.mm.fcix.net:80
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
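Review bot: `mirrorlist.centos.org:80` allows the legacy CentOS mirror-list service: dnf fetches a list of mirror URLs over plaintext HTTP and then downloads from one of them, which is presumably why this allowlist keeps growing by dozens of `*.edu`/ISP `:80` hosts per revision and will keep drifting as the service rotates mirrors. If the CentOS-based builds set `baseurl=` to one HTTPS mirror that is already allowed (`mirror.stream.centos.org:443`, `mirrors.centos.org:443`) instead of the mirrorlist, the policy collapses to a handful of stable hosts and the build stops depending on whichever mirror it happens to be handed. `nginx.org:80` next to `nginx.org:443` looks like the same pattern for an apt source and could be dropped once that source uses https. The trailing `- name: Checkout repository` lines are context, not part of the change.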
@@ -597,117 +692,182 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ abqix.mm.fcix.net:80
 api.github.com:443
- auth.docker.io:443
- dl-cdn.alpinelinux.org:443
- github.com:443
- index.docker.io:443
- production.cloudflare.docker.com:443
- registry-1.docker.io:443
- fulcio.sigstore.dev:443
- objects.githubusercontent.com:443
- tuf-repo-cdn.sigstore.dev:443
- rekor.sigstore.dev:443
- api.github.com:443
+ archive.ubuntu.com:443
+ archive.ubuntu.com:80
 atl.mirrors.knownhost.com:443
 atl.mirrors.knownhost.com:80
 auth.docker.io:443
 cdn03.quay.io:443
+ centos-distro.1gservers.com:80
 centos-stream-distro.1gservers.com:443
 centos-stream-distro.1gservers.com:80
+ centos.hivelocity.net:80
+ centos.mirror.shastacoe.net:80
 d2lzkl7pfhq30w.cloudfront.net:443
+ deb.debian.org:80
+ dfw.mirror.rackspace.com:443
+ dfw.mirror.rackspace.com:80
+ distro.ibiblio.org:80
+ dl-cdn.alpinelinux.org:443
+ download.cf.centos.org:443
+ download.cf.centos.org:80
+ epel.gb.ssimn.org:443
+ epel.mirror.constant.com:443
 epel.mirror.constant.com:80
 forksystems.mm.fcix.net:80
 ftp-nyc.osuosl.org:443
 ftp-nyc.osuosl.org:80
 ftp-osl.osuosl.org:443
 ftp-osl.osuosl.org:80
+ ftp.agdsn.de:443
+ ftp.agdsn.de:80
+ ftp.fau.de:443
+ ftp.halifax.rwth-aachen.de:443
+ ftp.halifax.rwth-aachen.de:80
+ ftp.osuosl.org:80
+ ftp.plusline.net:443
 ftp.plusline.net:80
 ftpmirror.your.org:80
+ fulcio.sigstore.dev:443
 github.com:443
 iad.mirror.rackspace.com:443
+ iad.mirror.rackspace.com:80
 index.docker.io:443
 ix-denver.mm.fcix.net:443
+ ix-denver.mm.fcix.net:80
+ keyserver.ubuntu.com:11371
+ la.mirrors.clouvider.net:80
+ lesnet.mm.fcix.net:443
+ lesnet.mm.fcix.net:80
+ linux-mirrors.fnal.gov:80
 mirror-mci.yuki.net.uk:443
+ mirror-mci.yuki.net.uk:80
+ mirror.23m.com:443
 mirror.23m.com:80
+ mirror.arizona.edu:443
 mirror.arizona.edu:80
+ mirror.ash.fastserv.com:80
+ mirror.chpc.utah.edu:80
+ mirror.clarkson.edu:80
 mirror.dal.nexril.net:80
+ mirror.de.leaseweb.net:443
 mirror.de.leaseweb.net:80
+ mirror.dogado.de:443
 mirror.dogado.de:80
+ mirror.ette.biz:80
+ mirror.facebook.net:443
 mirror.facebook.net:80
+ mirror.fcix.net:443
+ mirror.hoobly.com:443
 mirror.hoobly.com:80
+ mirror.keystealth.org:80
+ mirror.math.princeton.edu:443
 mirror.math.princeton.edu:80
+ mirror.metrocast.net:80
 mirror.netcologne.de:443
+ mirror.netcologne.de:80
 mirror.netzwerge.de:443
+ mirror.netzwerge.de:80
+ mirror.nodesdirect.com:80
 mirror.pilotfiber.com:443
 mirror.pilotfiber.com:80
 mirror.rackspace.com:443
 mirror.rackspace.com:80
 mirror.scaleuptech.com:443
+ mirror.scaleuptech.com:80
 mirror.servaxnet.com:443
 mirror.servaxnet.com:80
 mirror.sfo12.us.leaseweb.net:80
 mirror.siena.edu:80
 mirror.steadfastnet.com:80
+ mirror.stream.centos.org:443
+ mirror.stream.centos.org:80
 mirror.team-cymru.com:443
 mirror.team-cymru.com:80
 mirror.umd.edu:443
+ mirror.umd.edu:80
+ mirror.us-midwest-1.nexcess.net:80
+ mirror.vacares.com:80
+ mirror.vtti.vt.edu:80
+ mirror.wdc2.us.leaseweb.net:80
 mirror1.hs-esslingen.de:443
+ mirror1.hs-esslingen.de:80
+ mirrorlist.centos.org:80
+ mirrors.advancedhosters.com:80
 mirrors.centos.org:443
+ mirrors.cmich.edu:80
 mirrors.fedoraproject.org:443
+ mirrors.fedoraproject.org:80
 mirrors.iu13.net:443
 mirrors.iu13.net:80
+ mirrors.liquidweb.com:80
+ mirrors.lug.mtu.edu:443
+ mirrors.lug.mtu.edu:80
+ mirrors.maine.edu:80
+ mirrors.mit.edu:443
+ mirrors.mit.edu:80
 mirrors.ocf.berkeley.edu:443
+ mirrors.ocf.berkeley.edu:80
+ mirrors.oit.uci.edu:80
+ mirrors.raystedman.org:80
+ mirrors.sonic.net:443
 mirrors.sonic.net:80
 mirrors.syringanetworks.net:80
+ mirrors.tscak.com:80
 mirrors.vcea.wsu.edu:80
+ mirrors.wcupa.edu:443
 mirrors.wcupa.edu:80
+ mirrors.xtom.com:80
+ mirrors.xtom.de:443
 mirrors.xtom.de:80
+ mnvoip.mm.fcix.net:80
 na.edge.kernel.org:443
+ nc-centos-mirror.iwebfusion.net:80
+ nginx.org:443
+ nginx.org:80
 nnenix.mm.fcix.net:80
+ nocix.mm.fcix.net:443
+ nocix.mm.fcix.net:80
+ oauth2.sigstore.dev:443
+ objects.githubusercontent.com:443
 ohioix.mm.fcix.net:80
+ opencolo.mm.fcix.net:443
+ opencolo.mm.fcix.net:80
+ packages.oit.ncsu.edu:80
+ paducahix.mm.fcix.net:80
+ ports.ubuntu.com:443
+ ports.ubuntu.com:80
 production.cloudflare.docker.com:443
 pubmirror1.math.uh.edu:443
+ pubmirror2.math.uh.edu:80
 pubmirror3.math.uh.edu:80
 quay.io:443
 registry-1.docker.io:443
+ rekor.sigstore.dev:443
+ repo.ialab.dsu.edu:443
 repo.ialab.dsu.edu:80
+ repo1.sea.innoscale.net:80
+ repos.eggycrew.com:443
 repos.eggycrew.com:80
- uvermont.mm.fcix.net:80
- ziply.mm.fcix.net:443
- fulcio.sigstore.dev:443
- objects.githubusercontent.com:443
- tuf-repo-cdn.sigstore.dev:443
- rekor.sigstore.dev:443
- oauth2.sigstore.dev:443
- api.github.com:443
- auth.docker.io:443
- github.com:443
- index.docker.io:443
- production.cloudflare.docker.com:443
- registry-1.docker.io:443
- yum.oracle.com:443
- fulcio.sigstore.dev:443
- objects.githubusercontent.com:443
- tuf-repo-cdn.sigstore.dev:443
- rekor.sigstore.dev:443
- api.github.com:443
- archive.ubuntu.com:80
- auth.docker.io:443
- deb.debian.org:80
- github.com:443
- index.docker.io:443
- keyserver.ubuntu.com:11371
- nginx.org:443
- nginx.org:80
- ports.ubuntu.com:80
- production.cloudflare.docker.com:443
- registry-1.docker.io:443
+ ridgewireless.mm.fcix.net:443
+ ridgewireless.mm.fcix.net:80
+ scientificlinux.physik.uni-muenchen.de:443
+ scientificlinux.physik.uni-muenchen.de:80
+ security.ubuntu.com:443
 security.ubuntu.com:80
- fulcio.sigstore.dev:443
- objects.githubusercontent.com:443
+ southfront.mm.fcix.net:80
 tuf-repo-cdn.sigstore.dev:443
- rekor.sigstore.dev:443
+ tx-mirror.tier.net:80
+ us.mirrors.virtono.com:80
+ uvermont.mm.fcix.net:443
+ uvermont.mm.fcix.net:80
+ volico.mm.fcix.net:80
+ www.gtlib.gatech.edu:80
+ yum.oracle.com:443
+ ziply.mm.fcix.net:443
+ ziply.mm.fcix.net:80
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
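Review bot: This second `allowed-endpoints` list is now a near-verbatim copy of the first job's roughly 170 entries, maintained by hand in two places, and the removed lines in this hunk show where that leads — `fulcio.sigstore.dev:443`, `api.github.com:443` and their neighbours had been appended five separate times. Because the list is the union of every mirror any matrix entry might touch, each job can reach all of them, and the `block` policy then only stops unknown hosts rather than limiting a compromised step to the mirrors its own base image actually needs. Consider a small common set (GitHub, Docker Hub, quay, sigstore) plus per-OS mirror sets selected per matrix entry, generated from one source so the two jobs cannot drift apart again. The step list continues after this hunk; the trailing `- name: Checkout repository` lines are context.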