[SYCL][Devops] Fix DockerFile linting issues discovered by trivy
#16361
Conversation
See https://avd.aquasec.com/misconfig/ds017 Docker best practices says that running `update` and `install` commands separately may lead to situations where Docker skips `update` step and re-uses cache leading to outdated versions of packages being installed.
See https://avd.aquasec.com/misconfig/ds002 Made it so that the last `USER` command in `base` and `build` is not `root`.
See https://avd.aquasec.com/misconfig/ds002 Made it so our docker files have at least one `USER` command which is not `root`.
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
Extended build containers action with an extra argument which specifies a password that will be assigned to the `sycl_ci` user created within containers. For now this new secret is unused, so this changes is expected to have no impact on our CI. This is outlined from intel#16361 to improve testing for that PR: for security reasons actions are only invoked from the default branch and never from a PR branch. Therefore, to actually test that this secret is properly used without errors we need to update the action first.
AlexeySachkov
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
AlexeySachkov
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
AlexeySachkov
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
AlexeySachkov
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
| @@ -196,9 +196,9 @@ jobs: | |||
| run: | | |||
| if [ "${{ inputs.install_dev_igc_driver }}" = "true" ]; then | |||
| # If libllvm14 is already installed (dev igc docker), still return true. | |||
| sudo apt-get install -yqq libllvm14 || true; | |||
| cat /run/secrets/sycl_passwd | sudo -S apt-get install -yqq libllvm14 || true; | |||
There was a problem hiding this comment.
From my local experiments:
$ cat /run/secrets/sycl_ci_passwd | sudo -S echo "I'm root!" || echo "second"
I'm root!
$ cat /run/secrets/sycl_ci_passwd | sudo -S false || echo "second"
secondSo, it seems to work correctly, but I can add parens for clarity if that's a preference
|
|
||
| if [[ $# -eq 0 ]]; then | ||
| # When launched without arguments, we assume that it was launched as part of | ||
| # CI workflow and therefore a different kind of user is created |
There was a problem hiding this comment.
i wonder if we can check GITHUB_ACTIONS here
There was a problem hiding this comment.
Considering that all our containers are only for the purposes of CI and local development, I decided that they will all use sycl_ci by default.
Those, who need sycl user are able to create it using that script manually as documented (8d931df). Considering that sycl user won't be created by us anymore, I think that it is actually better to have this script react to an arguments instead of the environment (i.e. I want everything to be explicit)
devops/scripts/create-sycl-user.sh
Outdated
|
|
||
| if [[ $SET_PASSWD == true ]]; then | ||
| if [[ ! -f /run/secrets/sycl_ci_passwd ]]; then | ||
| echo "Password is requested, but /run/secrtes/sycl_ci_passwd doesn't exists!" |
There was a problem hiding this comment.
| echo "Password is requested, but /run/secrtes/sycl_ci_passwd doesn't exists!" | |
| echo "Password is requested, but /run/secrtes/sycl_ci_passwd doesn't exist!" |
| SET_PASSWD=false | ||
|
|
||
| # Some user id which is different from the one assigned to sycl_ci user | ||
| USER_ID=1234 |
There was a problem hiding this comment.
also sorry, you might have to rebase because i added a 24.04 oneapi docker image today
Do we need to update anything in https://github.com/intel/llvm/blob/sycl/sycl/doc/developer/DockerBKMs.md#changing-docker-user? |
Extended build containers action with an extra argument which specifies a password that will be assigned to the `sycl_ci` user created within containers. For now this new secret is unused, so this changes is expected to have no impact on our CI. This is outlined from #16361 to improve testing for that PR: for security reasons actions are only invoked from the default branch and never from a PR branch. Therefore, to actually test that this secret is properly used without errors we need to update the action first.
Good point, I wasn't aware of that documentation, I will update it as well. In general, this change warrants a discussion, I believe, because short summary of what I do is making those images less useable for anyone else. I will initiate some discussion about that. |
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
Documentation was updated in 8d931df. The concern I had is resolved, so no extra discussions are necessary besides this code review. |
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
AlexeySachkov
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
|
So, due to the way GH operates which has to do with security, there is no way to test this PR (more or less properly) when its submitted from a fork. #16411 is a re-submit which is made from within the repo to properly test this. |
This is a re-submit of #16290 with fixes from #16324 and some more extra changes.
Issues addressed:
See https://avd.aquasec.com/misconfig/ds017
See https://avd.aquasec.com/misconfig/ds002
Issues remaining:
See https://avd.aquasec.com/misconfig/ds026
I didn't add
HEALTHCHECKcommand to our containers, because I don't know if that makes sense and which command to launch. I.e. our containers they only provide some pre-installed tools, but they don't launch any services which we could check.Other notable changes:
sycluser creation was outlined into a separate helper script and that user requires password to usesudo.