demo: pin base image with sha

tkatila · tkatila · commit 2bfd368b13cc · 2024-05-21T14:32:17.000+03:00
And setup a workflow to update them montly

Signed-off-by: Tuomas Katila &lt;tuomas.katila@intel.com&gt;
diff --git a/.github/workflows/demo-img-update.yaml b/.github/workflows/demo-img-update.yaml
@@ -0,0 +1,47 @@
+name: Update demo bases
+on:
+  schedule:
+    - cron: '0 0 1 * *' # once a month
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  demo_base_update:
+    name: Create a PR for demo image updates
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - name: Install frizbee
+        run: |
+          export FRIZBEE_HASH=cda91f86d0c96d0bc3c464c57a601ca414e0b2415372eb19b9a4c82fa3d4f802
+          export FRIZBEE_VERSION=0.0.15
+
+          mkdir /tmp/frizbee
+          wget -q https://github.com/stacklok/frizbee/releases/download/v${FRIZBEE_VERSION}/frizbee_${FRIZBEE_VERSION}_linux_amd64.tar.gz -O /tmp/frizbee/frizbee.tar.gz
+          cd /tmp/frizbee
+          echo "$FRIZBEE_HASH frizbee.tar.gz" | sha256sum -c -
+          tar xzf frizbee.tar.gz
+          chmod +x /tmp/frizbee/frizbee
+      - name: Run update script
+        run: |
+          export PATH=$PATH:/tmp/frizbee
+          cd demo
+          bash update-shas.sh
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6
+        with:
+          commit-message: "demo: update base images ${{ steps.date.outputs.date }}"
+          title: "Update demo base images (${{ steps.date.outputs.date }})"
+          token: ${{ secrets.GH_PR_TOKEN }}
+          branch: demo-base-update-${{ steps.date.outputs.date }}
+          body: >
+            PR is auto-generated by GH action.
+
+
+
diff --git a/demo/accel-config-demo/Dockerfile b/demo/accel-config-demo/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM debian:unstable-slim AS builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder
 
 RUN apt-get update && apt-get install -y --no-install-recommends libaccel-config-dev \
     gcc g++ nasm make cmake autoconf automake libtool pkg-config git ca-certificates uuid-dev
@@ -29,7 +29,7 @@ RUN cd / && git clone --recurse-submodules --depth 1 --branch v1.5.0 https://git
     cmake -DLOG_HW_INIT=ON .. && \
     make install
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends pciutils accel-config accel-config-test kmod && rm -rf /var/lib/apt/lists/\*
 
diff --git a/demo/crypto-perf/Dockerfile b/demo/crypto-perf/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:unstable-slim as builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb as builder
 
 ARG DIR=/dpdk-build
 WORKDIR $DIR
@@ -37,7 +37,7 @@ RUN mkdir -p /install_root/licenses/dpdk && \
     cd /install_root/licenses/dpdk && \
     apt-get source --download-only -y libatomic1 libnuma1
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libipsec-mb1 libnuma1 libatomic1 && ldconfig -v
 COPY --from=builder /install_root /
 COPY run-dpdk-test /usr/bin/
diff --git a/demo/dlb-dpdk-demo/Dockerfile b/demo/dlb-dpdk-demo/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04 as builder
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b as builder
 
 ARG DIR=/dpdk-build
 WORKDIR $DIR
@@ -24,7 +24,7 @@ RUN wget -q https://fast.dpdk.org/rel/$DPDK_TARBALL \
 RUN cd dpdk-* && patch -Np1 < $(echo ../dlb/dpdk/dpdk_dlb_*.patch) && sed -i 's/270b,2710,2714/270b,2710,2711,2714/g' ./usertools/dpdk-devbind.py && meson setup --prefix $(pwd)/installdir builddir
 RUN cd dpdk-* && ninja -C builddir install && install -D builddir/app/dpdk-test-eventdev /install_root/usr/bin/dpdk-test-eventdev
 
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b
 RUN apt-get update && apt-get install -y --no-install-recommends libnuma1 libatomic1
 COPY --from=builder /install_root /
 COPY test.sh /usr/bin/
diff --git a/demo/dlb-libdlb-demo/Dockerfile b/demo/dlb-libdlb-demo/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04 AS builder
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b AS builder
 
 WORKDIR /dlb-build
 
@@ -16,7 +16,7 @@ RUN wget https://downloadmirror.intel.com/791459/$DLB_TARBALL \
 # Build libdlb
 RUN cd dlb/libdlb && make
 
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b
 COPY --from=builder /dlb-build/dlb/libdlb/libdlb.so /usr/local/lib
 RUN ldconfig
 
diff --git a/demo/intel-opencl-icd/Dockerfile b/demo/intel-opencl-icd/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 
 ARG APT="env DEBIAN_FRONTEND=noninteractive apt"
 
diff --git a/demo/opae-nlb-demo/Dockerfile b/demo/opae-nlb-demo/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:unstable-slim AS builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y curl python3-dev git gcc g++ make cmake uuid-dev libjson-c-dev libedit-dev libudev-dev
@@ -24,7 +24,7 @@ RUN cd /usr/src/opae/opae-sdk-${OPAE_RELEASE} && \
     make -j xfpga nlb0 nlb3
 
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 
 RUN apt-get update && apt-get upgrade -y && apt-get install --no-install-recommends -y libjson-c5
 
diff --git a/demo/openssl-qat-engine/Dockerfile b/demo/openssl-qat-engine/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04
+FROM ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15
 
 RUN apt update && \
     apt install --no-install-recommends -y qatengine qatlib-examples qatzip openssl
diff --git a/demo/sgx-aesmd-demo/Dockerfile b/demo/sgx-aesmd-demo/Dockerfile
@@ -1,6 +1,6 @@
 # This Dockerfile is currently provided as a reference to build aesmd with ECDSA attestation
 # but is not published along with the device plugin container images.
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 
 RUN apt update && apt install -y curl gnupg-agent \
     && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" | \
diff --git a/demo/sgx-sdk-demo/Dockerfile b/demo/sgx-sdk-demo/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04 AS builder
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 AS builder
 
 WORKDIR /root
 
@@ -66,7 +66,7 @@ RUN cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample \
     && sgx_sign sign -key ../QuoteGenerationSample/Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml \
     && cd -
 
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 
 RUN apt-get update && \
     apt-get install -y \
diff --git a/demo/update-shas.sh b/demo/update-shas.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+type frizbee > /dev/null 2>&1 || {
+    echo "no 'frizbee' installed, please install it from https://github.com/stacklok/frizbee"
+    exit 1
+}
+
+echo "frizbee available, continue"
+
+files=$(grep -sr "^FROM" * | cut -d":" -f1 | sort | uniq)
+
+for file in $files; do
+    echo "checking $file"
+
+    base=$(grep "^FROM" $file | head -1 | cut -d' ' -f2)
+    baseimg=$(echo $base | cut -d'@' -f1)
+    prevhash=$(echo $base | cut -d'@' -f2 | cut -d' ' -f1)
+
+    hash=$(frizbee containerimage one $baseimg | cut -d'@' -f2)
+    [ $? -ne 0 ] && exit 1
+
+    [ "x$verbose" != "x" ] && echo $prevhash ?= $hash
+
+    if [ $prevhash != $hash ]; then
+        echo "> updating hash in $file: $hash"
+
+        sed -i s/$prevhash/$hash/ $file
+    fi
+done

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM ubuntu:22.04`
	`1`	`+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2`
`2`	`2`
`3`	`3`	`ARG APT="env DEBIAN_FRONTEND=noninteractive apt"`
`4`	`4`