HIRS/.ci/docker/Dockerfile.aca-windows

FROM mcr.microsoft.com/powershell:latest
LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority in a Windows-native image. Expose port 8443 to access the portal from outside the container.

SHELL ["pwsh", "-Command"]

# Output Powershell Version
# This Dockerfile requires Powershell 7+.
RUN $PSVersionTable

# Set up logging area
RUN mkdir -p C:/ProgramData/hirs/aca
RUN mkdir -p C:/ProgramData/hirs/log

# Download and install Java 17
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.oracle.com/java/17/archive/jdk-17.0.8_windows-x64_bin.exe', 'C:/jdk-17.0.8_windows-x64_bin.exe'))
RUN Write-Host "Installing JDK..."
RUN ./jdk-17.0.8_windows-x64_bin.exe /s
RUN Write-Host "Finished installing JDK."

RUN ls 'C:\Program Files\Java'
RUN ls 'C:\Program Files\Java\jdk-17\'

# Download and install Mariadb as a service
RUN ((New-Object System.Net.WebClient).DownloadFile('https://ftp.osuosl.org/pub/mariadb/mariadb-11.1.2/winx64-packages/mariadb-11.1.2-winx64.msi', 'C:/mariadb-11.1.2-winx64.msi'))
RUN Write-Host "Installing MariaDB..."
# mariadb silent install options https://mariadb.com/kb/en/installing-mariadb-msi-packages-on-windows/
RUN Start-Process -Wait -FilePath msiexec.exe -ArgumentList @('/i', 'C:\mariadb-11.1.2-winx64.msi', 'ADDLOCAL=ALL', 'REMOVE=HeidiSQL', 'SERVICENAME=MariaDB', '/qn', '/L*V', 'C:/ProgramData/hirs/log/mariadb_install.log')
RUN Write-Host "Finished installing mariadb."

RUN ls 'C:\Program Files'
RUN ls 'C:\Program Files\MariaDB 11.1'

# Download and install Git
RUN ((New-Object System.Net.WebClient).DownloadFile('https://github.com/git-for-windows/git/releases/download/v2.42.0.windows.2/Git-2.42.0.2-64-bit.exe', 'C:/Git-2.42.0.2-64-bit.exe'))
RUN Write-Host "Installing Git..."
RUN Start-Process -FilePath 'C:/Git-2.42.0.2-64-bit.exe' -ArgumentList \"/VERYSILENT /NORESTART /NOCANCEL /SP- /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /o:PathOption=CmdTools /o:BashTerminalOption=ConHost /o:EnableSymlinks=Enabled /COMPONENTS=gitlfs\" -Wait -PassThru
# Disable GCM machine-wide
RUN [Environment]::SetEnvironmentVariable('GCM_INTERACTIVE', 'Never', [System.EnvironmentVariableTarget]::Machine)
RUN Write-Host "Finished installing Git."

# Expose ACA Port
EXPOSE 8443 8080

# Set Environment Variables
RUN setx JAVA_HOME 'C:\Program Files\Java\jdk-17'
RUN setx GIT_HOME 'C:\Program Files\Git'
RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;%PATH%'

# Echo System Variables
RUN echo $Env:PATH
RUN echo $Env:GIT_HOME
RUN echo $Env:JAVA_HOME

# Clone HIRS main
WORKDIR C:/
RUN git config --global --add core.autocrlf false
RUN git config --global --add safe.directory '*'
RUN git clone -b v3_windows-package-scripts https://github.com/nsacyber/hirs.git C:/repo

# Defensive copy of the repo so it's easy to start fresh if needed
WORKDIR C:/repo
RUN cp -Recurse -Force C:/repo C:/hirs

# Ensure Windows configuration files are in place before build.
WORKDIR C:/hirs
RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_win_config.ps1

# Run bootWar to cache build objects and dependencies
WORKDIR C:/hirs
RUN setx GRADLE_OPTS '-Dorg.gradle.daemon=false'
RUN ./gradlew.bat clean bootWar 2>&1 | tee -a C:/ProgramData/hirs/log/hirs_build.log
RUN cp ./HIRS_AttestationCAPortal/src/main/resources/application.win.properties C:/ProgramData/hirs/aca/

# Run ACA Setup- PKI and DB
WORKDIR C:/hirs
RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_setup.ps1 -unattended

# Add ACA TLS certification path to container OS
# Allows the curl command in the HEALTHCHECK to work with TLS
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"

# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD curl -Uri https://localhost:8443/HIRS_AttestationCAPortal/portal/index

CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]
Dockerfiles for v3 ACA. Also Powershell Package Scripts (#628) * Package scripts for powershell * Adding dockerfiles 2023-11-09 16:54:51 +00:00			`FROM mcr.microsoft.com/powershell:latest`
			`LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research`
			`LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs`
			`LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority in a Windows-native image. Expose port 8443 to access the portal from outside the container.`

			`SHELL ["pwsh", "-Command"]`

			`# Output Powershell Version`
			`# This Dockerfile requires Powershell 7+.`
			`RUN $PSVersionTable`

