[Test] Adding an additional tag to test docker images (#36341)

Updated `push_testing_images.sh` to add an additional tag, `infrastructure-public-image-HASH` to a new image to be excluded from the GCP Vulnerability scanner. To reviewer: - Only `tools/dockerfile/push_testing_images.sh` has an interesting change (adding a new tag) - Clang 6 and 17 don't have an actual change other than clean-up which is to test if the script is working. Closes #36341 PiperOrigin-RevId: 623944712
8 months ago · 542c160fe6
parent bfe6db2924
commit 542c160fe6
8 changed files with 16 additions and 9 deletions
--- a/templates/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile.template
+++ b/templates/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile.template
@ -16,7 +16,7 @@
  
  FROM silkeh/clang:17-bullseye
  
-  RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+  RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
  <%include file="../../git_avoid_dubious_ownership_error.include"/>
  <%include file="../../run_tests_python_deps.include"/>
  <%include file="../../cxx_test_deps.include"/>
--- a/templates/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile.template
+++ b/templates/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile.template
@ -16,7 +16,7 @@
  
  FROM silkeh/clang:6
  
-  RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+  RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
  <%include file="../../git_avoid_dubious_ownership_error.include"/>
  <%include file="../../run_tests_python_deps.include"/>
  <%include file="../../cxx_test_deps.include"/>
--- a/tools/bazelify_tests/dockerimage_current_versions.bzl
+++ b/tools/bazelify_tests/dockerimage_current_versions.bzl
@ -94,8 +94,8 @@ DOCKERIMAGE_CURRENT_VERSIONS = {
    "tools/dockerfile/test/csharp_debian11_arm64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/csharp_debian11_arm64@sha256:4d4bc5f15e03f3d3d8fd889670ecde2c66a2e4d2dd9db80733c05c1d90c8a248",
    "tools/dockerfile/test/csharp_debian11_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/csharp_debian11_x64@sha256:0763d919b17b4cfe5b65aff3bf911c04e9e4d46d11649858742033facd9f534f",
    "tools/dockerfile/test/cxx_alpine_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_alpine_x64@sha256:5beda19bcf186b6c9606f4265e38c99bb4308f25bc0987e0fc15164f3c205232",
-    "tools/dockerfile/test/cxx_clang_17_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64@sha256:99482b4690586d39bda6d527e24ca8d8def997b9635a3b0d339bfd85ab597bcf",
-    "tools/dockerfile/test/cxx_clang_6_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64@sha256:b6ae69555ef0aedbc94724f1e0685e176cf61b787ace90ffa794345593f57ee2",
+    "tools/dockerfile/test/cxx_clang_17_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64@sha256:05d81ad07055c3409a2c60c3c95c4d19300419caaece5df20169b2b903963f0d",
+    "tools/dockerfile/test/cxx_clang_6_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64@sha256:eebbaf353522d523ec9a7acb34bb3ae194e22ea7493c85c01437719e30da205d",
    "tools/dockerfile/test/cxx_debian11_openssl102_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl102_x64@sha256:477ae0da7ff7faa9cf195c0d32472fec4cf8b7325505c63e00b5c794c9a4b1a7",
    "tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl111_x64@sha256:d383e66d4a089f9305768e3037faa2a887ff91565b0f3ddd96985dca94e9754f",
    "tools/dockerfile/test/cxx_debian11_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_x64@sha256:9f9285da21c1053ac715027e0cee66c20c70ebf016053328a4cee61ffd37e59b",
--- a/tools/dockerfile/push_testing_images.sh
+++ b/tools/dockerfile/push_testing_images.sh
@ -178,7 +178,13 @@ do
  then
    echo "Running 'docker build' for ${DOCKER_IMAGE_NAME}"
    echo "=========="
-    docker build -t ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG} ${DOCKERFILE_DIR}
+    # Buliding a docker image with two tags;
+    # - one for image identification based on Dockerfile hash
+    # - one to exclude it from the GCP Vulnerability Scanner
+    docker build \
+      -t ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG} \
+      -t ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:infrastructure-public-image-${DOCKER_IMAGE_TAG} \
+      ${DOCKERFILE_DIR}
    echo "=========="
  else
    # TRANSFER_FROM_DOCKERHUB is a temporary feature that pulls the corresponding image from dockerhub instead
@ -200,6 +206,7 @@ do
  if [ "${SKIP_UPLOAD}" == "" ] && [ "${LOCAL_ONLY_MODE}" == "" ]
  then
    docker push ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}
+    docker push ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:infrastructure-public-image-${DOCKER_IMAGE_TAG}

    # After successful push, the image's RepoDigest info will become available in "docker image inspect",
    # so we update the .current_version file with the repo digest.
--- a/tools/dockerfile/test/cxx_clang_17_x64.current_version
+++ b/tools/dockerfile/test/cxx_clang_17_x64.current_version
@ -1 +1 @@
-us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64:50db090958b219aa79e86c6b842f76269ca89db7@sha256:99482b4690586d39bda6d527e24ca8d8def997b9635a3b0d339bfd85ab597bcf
+us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64:3cbc0c7981febd613345e38415736a0ba09f3281@sha256:05d81ad07055c3409a2c60c3c95c4d19300419caaece5df20169b2b903963f0d
--- a/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile
+++ b/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile
@ -14,7 +14,7 @@

 FROM silkeh/clang:17-bullseye

-RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
 #=================
 # Setup git to access working directory across docker boundary.
 # This avoids the "fatal: detected dubious ownership in repository XYZ"
--- a/tools/dockerfile/test/cxx_clang_6_x64.current_version
+++ b/tools/dockerfile/test/cxx_clang_6_x64.current_version
@ -1 +1 @@
-us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64:cb71773eca53fac3138025893228472f85304aa0@sha256:b6ae69555ef0aedbc94724f1e0685e176cf61b787ace90ffa794345593f57ee2
+us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64:f21d78164b0720b4291bf295b6142da24183286b@sha256:eebbaf353522d523ec9a7acb34bb3ae194e22ea7493c85c01437719e30da205d
--- a/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile
+++ b/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile
@ -14,7 +14,7 @@

 FROM silkeh/clang:6

-RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
 #=================
 # Setup git to access working directory across docker boundary.
 # This avoids the "fatal: detected dubious ownership in repository XYZ"