Merge pull request #473 from nsacyber/issue-470

[#470] Update CI base images

.ci/docker/Dockerfile.aca

@@ -1,8 +1,18 @@
-FROM hirs/hirs-ci:centos7
+FROM centos:7
 
 # Install packages for installing HIRS ACA
 RUN yum -y update && yum clean all
-RUN yum install -y mariadb-server openssl tomcat java-1.8.0 rpmdevtools coreutils initscripts chkconfig sed grep firewalld policycoreutils && yum clean all
+# install build tools for TPM2 provisioner
+RUN yum install -y epel-release cmake make git gcc-c++ doxygen graphviz protobuf-compiler cppcheck python libssh2-devel openssl libcurl-devel log4cplus-devel protobuf-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel  && yum clean all
+
+# install build tools for ACA
+RUN yum install -y sudo yum install java-1.8.0-openjdk-devel protobuf-compiler rpm-build epel-release cmake make git gcc-c++ doxygen graphviz cppcheck python libssh2-devel openssl libcurl-devel log4cplus-devel protobuf-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel trousers-devel && yum clean all
+# install run time dependencies
+RUN yum install -y mariadb-server openssl tomcat java-1.8.0-openjdk-headless rpmdevtools coreutils initscripts chkconfig sed grep wget which firewalld policycoreutils net-tools git  rpm-build && yum clean all
+
+# Remove TLSv1, TLSv1.1, references to prevent java security from stopping tomcat launch
+RUN sed -i 's/TLSv1,//' /usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/lib/security/java.security
+RUN sed -i 's/TLSv1.1,//' /usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/lib/security/java.security
 
 # Expose ACA Port
-EXPOSE 8443
+EXPOSE 8443

.ci/docker/Dockerfile.tpm2provisioner

@@ -1,12 +1,19 @@
-FROM hirs/hirs-ci:centos7
+FROM centos:7
 
 # Install packages for installing HIRS TPM2 Provisioner
 RUN yum -y update && yum clean all
-RUN yum install -y tpm2-tools libcurl procps-ng wget dbus python-requests python2-future python36-future && yum clean all
 
+# install build dependencies
+RUN yum install -y epel-release cmake make git gcc-c++ doxygen graphviz protobuf-compiler cppcheck python libssh2-devel openssl libcurl-devel log4cplus-devel protobuf-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel && yum clean all
+
+# install run time dependencies 
+RUN yum install -y java-1.8.0 wget util-linux chkconfig sed initscripts coreutils dmidecode trousers tpm-tools && yum clean all
+ 
 # Install PACCOR for Device Info Gathering
 RUN mkdir paccor && pushd paccor && wget https://github.com/nsacyber/paccor/releases/download/v1.1.4r2/paccor-1.1.4-2.noarch.rpm && yum -y install paccor-*.rpm && popd
 
 # Install Software TPM for Provisioning
-RUN mkdir ibmtpm && pushd ibmtpm && wget https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm1332.tar.gz && tar -zxvf ibmtpm1332.tar.gz && cd src && make -j5 && popd
+RUN mkdir ibmtpm && pushd ibmtpm && wget --no-check-certificate https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm1332.tar.gz && tar -zxvf ibmtpm1332.tar.gz && cd src && make -j5 && popd
 
+# Install TSS for TPM setup
+RUN mkdir ibmtss && pushd ibmtss && wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.6.0.tar.gz && tar -zxvf ibmtss1.6.0.tar.gz && cd utils && make -f makefiletpmc && popd

.ci/docker/docker-compose-system-test.yml

@@ -2,14 +2,14 @@ version: "3.1"
 
 services:
    aca:
-      image: hirs/hirs-ci:aca
+      image: ghcr.io/nsacyber/hirs/aca-ci:latest
       container_name: hirs-aca1
       volumes:
          - ../../:/HIRS
       ports:
          - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
       entrypoint: /bin/bash -c
-      command: [HIRS/.ci/setup/container/setup_aca.sh]
+      command: [tail -f /dev/null;]
       hostname: ${HIRS_ACA_HOSTNAME}
       networks:
          hirs_aca_system_tests:
@@ -18,7 +18,7 @@ services:
               - ${HIRS_ACA_HOSTNAME}
 
    tpmprovisioner:
-      image: hirs/hirs-ci:tpm2provisioner
+      image: ghcr.io/nsacyber/hirs/tpm2provisioner-ci:latest
       container_name: hirs-provisioner1-tpm2
       depends_on:
          - aca

