HIRS/.ci/docker/Dockerfile.aca-rocky

FROM rockylinux:9
LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority. Expose port 8443 to access the portal from outside the container.

SHELL ["/bin/bash", "-c"]

# Rocky 9 has a different channel for some apps
RUN dnf install -y 'dnf-command(config-manager)' && dnf config-manager --set-enabled crb

# Update and install OS-dependencies
RUN dnf update -y
# Dependencies were selected for these reasons:
#   OS setup/Unknown direct impact for HIRS
ENV HIRS_DNF_OS_SETUP="initscripts firewalld policycoreutils policycoreutils-python-utils net-tools" 
#   OS tools
ENV HIRS_DNF_OS_TOOLS="git sudo vim wget"
#   ACA compile
ENV HIRS_DNF_ACA_COMPILE="java-17-openjdk-devel"
#   ACA run
ENV HIRS_DNF_ACA_RUN="mariadb-server"
#   IBM TPM simulator compile
ENV HIRS_DNF_TPM_COMPILE="tpm2-tools gcc cmake openssl-devel"
# Download and install all dependencies at one time
RUN dnf -y install $(echo "$HIRS_DNF_OS_SETUP") $(echo "$HIRS_DNF_OS_TOOLS") $(echo "$HIRS_DNF_ACA_COMPILE") $(echo "$HIRS_DNF_ACA_RUN") $(echo "$HIRS_DNF_TPM_COMPILE")

# Set up TPM Simulator
RUN git clone https://github.com/kgoldman/ibmswtpm2 /ibmswtpm2
WORKDIR /ibmswtpm2/src
RUN make
# The following script allows the TPM to be set up in the docker image.
# This will install an empty TPM. 
RUN echo "#!/bin/bash" > /tmp/tpm_config && \
    echo "/ibmswtpm2/src/tpm_server &" >> /tmp/tpm_config && \
    echo "sleep 5" >> /tmp/tpm_config && \
    echo "tpm2_startup -c" >> /tmp/tpm_config && \
    bash /tmp/tpm_config && \
    rm -rf /tmp/tpm_config

#EXPOSE 8080 # Only needed if TLS is not working.
EXPOSE 8443

# Checkout HIRS
RUN git clone -b main https://github.com/nsacyber/HIRS.git /repo

# Defensive copy of the repo so it's easy to start fresh if needed
RUN mkdir /hirs
WORKDIR /repo
RUN cp -r . /hirs

# Run bootwar to cache build artifacts
WORKDIR /hirs
RUN ./gradlew bootWar

# Add ACA TLS certification path to container OS
# Allows the curl command in the HEALTHCHECK to work with TLS
# These commands are placed into a script that can be run after aca_setup.sh on container launch.
RUN echo "#!/bin/bash" > /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/"  >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
    echo "update-ca-trust" >> /tmp/hirs_add_aca_tls_path_to_os.sh
RUN chmod +x /tmp/hirs_add_aca_tls_path_to_os.sh
  
# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD curl -f https://localhost:8443/HIRS_AttestationCAPortal/portal/index

# Reset working directory
WORKDIR /hirs

# On container launch, the database will be set up. Then bootRun should utilize build artifacts stored in the image.
CMD ["bash", "-c", "/hirs/package/scripts/aca/aca_setup.sh --unattended && /tmp/hirs_add_aca_tls_path_to_os.sh && /hirs/package/scripts/aca/aca_bootRun.sh"]
Dockerfiles for v3 ACA. Also Powershell Package Scripts (#628) * Package scripts for powershell * Adding dockerfiles 2023-11-09 16:54:51 +00:00			`FROM rockylinux:9`
			`LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research`
			`LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs`
			`LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority. Expose port 8443 to access the portal from outside the container.`

			`SHELL ["/bin/bash", "-c"]`

			`# Rocky 9 has a different channel for some apps`
			`RUN dnf install -y 'dnf-command(config-manager)' && dnf config-manager --set-enabled crb`

			`# Update and install OS-dependencies`
			`RUN dnf update -y`
			`# Dependencies were selected for these reasons:`
			`# OS setup/Unknown direct impact for HIRS`
			`ENV HIRS_DNF_OS_SETUP="initscripts firewalld policycoreutils policycoreutils-python-utils net-tools"`
			`# OS tools`
			`ENV HIRS_DNF_OS_TOOLS="git sudo vim wget"`
			`# ACA compile`
			`ENV HIRS_DNF_ACA_COMPILE="java-17-openjdk-devel"`
			`# ACA run`
			`ENV HIRS_DNF_ACA_RUN="mariadb-server"`
			`# IBM TPM simulator compile`
			`ENV HIRS_DNF_TPM_COMPILE="tpm2-tools gcc cmake openssl-devel"`
			`# Download and install all dependencies at one time`
			`RUN dnf -y install $(echo "$HIRS_DNF_OS_SETUP") $(echo "$HIRS_DNF_OS_TOOLS") $(echo "$HIRS_DNF_ACA_COMPILE") $(echo "$HIRS_DNF_ACA_RUN") $(echo "$HIRS_DNF_TPM_COMPILE")`

			`# Set up TPM Simulator`
			`RUN git clone https://github.com/kgoldman/ibmswtpm2 /ibmswtpm2`
			`WORKDIR /ibmswtpm2/src`
			`RUN make`
			`# The following script allows the TPM to be set up in the docker image.`
			`# This will install an empty TPM.`
			`RUN echo "#!/bin/bash" > /tmp/tpm_config && \`
			`echo "/ibmswtpm2/src/tpm_server &" >> /tmp/tpm_config && \`
			`echo "sleep 5" >> /tmp/tpm_config && \`
			`echo "tpm2_startup -c" >> /tmp/tpm_config && \`
			`bash /tmp/tpm_config && \`
			`rm -rf /tmp/tpm_config`

			`#EXPOSE 8080 # Only needed if TLS is not working.`
			`EXPOSE 8443`

			`# Checkout HIRS`
			`RUN git clone -b main https://github.com/nsacyber/HIRS.git /repo`

			`# Defensive copy of the repo so it's easy to start fresh if needed`
			`RUN mkdir /hirs`
			`WORKDIR /repo`
			`RUN cp -r . /hirs`

			`# Run bootwar to cache build artifacts`
			`WORKDIR /hirs`
			`RUN ./gradlew bootWar`

			`# Add ACA TLS certification path to container OS`
			`# Allows the curl command in the HEALTHCHECK to work with TLS`
			`# These commands are placed into a script that can be run after aca_setup.sh on container launch.`
			`RUN echo "#!/bin/bash" > /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \`
			`echo "update-ca-trust" >> /tmp/hirs_add_aca_tls_path_to_os.sh`
			`RUN chmod +x /tmp/hirs_add_aca_tls_path_to_os.sh`

			`# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.`
			`HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD curl -f https://localhost:8443/HIRS_AttestationCAPortal/portal/index`

			`# Reset working directory`
			`WORKDIR /hirs`

			`# On container launch, the database will be set up. Then bootRun should utilize build artifacts stored in the image.`
			`CMD ["bash", "-c", "/hirs/package/scripts/aca/aca_setup.sh --unattended && /tmp/hirs_add_aca_tls_path_to_os.sh && /hirs/package/scripts/aca/aca_bootRun.sh"]`