From 542c160fe60b022c6a58b912a5cecf4de1e625cc Mon Sep 17 00:00:00 2001
From: Esun Kim
Date: Thu, 11 Apr 2024 14:42:09 -0700
Subject: [PATCH] [Test] Adding an additional tag to test docker images (#36341)

Updated `push_testing_images.sh` to add an additional tag, `infrastructure-public-image-HASH` to a new image to be excluded from the GCP Vulnerability scanner.
To reviewer:
- Only `tools/dockerfile/push_testing_images.sh` has an interesting change (adding a new tag)
- Clang 6 and 17 don't have an actual change other than clean-up which is to test if the script is working.
Closes #36341
PiperOrigin-RevId: 623944712
---
 .../dockerfile/test/cxx_clang_17_x64/Dockerfile.template | 2 +-
 .../dockerfile/test/cxx_clang_6_x64/Dockerfile.template | 2 +-
 tools/bazelify_tests/dockerimage_current_versions.bzl | 4 ++--
 tools/dockerfile/push_testing_images.sh | 9 ++++++++-
 tools/dockerfile/test/cxx_clang_17_x64.current_version | 2 +-
 tools/dockerfile/test/cxx_clang_17_x64/Dockerfile | 2 +-
 tools/dockerfile/test/cxx_clang_6_x64.current_version | 2 +-
 tools/dockerfile/test/cxx_clang_6_x64/Dockerfile | 2 +-
 8 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/templates/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile.template b/templates/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile.template
index e51290c5de4..1df0c4a856b 100644
--- a/templates/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile.template
+++ b/templates/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile.template
@@ -16,7 +16,7 @@
 FROM silkeh/clang:17-bullseye
- RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+ RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
 <%include file="../../git_avoid_dubious_ownership_error.include"/>
 <%include file="../../run_tests_python_deps.include"/>
 <%include file="../../cxx_test_deps.include"/>
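Review bot: The new RUN line switches from `apt-get` to `apt` and adds an unpinned `apt -y upgrade`, and both work against a reproducible test image. `apt` warns that its command-line interface is not stable for use in scripts, and the upgrade widens how much of the image depends on the day it was built, while the image tag is derived from the Dockerfile hash (per the comment added in push_testing_images.sh). If the upgrade is meant as the patching step for images that are now kept out of vulnerability scanning, I would say so in a comment above the line and keep the scripted front end: `RUN apt-get update && apt-get -y upgrade && apt-get install -y build-essential curl git time wget zip && apt-get clean`. The same line is changed in the cxx_clang_6_x64 template and in both generated Dockerfiles.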
diff --git a/templates/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile.template b/templates/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile.template
index bf463ca71a8..6199f20406b 100644
--- a/templates/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile.template
+++ b/templates/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile.template
@@ -16,7 +16,7 @@
 FROM silkeh/clang:6
- RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+ RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
 <%include file="../../git_avoid_dubious_ownership_error.include"/>
 <%include file="../../run_tests_python_deps.include"/>
 <%include file="../../cxx_test_deps.include"/>
diff --git a/tools/bazelify_tests/dockerimage_current_versions.bzl b/tools/bazelify_tests/dockerimage_current_versions.bzl
index bbe9fe90141..423bc0f0237 100644
--- a/tools/bazelify_tests/dockerimage_current_versions.bzl
+++ b/tools/bazelify_tests/dockerimage_current_versions.bzl
@@ -94,8 +94,8 @@ DOCKERIMAGE_CURRENT_VERSIONS = {
 "tools/dockerfile/test/csharp_debian11_arm64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/csharp_debian11_arm64@sha256:4d4bc5f15e03f3d3d8fd889670ecde2c66a2e4d2dd9db80733c05c1d90c8a248",
 "tools/dockerfile/test/csharp_debian11_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/csharp_debian11_x64@sha256:0763d919b17b4cfe5b65aff3bf911c04e9e4d46d11649858742033facd9f534f",
 "tools/dockerfile/test/cxx_alpine_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_alpine_x64@sha256:5beda19bcf186b6c9606f4265e38c99bb4308f25bc0987e0fc15164f3c205232",
- "tools/dockerfile/test/cxx_clang_17_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64@sha256:99482b4690586d39bda6d527e24ca8d8def997b9635a3b0d339bfd85ab597bcf",
- "tools/dockerfile/test/cxx_clang_6_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64@sha256:b6ae69555ef0aedbc94724f1e0685e176cf61b787ace90ffa794345593f57ee2",
+ "tools/dockerfile/test/cxx_clang_17_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64@sha256:05d81ad07055c3409a2c60c3c95c4d19300419caaece5df20169b2b903963f0d",
+ "tools/dockerfile/test/cxx_clang_6_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64@sha256:eebbaf353522d523ec9a7acb34bb3ae194e22ea7493c85c01437719e30da205d",
 "tools/dockerfile/test/cxx_debian11_openssl102_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl102_x64@sha256:477ae0da7ff7faa9cf195c0d32472fec4cf8b7325505c63e00b5c794c9a4b1a7",
 "tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl111_x64@sha256:d383e66d4a089f9305768e3037faa2a887ff91565b0f3ddd96985dca94e9754f",
 "tools/dockerfile/test/cxx_debian11_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_x64@sha256:9f9285da21c1053ac715027e0cee66c20c70ebf016053328a4cee61ffd37e59b",
diff --git a/tools/dockerfile/push_testing_images.sh b/tools/dockerfile/push_testing_images.sh
index 07362bc5bc6..8001fa6f37d 100755
--- a/tools/dockerfile/push_testing_images.sh
+++ b/tools/dockerfile/push_testing_images.sh
@@ -178,7 +178,13 @@ do
 then
 echo "Running 'docker build' for ${DOCKER_IMAGE_NAME}"
 echo "=========="
- docker build -t ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG} ${DOCKERFILE_DIR}
+ # Buliding a docker image with two tags;
+ # - one for image identification based on Dockerfile hash
+ # - one to exclude it from the GCP Vulnerability Scanner
+ docker build \
+ -t ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG} \
+ -t ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:infrastructure-public-image-${DOCKER_IMAGE_TAG} \
+ ${DOCKERFILE_DIR}
 echo "=========="
 else
 # TRANSFER_FROM_DOCKERHUB is a temporary feature that pulls the corresponding image from dockerhub instead
@@ -200,6 +206,7 @@ do
 if [ "${SKIP_UPLOAD}" == "" ] && [ "${LOCAL_ONLY_MODE}" == "" ]
 then
 docker push ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}
+ docker push ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:infrastructure-public-image-${DOCKER_IMAGE_TAG}
 # After successful push, the image's RepoDigest info will become available in "docker image inspect",
 # so we update the .current_version file with the repo digest.
diff --git a/tools/dockerfile/test/cxx_clang_17_x64.current_version b/tools/dockerfile/test/cxx_clang_17_x64.current_version
index 1de28e4a5b1..2c42984ff0a 100644
--- a/tools/dockerfile/test/cxx_clang_17_x64.current_version
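Review bot: The comment added above `docker build` says the second tag excludes the image from the GCP Vulnerability Scanner, but it does not record why that is acceptable or what keeps these images patched instead; `Buliding` is also misspelled. The digests in this commit sit under a path named testing-images-public, so a reader will want the justification next to the exclusion, for example `# infrastructure-public-image-* tags are skipped by the vulnerability scanner: test-only images, see <tracking issue> for how they are kept patched`. Both `-t` values name the same image, so it is worth confirming that the exclusion is evaluated per image and that the scanner does not still pick it up through the hash tag. The enclosing loop body starts and ends outside the hunk.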
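Review bot: The added `docker push` of the `infrastructure-public-image-` tag runs for every image that reaches the upload step, but the only place these hunks create that tag is the `docker build` branch. The `else` branch (the TRANSFER_FROM_DOCKERHUB path) lies outside the hunk; if it only produces the `${DOCKER_IMAGE_TAG}` tag, this push fails on a tag that does not exist locally, after the first push has already gone through. Adding `docker tag ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG} ${ARTIFACT_REGISTRY_PREFIX}/${DOCKER_IMAGE_NAME}:infrastructure-public-image-${DOCKER_IMAGE_TAG}` just before the two pushes would cover both paths.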
+++ b/tools/dockerfile/test/cxx_clang_17_x64.current_version
@@ -1 +1 @@
-us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64:50db090958b219aa79e86c6b842f76269ca89db7@sha256:99482b4690586d39bda6d527e24ca8d8def997b9635a3b0d339bfd85ab597bcf
\ No newline at end of file
+us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_17_x64:3cbc0c7981febd613345e38415736a0ba09f3281@sha256:05d81ad07055c3409a2c60c3c95c4d19300419caaece5df20169b2b903963f0d
\ No newline at end of file
diff --git a/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile b/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile
index 3f6b2bdb2d1..687b0f064a7 100644
--- a/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile
+++ b/tools/dockerfile/test/cxx_clang_17_x64/Dockerfile
@@ -14,7 +14,7 @@
 FROM silkeh/clang:17-bullseye
-RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
 #=================
 # Setup git to access working directory across docker boundary.
 # This avoids the "fatal: detected dubious ownership in repository XYZ"
diff --git a/tools/dockerfile/test/cxx_clang_6_x64.current_version b/tools/dockerfile/test/cxx_clang_6_x64.current_version
index a982efc8b3d..0be6c7b665e 100644
--- a/tools/dockerfile/test/cxx_clang_6_x64.current_version
+++ b/tools/dockerfile/test/cxx_clang_6_x64.current_version
@@ -1 +1 @@
-us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64:cb71773eca53fac3138025893228472f85304aa0@sha256:b6ae69555ef0aedbc94724f1e0685e176cf61b787ace90ffa794345593f57ee2
\ No newline at end of file
+us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64:f21d78164b0720b4291bf295b6142da24183286b@sha256:eebbaf353522d523ec9a7acb34bb3ae194e22ea7493c85c01437719e30da205d
\ No newline at end of file
diff --git a/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile b/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile
index 3833ae56c71..da4a04ba180 100644
--- a/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile
+++ b/tools/dockerfile/test/cxx_clang_6_x64/Dockerfile
@@ -14,7 +14,7 @@
 FROM silkeh/clang:6
-RUN apt-get update && apt-get install -y build-essential curl git time wget zip && apt-get clean
+RUN apt update && apt -y upgrade && apt install -y build-essential curl git time wget zip && apt clean
 #=================
 # Setup git to access working directory across docker boundary.
 # This avoids the "fatal: detected dubious ownership in repository XYZ"