.ci/setup/container/setup_aca.sh

@@ -6,11 +6,22 @@ set -e
 
 # Prevent rebuild of packages if they already exist
 cd /HIRS
+echo "Building and packaging the ACA"
 if [ ! -d package/rpm/RPMS ]; then
-    ./package/package.centos.sh
+     mkdir -p /HIRS/logs/aca/
+     sh package/package.centos.sh &> /HIRS/logs/aca/aca_build.log
 fi
-yum install -y package/rpm/RPMS/noarch/HIRS_AttestationCA*.el7.noarch.rpm
-
-echo "ACA Loaded!"
-
-tail -f /dev/null
+echo "Building and packaging the ACA completed"
+echo "Installing the ACA"
+yum install -y package/rpm/RPMS/noarch/HIRS_AttestationCA*.el7.noarch.rpm &> /HIRS/logs/aca/aca_install.log
+filename=package/rpm/RPMS/noarch/HIRS_AttestationCA*.el7.noarch.rpm
+echo "================================================================================"
+echo "Installing:"
+echo "       HIRS_AttestationCA"
+echo "                   $filename" 
+echo ""
+echo "Transaction Summary"
+echo "================================================================================"
+echo "Install  1 Package"
+echo ""
+echo "********************* End of ACA installation *********************"m

.ci/setup/container/tpm2_common.sh

@@ -18,14 +18,9 @@ function installProvisioner {
 
 # use ibm tss to properly clear tpm pcr values
 function setTpmPcrValues {
-  mkdir /ibmtss
   pushd /ibmtss  > /dev/null
-    echo "Installing IBM TSS to set the TPM simulator intial values correctly..."
-    wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.6.0.tar.gz > /dev/null
-    tar -zxvf ibmtss1.6.0.tar.gz > /dev/null
+    echo "Starting IBM TSS to set the TPM simulator initial values correctly..."
     cd utils
-    make -f makefiletpmc > /dev/null
-    cd ../utils
     ./startup
   popd  > /dev/null
 }

.ci/system-tests/run_system_tests.sh

@@ -27,11 +27,14 @@ popd > /dev/null
 pushd .ci/system-tests > /dev/null
 source sys_test_common.sh
 
+# Build, Package, and Install HIRS ACA (2+ minutes) then wait for systems tests...
+docker exec $aca_container sh -c "/HIRS/.ci/setup/container/setup_aca.sh"
+echo "ACA Loaded!"
 echo "ACA Container info: $(checkContainerStatus $aca_container)";
-echo "TPM2 Provisioner Container info: $(checkContainerStatus $tpm2_container)";
 
 # Install HIRS provioner and setup tpm2 emulator
 docker exec $tpm2_container /HIRS/.ci/setup/container/setup_tpm2provisioner.sh
+echo "TPM2 Provisioner Container info: $(checkContainerStatus $tpm2_container)";
 
 # ********* Execute system tests here, add tests as needed ************* 
 echo "******** Setup Complete Begin HIRS System Tests ******** "

.github/workflows/system_test.yml

@@ -16,19 +16,15 @@ jobs:
       packages: write
     steps:
     - uses: actions/checkout@v2
-    - name: Set up JDK 8
-      uses: actions/setup-java@v2
-      with:
-        java-version: '8'
-        distribution: 'adopt'
-        server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
-        settings-path: ${{ github.workspace }} # location for the settings.xml file  
     - name: ACA TPM2 Tests
       continue-on-error: true
       shell: bash
       run: |
         sudo apt-get install -y curl
-        echo ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
+        export JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0*/jre/bin"
+        echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+        # comment out the line above and uncomment the line below to run in a forked repo.
+        #echo "${{ secrets.PKG_PWD }}" | docker login ghcr.io -u $ --password-stdin
         bash .ci/system-tests/run_system_tests.sh
     - name: Archive System Test Log files
       uses: actions/upload-artifact@v2
@@ -43,4 +39,4 @@ jobs:
           exit 0;
         else
           exit 1;
-        fi
+        fi