fix(docker): multi-arch image build (amd64+arm64) -- closes #223 #445
Open: TheAuditorTool wants to merge 1 commit into OWASP-Benchmark:master from TheAuditorTool:fix/multi-arch-docker
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # ------------------------------------------------------------------ | ||
| # INACTIVE BY DEFAULT -- manual trigger only (workflow_dispatch). | ||
| # | ||
| # This workflow builds and publishes a multi-architecture Docker image | ||
| # (linux/amd64 + linux/arm64) to Docker Hub. | ||
| # | ||
| # TO ACTIVATE: | ||
| # 1. Add two repository secrets (Settings > Secrets and variables > Actions): | ||
| # DOCKERHUB_USERNAME - your Docker Hub username | ||
| # DOCKERHUB_TOKEN - a Docker Hub access token (not your password) | ||
| # 2. Optionally add automatic triggers by uncommenting the lines below: | ||
| # push: | ||
| # branches: [master] | ||
| # paths: ['VMs/Dockerfile'] | ||
| # release: | ||
| # types: [published] | ||
| # | ||
| # Until you do both steps, this workflow does nothing on its own. | ||
| # ------------------------------------------------------------------ | ||
|
|
||
| name: Docker Publish | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| # Uncomment the triggers below when ready to automate: | ||
| # push: | ||
| # branches: [master] | ||
| # paths: ['VMs/Dockerfile'] | ||
| # release: | ||
| # types: [published] | ||
|
|
||
| env: | ||
| IMAGE_NAME: owasp/benchmark | ||
| PLATFORMS: linux/amd64,linux/arm64 | ||
|
|
||
| jobs: | ||
| build-and-push: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up QEMU (multi-arch emulation) | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Log in to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Build and push multi-arch image | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: VMs | ||
| file: VMs/Dockerfile | ||
| platforms: ${{ env.PLATFORMS }} | ||
| push: true | ||
| tags: ${{ env.IMAGE_NAME }}:latest |
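Review bot: the third-party actions in this workflow are pinned only to mutable major tags (`uses: actions/checkout@v4`, `uses: docker/login-action@v3`, `uses: docker/build-push-action@v6`), yet the job reads the `DOCKERHUB_TOKEN` secret and publishes to `owasp/benchmark`; pin each `uses:` to a full commit SHA (keeping the version in a trailing comment) so that a re-tagged action cannot run with the registry credential. Two smaller points on the same hunk: `tags: ${{ env.IMAGE_NAME }}:latest` is the only tag, so a broken multi-arch build overwrites the previous image with nothing to roll back to; adding a second tag such as `${{ env.IMAGE_NAME }}:${{ github.sha }}` keeps an immutable reference. And because `workflow_dispatch` can be run from any branch, consider gating the publish step with `if: github.ref == 'refs/heads/master'` so a dispatch from a feature branch cannot replace `:latest`.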
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,44 +1,45 @@ | ||
| # This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava | ||
| FROM ubuntu:latest | ||
| FROM ubuntu:22.04 | ||
| LABEL org.opencontainers.image.authors="Dave Wichers dave.wichers@owasp.org" | ||
|
|
||
| RUN apt-get update | ||
| RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata | ||
| RUN apt-get install -q -y \ | ||
| openjdk-17-jre-headless \ | ||
| openjdk-17-jdk \ | ||
| git \ | ||
| maven \ | ||
| wget \ | ||
| iputils-ping \ | ||
| && apt-get clean | ||
| RUN apt-get update \ | ||
| && DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata \ | ||
| && apt-get install -q -y \ | ||
| openjdk-17-jre-headless \ | ||
| openjdk-17-jdk \ | ||
| git \ | ||
| maven \ | ||
| wget \ | ||
| iputils-ping \ | ||
| && apt-get clean \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| RUN mkdir /owasp | ||
| WORKDIR /owasp | ||
|
|
||
| # Download, build, install Benchmark Utilities required by crawler and scorecard generation | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git | ||
| WORKDIR /owasp/BenchmarkUtils | ||
| RUN mvn install | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git \ | ||
| && cd BenchmarkUtils \ | ||
| && mvn install | ||
|
|
||
| # Download, build BenchmarkJava | ||
| WORKDIR /owasp | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkJava | ||
|
|
||
| # Workaround for security fix for CVE-2022-24765 | ||
| RUN git config --global --add safe.directory /owasp/BenchmarkJava | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkJava \ | ||
| && git config --global --add safe.directory /owasp/BenchmarkJava \ | ||
| && cd BenchmarkJava \ | ||
| && mvn clean package cargo:install | ||
|
|
||
| WORKDIR /owasp/BenchmarkJava | ||
| RUN mvn clean package cargo:install | ||
|
|
||
| RUN useradd -d /home/bench -m -s /bin/bash bench | ||
| RUN echo bench:bench | chpasswd | ||
| RUN useradd -d /home/bench -m -s /bin/bash bench \ | ||
| && echo bench:bench | chpasswd | ||
|
|
||
| RUN chown -R bench /owasp/ | ||
| ENV PATH=/owasp/BenchmarkJava:$PATH | ||
|
|
||
| # start up Benchmark once, for 60 seconds, then kill it, so the additional dependencies required to run it are downloaded/cached in the image as well. | ||
| # exit 0 is required to return a 'success' code, otherwise the timeout returns a failure code, causing the Docker build to fail. | ||
| # Start up Benchmark once for 60 seconds then kill it, so additional runtime | ||
| # dependencies are downloaded and cached in the image. | ||
| # exit 0 prevents the timeout return code from failing the Docker build. | ||
| WORKDIR /owasp/BenchmarkJava | ||
| RUN timeout 60 ./runBenchmark.sh; exit 0 | ||
|
|
||
| EXPOSE 8443 | ||
| CMD ["./runBenchmark.sh"] | ||
|
|
||
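Review bot: the rewritten `RUN useradd -d /home/bench -m -s /bin/bash bench && echo bench:bench | chpasswd` carries over a fixed, publicly known password for the `bench` account, and nothing in this hunk switches to that account (there is no `USER bench` before `CMD ["./runBenchmark.sh"]`, so the service still runs as root); since the line is being restructured anyway, drop the `chpasswd` step and add `USER bench` after the `RUN timeout 60 ./runBenchmark.sh; exit 0` warm-up, which the existing `RUN chown -R bench /owasp/` already prepares for (placing it after the warm-up matters because the Maven cache that run populates lives in the home directory of whichever user performs it). Second, both `git clone https://github.com/OWASP-Benchmark/...` calls fetch the upstream default branch at build time, so two runs of the same Dockerfile can yield different images per architecture; checking out a known tag or commit after the clone makes the multi-arch publish reproducible. On `FROM ubuntu:22.04` replacing `FROM ubuntu:latest`: pinning the base is the right call for a published multi-arch image (a digest pin, `ubuntu:22.04@sha256:<digest>`, would be stricter still); if the maintainers prefer `latest`, the base then drifts between builds with no record of which release produced a given image.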
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,16 +1,28 @@ | ||
| # Pull in latest version of ubuntu. This builds an image using the OS native to this platform. | ||
| docker pull ubuntu:latest | ||
| # Remove any ubuntu:<none> image if it was left behind by a new version of ubuntu:latest being pulled | ||
| i=$(docker images | grep "ubuntu" | grep "<none" | awk '{print $3}') | ||
| if [ "$i" ] | ||
| then | ||
| docker rmi $i | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
|
|
||
| IMAGE="owasp/benchmark" | ||
| TAG="latest" | ||
| PLATFORMS="linux/amd64,linux/arm64" | ||
| BUILDER_NAME="benchmark-multiarch" | ||
|
|
||
| # Create (or re-use) a buildx builder that supports multi-platform builds. | ||
| if ! docker buildx inspect "$BUILDER_NAME" >/dev/null 2>&1; then | ||
| echo "Creating buildx builder: $BUILDER_NAME" | ||
| docker buildx create --name "$BUILDER_NAME" --use | ||
| else | ||
| docker buildx use "$BUILDER_NAME" | ||
| fi | ||
|
|
||
| # Since Docker doesn't auto delete anything, just like for the Ubuntu update, delete any existing benchmark:latest image before building a new one | ||
| docker image rm benchmark:latest | ||
| docker build -t benchmark . | ||
| # Build and push a multi-architecture image in one step. | ||
| # --push is required because multi-arch manifest lists cannot be loaded into | ||
| # the local daemon. The image is pushed directly to Docker Hub. | ||
| echo "Building ${IMAGE}:${TAG} for ${PLATFORMS} ..." | ||
| docker buildx build \ | ||
| --platform "$PLATFORMS" \ | ||
| --tag "${IMAGE}:${TAG}" \ | ||
| --push \ | ||
| . | ||
|
|
||
| # Once verified/tested, to publish an update to the OWASP Benchmark Docker image, run the following: | ||
| # docker push owasp/benchmark:latest | ||
| echo "Done. Published ${IMAGE}:${TAG} for ${PLATFORMS}." | ||
|
|
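Review bot: `docker buildx build --platform "$PLATFORMS" --tag "${IMAGE}:${TAG}" --push .` publishes to Docker Hub unconditionally, which changes what this script is for: the old version built `benchmark:latest` locally and left publishing as a separate, commented-out `# docker push owasp/benchmark:latest` step, whereas now every invocation, including a local test build, needs push credentials and overwrites the public `:latest` tag before anything has been verified. Suggest keeping a local path, for example a `PUSH=${PUSH:-false}` variable that selects `--push` when true and `--load` with a single native `--platform` otherwise, so the image can be run and tested before it is released. Two further points: with `TAG="latest"` as the only tag there is no immutable reference for rollback, so add a git short-SHA tag alongside it (matching the workflow); and building `linux/arm64` on an amd64 host requires QEMU binfmt handlers to be registered, which the workflow handles via `docker/setup-qemu-action@v3` but this script does not check, so a missing handler only surfaces as a mid-build `exec format error`. A short pre-flight check of `docker buildx inspect "$BUILDER_NAME"` output for the requested platforms would give a clearer failure.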
Shouldn't this simply be latest, like it was previously?