Merge f9dfbe9fe1 into 56663023f5

FIXUP: Make tests work after 'podman load -i'
FIXUP: Rename XXX to NOTE
2025-05-15 17:51:50 +02:00 · 2025-03-11 15:40:43 +00:00 · 2025-03-11 17:40:37 +02:00 · 2025-03-11 17:33:05 +02:00 · 2025-03-11 17:33:05 +02:00 · 2025-03-11 17:33:05 +02:00
5 changed files with 40 additions and 20 deletions
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -10,7 +10,12 @@ on:

 jobs:
  security-scan-container:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@ -51,7 +56,12 @@ jobs:
          severity-cutoff: critical

  security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/.github/workflows/scan_released.yml
+++ b/.github/workflows/scan_released.yml
@ -9,11 +9,10 @@ jobs:
    strategy:
      matrix:
        include:
-          - runs-on: ubuntu-latest
+          - runs-on: ubuntu-24.04
            arch: i686
-          # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
-          # - runs-on: macos-latest
-          #   arch: arm64
+          - runs-on: ubuntu-24.04-arm
+            arch: arm64
    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Checkout
@ -55,7 +54,12 @@ jobs:
          severity-cutoff: critical

  security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/2
+++ b/2
@ -185,7 +185,7 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
 # servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
    && rm /new_root/etc/resolv.conf
--- a/Dockerfile.in
+++ b/Dockerfile.in
@ -185,8 +185,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
    && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
--- a/tests/isolation_provider/test_container.py
+++ b/tests/isolation_provider/test_container.py
@ -8,6 +8,7 @@ from pytest_subprocess import FakeProcess
 from dangerzone import container_utils, errors
 from dangerzone.isolation_provider.container import Container
 from dangerzone.isolation_provider.qubes import is_qubes_native_conversion
+from dangerzone.util import get_resource_path

 from .base import IsolationProviderTermination, IsolationProviderTest

@ -47,7 +48,7 @@ class TestContainer(IsolationProviderTest):
        provider.is_available()

    def test_install_raise_if_image_cant_be_installed(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
+        self, provider: Container, fp: FakeProcess
    ) -> None:
        """When an image installation fails, an exception should be raised"""

@ -68,11 +69,13 @@ class TestContainer(IsolationProviderTest):
            occurrences=2,
        )

-        # Make podman load fail
-        mocker.patch("builtins.open", mocker.mock_open(read_data=""))
-
        fp.register_subprocess(
-            [container_utils.get_runtime(), "load"],
+            [
+                container_utils.get_runtime(),
+                "load",
+                "-i",
+                get_resource_path("container.tar"),
+            ],
            returncode=-1,
        )

@ -80,7 +83,7 @@ class TestContainer(IsolationProviderTest):
            provider.install()

    def test_install_raises_if_still_not_installed(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
+        self, provider: Container, fp: FakeProcess
    ) -> None:
        """When an image keep being not installed, it should return False"""
        fp.register_subprocess(
@ -105,10 +108,13 @@ class TestContainer(IsolationProviderTest):
            occurrences=2,
        )

