Merge branch 'release/v12.14-2'

Author: cbeyer42

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v12.14-2] - 2023-04-21
+### Changed
+- [#20] Upgrade Base Image to 3.17.3-2
+
+### Security
+- [#20] Fixed CVE-2023-27536, CVE-2023-27536 and some others
+
 ## [v12.14-1] - 2023-03-14
 ### Changed
 - Upgrade to PostgreSQL 12.14; #18

Dockerfile

@@ -1,13 +1,29 @@
-FROM registry.cloudogu.com/official/base:3.17.1-1
+FROM registry.cloudogu.com/official/base:3.17.3-2 as builder
+
+ENV GOSU_SHA256=0f25a21cf64e58078057adc78f38705163c1d564a959ff30a891c31917011a54
+
+WORKDIR /build
+
+RUN set -x -o errexit \
+ && set -o nounset \
+ && set -o pipefail \
+ && apk update \
+ && apk upgrade \
+ && apk add wget \
+ && mkdir -p /build/usr/local/bin \
+ && wget --progress=bar:force:noscroll -O /build/usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64" \
+ && echo "${GOSU_SHA256} */build/usr/local/bin/gosu" | sha256sum -c - \
+ && chmod +x /build/usr/local/bin/gosu
+
+FROM registry.cloudogu.com/official/base:3.17.3-2
 
 LABEL NAME="official/postgresql" \
-        VERSION="12.14-1" \
+        VERSION="12.14-2" \
         maintainer="[email protected]"
 
 ENV LANG=en_US.utf8 \
     PGDATA=/var/lib/postgresql \
-    POSTGRESQL_VERSION=12.14-r0 \
-    GOSU_SHA256=0f25a21cf64e58078057adc78f38705163c1d564a959ff30a891c31917011a54
+    POSTGRESQL_VERSION=12.14-r0
 
 # install postgresql and gosu
 # Note: the current postgresql version from alpine is installed
@@ -17,14 +33,10 @@ RUN set -x -o errexit \
  && set -o pipefail \
  && apk update \
  && apk upgrade \
- && apk add --update postgresql12="${POSTGRESQL_VERSION}" \
- && wget --progress=bar:force:noscroll "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64" \
- && echo "${GOSU_SHA256} *gosu-amd64" | sha256sum -c - \
- && mv /gosu-amd64 /usr/local/bin/gosu \
- && chmod +x /usr/local/bin/gosu \
- && rm -rf /var/cache/apk/*
+ && apk add --no-cache --update postgresql12="${POSTGRESQL_VERSION}"
 
 COPY resources/ /
+COPY --from=builder /build /
 
 VOLUME ["/var/lib/postgresql"]
 

Jenkinsfile

@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/ces-build-lib@1.48.0', 'github.com/cloudogu/dogu-build-lib@v1.6.0'])
+@Library(['github.com/cloudogu/ces-build-lib@1.64.1', 'github.com/cloudogu/dogu-build-lib@v2.0.0'])
 import com.cloudogu.ces.cesbuildlib.*
 import com.cloudogu.ces.dogubuildlib.*
 
@@ -12,10 +12,16 @@ node('docker') {
             lintDockerfile()
             shellCheck('resources/backup-consumer.sh resources/create-sa.sh resources/pre-upgrade.sh resources/remove-sa.sh resources/startup.sh resources/upgrade-notification.sh')
         }
+
+        stage('Check Markdown Links') {
+            Markdown markdown = new Markdown(this, "3.11.0")
+            markdown.check()
+        }
 }
 
 node('vagrant') {
 
+    String doguName = 'postgresql'
     Git git = new Git(this, 'cesmarvin')
     git.committerName = 'cesmarvin'
     git.committerEmail = '[email protected]'

