diff --git a/.ci/docker/Dockerfile.acaimage b/.ci/docker/Dockerfile.acaimage
new file mode 100644
index 00000000..c938b547
--- /dev/null
+++ b/.ci/docker/Dockerfile.acaimage
@@ -0,0 +1,25 @@
+FROM centos:7
+
+# Install packages for installing HIRS ACA
+RUN yum -y update && yum clean all
+# install build tools for TPM2 provisioner
+RUN yum install -y epel-release cmake make git gcc-c++ doxygen graphviz protobuf-compiler cppcheck python libssh2-devel openssl libcurl-devel log4cplus-devel protobuf-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel && yum clean all
+
+# install build tools for ACA
+RUN yum install -y sudo yum install java-1.8.0-openjdk-devel protobuf-compiler rpm-build epel-release cmake make git gcc-c++ doxygen graphviz cppcheck python libssh2-devel openssl libcurl-devel log4cplus-devel protobuf-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel trousers-devel && yum clean all
+# install run time dependencies
+RUN yum install -y mariadb-server openssl tomcat java-1.8.0-openjdk-headless rpmdevtools coreutils initscripts chkconfig sed grep wget which firewalld policycoreutils net-tools git rpm-build && yum clean all
+
+# Remove TLSv1, TLSv1.1, references to prevent java security from stopping tomcat launch
+RUN sed -i 's/TLSv1,//' /usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/lib/security/java.security
+RUN sed -i 's/TLSv1.1,//' /usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/lib/security/java.security
+
+RUN mkdir /hirs
+
+# Expose ACA Port
+EXPOSE 8443 8080
+
+COPY ../../package/rpm/RPMS/noarch/HIRS_AttestationCA*.el7.noarch.rpm /
+COPY ../../scripts/aca_image_setup.sh /
+CMD ["sh","/aca_image_setup.sh"]
+RUN yum install -y HIRS_AttestationCA*.el7.noarch.rpm
\ No newline at end of file
diff --git a/.github/workflows/build_aca_image.yml b/.github/workflows/build_aca_image.yml
index edbff388..7e799c14 100644
--- a/.github/workflows/build_aca_image.yml
+++ b/.github/workflows/build_aca_image.yml
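Review bot: The two `sed -i 's/TLSv1,//'` / `'s/TLSv1.1,//'` lines strip those entries from `java.security` (in 8u292+ that is the `jdk.tls.disabledAlgorithms` list), which re-enables deprecated TLS 1.0/1.1 JVM-wide for the ACA's Tomcat on 8443 instead of fixing whatever rejects the launch; the better fix is to restrict the HTTPS connector to TLS 1.2 (presumably `sslEnabledProtocols="TLSv1.2"` in the server.xml the RPM ships — not visible here) and drop both `sed` lines. The ACA build-tools line reads `RUN yum install -y sudo yum install java-1.8.0-openjdk-devel …`: the stray `yum install` tokens are treated as package names (yum's default `skip_missing_names_on_install` hides the miss) and `sudo` is unnecessary in an image (hadolint DL3004), so delete `sudo yum install` from that line. `COPY ../../package/...` and `COPY ../../scripts/...` point outside the build context — the classic builder rejects such paths and BuildKit silently clamps them to the context root — so write them relative to the context, e.g. `COPY package/rpm/RPMS/noarch/HIRS_AttestationCA*.el7.noarch.rpm /`. `centos:7` is end-of-life and `yum -y update` makes the image non-reproducible; the installed RPM is also left lying in `/` after the final `RUN`, and there is no `USER`, so the CMD script runs mysqld and Tomcat as root.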
@@ -1,3 +1,64 @@
 name: ACA Docker Image Build
-on:
- workflow_dispatch
+on:
+ release:
+ types: [ published ]
+ workflow_dispatch:
+ inputs:
+ imagename:
+ description: 'ACA Docker Image Name'
+ default: 'aca-centos7'
+ required: false
+ type: string
+jobs:
+# run the package script for HIRS ACA, Provisioners, tcg_rim_tool, and tcg_eventlog_tool
+ Package:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK 11
+ uses: actions/setup-java@v2
+ with:
+ java-version: '8'
+ distribution: 'adopt'
+ server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
+ settings-path: ${{ github.workspace }} # location for the settings.xml file
+ package_centos:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v2
+ - name: directory setup
+ run: |
+ mkdir -p artifacts/jars
+ mkdir -p artifacts/wars
+ mkdir -p artifacts/rpms
+ - name: Create HIRS packages
+ run: |
+ echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $ --password-stdin
+ docker run --rm \
+ -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash \
+ -c 'pushd /HIRS; \
+ sh package/package.centos.sh; \
+ cp /HIRS/package/rpm/RPMS/noarch/* /.; \
+ cp /HIRS/package/rpm/RPMS/x86_64/* /.; \
+ cp /HIRS/scripts/aca_image_setup.sh /.; \
+ popd;' \
+ - name: Build and publish a release Docker image for ${{ github.repository }}
+ if: github.event_name == 'release'
+ uses: macbre/push-to-ghcr@master
+ with:
+ image_name: nsacyber/hirs/aca-centos7
+ github_token: ${{ secrets.GHCR_TOKEN }}
+ dockerfile: "./.ci/docker/Dockerfile.acaimage"
+ - name: Build and publish a Docker image for ${{ github.repository }}
+ if: github.event_name == 'workflow_dispatch'
+ uses: macbre/push-to-ghcr@master
+ with:
+ image_name: nsacyber/hirs/${{ inputs.imagename }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ dockerfile: "./.ci/docker/Dockerfile.acaimage"
\ No newline at end
of file
diff --git a/scripts/aca_image_setup.sh b/scripts/aca_image_setup.sh
new file mode 100644
index 00000000..9f4d61fc
--- /dev/null
+++ b/scripts/aca_image_setup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Setup db
+
+if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
+ echo "shutting down ..."
+ usr/bin/mysqladmin -u root shutdown -p;
+ fi
+
+/usr/libexec/mariadb-prepare-db-dir
+nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
+MYSQLD_PID=$(pgrep -u mysql mysqld)
+/usr/libexec/mariadb-wait-ready $MYSQLD_PID
+
+mysql -fu root < /opt/hirs/scripts/common/db_create.sql.el7
+mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
+
+# Start tomcat
+/usr/libexec/tomcat/server start
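Review bot: Both publish steps use `uses: macbre/push-to-ghcr@master`, a third-party action pinned to a mutable branch that receives `secrets.GHCR_TOKEN` and a `GITHUB_TOKEN` with `packages: write`, so any push to that branch could capture a publishing credential; pin it to a full commit SHA (`uses: macbre/push-to-ghcr@<sha> # vX.Y`) and do the same for `actions/checkout@v2` and `actions/setup-java@v2`. In "Create HIRS packages", `docker login ghcr.io -u $ --password-stdin` passes a literal `$` as the username (presumably `${{ github.actor }}` was meant), and the only image that step pulls, `hirs/hirs-ci:centos7`, has no registry prefix and so comes from Docker Hub, which makes the ghcr login look unused there; pass the token via `env:` rather than interpolating `${{ secrets.GITHUB_TOKEN }}` into the shell line. The `cp … /.` commands copy the RPMs and setup script into the root of the `--rm` container, which is discarded on exit, so the Dockerfile's COPY must be relying on the bind-mounted workspace and those three lines appear to be dead. The `Package` job's step is titled "Set up JDK 11" but installs `java-version: '8'` and the job has no build step after it; rename it or remove the job.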
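Review bot: `mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql` passes `-f`, which makes the client continue past SQL errors, and the script has no `set -e`, so a failed hardening step still goes on to start Tomcat against an unhardened database; drop the flag on that line (`mysql -u root < /opt/hirs/scripts/common/secure_mysql.sql`) and add `set -e` after the shebang. `usr/bin/mysqladmin -u root shutdown -p` is a relative path (missing leading `/`) and a bare `-p` prompts interactively, which in a non-TTY container just reads EOF; `/usr/bin/mysqladmin -u root shutdown` is presumably intended — confirm whether root has a password at that point. `MYSQLD_PID=$(pgrep -u mysql mysqld)` races the backgrounded `mysqld_safe`: if the daemon has not forked yet the variable is empty and `mariadb-wait-ready` gets no PID to watch, whereas `MYSQLD_PID=$!` captures the wrapper the way the distro unit file passes `$MAINPID`. `nohup … &>/dev/null` also discards mysqld_safe's startup output, which hides exactly the failures above; consider redirecting to a log file instead.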