From 58930ea8c063013f2ddcaa7020895021d7e761ad Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Tue, 21 May 2024 09:17:46 +0200
Subject: [PATCH] new(ci,docker): renamed driver-loader-legacy to driver-loader-buster. Moreover, ported docker images CI to new images.
Signed-off-by: Federico Di Pierro
---
.github/release_template.md | 15 ++--
.github/workflows/reusable_build_docker.yaml | 40 ++++-----
.../workflows/reusable_publish_docker.yaml | 86 ++++++++-----------
.../Dockerfile | 0
.../docker-entrypoint.sh | 2 +-
5 files changed, 58 insertions(+), 85 deletions(-)
rename docker/{driver-loader-legacy => driver-loader-buster}/Dockerfile (100%)
rename docker/{driver-loader-legacy => driver-loader-buster}/docker-entrypoint.sh (98%)
diff --git a/.github/release_template.md b/.github/release_template.md
index e4dc3e43..b69c6c7b 100644
--- a/.github/release_template.md
+++ b/.github/release_template.md
@@ -10,12 +10,11 @@
 | deb-aarch64 | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
 | tgz-aarch64 | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
-| Images |
-| --------------------------------------------------------------------------- |
-| `docker pull docker.io/falcosecurity/falco:FALCOVER` |
-| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER` |
-| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER` |
-| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER` |
-| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER` |
-| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER` |
+| Images |
+|---------------------------------------------------------------------------|
+| `docker pull docker.io/falcosecurity/falco:FALCOVER` |
+| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER` |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER` |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` |
+| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian` |
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index ff7c4736..df153f2b 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -41,35 +41,25 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- - name: Build no-driver image
- run: |
- cd ${{ github.workspace }}/docker/no-driver/
- docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
- --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
- --build-arg FALCO_VERSION=${{ inputs.version }} \
- --build-arg TARGETARCH=${TARGETARCH} \
- .
- docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
-
- - name: Build distroless image
- run: |
- cd ${{ github.workspace }}/docker/no-driver/
- docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \
- --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
- --build-arg FALCO_VERSION=${{ inputs.version }} \
- --build-arg TARGETARCH=${TARGETARCH} \
- .
- docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar
-
 - name: Build falco image
 run: |
 cd ${{ github.workspace }}/docker/falco/
 docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
+ --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
+ --build-arg FALCO_VERSION=${{ inputs.version }} \
+ --build-arg TARGETARCH=${TARGETARCH} \
+ .
+ docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
+
+ - name: Build falco-debian image
+ run: |
+ cd ${{ github.workspace }}/docker/falco-debian/
+ docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
 --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
 --build-arg FALCO_VERSION=${{ inputs.version }} \
 --build-arg TARGETARCH=${TARGETARCH} \
 .
- docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
+ docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar
 - name: Build falco-driver-loader image
 run: |
@@ -80,15 +70,15 @@ jobs:
 .
 docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
- - name: Build falco-driver-loader-legacy image
+ - name: Build falco-driver-loader-buster image
 run: |
- cd ${{ github.workspace }}/docker/driver-loader-legacy/
- docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
+ cd ${{ github.workspace }}/docker/driver-loader-buster/
+ docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
 --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
 --build-arg FALCO_VERSION=${{ inputs.version }} \
 --build-arg TARGETARCH=${TARGETARCH} \
 .
- docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
+ docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar
 - name: Upload images tarballs
 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml
index 47418527..1ba7767b 100644
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
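Review bot: The `docker save` added to the "Build falco image" step exports `docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }}`, but the image built a few lines above it is tagged `docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}` and the `falco-no-driver` build step is removed in this same hunk, so there is no such reference to save and the step will fail. The line should read `docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar`. The `path` list of the "Upload images tarballs" step is outside the hunk, so I cannot confirm it picks up the new `/tmp/falco-<arch>-debian.tar` and `/tmp/falco-driver-loader-<arch>-buster.tar` files that the publish workflow presumably loads; worth checking.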
@@ -64,42 +64,33 @@ jobs:
 # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
 - name: Push arch-specific images to Docker Hub
 run: |
- docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
- docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
- docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
- docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
 docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
 docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+ docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian
+ docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
 docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
 docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
- docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
- docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+ docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster
+ docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
- - name: Create no-driver manifest on Docker Hub
- uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
- with:
- inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
- images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
- push: true
-
- - name: Create distroless manifest on Docker Hub
- uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
- with:
- inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
- images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
- push: true
-
- - name: Tag slim manifest on Docker Hub
- run: |
- crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
-
- - name: Create falco manifest on Docker Hub
+ - name: Create Falco manifest on Docker Hub
 uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
 with:
 inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
 images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
 push: true
+ - name: Tag slim manifest on Docker Hub
+ run: |
+ crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
+
+ - name: Create falco-debian manifest on Docker Hub
+ uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+ with:
+ inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
+ images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
+ push: true
+
 - name: Create falco-driver-loader manifest on Docker Hub
 uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
 with:
@@ -107,47 +98,42 @@ jobs:
 images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
 push: true
- - name: Create falco-driver-loader-legacy manifest on Docker Hub
+ - name: Create falco-driver-loader-buster manifest on Docker Hub
 uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
 with:
- inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
- images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+ inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
+ images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
 push: true
 - name: Get Digests for images
 id: digests
 # We could probably use the docker-manifest-action output instead of recomputing those with crane
 run: |
- echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
- echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
 echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+ echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT
 echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
- echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+ echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT
 - name: Publish images to ECR
 run: |
- crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
- crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
 crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+ crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian
 crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
- crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
- crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+ crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
 - name: Tag latest on Docker Hub and ECR
 if: inputs.is_latest
 run: |
- crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
- crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
 crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
+ crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
 crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
- crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
+ crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
- crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
- crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
 crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
+ crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
 crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
- crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
+ crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
 - name: Setup Cosign
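Review bot: The "Publish images to ECR" step no longer creates `public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim`: the removed `crane copy public.ecr.aws/falcosecurity/falco-no-driver:… public.ecr.aws/falcosecurity/falco:…-slim` line was the only thing populating that tag and it gets no replacement, while the "Tag latest on Docker Hub and ECR" step below still runs `crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim`. On a release with `inputs.is_latest` set that `crane tag` will fail against a tag that does not exist in ECR, and on other releases ECR silently ships without the `-slim` alias that Docker Hub gets from the "Tag slim manifest" step in the previous hunk. Add `crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-slim public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim` to the ECR step, or `crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} ${{ inputs.tag }}-slim` to avoid a second copy of the same manifest. The Docker Hub `latest-slim` line is fine because its source tag is created earlier in this workflow.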
@@ -160,14 +146,12 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 COSIGN_YES: "true"
 run: |
- cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
- cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
- cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
- cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
- cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
+ cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+ cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+ cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+ cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
- cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
- cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
- cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
- cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
- cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
+ cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+ cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+ cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+ cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
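Review bot: The new `cosign sign` references put a `:latest`, `:latest-debian` or `:latest-buster` tag in front of the digest, but those tags are only created by the "Tag latest on Docker Hub and ECR" step when `inputs.is_latest` is true, and nothing visible in this hunk gates the signing step the same way (its step header is above the hunk). As far as I can tell cosign resolves a `name:tag@sha256:…` reference by the digest and ignores the tag, so the signatures still land on the right manifests, but the reference misleads a reader into thinking the `latest` tag was signed even for a non-latest release. Keep the digest-only form the removed lines used, e.g. `cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}`, or use `:${{ inputs.tag }}@…` if a tag is wanted for readability. Because the signature is bound to the digest, the `-slim` alias created from the same `falco` manifest earlier in the workflow is covered by the `falco` signature without a separate call.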
diff --git a/docker/driver-loader-legacy/Dockerfile b/docker/driver-loader-buster/Dockerfile
similarity index 100%
rename from docker/driver-loader-legacy/Dockerfile
rename to docker/driver-loader-buster/Dockerfile
diff --git a/docker/driver-loader-legacy/docker-entrypoint.sh b/docker/driver-loader-buster/docker-entrypoint.sh
similarity index 98%
rename from docker/driver-loader-legacy/docker-entrypoint.sh
rename to docker/driver-loader-buster/docker-entrypoint.sh
index 6ac26b76..72502b66 100755
--- a/docker/driver-loader-legacy/docker-entrypoint.sh
+++ b/docker/driver-loader-buster/docker-entrypoint.sh
@@ -21,7 +21,7 @@ print_usage() {
 echo ""
 echo "Usage:"
- echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
+ echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 echo ""
 echo "Available drivers:"
 echo " auto leverage automatic driver selection logic (default)"