From a277eff23ac3c941cd91b15087dacda9ee3a706b Mon Sep 17 00:00:00 2001 From: mburkert3 Date: Wed, 5 Jun 2024 19:08:43 -0400 Subject: [PATCH 01/26] NEXUS-42431-Alpine --- Dockerfile.alpine | 88 ++++++++++++++++++++++++ Jenkinsfile.alpine | 162 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 250 insertions(+) create mode 100644 Dockerfile.alpine create mode 100644 Jenkinsfile.alpine diff --git a/Dockerfile.alpine b/Dockerfile.alpine new file mode 100644 index 00000000..23ef4f8c --- /dev/null +++ b/Dockerfile.alpine 
@@ -0,0 +1,88 @@ +# Copyright (c) 2016-present Sonatype, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM alpine + +LABEL name="Nexus Repository Manager" \ + maintainer="Sonatype " \ + vendor=Sonatype \ + version="3.69.0-02" \ + release="3.69.0" \ + url="https://sonatype.com" \ + summary="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + description="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + run="docker run -d --name NAME \ + -p 8081:8081 \ + IMAGE" \ + stop="docker stop NAME" \ + com.sonatype.license="Apache License, Version 2.0" \ + com.sonatype.name="Nexus Repository Manager base image" \ + io.k8s.description="The Nexus Repository Manager server \ + with universal support for popular component formats." 
\ + io.k8s.display-name="Nexus Repository Manager" \ + io.openshift.expose-services="8081:8081" \ + io.openshift.tags="Sonatype,Nexus,Repository Manager" + +ARG NEXUS_VERSION=3.69.0-02 +ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz +ARG NEXUS_DOWNLOAD_SHA256_HASH=4161a1bb43d92ad8ca6185fa0da2c0f02dfd62280c5b6e4ac4419df4aecaf55f + +# configure nexus runtime +ENV SONATYPE_DIR=/opt/sonatype +ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ + NEXUS_DATA=/nexus-data \ + NEXUS_CONTEXT='' \ + SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ + DOCKER_TYPE='rh-docker' + +# Install Java & tar +RUN apk add openjdk8 tar procps gzip curl shadow \ + && apk cache clean \ + && groupadd --gid 201 -r nexus \ + && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' + +WORKDIR ${SONATYPE_DIR} + +# Download nexus & setup directories +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ + && chown -R nexus:nexus ${SONATYPE_WORK} \ + && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ + && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3 + +# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS +RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions + +RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && chmod a+x 
${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties + +RUN apk del gzip shadow + +VOLUME ${NEXUS_DATA} + +EXPOSE 8081 +USER nexus + +ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs" + +CMD ["/opt/sonatype/nexus/bin/nexus", "run"] diff --git a/Jenkinsfile.alpine b/Jenkinsfile.alpine new file mode 100644 index 00000000..d2c44365 --- /dev/null +++ b/Jenkinsfile.alpine 
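Review bot: The generated `start-nexus-repository-manager.sh` is written with a `#!/bin/bash` shebang, but nothing on the `apk add` line installs bash and the Alpine base ships only busybox `sh`, so the script cannot execute in this image; `CMD` happens not to use it, which is why the build still passes. Write `echo "#!/bin/sh" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh` (the body is `cd` plus `exec`, nothing bash-specific) or add `bash` to the package list. `FROM alpine` is also unpinned — no tag, no digest — so every `--no-cache` build pulls whatever `latest` is at that moment, which undoes the reproducibility the SHA-256 check on the Nexus tarball provides; pin it, e.g. `FROM alpine:<TAG>@sha256:<DIGEST>` (placeholders). The same two points apply to the Dockerfile.alpine, Dockerfile.alpine.java17 and Dockerfile.alpine.java8 hunks of patch 04.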
@@ -0,0 +1,162 @@ +/* + * Copyright (c) 2016-present Sonatype, Inc. All rights reserved. + * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions. + * "Sonatype" is a trademark of Sonatype, Inc. + */ + +@Library(['private-pipeline-library', 'jenkins-shared']) _ +import com.sonatype.jenkins.pipeline.OsTools + +String OPENJDK8 = 'OpenJDK 8' + +properties([ + parameters([ + string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'), + string(defaultValue: '', description: 'New Nexus Repository Manager URL (Optional)', name: 'nexus_repository_manager_url'), + booleanParam(defaultValue: false, description: 'Optional scan for policy violations', name: 'scan_for_policy_violations') + ]) +]) + +node('ubuntu-zion') { + def commitId, commitDate, version, imageId, branch + def imageName = 'sonatype/nexus3', + archiveName = 'docker-nexus3' + + def JAVA_8 = 'java8' + + def DOCKERFILE_JAVA_8 = 'Dockerfile.alpine' + + try { + stage('Preparation') { + deleteDir() + OsTools.runSafe(this, "docker system prune -a -f") + + def checkoutDetails = checkout scm + + branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 
'main' : checkoutDetails.GIT_BRANCH + commitId = checkoutDetails.GIT_COMMIT + commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}") + + OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com') + OsTools.runSafe(this, 'git config --global user.name Sonatype CI') + + version = readVersion() + + if (params.nexus_repository_manager_version) { + stage('Update Repository Manager Version') { + OsTools.runSafe(this, "git checkout ${branch}") + updateRepositoryManagerVersion("${pwd()}/${DOCKERFILE_JAVA_8}", JAVA_8) + version = getShortVersion(params.nexus_repository_manager_version) + } + } + } + stage('Build') { + def dockerfilePath = DOCKERFILE_JAVA_8 + def baseImage = extractBaseImage(dockerfilePath) + def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' + def baseImageReference = baseImageRefFactory.build(this, baseImage as String) + def baseImageReferenceStr = baseImageReference.getReference() + def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . 
-f ${dockerfilePath}") + imageId = hash.split(':')[1] + } + if (params.scan_for_policy_violations) { + stage('Evaluate Policies') { + runEvaluation({ stage -> + nexusPolicyEvaluation( + iqStage: stage, + iqApplication: 'docker-nexus3', + iqScanPatterns: [[scanPattern: "container:${imageName}"]], + failBuildOnNetworkError: true, + )}, 'release') + } + } + if (currentBuild.result == 'FAILURE') { + return + } + stage('Archive') { + dir('build/target') { + OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") + archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true + } + } + if (branch == 'main') { + stage('Push image to RSC') { + withSonatypeDockerRegistry() { + def tags = ["${version}-java8-alpine", "${version}-alpine"] + tags.each { tag -> + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${tag}" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${tag}" + } + } + } + } + } finally { + OsTools.runSafe(this, "docker logout") + OsTools.runSafe(this, "docker system prune -a -f") + OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main') + } +} + +def readVersion() { + def content = readFile 'Dockerfile.alpine' + for (line in content.split('\n')) { + if (line.startsWith('ARG NEXUS_VERSION=')) { + return getShortVersion(line.substring(18)) + } + } + error 'Could not determine version.' 
+} + +def getShortVersion(version) { + return version.split('-')[0] +} + +def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) { + def dockerFile = readFile(file: dockerFileLocation) + + def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/ + def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/ + + def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/ + def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/ + + dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3") + dockerFile = dockerFile.replaceAll(metaShortVersionRegex, + "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") + dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}") + + def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/ + def nexusUrl = params.nexus_repository_manager_url + if (params.nexus_repository_manager_url) { + dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}") + } + else { + // default URL + def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/ + dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}") + + def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}") + nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version) + } + def sha = getSha(nexusUrl) + + dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}") + + writeFile(file: dockerFileLocation, text: dockerFile) +} + +def getSha(url) { + def sha = sh ( + script: "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1", + returnStdout: true + ).trim() + return sha +} + +def extractBaseImage (dockerFileLocation) { + def dockerFile = readFile(file: dockerFileLocation) + def baseImageRegex = "FROM\\s+([^\\s]+)" + def usedImages = dockerFile =~ baseImageRegex + + return 
usedImages[0][1] +} From 24d3c88228afda56744332cab82b6b8a9e4db2f5 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Thu, 6 Jun 2024 08:21:09 -0400 Subject: [PATCH 02/26] Change groupID to 200 --- Dockerfile.alpine | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 23ef4f8c..4e3b991a 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -51,7 +51,7 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ # Install Java & tar RUN apk add openjdk8 tar procps gzip curl shadow \ && apk cache clean \ - && groupadd --gid 201 -r nexus \ + && groupadd --gid 200 -r nexus \ && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' WORKDIR ${SONATYPE_DIR} From 6b2e71e87386de2058f3c70eaee688fd31875bfd Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Thu, 6 Jun 2024 23:46:12 -0400 Subject: [PATCH 03/26] Change DOCKER_TYPE to alpine --- Dockerfile.alpine | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 4e3b991a..d73644ba 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -46,7 +46,7 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ NEXUS_DATA=/nexus-data \ NEXUS_CONTEXT='' \ SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ - DOCKER_TYPE='rh-docker' + DOCKER_TYPE='alpine' # Install Java & tar RUN apk add openjdk8 tar procps gzip curl shadow \ From ab8b316becf2614b71082381ef6d38abbec4a0ec Mon Sep 17 00:00:00 2001 
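Review bot: `getSha` passes the `nexus_repository_manager_url` job parameter unquoted and unvalidated into `sh "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1"`, so whatever a user types into that parameter is interpreted by the shell on the build agent before it is ever used as a URL. Check the value before using it — e.g. `if (!(url ==~ /https:\/\/download(-staging)?\.sonatype\.com\/.*/)) { error "Unexpected download URL: ${url}" }`, the hosts being the two defaults already in this file — and quote it in the script. Worth a comment on `getSha` as well: the hash it returns is computed from that same download and then written into `NEXUS_DOWNLOAD_SHA256_HASH`, so the Dockerfile check only detects a later mismatch, not a bad artefact at pin time, and readers should not take it for independent verification. `updateRepositoryManagerVersion` also throws on `substring(0, -1)` when `nexus_repository_manager_version` contains no `-`, and its `javaVersion` parameter is never used.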
From: mburkert3 Date: Sun, 9 Jun 2024 13:26:39 -0400 Subject: [PATCH 04/26] NEXUS-42419 Alpine Images --- Dockerfile.alpine | 88 ++++++++++++++++++++++++++++++++++++ Dockerfile.alpine.java17 | 88 ++++++++++++++++++++++++++++++++++++ Dockerfile.alpine.java8 | 88 ++++++++++++++++++++++++++++++++++++ Jenkinsfile-Internal-Release | 68 +++++++++++++++++++--------- Jenkinsfile-Release | 43 ++++++++++++++---- 5 files changed, 345 insertions(+), 30 deletions(-) create mode 100644 Dockerfile.alpine create mode 100644 Dockerfile.alpine.java17 create mode 100644 Dockerfile.alpine.java8 diff --git a/Dockerfile.alpine b/Dockerfile.alpine new file mode 100644 index 00000000..e5d54861 --- /dev/null +++ b/Dockerfile.alpine 
@@ -0,0 +1,88 @@ +# Copyright (c) 2016-present Sonatype, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM alpine + +LABEL name="Nexus Repository Manager" \ + maintainer="Sonatype " \ + vendor=Sonatype \ + version="3.69.0-02" \ + release="3.69.0" \ + url="https://sonatype.com" \ + summary="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + description="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + run="docker run -d --name NAME \ + -p 8081:8081 \ + IMAGE" \ + stop="docker stop NAME" \ + com.sonatype.license="Apache License, Version 2.0" \ + com.sonatype.name="Nexus Repository Manager base image" \ + io.k8s.description="The Nexus Repository Manager server \ + with universal support for popular component formats." 
\ + io.k8s.display-name="Nexus Repository Manager" \ + io.openshift.expose-services="8081:8081" \ + io.openshift.tags="Sonatype,Nexus,Repository Manager" + +ARG NEXUS_VERSION=3.69.0-02 +ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz +ARG NEXUS_DOWNLOAD_SHA256_HASH=4a22cd3f2a2bd3fef46e2f13b57abfcca9e6244c36cee8c2aac226a333524c07 + +# configure nexus runtime +ENV SONATYPE_DIR=/opt/sonatype +ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ + NEXUS_DATA=/nexus-data \ + NEXUS_CONTEXT='' \ + SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ + DOCKER_TYPE='alpine' + +# Install Java & tar +RUN apk add openjdk11 tar procps gzip curl shadow \ + && apk cache clean \ + && groupadd --gid 200 -r nexus \ + && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' + +WORKDIR ${SONATYPE_DIR} + +# Download nexus & setup directories +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ + && chown -R nexus:nexus ${SONATYPE_WORK} \ + && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ + && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3 + +# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS +RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions + +RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && chmod a+x 
${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties + +RUN apk del gzip shadow + +VOLUME ${NEXUS_DATA} + +EXPOSE 8081 +USER nexus + +ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs" + +CMD ["/opt/sonatype/nexus/bin/nexus", "run"] diff --git a/Dockerfile.alpine.java17 b/Dockerfile.alpine.java17 new file mode 100644 index 00000000..8dbe6cdd --- /dev/null +++ b/Dockerfile.alpine.java17 
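Review bot: The three Alpine Dockerfiles in this patch download the identical URL `https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz` with the same `NEXUS_VERSION=3.69.0-02` but pin three different `NEXUS_DOWNLOAD_SHA256_HASH` values (this file, Dockerfile.alpine.java17 and Dockerfile.alpine.java8), so at most one of the three builds can pass `sha256sum -c`. Presumably the Java 11 and Java 17 hashes belong to per-JDK artefacts whose URL differs, in which case the `NEXUS_DOWNLOAD_URL` line is what is wrong, not the hash. Separately, this hunk recreates `Dockerfile.alpine` as a new file (`--- /dev/null`, `index 00000000..`) although patch 01 of the same series already created it, which looks like a rebase artefact that will stop the series applying in order.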
@@ -0,0 +1,88 @@ +# Copyright (c) 2016-present Sonatype, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM alpine + +LABEL name="Nexus Repository Manager" \ + maintainer="Sonatype " \ + vendor=Sonatype \ + version="3.69.0-02" \ + release="3.69.0" \ + url="https://sonatype.com" \ + summary="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + description="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + run="docker run -d --name NAME \ + -p 8081:8081 \ + IMAGE" \ + stop="docker stop NAME" \ + com.sonatype.license="Apache License, Version 2.0" \ + com.sonatype.name="Nexus Repository Manager base image" \ + io.k8s.description="The Nexus Repository Manager server \ + with universal support for popular component formats." 
\ + io.k8s.display-name="Nexus Repository Manager" \ + io.openshift.expose-services="8081:8081" \ + io.openshift.tags="Sonatype,Nexus,Repository Manager" + +ARG NEXUS_VERSION=3.69.0-02 +ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz +ARG NEXUS_DOWNLOAD_SHA256_HASH=59ed008f74dea1a7f1a36dd896ea552c1d35ff537ec8e5669addd87776ecc7e2 + +# configure nexus runtime +ENV SONATYPE_DIR=/opt/sonatype +ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ + NEXUS_DATA=/nexus-data \ + NEXUS_CONTEXT='' \ + SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ + DOCKER_TYPE='alpine' + +# Install Java & tar +RUN apk add openjdk17 tar procps gzip curl shadow \ + && apk cache clean \ + && groupadd --gid 200 -r nexus \ + && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' + +WORKDIR ${SONATYPE_DIR} + +# Download nexus & setup directories +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ + && chown -R nexus:nexus ${SONATYPE_WORK} \ + && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ + && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3 + +# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS +RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions + +RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && chmod a+x 
${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties + +RUN apk del gzip shadow + +VOLUME ${NEXUS_DATA} + +EXPOSE 8081 +USER nexus + +ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs" + +CMD ["/opt/sonatype/nexus/bin/nexus", "run"] diff --git a/Dockerfile.alpine.java8 b/Dockerfile.alpine.java8 new file mode 100644 index 00000000..d73644ba --- /dev/null +++ b/Dockerfile.alpine.java8 
@@ -0,0 +1,88 @@ +# Copyright (c) 2016-present Sonatype, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM alpine + +LABEL name="Nexus Repository Manager" \ + maintainer="Sonatype " \ + vendor=Sonatype \ + version="3.69.0-02" \ + release="3.69.0" \ + url="https://sonatype.com" \ + summary="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + description="The Nexus Repository Manager server \ + with universal support for popular component formats." \ + run="docker run -d --name NAME \ + -p 8081:8081 \ + IMAGE" \ + stop="docker stop NAME" \ + com.sonatype.license="Apache License, Version 2.0" \ + com.sonatype.name="Nexus Repository Manager base image" \ + io.k8s.description="The Nexus Repository Manager server \ + with universal support for popular component formats." 
\ + io.k8s.display-name="Nexus Repository Manager" \ + io.openshift.expose-services="8081:8081" \ + io.openshift.tags="Sonatype,Nexus,Repository Manager" + +ARG NEXUS_VERSION=3.69.0-02 +ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz +ARG NEXUS_DOWNLOAD_SHA256_HASH=4161a1bb43d92ad8ca6185fa0da2c0f02dfd62280c5b6e4ac4419df4aecaf55f + +# configure nexus runtime +ENV SONATYPE_DIR=/opt/sonatype +ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ + NEXUS_DATA=/nexus-data \ + NEXUS_CONTEXT='' \ + SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ + DOCKER_TYPE='alpine' + +# Install Java & tar +RUN apk add openjdk8 tar procps gzip curl shadow \ + && apk cache clean \ + && groupadd --gid 200 -r nexus \ + && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' + +WORKDIR ${SONATYPE_DIR} + +# Download nexus & setup directories +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ + && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ + && chown -R nexus:nexus ${SONATYPE_WORK} \ + && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ + && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3 + +# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS +RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions + +RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && chmod a+x 
${SONATYPE_DIR}/start-nexus-repository-manager.sh \ + && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties + +RUN apk del gzip shadow + +VOLUME ${NEXUS_DATA} + +EXPOSE 8081 +USER nexus + +ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs" + +CMD ["/opt/sonatype/nexus/bin/nexus", "run"] diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 3fe6ec7e..0c514595 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release @@ -21,7 +21,7 @@ properties([ ]) node('ubuntu-zion') { - def commitId, commitDate, version, imageId, branch + def commitId, commitDate, version, imageId, alpineImageId, branch def imageName = 'sonatype/nexus3', archiveName = 'docker-nexus3' @@ -32,6 +32,15 @@ node('ubuntu-zion') { def DOCKERFILE_JAVA_8 = 'Dockerfile' def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' + def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine' + def DOCKERFILE_ALPINE_JAVA_8 = 'Dockerfile.alpine.java8' + def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' + + def dockerfileMap = [ + (OPENJDK8) : [DOCKERFILE_JAVA_8, DOCKERFILE_ALPINE_JAVA_8], + (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], + (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] + ] try { stage('Preparation') { 
@@ -52,32 +61,36 @@ node('ubuntu-zion') { if (params.nexus_repository_manager_version) { stage('Update Repository Manager Version') { OsTools.runSafe(this, "git checkout ${branch}") - def javaVersionsDockerfilesMap = [ - (JAVA_8): DOCKERFILE_JAVA_8, - (JAVA_11): DOCKERFILE_JAVA_11, - (JAVA_17): DOCKERFILE_JAVA_17 - ] - javaVersionsDockerfilesMap.each { javaVersion, dockerfile -> - updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) + + dockerfileMap.each { javaVersion, dockerfiles -> + dockerfiles.each { dockerfile -> + updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) + } } + version = getShortVersion(params.nexus_repository_manager_version) } } } - stage('Build') { - def dockerfilesMap = [ - (OPENJDK8): DOCKERFILE_JAVA_8, - (OPENJDK11): DOCKERFILE_JAVA_11, - (OPENJDK17): DOCKERFILE_JAVA_17 - ] - def dockerfilePath = dockerfilesMap.get(params.java_version) + + def dockerfilePath = dockerfileMap[params.java_version][0] + def alpineDockerfilePath = dockerfileMap[params.java_version][1] + + stage('Build UBI Image') { def baseImage = extractBaseImage(dockerfilePath) def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' def baseImageReference = baseImageRefFactory.build(this, baseImage as String) def baseImageReferenceStr = baseImageReference.getReference() + def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] } + + stage('Build Alpine Image') { + def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = hash.split(':')[1] + } + if (params.scan_for_policy_violations) { stage('Evaluate Policies') { runEvaluation({ stage -> 
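Review bot: The new `Build Alpine Image` stage builds without the `--label base-image-ref=` that the `Build UBI Image` stage records, so the Alpine image carries no base-image provenance although `extractBaseImage` reads any Dockerfile and the factory is already loaded two stages up. The Alpine Dockerfiles use an untagged `FROM alpine`, so the label is the only record of what was actually built on; confirm `BaseImageReference.build` copes with a tag-less reference. The `node` closure starts and ends outside this hunk.
```groovy
stage('Build Alpine Image') {
  def alpineBaseImage = extractBaseImage(alpineDockerfilePath)
  def alpineBaseImageRef = load('scripts/BaseImageReference.groovy').build(this, alpineBaseImage as String).getReference()
  def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${alpineBaseImageRef}' --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
  alpineImageId = hash.split(':')[1]
}
// … unchanged: Evaluate Policies stage …
```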
@@ -89,15 +102,18 @@ node('ubuntu-zion') { )}, 'release') } } + if (currentBuild.result == 'FAILURE') { return } + stage('Archive') { dir('build/target') { OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true } } + if (branch == 'main') { stage('Push image to RSC') { withSonatypeDockerRegistry() { @@ -108,11 +124,20 @@ node('ubuntu-zion') { ] def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}" + // Push UBI images + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" if (params.java_version == OPENJDK8) { - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}" + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + } + + // Push Alpine images + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + if (params.java_version == OPENJDK11) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" } } } 
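Review bot: The Alpine image is pushed to the internal registry in the `@@ -108,11 +124,20 @@` hunk without going through `Evaluate Policies` or `Archive`: the scan pattern sits outside the first hunk, but in Jenkinsfile.alpine it covers `container:${imageName}` only, and the `Archive` stage shown here saves only `${imageName}`. Add `[scanPattern: "container:${imageName}-alpine"]` to `iqScanPatterns` and a second `docker save ${imageName}-alpine | gzip > ${archiveName}-alpine.tar.gz` with its own `archiveArtifacts` so the Alpine artefact gets the same gating as the UBI one. The un-suffixed `${version}` tag is also no longer pushed — OPENJDK8 now gets `${version}-ubi` and OPENJDK11 gets `${version}-alpine` — so anything pulling `nexus3:${version}` from the internal registry stops receiving builds; if that is intended, say so in the commit message.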
@@ -159,7 +184,7 @@ def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) { } else { // default URL - def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-\$\{JAVA_VERSION\}-unix\.tar\.gz/ + def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/ dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}") def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}") @@ -171,7 +196,6 @@ def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) { dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}") writeFile(file: dockerFileLocation, text: dockerFile) - } def getSha(url) { @@ -182,7 +206,7 @@ def getSha(url) { return sha } -def extractBaseImage (dockerFileLocation) { +def extractBaseImage(dockerFileLocation) { def dockerFile = readFile(file: dockerFileLocation) def baseImageRegex = "FROM\\s+([^\\s]+)" def usedImages = dockerFile =~ baseImageRegex diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release index 9a1fe1bc..7945eaca 100644 --- a/Jenkinsfile-Release +++ b/Jenkinsfile-Release @@ -25,7 +25,7 @@ properties([ ]) node('ubuntu-zion') { - def commitId, commitDate, version, imageId, branch, dockerFileLocations, dockerJava11FileLocations, dockerJava17FileLocations + def commitId, commitDate, version, imageId, alpineImageId, branch, dockerFileLocations, dockerJava11FileLocations, dockerJava17FileLocations def organization = 'sonatype', gitHubRepository = 'docker-nexus3', credentialsId = 'jenkins-github', 
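Review bot: Dropping `\$\{JAVA_VERSION\}` from `defaultUrl` changes the staging URL written into every Dockerfile that `updateRepositoryManagerVersion` is run on, including the non-Alpine ones in `dockerfileMap`; if those still fetch a per-JDK tarball this silently pins the wrong artefact, and the function's `javaVersion` parameter is now unused (the function starts and ends outside the hunk). Either keep two URL templates keyed on the Dockerfile, or state in the commit why one artefact now serves all JDK variants. The other hunks on this line are whitespace and declaration changes only.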
@@ -45,21 +45,27 @@ node('ubuntu-zion') { def checkoutDetails = checkout scm + // Regular Dockerfile Locations dockerFileLocations = [ "${pwd()}/Dockerfile", "${pwd()}/Dockerfile.rh.centos", "${pwd()}/Dockerfile.rh.el", - "${pwd()}/Dockerfile.rh.ubi" + "${pwd()}/Dockerfile.rh.ubi", + "${pwd()}/Dockerfile.alpine.java8" ] + // Java 11 Dockerfile Locations dockerJava11FileLocations = [ "${pwd()}/Dockerfile.java11", - "${pwd()}/Dockerfile.rh.ubi.java11" + "${pwd()}/Dockerfile.rh.ubi.java11", + "${pwd()}/Dockerfile.alpine.java11" ] + // Java 17 Dockerfile Locations dockerJava17FileLocations = [ "${pwd()}/Dockerfile.java17", - "${pwd()}/Dockerfile.rh.ubi.java17" + "${pwd()}/Dockerfile.rh.ubi.java17", + "${pwd()}/Dockerfile.alpine.java17" ] branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH @@ -116,6 +122,11 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] + // Build Alpine Image + def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") + def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = alpineHash.split(':')[1] + if (currentBuild.result == 'FAILURE') { gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed' return 
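Review bot: The Alpine Dockerfile names used in both hunks on this line do not match the files this patch adds: `dockerJava11FileLocations` gains `Dockerfile.alpine.java11`, which does not exist (the Java 11 variant is `Dockerfile.alpine`), and `dockerfilePath.replace("Dockerfile", "Dockerfile.alpine")` turns `Dockerfile` into `Dockerfile.alpine` — the Java 11 image — instead of `Dockerfile.alpine.java8`, and `Dockerfile.java11` into the missing `Dockerfile.alpine.java11`. Presumably `readFile` and `docker build` fail on those paths, so drive the Alpine path from an explicit map keyed on `params.java_version` as Jenkinsfile-Internal-Release does, and put `Dockerfile.alpine` in the Java 11 list. The Alpine build in the second hunk also omits the `base-image-ref` label the UBI build records; `dockerfilePath` is defined outside the hunk.
```groovy
// Build Alpine Image — explicit per-JDK map; deriving the name from dockerfilePath
// does not match the files added in this series (Dockerfile.alpine is the Java 11 variant)
def alpineDockerfilesMap = [
  (OPENJDK8) : 'Dockerfile.alpine.java8',
  (OPENJDK11): 'Dockerfile.alpine',
  (OPENJDK17): 'Dockerfile.alpine.java17'
]
def alpineDockerfilePath = alpineDockerfilesMap.get(params.java_version)
// … unchanged: docker build of the Alpine image and alpineImageId …
```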
@@ -198,9 +209,10 @@ node('ubuntu-zion') { ] def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) - OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}") + // Push UBI image + OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-ubi") if (params.java_version == OPENJDK8) { - OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}") + OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-ubi") OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest") } 
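Review bot: Renaming the Docker Hub tag `${version}` to `${version}-ubi` for OPENJDK8 removes the un-suffixed version tag from the public repository while `latest` keeps pointing at the UBI image, so users pinning `sonatype/nexus3:<version>` will no longer receive new releases. That is a compatibility change that should be stated in the commit message, or the old tag kept alongside the new one with an extra `OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}")`. The enclosing closure starts and ends outside the hunk.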
@@ -210,13 +222,28 @@ node('ubuntu-zion') { def dockerPushCmdsMap = [ (OPENJDK8): "docker push --all-tags ${organization}/${dockerHubRepository}", - (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}", - (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}" + (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-ubi", + (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-ubi" ] def dockerPushCmd = dockerPushCmdsMap.get(params.java_version) OsTools.runSafe(this, dockerPushCmd) + // Push Alpine image + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine") + if (params.java_version == OPENJDK11) { + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") + } + + def alpineDockerPushCmdsMap = [ + (OPENJDK8): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_8}-alpine", + (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine", + (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine" + ] + def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version) + + OsTools.runSafe(this, alpineDockerPushCmd) + response = OsTools.runSafe(this, """ curl -X POST https://hub.docker.com/v2/users/login/ \ -H 'cache-control: no-cache' -H 'content-type: application/json' \ From 67403bf2bb2e4cfafdbc72d6327c97a412c90182 Mon Sep 17 00:00:00 2001 From: mburkert3 Date: Sun, 9 Jun 2024 13:33:49 -0400 Subject: [PATCH 05/26] NEXUS-42419 Alpine Images --- Jenkinsfile-Internal-Release | 9 --------- 1 file changed, 9 deletions(-) diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 0c514595..599dc5b2 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release 
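Review bot: For OPENJDK11 the hunk tags `${organization}/${dockerHubRepository}:${version}-alpine` but `alpineDockerPushCmdsMap[OPENJDK11]` pushes only `${version}-${JAVA_11}-alpine`, so the bare `-alpine` tag is created and never pushed (the OPENJDK8 run's `docker push --all-tags` cannot pick it up either, because that tag is only created in the OPENJDK11 run). Add `OsTools.runSafe(this, "docker push ${organization}/${dockerHubRepository}:${version}-alpine")` inside the `params.java_version == OPENJDK11` branch. The same gap survives the later rewrites of this block in the Jenkinsfile-Release hunks `@@ -226,20 +227,21 @@` and `@@ -227,21 +231,20 @@`. Note also that for OPENJDK8 the `--all-tags` push above already covers every local tag, so the `(OPENJDK8)` entry of the new map pushes the same tag twice.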
@@ -61,18 +61,15 @@ node('ubuntu-zion') { if (params.nexus_repository_manager_version) { stage('Update Repository Manager Version') { OsTools.runSafe(this, "git checkout ${branch}") - dockerfileMap.each { javaVersion, dockerfiles -> dockerfiles.each { dockerfile -> updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) } } - version = getShortVersion(params.nexus_repository_manager_version) } } } - def dockerfilePath = dockerfileMap[params.java_version][0] def alpineDockerfilePath = dockerfileMap[params.java_version][1] @@ -81,16 +78,13 @@ node('ubuntu-zion') { def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' def baseImageReference = baseImageRefFactory.build(this, baseImage as String) def baseImageReferenceStr = baseImageReference.getReference() - def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] } - stage('Build Alpine Image') { def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") alpineImageId = hash.split(':')[1] } - if (params.scan_for_policy_violations) { stage('Evaluate Policies') { runEvaluation({ stage -> @@ -102,18 +96,15 @@ node('ubuntu-zion') { )}, 'release') } } - if (currentBuild.result == 'FAILURE') { return } - stage('Archive') { dir('build/target') { OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true } } - if (branch == 'main') { stage('Push image to RSC') { withSonatypeDockerRegistry() { From 5f35ba15e5be8428391f91d9587129dd2b1e5cb3 Mon Sep 17 00:00:00 2001 From: mburkert3 Date: Sun, 9 Jun 2024 13:35:31 -0400 Subject: [PATCH 06/26] NEXUS-42419 Alpine Images --- Jenkinsfile-Release | 3 --- 1 file changed, 3 deletions(-) diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release index 7945eaca..583e71ea 100644 
--- a/Jenkinsfile-Release +++ b/Jenkinsfile-Release @@ -45,7 +45,6 @@ node('ubuntu-zion') { def checkoutDetails = checkout scm - // Regular Dockerfile Locations dockerFileLocations = [ "${pwd()}/Dockerfile", "${pwd()}/Dockerfile.rh.centos", @@ -54,14 +53,12 @@ node('ubuntu-zion') { "${pwd()}/Dockerfile.alpine.java8" ] - // Java 11 Dockerfile Locations dockerJava11FileLocations = [ "${pwd()}/Dockerfile.java11", "${pwd()}/Dockerfile.rh.ubi.java11", "${pwd()}/Dockerfile.alpine.java11" ] - // Java 17 Dockerfile Locations dockerJava17FileLocations = [ "${pwd()}/Dockerfile.java17", "${pwd()}/Dockerfile.rh.ubi.java17", From 3474faae3bb03a3779db07e175dd4a746a7c1ea7 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Mon, 10 Jun 2024 19:37:43 -0400 Subject: [PATCH 07/26] Remove Java8 Alpine --- Jenkinsfile-Internal-Release | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 599dc5b2..842f86c4 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release @@ -33,11 +33,10 @@ node('ubuntu-zion') { def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine' - def DOCKERFILE_ALPINE_JAVA_8 = 'Dockerfile.alpine.java8' def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' def dockerfileMap = [ - (OPENJDK8) : [DOCKERFILE_JAVA_8, DOCKERFILE_ALPINE_JAVA_8], + (OPENJDK8) : [DOCKERFILE_JAVA_8], (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] ] 
@@ -71,7 +70,7 @@ node('ubuntu-zion') { } } def dockerfilePath = dockerfileMap[params.java_version][0] - def alpineDockerfilePath = dockerfileMap[params.java_version][1] + def alpineDockerfilePath = params.java_version == OPENJDK8 ? null : dockerfileMap[params.java_version][1] stage('Build UBI Image') { def baseImage = extractBaseImage(dockerfilePath) @@ -81,9 +80,11 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] } - stage('Build Alpine Image') { - def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = hash.split(':')[1] + if (params.java_version != OPENJDK8) { + stage('Build Alpine Image') { + def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = hash.split(':')[1] + } } if (params.scan_for_policy_violations) { stage('Evaluate Policies') { 
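Review bot: The Java 8 exclusion is now spelled as `params.java_version != OPENJDK8` in three places — the `alpineDockerfilePath` ternary, the build guard in this hunk, and the push guard in the following `@@ -124,11 +125,13 @@` hunk — which will drift apart as soon as another variant without an Alpine Dockerfile is added. Driving all three off the map keeps one source of truth, e.g. `def alpineDockerfilePath = dockerfileMap[params.java_version].size() > 1 ? dockerfileMap[params.java_version][1] : null`, then `if (alpineDockerfilePath) { stage('Build Alpine Image') { … } }` and `if (alpineImageId) { … }` around the push. The enclosing node body starts and ends outside the hunk.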
@@ -124,11 +125,13 @@ node('ubuntu-zion') { } // Push Alpine images - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - if (params.java_version == OPENJDK11) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + if (params.java_version != OPENJDK8) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + if (params.java_version == OPENJDK11) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + } } } } From 1e3df4790747fe037996fec04d737a3fb0982fb6 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Mon, 10 Jun 2024 19:39:40 -0400 Subject: [PATCH 08/26] Remove Java8 Alpine --- Jenkinsfile-Release | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release index 583e71ea..70a3feb5 100644 --- a/Jenkinsfile-Release +++ b/Jenkinsfile-Release @@ -49,8 +49,7 @@ node('ubuntu-zion') { "${pwd()}/Dockerfile", "${pwd()}/Dockerfile.rh.centos", "${pwd()}/Dockerfile.rh.el", - "${pwd()}/Dockerfile.rh.ubi", - "${pwd()}/Dockerfile.alpine.java8" + "${pwd()}/Dockerfile.rh.ubi" ] dockerJava11FileLocations = [ 
@@ -119,10 +118,12 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] - // Build Alpine Image - def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") - def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = alpineHash.split(':')[1] + // Build Alpine Image if not Java 8 + if (params.java_version != OPENJDK8) { + def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") + def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = alpineHash.split(':')[1] + } if (currentBuild.result == 'FAILURE') { gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed' 
@@ -226,20 +227,21 @@ node('ubuntu-zion') { OsTools.runSafe(this, dockerPushCmd) - // Push Alpine image - OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine") - if (params.java_version == OPENJDK11) { - OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") - } + // Push Alpine image if not Java 8 + if (params.java_version != OPENJDK8) { + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine") + if (params.java_version == OPENJDK11) { + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") + } - def alpineDockerPushCmdsMap = [ - (OPENJDK8): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_8}-alpine", - (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine", - (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine" - ] - def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version) + def alpineDockerPushCmdsMap = [ + (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine", + (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine" + ] + def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version) - OsTools.runSafe(this, alpineDockerPushCmd) + OsTools.runSafe(this, alpineDockerPushCmd) + } response = OsTools.runSafe(this, """ curl -X POST https://hub.docker.com/v2/users/login/ \ From ed420a2859ef09fddb13998a0ae8337c68cc2aa8 Mon Sep 17 00:00:00 2001 
From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Mon, 10 Jun 2024 19:42:08 -0400 Subject: [PATCH 09/26] Delete Java8 Alpine Dockerfile --- Dockerfile.alpine.java8 | 88 ----------------------------------------- 1 file changed, 88 deletions(-) delete mode 100644 Dockerfile.alpine.java8 diff --git a/Dockerfile.alpine.java8 b/Dockerfile.alpine.java8 deleted file mode 100644 index d73644ba..00000000 --- a/Dockerfile.alpine.java8 +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright (c) 2016-present Sonatype, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM alpine - -LABEL name="Nexus Repository Manager" \ - maintainer="Sonatype " \ - vendor=Sonatype \ - version="3.69.0-02" \ - release="3.69.0" \ - url="https://sonatype.com" \ - summary="The Nexus Repository Manager server \ - with universal support for popular component formats." \ - description="The Nexus Repository Manager server \ - with universal support for popular component formats." \ - run="docker run -d --name NAME \ - -p 8081:8081 \ - IMAGE" \ - stop="docker stop NAME" \ - com.sonatype.license="Apache License, Version 2.0" \ - com.sonatype.name="Nexus Repository Manager base image" \ - io.k8s.description="The Nexus Repository Manager server \ - with universal support for popular component formats." 
\ - io.k8s.display-name="Nexus Repository Manager" \ - io.openshift.expose-services="8081:8081" \ - io.openshift.tags="Sonatype,Nexus,Repository Manager" - -ARG NEXUS_VERSION=3.69.0-02 -ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz -ARG NEXUS_DOWNLOAD_SHA256_HASH=4161a1bb43d92ad8ca6185fa0da2c0f02dfd62280c5b6e4ac4419df4aecaf55f - -# configure nexus runtime -ENV SONATYPE_DIR=/opt/sonatype -ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ - NEXUS_DATA=/nexus-data \ - NEXUS_CONTEXT='' \ - SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ - DOCKER_TYPE='alpine' - -# Install Java & tar -RUN apk add openjdk8 tar procps gzip curl shadow \ - && apk cache clean \ - && groupadd --gid 200 -r nexus \ - && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' - -WORKDIR ${SONATYPE_DIR} - -# Download nexus & setup directories -RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ - && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ - && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ - && chown -R nexus:nexus ${SONATYPE_WORK} \ - && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ - && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3 - -# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS -RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions - -RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && chmod a+x 
${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties - -RUN apk del gzip shadow - -VOLUME ${NEXUS_DATA} - -EXPOSE 8081 -USER nexus - -ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs" - -CMD ["/opt/sonatype/nexus/bin/nexus", "run"] From 7fbab5698c14709b10dc7b0f4459f301f02b3ef7 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Tue, 11 Jun 2024 11:55:23 -0400 Subject: [PATCH 10/26] Rename --- Dockerfile.alpine => Dockerfile.alpine.java11 | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Dockerfile.alpine => Dockerfile.alpine.java11 (100%) diff --git a/Dockerfile.alpine b/Dockerfile.alpine.java11 similarity index 100% rename from Dockerfile.alpine rename to Dockerfile.alpine.java11 From 43cd20b93769d087b4d6efabe21ec19f3d9d1f23 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Tue, 11 Jun 2024 12:13:44 -0400 Subject: [PATCH 11/26] Rename Dockerfile.alpine.java11 --- Jenkinsfile-Internal-Release | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 842f86c4..68e20d2f 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release @@ -32,7 +32,7 @@ node('ubuntu-zion') { def DOCKERFILE_JAVA_8 = 'Dockerfile' def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' - def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine' + def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11' def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' def dockerfileMap = [ From 79633981d7adfde6e021c5a2d8334a297f50ed9f Mon Sep 17 00:00:00 2001 
From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Tue, 11 Jun 2024 12:18:59 -0400 Subject: [PATCH 12/26] Update Jenkinsfile.alpine Co-authored-by: Jerson Huerfano --- Jenkinsfile.alpine | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile.alpine b/Jenkinsfile.alpine index d2c44365..3f479e38 100644 --- a/Jenkinsfile.alpine +++ b/Jenkinsfile.alpine @@ -64,7 +64,7 @@ node('ubuntu-zion') { runEvaluation({ stage -> nexusPolicyEvaluation( iqStage: stage, - iqApplication: 'docker-nexus3', + iqApplication: 'docker-nexus3-alpine', iqScanPatterns: [[scanPattern: "container:${imageName}"]], failBuildOnNetworkError: true, )}, 'release') From 18da6a9eff269ec6cf246ed2f60f0701188696ad Mon Sep 17 00:00:00 2001 From: mburkert3 Date: Wed, 12 Jun 2024 11:32:31 -0400 Subject: [PATCH 13/26] Add docker-nexus3-alpine scan --- Jenkinsfile-Internal-Release | 42 ++++++++++++++++--------------- Jenkinsfile-Release | 49 +++++++++++++++++++----------------- 2 files changed, 48 insertions(+), 43 deletions(-) diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 68e20d2f..7826aed9 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release @@ -32,11 +32,12 @@ node('ubuntu-zion') { def DOCKERFILE_JAVA_8 = 'Dockerfile' def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' - def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11' + def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine' + def DOCKERFILE_ALPINE_JAVA_8 = 'Dockerfile.alpine.java8' def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' def dockerfileMap = [ - (OPENJDK8) : [DOCKERFILE_JAVA_8], + (OPENJDK8) : [DOCKERFILE_JAVA_8, DOCKERFILE_ALPINE_JAVA_8], (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] ] 
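Review bot: Changing `iqApplication` to `'docker-nexus3-alpine'` moves the evaluation to a different IQ application, so the Alpine image is judged under whatever policy set that application carries rather than the one `docker-nexus3` has been gated on; worth confirming the application is provisioned with the same (or a deliberately chosen) policy baseline before this pipeline runs, otherwise the stage fails or passes for the wrong reason. The enclosing `runEvaluation` call starts and ends outside the hunk.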
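Review bot: This hunk points `DOCKERFILE_ALPINE_JAVA_11` back at `'Dockerfile.alpine'` and re-adds `DOCKERFILE_ALPINE_JAVA_8 = 'Dockerfile.alpine.java8'`, but earlier in this series `Dockerfile.alpine` was renamed to `Dockerfile.alpine.java11` (PATCH 10) and `Dockerfile.alpine.java8` was deleted (PATCH 09), so at this commit the version-update loop and the Alpine build reference files that no longer exist and the OPENJDK8/OPENJDK11 runs would fail at `docker build … -f`. The Jenkinsfile-Release hunk `@@ -49,7 +49,8 @@` in this same commit re-adds `"${pwd()}/Dockerfile.alpine.java8"` to `dockerFileLocations` with the same effect. Unless the intent is to restore both files, the constants should stay `'Dockerfile.alpine.java11'` and the Java 8 Alpine entry should not return; the next commit's `@@ -21,191 +21,193 @@` hunk appears to undo part of this, which suggests the two should be squashed so the tree is never in a non-building state.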
@@ -70,7 +71,7 @@ node('ubuntu-zion') { } } def dockerfilePath = dockerfileMap[params.java_version][0] - def alpineDockerfilePath = params.java_version == OPENJDK8 ? null : dockerfileMap[params.java_version][1] + def alpineDockerfilePath = dockerfileMap[params.java_version][1] stage('Build UBI Image') { def baseImage = extractBaseImage(dockerfilePath) @@ -80,21 +81,24 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] } - if (params.java_version != OPENJDK8) { - stage('Build Alpine Image') { - def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = hash.split(':')[1] - } + stage('Build Alpine Image') { + def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = hash.split(':')[1] } if (params.scan_for_policy_violations) { stage('Evaluate Policies') { runEvaluation({ stage -> + def isAlpine = alpineDockerfilePath.contains('alpine') + def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' + def imageToScan = isAlpine ? "${imageName}-alpine" : imageName + nexusPolicyEvaluation( - iqStage: stage, - iqApplication: 'docker-nexus3', - iqScanPatterns: [[scanPattern: "container:${imageName}"]], - failBuildOnNetworkError: true, - )}, 'release') + iqStage: stage, + iqApplication: iqApplicationName, + iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], + failBuildOnNetworkError: true, + ) + }, 'release') } } if (currentBuild.result == 'FAILURE') { 
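Review bot: `def isAlpine = alpineDockerfilePath.contains('alpine')` in the Evaluate Policies hunk is always true — every second element of `dockerfileMap` is an Alpine Dockerfile — so the stage now scans only `${imageName}-alpine` and the UBI image built from `dockerfilePath` is no longer evaluated at all, which silently removes the policy gate from an image that is still tagged and pushed. The evaluation should cover both images instead of choosing one; the sketch below assumes `runEvaluation` tolerates two `nexusPolicyEvaluation` calls in one closure, otherwise call `runEvaluation` once per image. The Jenkinsfile-Release hunk `@@ -152,12 +151,17 @@` in this commit has the same defect, and there `alpineDockerfilePath` comes from `replace("Dockerfile", "Dockerfile.alpine")`, so it too always contains `alpine`.
```groovy
stage('Evaluate Policies') {
  runEvaluation({ stage ->
    [[app: 'docker-nexus3', image: imageName],
     [app: 'docker-nexus3-alpine', image: "${imageName}-alpine"]].each { target ->
      nexusPolicyEvaluation(
        iqStage: stage,
        iqApplication: target.app,
        iqScanPatterns: [[scanPattern: "container:${target.image}"]],
        failBuildOnNetworkError: true,
      )
    }
  }, 'release')
}
```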
@@ -125,13 +129,11 @@ node('ubuntu-zion') { } // Push Alpine images - if (params.java_version != OPENJDK8) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - if (params.java_version == OPENJDK11) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - } + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + if (params.java_version == OPENJDK11) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" } } } diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release index 70a3feb5..d01439b3 100644 --- a/Jenkinsfile-Release +++ b/Jenkinsfile-Release @@ -49,7 +49,8 @@ node('ubuntu-zion') { "${pwd()}/Dockerfile", "${pwd()}/Dockerfile.rh.centos", "${pwd()}/Dockerfile.rh.el", - "${pwd()}/Dockerfile.rh.ubi" + "${pwd()}/Dockerfile.rh.ubi", + "${pwd()}/Dockerfile.alpine.java8" ] dockerJava11FileLocations = [ 
@@ -118,12 +119,10 @@ node('ubuntu-zion') { def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") imageId = hash.split(':')[1] - // Build Alpine Image if not Java 8 - if (params.java_version != OPENJDK8) { - def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") - def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = alpineHash.split(':')[1] - } + // Build Alpine Image + def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") + def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = alpineHash.split(':')[1] if (currentBuild.result == 'FAILURE') { gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed' @@ -152,12 +151,17 @@ node('ubuntu-zion') { stage('Evaluate Policies') { runEvaluation({ stage -> + def isAlpine = alpineDockerfilePath.contains('alpine') + def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' + def imageToScan = isAlpine ? "${imageName}-alpine" : imageName + nexusPolicyEvaluation( iqStage: stage, - iqApplication: 'docker-nexus3', - iqScanPatterns: [[scanPattern: "container:${imageName}"]], + iqApplication: iqApplicationName, + iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], failBuildOnNetworkError: true, - )}, 'release') + ) + }, 'release') } if (currentBuild.result == 'FAILURE') { 
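Review bot: `alpineDockerfilePath` is declared with `def` inside the build stage in the first hunk but read inside the `runEvaluation` closure of the Evaluate Policies stage in the second; a `def` local is scoped to the closure it is declared in, so unless the name is also declared at node level (not visible in this hunk) that read is likely to fail with a missing-property error at runtime. Either add it to the node-level declaration list or drop the `def` so the assignment binds the outer variable, and make the same change where the earlier `if (params.java_version != OPENJDK8)` guard was removed. The always-true `contains('alpine')` check that drops the UBI scan is raised on the Jenkinsfile-Internal-Release hunk of this commit and applies here unchanged.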
@@ -227,21 +231,20 @@ node('ubuntu-zion') { OsTools.runSafe(this, dockerPushCmd) - // Push Alpine image if not Java 8 - if (params.java_version != OPENJDK8) { - OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine") - if (params.java_version == OPENJDK11) { - OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") - } + // Push Alpine image + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine") + if (params.java_version == OPENJDK11) { + OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine") + } - def alpineDockerPushCmdsMap = [ - (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine", - (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine" - ] - def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version) + def alpineDockerPushCmdsMap = [ + (OPENJDK8): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_8}-alpine", + (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine", + (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine" + ] + def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version) - OsTools.runSafe(this, alpineDockerPushCmd) - } + OsTools.runSafe(this, alpineDockerPushCmd) response = OsTools.runSafe(this, """ curl -X POST https://hub.docker.com/v2/users/login/ \ From 7a718e04596e45ffdd6a8b9af49fff311a9007b8 Mon Sep 17 00:00:00 2001 
From: mburkert3 Date: Wed, 12 Jun 2024 12:09:03 -0400 Subject: [PATCH 14/26] Add docker-nexus3-alpine scan --- Jenkinsfile-Internal-Release | 334 ++++++++++++++++++----------------- Jenkinsfile-Release | 42 ++--- 2 files changed, 190 insertions(+), 186 deletions(-) diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 7826aed9..d030a498 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release 
@@ -21,191 +21,193 @@ properties([ ]) node('ubuntu-zion') { - def commitId, commitDate, version, imageId, alpineImageId, branch - def imageName = 'sonatype/nexus3', - archiveName = 'docker-nexus3' - - def JAVA_8 = 'java8' - def JAVA_11 = 'java11' - def JAVA_17 = 'java17' - - def DOCKERFILE_JAVA_8 = 'Dockerfile' - def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' - def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' - def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine' - def DOCKERFILE_ALPINE_JAVA_8 = 'Dockerfile.alpine.java8' - def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' - - def dockerfileMap = [ - (OPENJDK8) : [DOCKERFILE_JAVA_8, DOCKERFILE_ALPINE_JAVA_8], - (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], - (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] - ] - - try { - stage('Preparation') { - deleteDir() - OsTools.runSafe(this, "docker system prune -a -f") - - def checkoutDetails = checkout scm - - branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH - commitId = checkoutDetails.GIT_COMMIT - commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}") - - OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com') - OsTools.runSafe(this, 'git config --global user.name Sonatype CI') - - version = readVersion() - - if (params.nexus_repository_manager_version) { - stage('Update Repository Manager Version') { - OsTools.runSafe(this, "git checkout ${branch}") - dockerfileMap.each { javaVersion, dockerfiles -> - dockerfiles.each { dockerfile -> - updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) + def commitId, commitDate, version, imageId, alpineImageId, branch + def imageName = 'sonatype/nexus3', + archiveName = 'docker-nexus3' + + def JAVA_8 = 'java8' + def JAVA_11 = 'java11' + def JAVA_17 = 'java17' + + def DOCKERFILE_JAVA_8 = 'Dockerfile' + def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' + def DOCKERFILE_JAVA_17 = 
'Dockerfile.java17' + def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11' + def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' + + def dockerfileMap = [ + (OPENJDK8) : [DOCKERFILE_JAVA_8], + (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], + (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] + ] + + try { + stage('Preparation') { + deleteDir() + OsTools.runSafe(this, "docker system prune -a -f") + + def checkoutDetails = checkout scm + + branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH + commitId = checkoutDetails.GIT_COMMIT + commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}") + + OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com') + OsTools.runSafe(this, 'git config --global user.name Sonatype CI') + + version = readVersion() + + if (params.nexus_repository_manager_version) { + stage('Update Repository Manager Version') { + OsTools.runSafe(this, "git checkout ${branch}") + dockerfileMap.each { javaVersion, dockerfiles -> + dockerfiles.each { dockerfile -> + updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) + } + } + version = getShortVersion(params.nexus_repository_manager_version) + } } - } - version = getShortVersion(params.nexus_repository_manager_version) } - } - } - def dockerfilePath = dockerfileMap[params.java_version][0] - def alpineDockerfilePath = dockerfileMap[params.java_version][1] - - stage('Build UBI Image') { - def baseImage = extractBaseImage(dockerfilePath) - def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' - def baseImageReference = baseImageRefFactory.build(this, baseImage as String) - def baseImageReferenceStr = baseImageReference.getReference() - def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . 
-f ${dockerfilePath}") - imageId = hash.split(':')[1] - } - stage('Build Alpine Image') { - def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = hash.split(':')[1] - } - if (params.scan_for_policy_violations) { - stage('Evaluate Policies') { - runEvaluation({ stage -> - def isAlpine = alpineDockerfilePath.contains('alpine') - def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' - def imageToScan = isAlpine ? "${imageName}-alpine" : imageName - - nexusPolicyEvaluation( - iqStage: stage, - iqApplication: iqApplicationName, - iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], - failBuildOnNetworkError: true, - ) - }, 'release') - } - } - if (currentBuild.result == 'FAILURE') { - return - } - stage('Archive') { - dir('build/target') { - OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") - archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true - } - } - if (branch == 'main') { - stage('Push image to RSC') { - withSonatypeDockerRegistry() { - def javaVersionSuffixesMap = [ - (OPENJDK8): JAVA_8, - (OPENJDK11): JAVA_11, - (OPENJDK17): JAVA_17 - ] - def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) - - // Push UBI images - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" - if (params.java_version == OPENJDK8) { - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" - } - - // Push Alpine images - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - sh "docker push 
docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - if (params.java_version == OPENJDK11) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - } + def dockerfilePath = dockerfileMap[params.java_version][0] + def alpineDockerfilePath = dockerfileMap[params.java_version][1] + + stage('Build UBI Image') { + def baseImage = extractBaseImage(dockerfilePath) + def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' + def baseImageReference = baseImageRefFactory.build(this, baseImage as String) + def baseImageReferenceStr = baseImageReference.getReference() + def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") + imageId = hash.split(':')[1] + } + if (params.java_version != OPENJDK8) { + stage('Build Alpine Image') { + def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = hash.split(':')[1] + } + } + if (params.scan_for_policy_violations) { + stage('Evaluate Policies') { + runEvaluation({ stage -> + def isAlpine = params.java_version != OPENJDK8 && alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine') + def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' + def imageToScan = isAlpine ? 
"${imageName}-alpine" : imageName + + nexusPolicyEvaluation( + iqStage: stage, + iqApplication: iqApplicationName, + iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], + failBuildOnNetworkError: true, + ) + }, 'release') + } } - } + if (currentBuild.result == 'FAILURE') { + return + } + stage('Archive') { + dir('build/target') { + OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") + archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true + } + } + if (branch == 'main') { + stage('Push image to RSC') { + withSonatypeDockerRegistry() { + def javaVersionSuffixesMap = [ + (OPENJDK8): JAVA_8, + (OPENJDK11): JAVA_11, + (OPENJDK17): JAVA_17 + ] + def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) + + // Push UBI images + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" + if (params.java_version == OPENJDK8) { + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + } + + // Push Alpine images + if (params.java_version != OPENJDK8) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + if (params.java_version == OPENJDK11) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + } + } + } + } + } + } finally { + OsTools.runSafe(this, "docker logout") + OsTools.runSafe(this, "docker system prune -a -f") + OsTools.runSafe(this, 'git clean -f && git reset --hard 
origin/main') } - } finally { - OsTools.runSafe(this, "docker logout") - OsTools.runSafe(this, "docker system prune -a -f") - OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main') - } } def readVersion() { - def content = readFile 'Dockerfile' - for (line in content.split('\n')) { - if (line.startsWith('ARG NEXUS_VERSION=')) { - return getShortVersion(line.substring(18)) + def content = readFile 'Dockerfile' + for (line in content.split('\n')) { + if (line.startsWith('ARG NEXUS_VERSION=')) { + return getShortVersion(line.substring(18)) + } } - } - error 'Could not determine version.' + error 'Could not determine version.' } def getShortVersion(version) { - return version.split('-')[0] + return version.split('-')[0] } def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) { - def dockerFile = readFile(file: dockerFileLocation) - - def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/ - def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/ - - def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/ - def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/ - - dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3") - dockerFile = dockerFile.replaceAll(metaShortVersionRegex, - "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") - dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}") - - def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/ - def nexusUrl = params.nexus_repository_manager_url - if (params.nexus_repository_manager_url) { - dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}") - } - else { - // default URL - def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/ - dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}") 
- - def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}") - nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version) - nexusUrl = nexusUrl.replace("\${JAVA_VERSION}", javaVersion) - } - def sha = getSha(nexusUrl) - - dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}") - - writeFile(file: dockerFileLocation, text: dockerFile) + def dockerFile = readFile(file: dockerFileLocation) + + def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/ + def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/ + + def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/ + def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/ + + dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3") + dockerFile = dockerFile.replaceAll(metaShortVersionRegex, + "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") + dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}") + + def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/ + def nexusUrl = params.nexus_repository_manager_url + if (params.nexus_repository_manager_url) { + dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}") + } else { + // default URL + def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/ + dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}") + + def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}") + nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version) + nexusUrl = nexusUrl.replace("\${JAVA_VERSION}", javaVersion) + } + def sha = getSha(nexusUrl) + + dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}") + + writeFile(file: dockerFileLocation, text: dockerFile) } def getSha(url) { - def sha = sh ( - script: "curl -s -L ${url} 
| shasum -a 256 | cut -d' ' -f1",
- returnStdout: true
- ).trim()
- return sha
+ def sha = sh (
+ script: "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1",
+ returnStdout: true
+ ).trim()
+ return sha
 }
 def extractBaseImage(dockerFileLocation) {
- def dockerFile = readFile(file: dockerFileLocation)
- def baseImageRegex = "FROM\\s+([^\\s]+)"
- def usedImages = dockerFile =~ baseImageRegex
+ def dockerFile = readFile(file: dockerFileLocation)
+ def baseImageRegex = "FROM\\s+([^\\s]+)"
+ def usedImages = dockerFile =~ baseImageRegex
- return usedImages[0][1]
+ return usedImages[0][1]
 }
diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release
index d01439b3..478dd8f7 100644
--- a/Jenkinsfile-Release
+++ b/Jenkinsfile-Release
@@ -49,8 +49,7 @@ node('ubuntu-zion') {
 "${pwd()}/Dockerfile",
 "${pwd()}/Dockerfile.rh.centos",
 "${pwd()}/Dockerfile.rh.el",
- "${pwd()}/Dockerfile.rh.ubi",
- "${pwd()}/Dockerfile.alpine.java8"
+ "${pwd()}/Dockerfile.rh.ubi"
 ]
 dockerJava11FileLocations = [
@@ -119,10 +118,12 @@ node('ubuntu-zion') {
 def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
 imageId = hash.split(':')[1]
- // Build Alpine Image
- def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine")
- def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
- alpineImageId = alpineHash.split(':')[1]
+ // Build Alpine Image if not Java 8
+ if (params.java_version != OPENJDK8) {
+ def alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine")
+ def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
+ alpineImageId = alpineHash.split(':')[1]
+ }
 if (currentBuild.result == 'FAILURE') {
 gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed'
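Review bot: `getSha` derives the value written into `NEXUS_DOWNLOAD_SHA256_HASH` by hashing whatever `curl -s -L ${url}` returns, so the digest the Dockerfile later checks only proves the image build fetched the same bytes CI fetched moments earlier; it does not pin the artifact to anything independent of the staging host, and without `--fail` an HTTP error body would be hashed and baked in just as readily. The expected digest should come from a source that does not share the fetch path — Jenkinsfile-Release already carries a `nexus_repository_manager_version_sha` parameter (see its `@@ -336` hunk below) — and at minimum the fetch should be `curl -sfL ${url}` so a non-2xx response aborts the job instead of yielding a plausible-looking hash. `url` also originates from the `nexus_repository_manager_url` job parameter and is interpolated directly into the `sh` script string; handing it to the shell through an environment variable with a single-quoted script keeps the parameter from being parsed as shell syntax. The same `getSha` body reappears, re-indented, in the patch 15 hunk of this file and the remark applies there too.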
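Review bot: `def alpineDockerfilePath` is now declared inside the `if (params.java_version != OPENJDK8)` block, which makes it local to that block in Groovy, yet the `Evaluate Policies` closure later in this series (the `@@ -151`/`@@ -152` hunks of this file in patches 15 and 17) reads `alpineDockerfilePath`, so unless a declaration outside these hunks exists that read would fail as an unresolved name rather than evaluate to `null`. Hoisting the value gives the build and the scan one shared definition: `def alpineDockerfilePath = params.java_version != OPENJDK8 ? dockerfilePath.replace("Dockerfile", "Dockerfile.alpine") : null` placed before the `if`, which then only performs the build. The enclosing stage starts outside the hunk, so the declaration may need to sit further up, at the same scope as `dockerfilePath`.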
@@ -151,7 +152,7 @@ node('ubuntu-zion') {
 stage('Evaluate Policies') {
 runEvaluation({ stage ->
- def isAlpine = alpineDockerfilePath.contains('alpine')
+ def isAlpine = dockerfilePath.contains('alpine')
 def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3'
 def imageToScan = isAlpine ? "${imageName}-alpine" : imageName
@@ -231,20 +232,21 @@ node('ubuntu-zion') {
 OsTools.runSafe(this, dockerPushCmd)
- // Push Alpine image
- OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine")
- if (params.java_version == OPENJDK11) {
- OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine")
- }
+ // Push Alpine image if not Java 8
+ if (params.java_version != OPENJDK8) {
+ OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine")
+ if (params.java_version == OPENJDK11) {
+ OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine")
+ }
- def alpineDockerPushCmdsMap = [
- (OPENJDK8): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_8}-alpine",
- (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine",
- (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine"
- ]
- def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version)
+ def alpineDockerPushCmdsMap = [
+ (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine",
+ (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine"
+ ]
+ def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version)
- OsTools.runSafe(this, alpineDockerPushCmd)
+ OsTools.runSafe(this, alpineDockerPushCmd)
+ }
 response = OsTools.runSafe(this, """
 curl -X POST https://hub.docker.com/v2/users/login/ \
@@ -336,7 +338,7 @@ def updateRepositoryManagerVersion(dockerFileLocation) {
 dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
 dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
- "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
+ "\\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
 dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
 dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")
From 51fc28be4d0065283648367479d766de5d6fc2a1 Mon Sep 17 00:00:00 2001
From: mburkert3
Date: Wed, 12 Jun 2024 12:21:49 -0400
Subject: [PATCH 15/26] Add docker-nexus3-alpine scan
---
 Jenkinsfile-Internal-Release | 335 ++++++++++++++++++-----------------
 Jenkinsfile-Release | 28 +--
 2 files changed, 182 insertions(+), 181 deletions(-)
diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release
index d030a498..3e34f7ce 100644
--- a/Jenkinsfile-Internal-Release
+++ b/Jenkinsfile-Internal-Release
@@ -21,193 +21,194 @@ properties([ ]) node('ubuntu-zion') { - def commitId, commitDate, version, imageId, alpineImageId, branch - def imageName = 'sonatype/nexus3', - archiveName = 'docker-nexus3' - - def JAVA_8 = 'java8' - def JAVA_11 = 'java11' - def JAVA_17 = 'java17' - - def DOCKERFILE_JAVA_8 = 'Dockerfile' - def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' - def DOCKERFILE_JAVA_17 = 'Dockerfile.java17' - def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11' - def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' - - def dockerfileMap = [ - (OPENJDK8) : [DOCKERFILE_JAVA_8], - (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], - (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] - ] - - try { - stage('Preparation') { - deleteDir() - OsTools.runSafe(this, "docker system prune -a -f") - - def checkoutDetails = checkout scm - - branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH - commitId = checkoutDetails.GIT_COMMIT - commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}") - - OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com') - OsTools.runSafe(this, 'git config --global user.name Sonatype CI') - - version = readVersion() - - if (params.nexus_repository_manager_version) { - stage('Update Repository Manager Version') { - OsTools.runSafe(this, "git checkout ${branch}") - dockerfileMap.each { javaVersion, dockerfiles -> - dockerfiles.each { dockerfile -> - updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) - } - } - version = getShortVersion(params.nexus_repository_manager_version) - } + def commitId, commitDate, version, imageId, alpineImageId, branch + def imageName = 'sonatype/nexus3', + archiveName = 'docker-nexus3' + + def JAVA_8 = 'java8' + def JAVA_11 = 'java11' + def JAVA_17 = 'java17' + + def DOCKERFILE_JAVA_8 = 'Dockerfile' + def DOCKERFILE_JAVA_11 = 'Dockerfile.java11' + def DOCKERFILE_JAVA_17 = 
'Dockerfile.java17' + def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11' + def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17' + + def dockerfileMap = [ + (OPENJDK8) : [DOCKERFILE_JAVA_8], + (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11], + (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17] + ] + + try { + stage('Preparation') { + deleteDir() + OsTools.runSafe(this, "docker system prune -a -f") + + def checkoutDetails = checkout scm + + branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH + commitId = checkoutDetails.GIT_COMMIT + commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}") + + OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com') + OsTools.runSafe(this, 'git config --global user.name Sonatype CI') + + version = readVersion() + + if (params.nexus_repository_manager_version) { + stage('Update Repository Manager Version') { + OsTools.runSafe(this, "git checkout ${branch}") + dockerfileMap.each { javaVersion, dockerfiles -> + dockerfiles.each { dockerfile -> + updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion) } + } + version = getShortVersion(params.nexus_repository_manager_version) } - def dockerfilePath = dockerfileMap[params.java_version][0] - def alpineDockerfilePath = dockerfileMap[params.java_version][1] - - stage('Build UBI Image') { - def baseImage = extractBaseImage(dockerfilePath) - def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' - def baseImageReference = baseImageRefFactory.build(this, baseImage as String) - def baseImageReferenceStr = baseImageReference.getReference() - def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . 
-f ${dockerfilePath}") - imageId = hash.split(':')[1] - } - if (params.java_version != OPENJDK8) { - stage('Build Alpine Image') { - def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") - alpineImageId = hash.split(':')[1] - } - } - if (params.scan_for_policy_violations) { - stage('Evaluate Policies') { - runEvaluation({ stage -> - def isAlpine = params.java_version != OPENJDK8 && alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine') - def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' - def imageToScan = isAlpine ? "${imageName}-alpine" : imageName - - nexusPolicyEvaluation( - iqStage: stage, - iqApplication: iqApplicationName, - iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], - failBuildOnNetworkError: true, - ) - }, 'release') - } - } - if (currentBuild.result == 'FAILURE') { - return - } - stage('Archive') { - dir('build/target') { - OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") - archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true - } - } - if (branch == 'main') { - stage('Push image to RSC') { - withSonatypeDockerRegistry() { - def javaVersionSuffixesMap = [ - (OPENJDK8): JAVA_8, - (OPENJDK11): JAVA_11, - (OPENJDK17): JAVA_17 - ] - def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) - - // Push UBI images - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" - if (params.java_version == OPENJDK8) { - sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" - } - - // Push Alpine images - if (params.java_version != OPENJDK8) { - sh "docker tag ${alpineImageId} 
docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" - if (params.java_version == OPENJDK11) { - sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" - } - } - } + } + } + def dockerfilePath = dockerfileMap[params.java_version][0] + def alpineDockerfilePath = params.java_version == OPENJDK8 ? null : dockerfileMap[params.java_version][1] + + stage('Build UBI Image') { + def baseImage = extractBaseImage(dockerfilePath) + def baseImageRefFactory = load 'scripts/BaseImageReference.groovy' + def baseImageReference = baseImageRefFactory.build(this, baseImage as String) + def baseImageReferenceStr = baseImageReference.getReference() + def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}") + imageId = hash.split(':')[1] + } + if (params.java_version != OPENJDK8) { + stage('Build Alpine Image') { + def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}") + alpineImageId = hash.split(':')[1] + } + } + if (params.scan_for_policy_violations) { + stage('Evaluate Policies') { + runEvaluation({ stage -> + def isAlpine = dockerfilePath.contains('alpine') + def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' + def imageToScan = isAlpine ? 
"${imageName}-alpine" : imageName + + nexusPolicyEvaluation( + iqStage: stage, + iqApplication: iqApplicationName, + iqScanPatterns: [[scanPattern: "container:${imageToScan}"]], + failBuildOnNetworkError: true, + ) + }, 'release') + } + } + if (currentBuild.result == 'FAILURE') { + return + } + stage('Archive') { + dir('build/target') { + OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz") + archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true + } + } + if (branch == 'main') { + stage('Push image to RSC') { + withSonatypeDockerRegistry() { + def javaVersionSuffixesMap = [ + (OPENJDK8): JAVA_8, + (OPENJDK11): JAVA_11, + (OPENJDK17): JAVA_17 + ] + def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version) + + // Push UBI images + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi" + if (params.java_version == OPENJDK8) { + sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi" + } + + // Push Alpine images + if (params.java_version != OPENJDK8) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine" + if (params.java_version == OPENJDK11) { + sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" + sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine" } + } } - } finally { - OsTools.runSafe(this, "docker logout") - OsTools.runSafe(this, "docker system prune -a -f") - OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main') + } 
} + } finally { + OsTools.runSafe(this, "docker logout") + OsTools.runSafe(this, "docker system prune -a -f") + OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main') + } } def readVersion() { - def content = readFile 'Dockerfile' - for (line in content.split('\n')) { - if (line.startsWith('ARG NEXUS_VERSION=')) { - return getShortVersion(line.substring(18)) - } + def content = readFile 'Dockerfile' + for (line in content.split('\n')) { + if (line.startsWith('ARG NEXUS_VERSION=')) { + return getShortVersion(line.substring(18)) } - error 'Could not determine version.' + } + error 'Could not determine version.' } def getShortVersion(version) { - return version.split('-')[0] + return version.split('-')[0] } def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) { - def dockerFile = readFile(file: dockerFileLocation) - - def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/ - def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/ - - def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/ - def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/ - - dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3") - dockerFile = dockerFile.replaceAll(metaShortVersionRegex, - "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") - dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}") - - def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/ - def nexusUrl = params.nexus_repository_manager_url - if (params.nexus_repository_manager_url) { - dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}") - } else { - // default URL - def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/ - dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}") - - def 
normalizedUrl = "a".replaceAll(/./, "${defaultUrl}") - nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version) - nexusUrl = nexusUrl.replace("\${JAVA_VERSION}", javaVersion) - } - def sha = getSha(nexusUrl) - - dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}") - - writeFile(file: dockerFileLocation, text: dockerFile) + def dockerFile = readFile(file: dockerFileLocation) + + def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/ + def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/ + + def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/ + def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/ + + dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3") + dockerFile = dockerFile.replaceAll(metaShortVersionRegex, + "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") + dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}") + + def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/ + def nexusUrl = params.nexus_repository_manager_url + if (params.nexus_repository_manager_url) { + dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}") + } + else { + // default URL + def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/ + dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}") + + def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}") + nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version) + nexusUrl = nexusUrl.replace("\${JAVA_VERSION}", javaVersion) + } + def sha = getSha(nexusUrl) + + dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}") + + writeFile(file: dockerFileLocation, text: dockerFile) } def getSha(url) { - def sha = sh ( - script: "curl -s -L ${url} | 
shasum -a 256 | cut -d' ' -f1",
- returnStdout: true
- ).trim()
- return sha
+ def sha = sh (
+ script: "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1",
+ returnStdout: true
+ ).trim()
+ return sha
 }
 def extractBaseImage(dockerFileLocation) {
- def dockerFile = readFile(file: dockerFileLocation)
- def baseImageRegex = "FROM\\s+([^\\s]+)"
- def usedImages = dockerFile =~ baseImageRegex
+ def dockerFile = readFile(file: dockerFileLocation)
+ def baseImageRegex = "FROM\\s+([^\\s]+)"
+ def usedImages = dockerFile =~ baseImageRegex
- return usedImages[0][1]
+ return usedImages[0][1]
 }
diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release
index 478dd8f7..260db5d6 100644
--- a/Jenkinsfile-Release
+++ b/Jenkinsfile-Release
@@ -151,19 +151,19 @@ node('ubuntu-zion') {
 }
 stage('Evaluate Policies') {
- runEvaluation({ stage ->
- def isAlpine = dockerfilePath.contains('alpine')
- def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3'
- def imageToScan = isAlpine ? "${imageName}-alpine" : imageName
-
- nexusPolicyEvaluation(
- iqStage: stage,
- iqApplication: iqApplicationName,
- iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
- failBuildOnNetworkError: true,
- )
- }, 'release')
- }
+ runEvaluation({ stage ->
+ def isAlpine = alpineDockerfilePath.contains('alpine')
+ def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3'
+ def imageToScan = isAlpine ? "${imageName}-alpine" : imageName
+
+ nexusPolicyEvaluation(
+ iqStage: stage,
+ iqApplication: iqApplicationName,
+ iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
+ failBuildOnNetworkError: true,
+ )
+ }, 'release')
+ }
 if (currentBuild.result == 'FAILURE') {
 return
@@ -338,7 +338,7 @@ def updateRepositoryManagerVersion(dockerFileLocation) { dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3") dockerFile = dockerFile.replaceAll(metaShortVersionRegex, - "\\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") + "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3") dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}") dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}") From 58d2a8199246dad43b442c4c23d570677d2172c2 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Wed, 12 Jun 2024 22:14:08 -0400 Subject: [PATCH 16/26] Change Alpine Docker-nexus3 logic --- Jenkinsfile-Internal-Release | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile-Internal-Release b/Jenkinsfile-Internal-Release index 3e34f7ce..f3daf0a2 100644 --- a/Jenkinsfile-Internal-Release +++ b/Jenkinsfile-Internal-Release @@ -89,7 +89,7 @@ node('ubuntu-zion') { if (params.scan_for_policy_violations) { stage('Evaluate Policies') { runEvaluation({ stage -> - def isAlpine = dockerfilePath.contains('alpine') + def isAlpine = alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine') def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' def imageToScan = isAlpine ? "${imageName}-alpine" : imageName From 92c2a9e9c1485e0f93902397bcaa3eaad860f05e Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Wed, 12 Jun 2024 22:16:13 -0400 Subject: [PATCH 17/26] Change Alpine Docker-nexus3 logic --- Jenkinsfile-Release | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile-Release b/Jenkinsfile-Release index 260db5d6..5ec5c0de 100644 
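Review bot: `alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine')` is the spelled-out form of Groovy's safe navigation; `def isAlpine = alpineDockerfilePath?.contains('alpine') ?: false` expresses the same guard without repeating the name. Note that the null check only helps if `alpineDockerfilePath` is actually assigned (possibly null) in every path; if it is a script variable that some branches never define, the `!= null` test itself raises a MissingPropertyException in a Jenkinsfile, so it is worth confirming how it is declared, which is outside this hunk. The identical change is made to Jenkinsfile-Release in the next commit (hunk `@@ -152,7 +152,7 @@`) and the same remark applies there.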
--- a/Jenkinsfile-Release +++ b/Jenkinsfile-Release @@ -152,7 +152,7 @@ node('ubuntu-zion') { stage('Evaluate Policies') { runEvaluation({ stage -> - def isAlpine = alpineDockerfilePath.contains('alpine') + def isAlpine = alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine') def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3' def imageToScan = isAlpine ? "${imageName}-alpine" : imageName From c50a4205569ed290baf32778c4cce23db55cca12 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Fri, 14 Jun 2024 18:47:51 -0400 Subject: [PATCH 18/26] Add Alpine Description --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 27fb3bef..886c1739 100644 --- a/README.md +++ b/README.md 
@@ -106,6 +106,19 @@ In addition to the Universal Base Image, we can build images based on: * Red Hat Enterprise Linux: [Dockerfile.rh.el](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.el) * CentOS: [Dockerfile.rh.centos](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.centos) +## Alpine Image + +An Alpine-based container image can be created using [Dockerfile.alpine.java11](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.alpine.java11) which is built to leverage the minimalistic and efficient nature of Alpine Linux. +The image is designed to be lightweight and fast, with a smaller footprint compared to traditional base images, making it ideal for environments where size and speed are critical. + +The Alpine-based container image includes minimal dependencies and uses an ENTRYPOINT script to ensure the application runs with the necessary permissions. It is optimized for rapid deployment and efficient resource usage. + +The Alpine-based container image is available from Docker Hub and can be pulled using the following tags: + +- 'sonatype/nexus3:3.XX.y-alpine' (runs Java 11) +- 'sonatype/nexus3:3.XX.y-java11-alpine' +- 'sonatype/nexus3:3.XX.y-java17-alpine' + ## Notes * Our [system requirements](https://help.sonatype.com/display/NXRM3/System+Requirements) should be taken into account when provisioning the Docker container. From 09620aed650525b24a9b7bbc8b54fe72c0fe2210 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Fri, 14 Jun 2024 18:48:18 -0400 Subject: [PATCH 19/26] Add Alpine Description --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 886c1739..93003ed8 100644 --- a/README.md +++ b/README.md 
@@ -115,9 +115,9 @@ The Alpine-based container image includes minimal dependencies and uses an ENTRY The Alpine-based container image is available from Docker Hub and can be pulled using the following tags: -- 'sonatype/nexus3:3.XX.y-alpine' (runs Java 11) -- 'sonatype/nexus3:3.XX.y-java11-alpine' -- 'sonatype/nexus3:3.XX.y-java17-alpine' +- sonatype/nexus3:3.XX.y-alpine (runs Java 11) +- sonatype/nexus3:3.XX.y-java11-alpine +- sonatype/nexus3:3.XX.y-java17-alpine ## Notes From 1f34e110e5907be6e37510a5e7529bb7df120fe5 Mon Sep 17 00:00:00 2001 From: Jerson Huerfano Date: Tue, 18 Jun 2024 11:21:14 -0500 Subject: [PATCH 20/26] NEXUS-43198: Added support for alpine tags in SBOM release pipeline (#199) * NEXUS-43198: Added support for *-alpine tags --- Jenkinsfile-sbom-release | 92 ++++++++++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 33 deletions(-) diff --git a/Jenkinsfile-sbom-release b/Jenkinsfile-sbom-release index 9e190ff4..d988d210 100644 --- a/Jenkinsfile-sbom-release +++ b/Jenkinsfile-sbom-release @@ -7,14 +7,22 @@ @Library(['private-pipeline-library', 'jenkins-shared']) _ import groovy.json.JsonSlurper +import groovy.json.JsonBuilder IQ_URL_BASE = "https://sonatype.sonatype.app/platform" REPO_BASE_URL = "https://repo.sonatype.com/service/rest" TARGET_REPO_NAME = "sonatype-sboms" +SBOM_DEPLOYER_CREDENTIALS = "sonatype-sbom-deployer" REDHAT_SBOM_REPO_URL_BASE = "https://access.redhat.com/security/data/sbom/beta" REDHAT_CONTAINER_API_URL_BASE = "https://catalog.redhat.com/api/containers/v1" CYCLONEDX_VERSION = "1.5" SPDXMERGE_VERSION_TAG = "v0.2.0" +NEXUS3_REPORT_BY_TAG = [ + "^(\\d+\\.\\d+\\.\\d+)(-java\\d+)?-alpine\$" : "docker-nexus3-alpine", + "^(\\d+\\.\\d+\\.\\d+)(-java\\d+)?(-ubi)?\$" : "docker-nexus3" +] +DOCKER_NEXUS_IMAGE_NAME = "docker-all.repo.sonatype.com/sonatype/nexus3" +DEFAULT_NEXUS3_REPORT = "docker-nexus3" properties([ parameters([ 
@@ -72,12 +80,12 @@ def getComponentInfo(String componentName) { } } -def publishComponent(String buildDir, String componentName, String componentVersion, boolean cyclonedxAvailable = true) { +def publishComponentSbom(String buildDir, String componentName, String componentVersion, boolean cyclonedxAvailable = true) { def publishCommand = "curl -v -s -w 'Status: %{http_code}' -u \$NXRM_USER:\$NXRM_PASSWORD -X POST '${REPO_BASE_URL}/v1/components?repository=${TARGET_REPO_NAME}' \ -F 'raw.directory=/${componentName}/${componentVersion}/' \ -F 'raw.asset1=@${buildDir}/spdx/${componentName}-${componentVersion}-spdx.json' \ -F 'raw.asset1.filename=${componentName}-${componentVersion}-spdx.json'" - + if (cyclonedxAvailable) { publishCommand = "${publishCommand} \ -F 'raw.asset2=@${buildDir}/cyclonedx/${componentName}-${componentVersion}-cyclonedx.json' \ @@ -86,11 +94,15 @@ def publishComponent(String buildDir, String componentName, String componentVers withCredentials([ usernamePassword( - credentialsId: 'sonatype-sbom-deployer', + credentialsId: SBOM_DEPLOYER_CREDENTIALS, usernameVariable: 'NXRM_USER', passwordVariable: 'NXRM_PASSWORD') ]) { - sh(publishCommand) + def publishStatus = sh(script: publishCommand, returnStdout: true).trim() + + if( !(publishStatus ==~ "Status: 2\\d\\d") ) { + error "Could not publish SBOM of component ${componentName}:${componentVersion}" + } } } 
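Review bot: `publishComponentSbom` still assembles the upload as `curl -v -s -w 'Status: %{http_code}' -u \$NXRM_USER:\$NXRM_PASSWORD ...`; with `-v` curl echoes the outgoing request headers, including the `Authorization: Basic …` header built from those credentials, to stderr, which `sh(returnStdout: true)` does not capture and which therefore ends up in the Jenkins console log, where credential masking covers the literal secret rather than its base64 encoding. Drop `-v` — the new `Status: %{http_code}` write-out already carries the outcome — and use `-sS` so that only transport errors are printed: `curl -sS -w 'Status: %{http_code}' -u \$NXRM_USER:\$NXRM_PASSWORD -X POST ...`. Passing the secret on the command line also exposes it to anything that can list processes on the agent; curl's `--netrc-file` or `-K` (config file) options let the credential be read from a file written by `withCredentials` instead.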
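Review bot: The new check `publishStatus ==~ "Status: 2\\d\\d"` demands that the whole captured stdout equal the write-out string, but `curl -s` still prints any response body ahead of the `-w` text, so a 2xx reply that carries a body is reported as a failure, and the `error` call then discards the very output that would explain what happened. Either add `-o /dev/null` to the command so stdout holds only the write-out, or match with `=~` and surface the captured text: `error "Could not publish SBOM of component ${componentName}:${componentVersion}: ${publishStatus}"`. The enclosing function begins in the previous hunk.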
@@ -125,34 +137,38 @@ def mergeSpdxComponents(String buildDir, String finalComponentName, String final """ } +def getNexusReportName(String tag) { + for(entry in NEXUS3_REPORT_BY_TAG) { + if(tag ==~ entry.key) { + return entry.value + } + } + return DEFAULT_NEXUS3_REPORT +} + +def dockerInspectLabel(String image, String tag, String label) { + sh(script: "docker inspect ${image}:${tag} | jq -r '.[0].Config.Labels[\"${label}\"]'", returnStdout: true).trim() +} + dockerizedRunPipeline( skipVulnerabilityScan: true, pathToDockerfile: "./build-images/Dockerfile.sbom-deployer", prepare: { withSonatypeDockerRegistry() { - sh "docker pull sonatype/nexus3:${params.docker_nexus3_tag}" - env['nexusVersion'] = sh(script: "docker inspect sonatype/nexus3:${params.docker_nexus3_tag} \ - | jq -r '.[0].Config.Labels.version' ", - returnStdout: true).trim() - env['dockerImageVersion'] = sh(script: "docker inspect sonatype/nexus3:${params.docker_nexus3_tag} \ - | jq -r '.[0].Config.Labels.release' ", - returnStdout: true).trim() - env['ubiImageId'] = sh(script: "docker inspect sonatype/nexus3:${params.docker_nexus3_tag} \ - | jq -r '.[0].Config.Labels.\"base-image-ref\"' \ - | sed -En 's/^.+image=(.+)\$/\\1/p'", - returnStdout: true).trim() + sh "docker pull ${DOCKER_NEXUS_IMAGE_NAME}:${params.docker_nexus3_tag}" + + def baseImageRef = dockerInspectLabel(DOCKER_NEXUS_IMAGE_NAME, params.docker_nexus3_tag, "base-image-ref") + + env['imageTag'] = params.docker_nexus3_tag + env['nexusVersion'] = dockerInspectLabel(DOCKER_NEXUS_IMAGE_NAME, params.docker_nexus3_tag, "version") + env['dockerImageVersion'] = dockerInspectLabel(DOCKER_NEXUS_IMAGE_NAME, params.docker_nexus3_tag, "release") + env['ubiImageId'] = baseImageRef.contains("image=") ? 
baseImageRef.split("image=")[1] : "" } }, run: { - def buildDir = "./.sbom-build/job-${env.BUILD_NUMBER}" - def ubiImageName = sh(script: "curl -s -X 'GET' '${REDHAT_CONTAINER_API_URL_BASE}/images/id/${env.ubiImageId}' -H 'accept: application/json' \ - | jq -r '.brew.build' \ - | sed -En 's/(ubi[0-9]+-minimal)-container-([0-9]+\\.[0-9]+-[0-9]+\\.?[0-9]*)/\\1-\\2/p'", - returnStdout: true).trim() - def ubiImageVersion = sh(script: "curl -s -X 'GET' '${REDHAT_CONTAINER_API_URL_BASE}/images/id/${env.ubiImageId}' -H 'accept: application/json' \ - | jq -r '.brew.build' \ - | sed -En 's/ubi[0-9]+-minimal-container-([0-9]+\\.[0-9]+-[0-9]+\\.?[0-9]*)/\\1/p'", - returnStdout: true).trim() + def buildDir = "./.sbom-build/job-${env.BUILD_NUMBER}/v${env.imageTag}" + def jsonSlurper = new JsonSlurper() + def nexusReportName = getNexusReportName(env.imageTag) // Download SBOMs sh "mkdir -p ${buildDir}/spdx && mkdir -p ${buildDir}/cyclonedx" 
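Review bot: The image whose labels feed the SBOM is pulled and inspected by mutable tag only (`${DOCKER_NEXUS_IMAGE_NAME}:${params.docker_nexus3_tag}`), so nothing in the prepare step ties the generated SBOM to a specific image; if the tag is re-pushed between this run and the time the SBOM is consumed, the document describes a different artifact. Consider recording the resolved digest alongside the other values, e.g. `env['imageDigest'] = sh(script: "docker inspect --format '{{index .RepoDigests 0}}' ${DOCKER_NEXUS_IMAGE_NAME}:${params.docker_nexus3_tag}", returnStdout: true).trim()`, and carrying it into the published component metadata. Separately, `def jsonSlurper = new JsonSlurper()` in the run block is not referenced anywhere in this hunk; if nothing later in the closure uses it, drop it together with the new `JsonBuilder` import. The `run` closure continues past this hunk.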
@@ -161,26 +177,36 @@ dockerizedRunPipeline( getComponentSbom(buildDir, "nexus-internal", env.nexusVersion) // Get nxrm-db-migrator SBOM getComponentSbom(buildDir, "nxrm-db-migrator", env.nexusVersion) - // Get docker-nexus3 SBOM - getComponentSbom(buildDir, "docker-nexus3", env.dockerImageVersion) + // Get we SBOM + getComponentSbom(buildDir, nexusReportName, env.dockerImageVersion) + // Get UBI Minimal SBOM - def ubiSbomAvailable = getUbiImageSbom(buildDir, ubiImageName, ubiImageVersion) + boolean ubiSbomAvailable = env.ubiImageId?.trim() ? true : false + def ubiImageName = ubiSbomAvailable ? sh(script: "curl -s -X 'GET' '${REDHAT_CONTAINER_API_URL_BASE}/images/id/${env.ubiImageId}' -H 'accept: application/json' \ + | jq -r '.brew.build' \ + | sed -En 's/(ubi[0-9]+-minimal)-container-([0-9]+\\.[0-9]+-[0-9]+\\.?[0-9]*)/\\1-\\2/p'", + returnStdout: true).trim() : "" + def ubiImageVersion = ubiSbomAvailable ? sh(script: "curl -s -X 'GET' '${REDHAT_CONTAINER_API_URL_BASE}/images/id/${env.ubiImageId}' -H 'accept: application/json' \ + | jq -r '.brew.build' \ + | sed -En 's/ubi[0-9]+-minimal-container-([0-9]+\\.[0-9]+-[0-9]+\\.?[0-9]*)/\\1/p'", + returnStdout: true).trim() : "" + ubiSbomAvailable = ubiSbomAvailable ? 
getUbiImageSbom(buildDir, ubiImageName, ubiImageVersion) : false sh "echo 'Available SPDX SBOMS' && ls ${buildDir}/spdx" sh "echo 'Available CycloneDx SBOMS' && ls ${buildDir}/cyclonedx" // Merge supported sboms - def dockerImageNamespace = sh(script: "cat ${buildDir}/spdx/docker-nexus3-${env.dockerImageVersion}-spdx.json | jq -r '.documentNamespace'", returnStdout: true).trim() - mergeSpdxComponents(buildDir, "docker-nexus3-aggregate", env.dockerImageVersion, dockerImageNamespace) + def dockerImageNamespace = sh(script: "cat ${buildDir}/spdx/${nexusReportName}-${env.dockerImageVersion}-spdx.json | jq -r '.documentNamespace'", returnStdout: true).trim() + mergeSpdxComponents(buildDir, "${nexusReportName}-aggregate", env.dockerImageVersion, dockerImageNamespace) // Publish SBOMs if (ubiSbomAvailable) { publishComponent(buildDir, "ubi-minimal", ubiImageVersion, false) } - publishComponent(buildDir, "nexus-internal", env.nexusVersion) - publishComponent(buildDir, "nxrm-db-migrator", env.nexusVersion) - publishComponent(buildDir, "docker-nexus3", env.dockerImageVersion) - publishComponent(buildDir, "docker-nexus3-aggregate", env.dockerImageVersion, false) + publishComponentSbom(buildDir, "nexus-internal", env.nexusVersion) + publishComponentSbom(buildDir, "nxrm-db-migrator", env.nexusVersion) + publishComponentSbom(buildDir, nexusReportName, env.dockerImageVersion) + publishComponentSbom(buildDir, "${nexusReportName}-aggregate", env.dockerImageVersion, false) sh "rm -rf '${buildDir}'" } From 36e3c5c162f5f1eaf3abb26ca8664bec8bf3ebc6 Mon Sep 17 00:00:00 2001 From: mburkert3 <126404216+mburkert3@users.noreply.github.com> Date: Tue, 18 Jun 2024 13:24:23 -0400 Subject: [PATCH 21/26] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 93003ed8..1b42af06 100644 --- a/README.md +++ b/README.md 
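Review bot: The context line `if (ubiSbomAvailable) { publishComponent(buildDir, "ubi-minimal", ubiImageVersion, false) }` still calls the old name, while this same commit renames the function to `publishComponentSbom` and updates every other call site; as soon as a UBI image id is present the run fails with a missing-method error at publish time, after the other SBOMs have already been uploaded. Change it to `publishComponentSbom(buildDir, "ubi-minimal", ubiImageVersion, false)`. The added comment `// Get we SBOM` also reads like a slip for `// Get docker image SBOM`. The `run` closure begins in the previous hunk.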
@@ -108,8 +108,7 @@ In addition to the Universal Base Image, we can build images based on: ## Alpine Image -An Alpine-based container image can be created using [Dockerfile.alpine.java11](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.alpine.java11) which is built to leverage the minimalistic and efficient nature of Alpine Linux. -The image is designed to be lightweight and fast, with a smaller footprint compared to traditional base images, making it ideal for environments where size and speed are critical. +An Alpine-based container image can be created using [Dockerfile.alpine.java11](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.alpine.java11) This Dockerfile is built to leverage the minimalistic and efficient nature of Alpine Linux, emphasizing fewer dependencies to achieve a cleaner SBOM (Software Bill of Materials) and a stronger security posture. The Alpine-based container image includes minimal dependencies and uses an ENTRYPOINT script to ensure the application runs with the necessary permissions. It is optimized for rapid deployment and efficient resource usage. From 99895473ad0958c12c9298590920a15a20966864 Mon Sep 17 00:00:00 2001 From: Tahir Awan Date: Tue, 18 Jun 2024 18:20:45 -0400 Subject: [PATCH 22/26] update nexus.vmoptions --- Dockerfile.alpine | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index d73644ba..d2298842 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine 
@@ -70,6 +70,9 @@ RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ # Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions +# Removing the line not applicable to jdk9+alpine +RUN sed -i ';/^-Djava.endorsed/d;/# comment out/d' $NEXUS_HOME/bin/nexus.vmoptions + RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ From 77a9588b7c9dc219c059e59ccf84fdd061c2c060 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Contreras?= Date: Tue, 18 Jun 2024 23:06:52 -0500 Subject: [PATCH 23/26] fixing alpine images --- Dockerfile.alpine | 5 +---- Dockerfile.alpine.java11 | 13 +++++++------ Dockerfile.alpine.java17 | 15 ++++++++------- 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index d2298842..e6dd6e62 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -38,7 +38,7 @@ LABEL name="Nexus Repository Manager" \ ARG NEXUS_VERSION=3.69.0-02 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz -ARG NEXUS_DOWNLOAD_SHA256_HASH=4161a1bb43d92ad8ca6185fa0da2c0f02dfd62280c5b6e4ac4419df4aecaf55f +ARG NEXUS_DOWNLOAD_SHA256_HASH=eec80b3ee33dde61443e54dddea258f851951c4aef81c4c6256c1205ca818162 # configure nexus runtime ENV SONATYPE_DIR=/opt/sonatype 
@@ -70,9 +70,6 @@ RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ # Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions -# Removing the line not applicable to jdk9+alpine -RUN sed -i ';/^-Djava.endorsed/d;/# comment out/d' $NEXUS_HOME/bin/nexus.vmoptions - RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ diff --git a/Dockerfile.alpine.java11 b/Dockerfile.alpine.java11 index e5d54861..71543264 100644 --- a/Dockerfile.alpine.java11 +++ b/Dockerfile.alpine.java11 @@ -37,7 +37,8 @@ LABEL name="Nexus Repository Manager" \ io.openshift.tags="Sonatype,Nexus,Repository Manager" ARG NEXUS_VERSION=3.69.0-02 -ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz +ARG JAVA_VERSION=java11 +ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz ARG NEXUS_DOWNLOAD_SHA256_HASH=4a22cd3f2a2bd3fef46e2f13b57abfcca9e6244c36cee8c2aac226a333524c07 # configure nexus runtime 
@@ -57,11 +58,11 @@ RUN apk add openjdk11 tar procps gzip curl shadow \ WORKDIR ${SONATYPE_DIR} # Download nexus & setup directories -RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ - && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ - && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ + && tar xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ && chown -R nexus:nexus ${SONATYPE_WORK} \ && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ diff --git a/Dockerfile.alpine.java17 b/Dockerfile.alpine.java17 index 8dbe6cdd..96b0be29 100644 --- a/Dockerfile.alpine.java17 +++ b/Dockerfile.alpine.java17 @@ -37,8 +37,9 @@ LABEL name="Nexus Repository Manager" \ io.openshift.tags="Sonatype,Nexus,Repository Manager" ARG NEXUS_VERSION=3.69.0-02 -ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz -ARG NEXUS_DOWNLOAD_SHA256_HASH=59ed008f74dea1a7f1a36dd896ea552c1d35ff537ec8e5669addd87776ecc7e2 +ARG JAVA_VERSION=java17 +ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz +ARG NEXUS_DOWNLOAD_SHA256_HASH=4a22cd3f2a2bd3fef46e2f13b57abfcca9e6244c36cee8c2aac226a333524c07 # configure nexus runtime ENV SONATYPE_DIR=/opt/sonatype 
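Review bot: The archive is now fetched as `nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz`, but the unchanged `mv nexus-${NEXUS_VERSION} $NEXUS_HOME` two lines later assumes the Java-specific tarball still extracts to the same top-level directory as the generic one; if it does not, the build stops at the mv with no hint why. A comment on that line stating the assumption, e.g. `# the -java11 archive extracts to nexus-${NEXUS_VERSION}, same as the generic tarball`, would make that dependency explicit. Also, `curl -L` without `--fail` writes an HTTP error page into the .tar.gz on a 404, leaving `sha256sum -c` as the only, less readable, failure point; `curl -fL` fails fast with the HTTP status. The same applies to the matching hunk in Dockerfile.alpine.java17 (`@@ -57,11 +58,11 @@`).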
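Review bot: `ARG NEXUS_DOWNLOAD_SHA256_HASH` in Dockerfile.alpine.java17 is set to `4a22cd3f2a2bd3fef46e2f13b57abfcca9e6244c36cee8c2aac226a333524c07`, the digest Dockerfile.alpine.java11 uses for the java11 archive, while the URL now points at a different file (`-java17-unix.tar.gz`); two distinct tarballs cannot share a SHA-256, so either the java17 build fails at `sha256sum -c` or the wrong archive is being pinned. The value should come from the published java17 checksum for this NEXUS_VERSION and be recorded independently of the java11 one, with a comment naming which archive it belongs to, e.g. `# sha256 of nexus-3.69.0-02-java17-unix.tar.gz`.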
@@ -57,11 +58,11 @@ RUN apk add openjdk17 tar procps gzip curl shadow \ WORKDIR ${SONATYPE_DIR} # Download nexus & setup directories -RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ - && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ - && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ +RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \ + && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ + && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ + && tar xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \ + && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \ && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ && chown -R nexus:nexus ${SONATYPE_WORK} \ && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ From 05d3b64e2df8d72982d6c8e68b5cb0c131a0bbf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Contreras?= Date: Wed, 19 Jun 2024 09:50:22 -0500 Subject: [PATCH 24/26] fixing alpine image sha for java 17 --- Dockerfile.alpine.java17 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.alpine.java17 b/Dockerfile.alpine.java17 index 96b0be29..8a55d860 100644 --- a/Dockerfile.alpine.java17 +++ b/Dockerfile.alpine.java17 
@@ -39,7 +39,7 @@ LABEL name="Nexus Repository Manager" \ ARG NEXUS_VERSION=3.69.0-02 ARG JAVA_VERSION=java17 ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz -ARG NEXUS_DOWNLOAD_SHA256_HASH=4a22cd3f2a2bd3fef46e2f13b57abfcca9e6244c36cee8c2aac226a333524c07 +ARG NEXUS_DOWNLOAD_SHA256_HASH=59ed008f74dea1a7f1a36dd896ea552c1d35ff537ec8e5669addd87776ecc7e2 # configure nexus runtime ENV SONATYPE_DIR=/opt/sonatype From 98eb54f76515305d88c7e3c4c7af93d52b2abc41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Contreras?= Date: Wed, 19 Jun 2024 10:28:04 -0500 Subject: [PATCH 25/26] removing java 8 alpine image --- Dockerfile.alpine | 88 ----------------------------------------------- 1 file changed, 88 deletions(-) delete mode 100644 Dockerfile.alpine diff --git a/Dockerfile.alpine b/Dockerfile.alpine deleted file mode 100644 index e6dd6e62..00000000 --- a/Dockerfile.alpine +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright (c) 2016-present Sonatype, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM alpine - -LABEL name="Nexus Repository Manager" \ - maintainer="Sonatype " \ - vendor=Sonatype \ - version="3.69.0-02" \ - release="3.69.0" \ - url="https://sonatype.com" \ - summary="The Nexus Repository Manager server \ - with universal support for popular component formats." \ - description="The Nexus Repository Manager server \ - with universal support for popular component formats." \ - run="docker run -d --name NAME \ - -p 8081:8081 \ - IMAGE" \ - stop="docker stop NAME" \ - com.sonatype.license="Apache License, Version 2.0" \ - com.sonatype.name="Nexus Repository Manager base image" \ - io.k8s.description="The Nexus Repository Manager server \ - with universal support for popular component formats." 
\ - io.k8s.display-name="Nexus Repository Manager" \ - io.openshift.expose-services="8081:8081" \ - io.openshift.tags="Sonatype,Nexus,Repository Manager" - -ARG NEXUS_VERSION=3.69.0-02 -ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz -ARG NEXUS_DOWNLOAD_SHA256_HASH=eec80b3ee33dde61443e54dddea258f851951c4aef81c4c6256c1205ca818162 - -# configure nexus runtime -ENV SONATYPE_DIR=/opt/sonatype -ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \ - NEXUS_DATA=/nexus-data \ - NEXUS_CONTEXT='' \ - SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \ - DOCKER_TYPE='alpine' - -# Install Java & tar -RUN apk add openjdk8 tar procps gzip curl shadow \ - && apk cache clean \ - && groupadd --gid 200 -r nexus \ - && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user' - -WORKDIR ${SONATYPE_DIR} - -# Download nexus & setup directories -RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \ - && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && tar xvf nexus-${NEXUS_VERSION}-unix.tar.gz \ - && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \ - && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \ - && chown -R nexus:nexus ${SONATYPE_WORK} \ - && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \ - && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3 - -# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS -RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions - -RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && chmod a+x 
${SONATYPE_DIR}/start-nexus-repository-manager.sh \ - && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties - -RUN apk del gzip shadow - -VOLUME ${NEXUS_DATA} - -EXPOSE 8081 -USER nexus - -ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs" - -CMD ["/opt/sonatype/nexus/bin/nexus", "run"] From ec2dd05046cfc2614df8dbaca6180723ed7ca7e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Contreras?= Date: Wed, 19 Jun 2024 10:37:38 -0500 Subject: [PATCH 26/26] removing alpine temp Jenkins file --- Jenkinsfile.alpine | 162 --------------------------------------------- 1 file changed, 162 deletions(-) delete mode 100644 Jenkinsfile.alpine diff --git a/Jenkinsfile.alpine b/Jenkinsfile.alpine deleted file mode 100644 index 3f479e38..00000000 --- a/Jenkinsfile.alpine +++ /dev/null 
@@ -1,162 +0,0 @@
-/*
- * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
- * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
- * "Sonatype" is a trademark of Sonatype, Inc.
- */
-
-@Library(['private-pipeline-library', 'jenkins-shared']) _
-import com.sonatype.jenkins.pipeline.OsTools
-
-String OPENJDK8 = 'OpenJDK 8'
-
-properties([
- parameters([
- string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
- string(defaultValue: '', description: 'New Nexus Repository Manager URL (Optional)', name: 'nexus_repository_manager_url'),
- booleanParam(defaultValue: false, description: 'Optional scan for policy violations', name: 'scan_for_policy_violations')
- ])
-])
-
-node('ubuntu-zion') {
- def commitId, commitDate, version, imageId, branch
- def imageName = 'sonatype/nexus3',
- archiveName = 'docker-nexus3'
-
- def JAVA_8 = 'java8'
-
- def DOCKERFILE_JAVA_8 = 'Dockerfile.alpine'
-
- try {
- stage('Preparation') {
- deleteDir()
- OsTools.runSafe(this, "docker system prune -a -f")
-
- def checkoutDetails = checkout scm
-
- branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
- commitId = checkoutDetails.GIT_COMMIT
- commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
-
- OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
- OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
-
- version = readVersion()
-
- if (params.nexus_repository_manager_version) {
- stage('Update Repository Manager Version') {
- OsTools.runSafe(this, "git checkout ${branch}")
- updateRepositoryManagerVersion("${pwd()}/${DOCKERFILE_JAVA_8}", JAVA_8)
- version = getShortVersion(params.nexus_repository_manager_version)
- }
- }
- }
- stage('Build') {
- def dockerfilePath = DOCKERFILE_JAVA_8
- def baseImage = extractBaseImage(dockerfilePath)
- def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
- def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
- def baseImageReferenceStr = baseImageReference.getReference()
- def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
- imageId = hash.split(':')[1]
- }
- if (params.scan_for_policy_violations) {
- stage('Evaluate Policies') {
- runEvaluation({ stage ->
- nexusPolicyEvaluation(
- iqStage: stage,
- iqApplication: 'docker-nexus3-alpine',
- iqScanPatterns: [[scanPattern: "container:${imageName}"]],
- failBuildOnNetworkError: true,
- )}, 'release')
- }
- }
- if (currentBuild.result == 'FAILURE') {
- return
- }
- stage('Archive') {
- dir('build/target') {
- OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
- archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
- }
- }
- if (branch == 'main') {
- stage('Push image to RSC') {
- withSonatypeDockerRegistry() {
- def tags = ["${version}-java8-alpine", "${version}-alpine"]
- tags.each { tag ->
- sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${tag}"
- sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${tag}"
- }
- }
- }
- }
- } finally {
- OsTools.runSafe(this, "docker logout")
- OsTools.runSafe(this, "docker system prune -a -f")
- OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
- }
-}
-
-def readVersion() {
- def content = readFile 'Dockerfile.alpine'
- for (line in content.split('\n')) {
- if (line.startsWith('ARG NEXUS_VERSION=')) {
- return getShortVersion(line.substring(18))
- }
- }
- error 'Could not determine version.'
-}
-
-def getShortVersion(version) {
- return version.split('-')[0]
-}
-
-def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) {
- def dockerFile = readFile(file: dockerFileLocation)
-
- def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
- def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
-
- def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
- def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
-
- dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
- dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
- "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
- dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
-
- def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/
- def nexusUrl = params.nexus_repository_manager_url
- if (params.nexus_repository_manager_url) {
- dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}")
- }
- else {
- // default URL
- def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/
- dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}")
-
- def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}")
- nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version)
- }
- def sha = getSha(nexusUrl)
-
- dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}")
-
- writeFile(file: dockerFileLocation, text: dockerFile)
-}
-
-def getSha(url) {
- def sha = sh (
- script: "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1",
- returnStdout: true
- ).trim()
- return sha
-}
-
-def extractBaseImage (dockerFileLocation) {
- def dockerFile = readFile(file: dockerFileLocation)
- def baseImageRegex = "FROM\\s+([^\\s]+)"
- def usedImages = dockerFile =~ baseImageRegex
-
- return usedImages[0][1]
-}