Makefile

@@ -1,4 +1,4 @@
-MAKEFILES_VERSION=4.2.0
+MAKEFILES_VERSION=7.5.0
 
 .DEFAULT_GOAL:=dogu-release
 

build/make/bats.mk

@@ -0,0 +1,64 @@
+WORKSPACE=/workspace
+BATS_LIBRARY_DIR=$(TARGET_DIR)/bats_libs
+TESTS_DIR=$(WORKDIR)/batsTests
+BASH_TEST_REPORT_DIR=$(TARGET_DIR)/shell_test_reports
+BASH_TEST_REPORTS=$(BASH_TEST_REPORT_DIR)/TestReport-*.xml
+BATS_ASSERT=$(BATS_LIBRARY_DIR)/bats-assert
+BATS_MOCK=$(BATS_LIBRARY_DIR)/bats-mock
+BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
+BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
+BATS_BASE_IMAGE?=bats/bats
+BATS_CUSTOM_IMAGE?=cloudogu/bats
+BATS_TAG?=1.2.1
+BATS_DIR=build/make/bats
+BATS_WORKDIR="${WORKDIR}"/"${BATS_DIR}"
+
+.PHONY unit-test-shell:
+unit-test-shell: unit-test-shell-$(ENVIRONMENT)
+
+$(BATS_ASSERT):
+	@git clone --depth 1 https://github.com/bats-core/bats-assert $@
+
+$(BATS_MOCK):
+	@git clone --depth 1 https://github.com/grayhemp/bats-mock $@
+
+$(BATS_SUPPORT):
+	@git clone --depth 1 https://github.com/bats-core/bats-support $@
+
+$(BATS_FILE):
+	@git clone --depth 1 https://github.com/bats-core/bats-file $@
+
+$(BASH_SRC):
+	BASH_SRC:=$(shell find "${WORKDIR}" -type f -name "*.sh")
+
+${BASH_TEST_REPORT_DIR}: $(TARGET_DIR)
+	@mkdir -p $(BASH_TEST_REPORT_DIR)
+
+unit-test-shell-ci: $(BASH_SRC) $(BASH_TEST_REPORT_DIR) $(BATS_ASSERT) $(BATS_MOCK) $(BATS_SUPPORT) $(BATS_FILE)
+	@echo "Test shell units on CI server"
+	@make unit-test-shell-generic
+
+unit-test-shell-local: $(BASH_SRC) $(PASSWD) $(ETCGROUP) $(HOME_DIR) buildTestImage $(BASH_TEST_REPORT_DIR) $(BATS_ASSERT) $(BATS_MOCK) $(BATS_SUPPORT) $(BATS_FILE)
+	@echo "Test shell units locally (in Docker)"
+	@docker run --rm \
+		-v $(HOME_DIR):/home/$(USER) \
+		-v $(WORKDIR):$(WORKSPACE) \
+		-w $(WORKSPACE) \
+		--entrypoint="" \
+		$(BATS_CUSTOM_IMAGE):$(BATS_TAG) \
+		"${BATS_DIR}"/customBatsEntrypoint.sh make unit-test-shell-generic-no-junit
+
+unit-test-shell-generic:
+	@bats --formatter junit --output ${BASH_TEST_REPORT_DIR} ${TESTS_DIR}
+
+unit-test-shell-generic-no-junit:
+	@bats ${TESTS_DIR}
+
+.PHONY buildTestImage:
+buildTestImage:
+	@echo "Build shell test container"
+	@cd $(BATS_WORKDIR) && docker build \
+		--build-arg=BATS_BASE_IMAGE=${BATS_BASE_IMAGE} \
+		--build-arg=BATS_TAG=${BATS_TAG} \
+		-t ${BATS_CUSTOM_IMAGE}:${BATS_TAG} \
+		.

build/make/bats/Dockerfile

@@ -0,0 +1,7 @@
+ARG BATS_BASE_IMAGE
+ARG BATS_TAG
+
+FROM ${BATS_BASE_IMAGE}:${BATS_TAG}
+
+# Make bash more findable by scripts and tests
+RUN apk add make git bash

build/make/bats/customBatsEntrypoint.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+"$@"

build/make/bower.mk

@@ -1,7 +1,9 @@
+##@ Bower dependency management
+
 BOWER_JSON=$(WORKDIR)/bower.json
 
