Merge pull request #188 from lukaszstolarczuk/docker

[CI] Add first dockers and trivy workflow

Author: bratpiorka

.github/docker/README.md

@@ -0,0 +1,52 @@
+# Content
+
+Dockerfiles and scripts placed in this directory are intended to be used as
+development process vehicles and part of continuous integration process.
+
+Images built out of those recipes may be used with Docker or podman as
+development environment. If you want to use below instructions with `podman`,
+simply replace word `docker` with `podman`.
+
+# How to build docker image
+
+To build docker image on local machine enter the root dir of the repository and execute:
+
+```sh
+docker build -t ur:ubuntu-22.04 -f .github/docker/ubuntu-22.04.Dockerfile .
+```
+
+To set any build time variable (e.g., an optional ARG from docker recipe), add to the command (after `build`), e.g.:
+
+```sh
+ --build-arg TEST_DEPS=""
+```
+
+One other example of using these extra build arguments are proxy settings. They are required for accessing network
+(e.g., to download dependencies within docker), if a host is using a proxy server. Example usage:
+
+```sh
+ --build-arg https_proxy=http://proxy.com:port --build-arg http_proxy=http://proxy.com:port
+```
+
+# How to use docker image
+
+To run docker container (using the previously built image) execute:
+
+```sh
+docker run --shm-size=4G -v /your/workspace/path/:/opt/workspace:z -w /opt/workspace/ -it ur:ubuntu-22.04 /bin/bash
+```
+
+To set (or override) any docker environment variable, add to the command (after `run`):
+
+```sh
+ -e ENV_VARIABLE=VALUE
+```
+
+To start as a non-root user (created within our Dockerfiles), add to the command (after `run`):
+
+```sh
+ --user test_user
+```
+
+If you want to run a docker container using your specific user, please follow up, e.g.,
+with [this article](https://jtreminio.com/blog/running-docker-containers-as-current-host-user/).

.github/docker/ubuntu-20.04.Dockerfile

@@ -0,0 +1,63 @@
+# Copyright (C) 2024 Intel Corporation
+# Under the Apache License v2.0 with LLVM Exceptions. See LICENSE.TXT.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#
+# Dockerfile - a 'recipe' for Docker to build an image of ubuntu-based
+#              environment for building the Unified Memory Framework project.
+#
+
+# Pull base image ("20.04")
+FROM registry.hub.docker.com/library/ubuntu@sha256:f2034e7195f61334e6caff6ecf2e965f92d11e888309065da85ff50c617732b8
+
+# Set environment variables
+ENV OS ubuntu
+ENV OS_VER 20.04
+ENV NOTTY 1
+ENV DEBIAN_FRONTEND noninteractive
+
+# Base development packages
+ARG BASE_DEPS="\
+	build-essential \
+	cmake \
+	git"
+
+# UMF's dependencies
+ARG UMF_DEPS="\
+	libjemalloc-dev \
+	libhwloc-dev \
+	libtbb-dev"
+
+# Dependencies for tests (optional)
+ARG TEST_DEPS="\
+	libnuma-dev"
+
+# Miscellaneous for our builds/CI (optional)
+ARG MISC_DEPS="\
+	clang \
+	g++-7 \
+	python3-pip \
+	sudo \
+	whois"
+
+# Update and install required packages
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+	${BASE_DEPS} \
+	${UMF_DEPS} \
+	${TEST_DEPS} \
+	${MISC_DEPS} \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get clean all
+
+# Prepare a dir (accessible by anyone)
+RUN mkdir --mode 777 /opt/umf/
+
+# Additional dependencies (installed via pip)
+COPY third_party/requirements.txt /opt/umf/requirements.txt
+RUN pip3 install --no-cache-dir -r /opt/umf/requirements.txt
+
+# Add a new (non-root) 'test_user'
+ENV USER test_user
+ENV USERPASS pass
+RUN useradd -m "${USER}" -g sudo -p "$(mkpasswd ${USERPASS})"

.github/docker/ubuntu-22.04.Dockerfile

@@ -0,0 +1,62 @@
+# Copyright (C) 2024 Intel Corporation
+# Under the Apache License v2.0 with LLVM Exceptions. See LICENSE.TXT.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#
+# Dockerfile - a 'recipe' for Docker to build an image of ubuntu-based
+#              environment for building the Unified Memory Framework project.
+#
+
+# Pull base image ("22.04")
+FROM registry.hub.docker.com/library/ubuntu@sha256:e6173d4dc55e76b87c4af8db8821b1feae4146dd47341e4d431118c7dd060a74
+
+# Set environment variables
+ENV OS ubuntu
+ENV OS_VER 22.04
+ENV NOTTY 1
+ENV DEBIAN_FRONTEND noninteractive
+
+# Base development packages
+ARG BASE_DEPS="\
+	build-essential \
+	cmake \
+	git"
+
+# UMF's dependencies
+ARG UMF_DEPS="\
+	libjemalloc-dev \
+	libhwloc-dev \
+	libtbb-dev"
+
+# Dependencies for tests (optional)
+ARG TEST_DEPS="\
+	libnuma-dev"
+
+# Miscellaneous for our builds/CI (optional)
+ARG MISC_DEPS="\
+	clang \
+	python3-pip \
+	sudo \
+	whois"
+
+# Update and install required packages
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+	${BASE_DEPS} \
+	${UMF_DEPS} \
+	${TEST_DEPS} \
+	${MISC_DEPS} \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get clean all
+
+# Prepare a dir (accessible by anyone)
+RUN mkdir --mode 777 /opt/umf/
+
+# Additional dependencies (installed via pip)
+COPY third_party/requirements.txt /opt/umf/requirements.txt
+RUN pip3 install --no-cache-dir -r /opt/umf/requirements.txt
+
+# Add a new (non-root) 'test_user'
+ENV USER test_user
+ENV USERPASS pass
+RUN useradd -m "${USER}" -g sudo -p "$(mkpasswd ${USERPASS})"

.github/workflows/trivy.yml

@@ -0,0 +1,46 @@
+# Runs linter for Docker files
+name: Trivy
+
+# Due to lower score on Scorecard we're running this separately from
+# "PR/push" workflow. For some reason permissions weren't properly set
+# or recognized (by Scorecard). If Scorecard changes its behavior we can
+# use 'workflow_call' trigger.
+on:
+  push:
+  pull_request:
+    paths:
+      - '.github/docker/*Dockerfile'
+      - '.github/workflows/trivy.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Clone the git repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: 1  # Fail if issue found
+          # See .trivyignore file with suppressions
+
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        with:
+          sarif_file: 'trivy-results.sarif'

.trivyignore

@@ -0,0 +1,10 @@
+# Docs: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore
+
+# In docker files:
+# non-root user is always created within docker, but we switch it only in CI workflows;
+# not enforcing non-root user makes it easier for developers to use their own users in local container
+AVD-DS-0002
+
+# In docker files:
+# HEALTHCHECK is not required for development, nor in CI (failed docker = failed CI)
+AVD-DS-0026