			`# Set up logging area`
			`RUN mkdir -p C:/ProgramData/hirs/aca`
			`RUN mkdir -p C:/ProgramData/hirs/log`

			`# Download and install Java 17`
			`RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.oracle.com/java/17/archive/jdk-17.0.8_windows-x64_bin.exe', 'C:/jdk-17.0.8_windows-x64_bin.exe'))`
			`RUN Write-Host "Installing JDK..."`
			`RUN ./jdk-17.0.8_windows-x64_bin.exe /s`
			`RUN Write-Host "Finished installing JDK."`

			`RUN ls 'C:\Program Files\Java'`
			`RUN ls 'C:\Program Files\Java\jdk-17\'`

			`# Download and install Mariadb as a service`
			`RUN ((New-Object System.Net.WebClient).DownloadFile('https://ftp.osuosl.org/pub/mariadb/mariadb-11.1.2/winx64-packages/mariadb-11.1.2-winx64.msi', 'C:/mariadb-11.1.2-winx64.msi'))`
			`RUN Write-Host "Installing MariaDB..."`
			`# mariadb silent install options https://mariadb.com/kb/en/installing-mariadb-msi-packages-on-windows/`
			`RUN Start-Process -Wait -FilePath msiexec.exe -ArgumentList @('/i', 'C:\mariadb-11.1.2-winx64.msi', 'ADDLOCAL=ALL', 'REMOVE=HeidiSQL', 'SERVICENAME=MariaDB', '/qn', '/L*V', 'C:/ProgramData/hirs/log/mariadb_install.log')`
			`RUN Write-Host "Finished installing mariadb."`

			`RUN ls 'C:\Program Files'`
			`RUN ls 'C:\Program Files\MariaDB 11.1'`

			`# Download and install Git`
			`RUN ((New-Object System.Net.WebClient).DownloadFile('https://github.com/git-for-windows/git/releases/download/v2.42.0.windows.2/Git-2.42.0.2-64-bit.exe', 'C:/Git-2.42.0.2-64-bit.exe'))`
			`RUN Write-Host "Installing Git..."`
			`RUN Start-Process -FilePath 'C:/Git-2.42.0.2-64-bit.exe' -ArgumentList \"/VERYSILENT /NORESTART /NOCANCEL /SP- /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /o:PathOption=CmdTools /o:BashTerminalOption=ConHost /o:EnableSymlinks=Enabled /COMPONENTS=gitlfs\" -Wait -PassThru`
			`# Disable GCM machine-wide`
			`RUN [Environment]::SetEnvironmentVariable('GCM_INTERACTIVE', 'Never', [System.EnvironmentVariableTarget]::Machine)`
			`RUN Write-Host "Finished installing Git."`

			`# Expose ACA Port`
			`EXPOSE 8443 8080`

			`# Set Environment Variables`
			`RUN setx JAVA_HOME 'C:\Program Files\Java\jdk-17'`
			`RUN setx GIT_HOME 'C:\Program Files\Git'`
			`RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;%PATH%'`

			`# Echo System Variables`
			`RUN echo $Env:PATH`
			`RUN echo $Env:GIT_HOME`
			`RUN echo $Env:JAVA_HOME`

			`# Clone HIRS main`
			`WORKDIR C:/`
			`RUN git config --global --add core.autocrlf false`
			`RUN git config --global --add safe.directory '*'`
			`RUN git clone -b v3_windows-package-scripts https://github.com/nsacyber/hirs.git C:/repo`

			`# Defensive copy of the repo so it's easy to start fresh if needed`
			`WORKDIR C:/repo`
			`RUN cp -Recurse -Force C:/repo C:/hirs`

			`# Ensure Windows configuration files are in place before build.`
			`WORKDIR C:/hirs`
			`RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_win_config.ps1`

			`# Run bootWar to cache build objects and dependencies`
			`WORKDIR C:/hirs`
			`RUN setx GRADLE_OPTS '-Dorg.gradle.daemon=false'`
			`RUN ./gradlew.bat clean bootWar 2>&1 \| tee -a C:/ProgramData/hirs/log/hirs_build.log`
			`RUN cp ./HIRS_AttestationCAPortal/src/main/resources/application.win.properties C:/ProgramData/hirs/aca/`

			`# Run ACA Setup- PKI and DB`
			`WORKDIR C:/hirs`
			`RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_setup.ps1 -unattended`

Look for Component Class json on Windows. Update aca-windows 2023-11-14 12:05:44 +00:00			`# Add ACA TLS certification path to container OS`
			`# Allows the curl command in the HEALTHCHECK to work with TLS`
			`RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem" \| Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"`
			`RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem" \| Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"`
			`RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem" \| Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"`
			`RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem" \| Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"`
			`RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem" \| Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"`
			`RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem" \| Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"`

			`# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.`
			`HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD curl -Uri https://localhost:8443/HIRS_AttestationCAPortal/portal/index`

Dockerfiles for v3 ACA. Also Powershell Package Scripts (#628) * Package scripts for powershell * Adding dockerfiles 2023-11-09 16:54:51 +00:00			`CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]`