 .PHONY: bower-install
-bower-install: $(BOWER_TARGET)
+bower-install: $(BOWER_TARGET) ## Execute yarn run bower (in Docker)
 
 ifeq ($(ENVIRONMENT), ci)
 
@@ -19,7 +21,7 @@ $(BOWER_TARGET): $(BOWER_JSON) $(PASSWD) $(YARN_TARGET)
 	  -v $(PASSWD):/etc/passwd:ro \
 	  -v $(WORKDIR):$(WORKDIR) \
 	  -w $(WORKDIR) \
-	  node:8 \
+	  node:$(NODE_VERSION) \
 	  yarn run bower
 	@touch $@
 

build/make/build.mk

@@ -1,24 +1,28 @@
+##@ Compiling go software
+
 ADDITIONAL_LDFLAGS?=-extldflags -static
 LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)"
-GOIMAGE?=cloudogu/golang
-GOTAG?=1.10.2-2
+GOIMAGE?=golang
+GOTAG?=1.14.13
 GOOS?=linux
 GOARCH?=amd64
 PRE_COMPILE?=
 GO_ENV_VARS?=
+CUSTOM_GO_MOUNT?=-v /tmp:/tmp
+GO_BUILD_FLAGS?=-mod=vendor -a -tags netgo $(LDFLAGS) -installsuffix cgo -o $(BINARY)
 
 .PHONY: compile
-compile: $(BINARY)
+compile: $(BINARY) ## Compile the go program via Docker
 
-compile-ci:
+compile-ci: ## Compile the go program without Docker
 	@echo "Compiling (CI)..."
 	make compile-generic
 
 compile-generic:
 	@echo "Compiling..."
 # here is go called without mod capabilities because of error "go: error loading module requirements"
 # see https://github.com/golang/go/issues/30868#issuecomment-474199640
-	@$(GO_ENV_VARS) go build -a -tags netgo $(LDFLAGS) -installsuffix cgo -o $(BINARY)
+	@$(GO_ENV_VARS) go build $(GO_BUILD_FLAGS)
 
 
 ifeq ($(ENVIRONMENT), ci)
@@ -29,17 +33,19 @@ $(BINARY): $(SRC) vendor $(PRE_COMPILE)
 
 else
 
-$(BINARY): $(SRC) vendor $(PASSWD) $(HOME_DIR) $(PRE_COMPILE)
+$(BINARY): $(SRC) vendor $(PASSWD) $(ETCGROUP) $(HOME_DIR) $(PRE_COMPILE)
 	@echo "Building locally (in Docker)"
 	@docker run --rm \
-	 -e GOOS=$(GOOS) \
-	 -e GOARCH=$(GOARCH) \
-	 -u "$(UID_NR):$(GID_NR)" \
-	 -v $(PASSWD):/etc/passwd:ro \
-	 -v $(HOME_DIR):/home/$(USER) \
-	 -v $(WORKDIR):/go/src/github.com/cloudogu/$(ARTIFACT_ID) \
-	 -w /go/src/github.com/cloudogu/$(ARTIFACT_ID) \
-	 $(GOIMAGE):$(GOTAG) \
+		-e GOOS=$(GOOS) \
+		-e GOARCH=$(GOARCH) \
+		-u "$(UID_NR):$(GID_NR)" \
+		-v $(PASSWD):/etc/passwd:ro \
+		-v $(ETCGROUP):/etc/group:ro \
+		-v $(HOME_DIR):/home/$(USER) \
+		-v $(WORKDIR):/go/src/github.com/cloudogu/$(ARTIFACT_ID) \
+		$(CUSTOM_GO_MOUNT) \
+		-w /go/src/github.com/cloudogu/$(ARTIFACT_ID) \
+		$(GOIMAGE):$(GOTAG) \
   make compile-generic
 
 endif

build/make/clean.mk

@@ -1,10 +1,13 @@
+##@ Cleaning
+
 .PHONY: clean
-clean: $(ADDITIONAL_CLEAN)
+clean: $(ADDITIONAL_CLEAN) ## Remove target and tmp directories
 	rm -rf ${TARGET_DIR}
 	rm -rf ${TMP_DIR}
+	rm -rf ${UTILITY_BIN_PATH}
 
