diff --git a/Earthfile b/Earthfile
index 0fb811f..b11bd80 100644
--- a/Earthfile
+++ b/Earthfile
@@ -36,7 +36,7 @@ ARG IMAGE_REPOSITORY_ORG=quay.io/kairos
 all:
- BUILD +docker
+ BUILD +image
 BUILD +image-sbom
 BUILD +trivy-scan
 BUILD +grype-scan
@@ -45,7 +45,7 @@ all:
 BUILD +ipxe-iso
 all-arm:
- BUILD --platform=linux/arm64 +docker
+ BUILD --platform=linux/arm64 +image
 BUILD +image-sbom
 BUILD +trivy-scan
 BUILD +grype-scan
@@ -208,7 +208,8 @@ syft:
 SAVE ARTIFACT /syft syft
 image-sbom:
- FROM +docker
+ # Use base-image so it can read original os-release file
+ FROM +base-image
 WORKDIR /build
 COPY +version/VERSION ./
 ARG VERSION=$(cat VERSION)
@@ -295,7 +296,7 @@ framework-image:
 COPY (+framework/framework --VERSION=$VERSION --FLAVOR=$FLAVOR) /
 SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FLAVOR}
-docker:
+base-image:
 ARG FLAVOR
 ARG VARIANT
 IF [ "$BASE_IMAGE" = "" ]
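Review bot: With `FROM +base-image` the SBOM now describes an image that is never published; `+image` (the `@@ -416` hunk) is what `SAVE IMAGE $IMAGE` saves and pushes, so a consumer pairing this SBOM with the pushed image digest will not find a matching image ID. From what the diff shows, `+image` only layers the `+OSRELEASE` rewrite on top of `+base-image`, so the package inventory should be identical and the switch is presumably there because the rewritten os-release breaks the scanner's distro detection. The added comment should record both facts, e.g. `# Scan +base-image rather than +image: +OSRELEASE replaces /etc/os-release, which the scanner needs for distro detection; package content is the same, only the image ID differs`. The trivy-scan (`@@ -531`) and grype-scan (`@@ -551`) hunks make the same switch and need the same note.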
@@ -315,39 +316,15 @@ docker:
 ELSE
 ARG OS_VERSION=${KAIROS_VERSION}
 END
-
- ARG OS_ID
- ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
- ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
- ARG OS_LABEL=latest
 # Includes overlay/files
 COPY (+framework/framework --FLAVOR=$FLAVOR --VERSION=$OS_VERSION) /
- DO +OSRELEASE --HOME_URL=https://github.com/kairos-io/kairos --BUG_REPORT_URL=https://github.com/kairos-io/kairos/issues --GITHUB_REPO=kairos-io/kairos --VARIANT=${VARIANT} --FLAVOR=${FLAVOR} --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}
- RUN rm -rf /etc/machine-id && touch /etc/machine-id && chmod 444 /etc/machine-id
 # Avoid to accidentally push keys generated by package managers
 RUN rm -rf /etc/ssh/ssh_host_*
- # Copy flavor-specific overlay files
- IF [[ "$FLAVOR" =~ "alpine" ]]
- COPY overlay/files-alpine/ /
- END
-
- IF [ "$FLAVOR" = "opensuse" ] || [ "$FLAVOR" = "opensuse-tumbleweed" ]
- COPY overlay/files-opensuse/ /
- ELSE IF [ "$FLAVOR" = "alpine-arm-rpi" ]
- COPY overlay/files-opensuse-arm-rpi/ /
- ELSE IF [ "$FLAVOR" = "opensuse-leap-arm-rpi" ] || [ "$FLAVOR" = "opensuse-tumbleweed-arm-rpi" ]
- COPY overlay/files-opensuse-arm-rpi/ /
- ELSE IF [ "$FLAVOR" = "fedora" ] || [ "$FLAVOR" = "rockylinux" ]
- COPY overlay/files-fedora/ /
- ELSE IF [ "$FLAVOR" = "debian" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "ubuntu-20-lts" ] || [ "$FLAVOR" = "ubuntu-22-lts" ]
- COPY overlay/files-ubuntu/ /
- END
-
 # Enable services
 IF [ -f /sbin/openrc ]
 RUN mkdir -p /etc/runlevels/default && \
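Review bot: The `RUN rm -rf /etc/machine-id && touch /etc/machine-id && chmod 444 /etc/machine-id` reset is removed here but does not reappear in the new `+image` target (`@@ -416` hunk), while the neighbouring `RUN rm -rf /etc/ssh/ssh_host_*` is kept; unless the reset moved into `+framework` or `+OSRELEASE` in a hunk not shown, a base image that already ships a populated /etc/machine-id will now give every node booted from the published image the same identifier. If the move was intentional, a comment after the remaining `RUN rm -rf /etc/ssh/ssh_host_*` naming where the machine-id reset now lives would save the next reader the same question; otherwise restore the line right below it. The flavor-specific overlay `COPY` blocks are dropped with no replacement visible in this diff either, so the same question applies to them. The `base-image` target starts before this hunk (the `ELSE` opens mid-`IF`) and continues after it (the final `RUN` ends with a continuation).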
@@ -416,10 +393,29 @@ docker:
 RUN rm -rf /tmp/*
+image:
+ FROM +base-image
+ ARG FLAVOR
+ ARG VARIANT
+ ARG KAIROS_VERSION
+ IF [ "$KAIROS_VERSION" = "" ]
+ COPY +version/VERSION ./
+ ARG VERSION=$(cat VERSION)
+ RUN echo "version ${VERSION}"
+ ARG OS_VERSION=${VERSION}
+ RUN rm VERSION
+ ELSE
+ ARG OS_VERSION=${KAIROS_VERSION}
+ END
+ ARG OS_ID
+ ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
+ ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
+ ARG OS_LABEL=latest
+ DO +OSRELEASE --HOME_URL=https://github.com/kairos-io/kairos --BUG_REPORT_URL=https://github.com/kairos-io/kairos/issues --GITHUB_REPO=kairos-io/kairos --VARIANT=${VARIANT} --FLAVOR=${FLAVOR} --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}
 SAVE IMAGE $IMAGE
-docker-rootfs:
- FROM +docker
+image-rootfs:
+ FROM +image
 SAVE ARTIFACT --keep-own /. rootfs
 ###
@@ -434,7 +430,7 @@ iso:
 FROM $OSBUILDER_IMAGE
 WORKDIR /build
 COPY . ./
- COPY --keep-own +docker-rootfs/rootfs /build/image
+ COPY --keep-own +image-rootfs/rootfs /build/image
 RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --squash-no-compression --date=false dir:/build/image --overlay-iso /build/${overlay} --output /build/
 SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
 SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
@@ -473,7 +469,7 @@ arm-image:
 ENV RECOVERY_SIZE="4200"
 ENV SIZE="15200"
 ENV DEFAULT_ACTIVE_SIZE="2000"
- COPY --platform=linux/arm64 +docker-rootfs/rootfs /build/image
+ COPY --platform=linux/arm64 +image-rootfs/rootfs /build/image
 # With docker is required for loop devices
 WITH DOCKER --allow-privileged
 RUN /build-arm-image.sh --model $MODEL --directory "/build/image" /build/$IMAGE_NAME
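Review bot: The `IF [ "$KAIROS_VERSION" = "" ] … END` block in the new `+image` target repeats the version derivation that `+base-image` already performs (its `ELSE` / `ARG OS_VERSION=${KAIROS_VERSION}` / `END` tail is visible as context in the `@@ -315` hunk), so the two copies can drift apart; if Earthly's ARG scoping forces the repetition, a one-line comment such as `# OS_VERSION is re-derived here because ARGs set in +base-image are not visible after FROM +base-image` would stop the next reader from trying to fold them. The `RUN echo "version ${VERSION}"` line reads like a leftover debug print, and together with the `COPY +version/VERSION ./` / `RUN rm VERSION` pair it adds layers to the image that `SAVE IMAGE $IMAGE` publishes, so dropping the echo is cheap. `ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}` hard-codes the registry org that `IMAGE_REPOSITORY_ORG` (visible in the `@@ -36` hunk header) parameterizes elsewhere; this is carried over from the old `docker:` target rather than introduced here, but it is now the only copy and worth a follow-up.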
@@ -531,7 +527,8 @@ trivy:
 SAVE ARTIFACT /usr/local/bin/trivy /trivy
 trivy-scan:
- FROM +docker
+ # Use base-image so it can read original os-release file
+ FROM +base-image
 COPY +trivy/trivy /trivy
 COPY +trivy/contrib /contrib
 COPY +version/VERSION ./
@@ -551,15 +548,16 @@ grype:
 SAVE ARTIFACT /grype /grype
 grype-scan:
- FROM +docker
+ # Use base-image so it can read original os-release file
+ FROM +base-image
 COPY +grype/grype /grype
 COPY +version/VERSION ./
 ARG VERSION=$(cat VERSION)
 ARG FLAVOR
 ARG VARIANT
 WORKDIR /build
- RUN /grype dir:/ --output sarif --file report.sarif
- RUN /grype dir:/ --output json --file report.json
+ RUN /grype dir:/ --output sarif --add-cpes-if-none --file report.sarif
+ RUN /grype dir:/ --output json --add-cpes-if-none --file report.json
 SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.sarif
 SAVE ARTIFACT /build/report.json report.json AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-grype.json
@@ -574,7 +572,7 @@ linux-bench:
 # However, some checks are relevant as well at container level.
 # It is good enough for a quick assessment.
 linux-bench-scan:
- FROM +docker
+ FROM +image
 GIT CLONE https://github.com/aquasecurity/linux-bench /build/linux-bench
 WORKDIR /build/linux-bench
 COPY +linux-bench/linux-bench /build/linux-bench/linux-bench
@@ -825,7 +823,7 @@ temp-image:
 ARG TTL_IMAGE = "ttl.sh/${NAME}:${EXPIRATION}"
- FROM +docker
+ FROM +image
 SAVE IMAGE --push $TTL_IMAGE
 generate-schema:
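Review bot: `--add-cpes-if-none` on the two `RUN /grype dir:/` lines in grype-scan makes grype generate CPEs for packages that carry none and match vulnerabilities against them, which widens coverage at the price of more false positives, and nothing in the hunk says why it became necessary; a comment above the first RUN, e.g. `# --add-cpes-if-none: packages without CPE data would otherwise be skipped by matching; expect some extra false positives to triage`, would record the trade-off. If the flag was added for the same reason as the switch to `+base-image` (distro or package identification failing on the rewritten os-release), saying so in the same comment ties the two changes together for whoever later revisits them. The grype-scan target may continue past the last `SAVE ARTIFACT` line shown here.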