 .PHONY: dist-clean
-dist-clean: clean
+dist-clean: clean ## Remove all generated directories
 	rm -rf node_modules
 	rm -rf public/vendor
 	rm -rf vendor

build/make/dependencies-glide.mk

@@ -1,5 +1,7 @@
+##@ Go mod dependency management
+
 .PHONY: dependencies
-dependencies: vendor
+dependencies: vendor ## Install dependencies using go mod
 
 vendor: go.mod go.sum
 	@echo "Installing dependencies using go modules..."

build/make/dependencies-godep.mk

@@ -1,3 +1,5 @@
+##@ Debian package deployment
+
 # This Makefile holds all targets for deploying and undeploying
 # Uses the variable APT_REPO to determine which apt repos should be used to deploy
 
@@ -21,11 +23,8 @@ ifeq ($(APT_REPO), ces-premium)
 	@echo "... add package to ces-premium repository"
 	@$(APTLY) -X POST "${APT_API_BASE_URL}/repos/ces-premium/file/$$(basename ${DEBIAN_PACKAGE})"
 else
-	@echo "... add package to ces and xenial repositories"
-	# heads up: For migration to a new repo structure we use two repos, new (ces) and old (xenial)
-	# '?noRemove=1': aptly removes the file on success. This leads to an error on the second package add. Keep it this round
-	@$(APTLY) -X POST "${APT_API_BASE_URL}/repos/ces/file/$$(basename ${DEBIAN_PACKAGE})?noRemove=1"
-	@$(APTLY) -X POST "${APT_API_BASE_URL}/repos/xenial/file/$$(basename ${DEBIAN_PACKAGE})"
+	@echo "\n... add package to ces repository"
+	@$(APTLY) -X POST "${APT_API_BASE_URL}/repos/ces/file/$$(basename ${DEBIAN_PACKAGE})"
 endif
 
 define aptly_publish
@@ -34,17 +33,16 @@ endef
 
 .PHONY: publish
 publish:
-	@echo "... publish packages"
+	@echo "\n... publish packages"
 ifeq ($(APT_REPO), ces-premium)
 	@$(call aptly_publish,ces-premium,bionic)
 else
-	@$(call aptly_publish,xenial,xenial)
-	@$(call aptly_publish,ces,xenial)
+	@$(call aptly_publish,ces,focal)
 	@$(call aptly_publish,ces,bionic)
 endif
 
 .PHONY: deploy
-deploy: add-package-to-repo publish
+deploy: add-package-to-repo publish ## Deploy package to apt repository
 
 define aptly_undeploy
 	PREF=$$(${APTLY} "${APT_API_BASE_URL}/repos/$(1)/packages?q=${ARTIFACT_ID}%20(${VERSION})"); \
@@ -56,13 +54,12 @@ remove-package-from-repo:
 ifeq ($(APT_REPO), ces-premium)
 	@$(call aptly_undeploy,ces-premium)
 else
-	@$(call aptly_undeploy,xenial)
 	@$(call aptly_undeploy,ces)
 endif
 
 .PHONY: undeploy
-undeploy: deploy-check remove-package-from-repo publish
+undeploy: deploy-check remove-package-from-repo publish ## Undeploy package from apt repository
 
 .PHONE: lint-deb-package
-lint-deb-package: debian
+lint-deb-package: debian ## Lint debian package
 	@lintian -i $(DEBIAN_PACKAGE)