-        # Patch open and podman load so that it works
-        mocker.patch("builtins.open", mocker.mock_open(read_data=""))
        fp.register_subprocess(
-            [container_utils.get_runtime(), "load"],
+            [
+                container_utils.get_runtime(),
+                "load",
+                "-i",
+                get_resource_path("container.tar"),
+            ],
        )
        with pytest.raises(errors.ImageNotPresentException):
            provider.install()
@ -195,7 +201,7 @@ class TestContainer(IsolationProviderTest):
        reason="Linux specific",
    )
    def test_linux_skips_desktop_version_check_returns_true(
-        self, mocker: MockerFixture, provider: Container
+        self, provider: Container
    ) -> None:
        assert (True, "") == provider.check_docker_desktop_version()
Author	SHA1	Message	Date
Alex Pyrgiotis	605131eafe	Merge `f9dfbe9fe1` into `56663023f5`	2025-03-11 15:40:43 +00:00
Alex Pyrgiotis	f9dfbe9fe1	FIXUP: Make tests work after 'podman load -i' Some checks are pending Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Tests / run-lint (push) Waiting to run Details Tests / build-container-image (push) Waiting to run Details Tests / Download and cache Tesseract data (push) Waiting to run Details Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Release multi-arch container image / build-push-image (push) Waiting to run Details	2025-03-11 17:40:37 +02:00
Alex Pyrgiotis	49d454693e	FIXUP: Rename XXX to NOTE	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	31b04b6556	FIXUP: Add comment for needs: prepare	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	0972542ae3	FIXUP: Remove extraneous comments	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	222169d7fe	FIXUP: Specify platform by full name	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	b2ab898843	FIXUP: Handle tarballs with ./ prefix	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	ee95e86508	FIXUP: Rename repro-build to repro-build.py	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	542fe93d1f	FIXUP: Rename compressed_container_path envvar	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	92267c723c	FIXUP: Use 'load -i'	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	b8ef87a7fc	FIXUP: Document removal of resolv.conf	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	79d9ae7ee2	FIXUP: Change digest with manifest_type	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	3c90ad9d0b	FIXUP: Move buildkit image alongw with other envvars	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	d9f23170cf	FIXUP: Remove command that checks github token	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	f33b3851d5	FIXUP: Make release image job reusable	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	553b0047c6	ci: Create a CI job that does the following 1. Create a multi-architecture container image for Dangerzone, instead of having two different tarballs (or no option at all) 2. Build the Dangerzone container image on our supported architectures (linux/amd64 and linux/arm64). It so happens that GitHub also offers ARM machine runners, which speeds up the build. 3. Combine the images from these two architectures into one, multi-arch image. 4. Generate provenance info for each manifest, and the root manifest list. 5. Check the image's reproduciblity. Also, remove an older CI action, that is now obsolete. Fixes #1035	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	18ec4758bb	Completely overhaul the `reproduce-image.py` script Make a major change to the `reproduce-image.py` script: drop `diffoci`, build the container image, and ensure it has the exact same hash as the source image. We can drop the `diffoci` script when comparing the two images, because we are now able build bit-for-bit reproducible images.	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	038e95b513	Fix a Podman regression regarding Buildkit images Loading an image built with Buildkit in Podman 3.4 messes up its name. The tag somehow becomes the name of the loaded image. We know that older Podman versions are not generally affected, since Podman v3.0.1 on Debian Bullseye works properly. Also, Podman v4.0 is not affected, so it makes sense to target only Podman v3.4 for a fix. The fix is simple, tag the image properly based on the expected tag from `share/image-id.txt` and delete the incorrect tag. Refs containers/podman/#16490	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	d3d04b22ec	Fix references to container.tar.gz Find all references to the `container.tar.gz` file, and replace them with references to `container.tar`. Moreover, remove the `--no-save` argument of `build-image.py` since we now always save the image. Finally, fix some stale references to Poetry, which are not necessary anymore.	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	0042e131f6	Build container image using `repro-build` Invoke the `repro-build` script when building a container image, instead of the underlying Docker/Podman commands. The `repro-build` script handles the underlying complexity to call Docker/Podman in a manner that makes the image reproducible. Moreover, mirror some arguments from the `repro-build` script, so that consumers of `build-image.py` can pass them to it. Important: the resulting image will be in .tar format, not .tar.gz, starting from this commit. This means that our tests will be broken for the next few commits. Fixes #1074	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	a2acbeff53	Vendor `repro-build` script Vendor the `repro-build` script in our codebase, which will be used to build our container image in a reproducible manner. We prefer to copy it verbatim for the time-being, since its interface is not stable enough, and the repro-build repo is not reviewed after all. In the future, we want to store this script in a separate place, and pull it when necessary. Refs #1085	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	be8005f72b	Remove sources of non-determinism from our image Make our container image more reproducible, by changing the following in our Dockerfile: 1. Touch `/etc/apt/sources.list` with a UTC timestamp. Else, builds on different countries (!?) may result to different Unix epochs for the same date, and therefore different modification time for the file. 2. Turn the third column of `/etc/shadow` (date of last password change) for the `dangerzone` user into a constant number. 3. Fix r-s file permissions in some copied files, due to inconsistent COPY behavior in containerized vs non-containerized Buildkit. This requires creating a full file hierarchy in a separate directory (see new_root/). 4. Set a specific modification time for the entrypoint script, because rewrite-timestamp=true does not overwrite it.	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	712b309dbf	Bump container image parameters Bump all the values in Dockerfile.env, since there are new releases out for all of them.	2025-03-11 17:33:03 +02:00
Alex Pyrgiotis	56663023f5	ci: Security scan ARM images Some checks failed Scan latest app and container / security-scan-app (ubuntu-24.04) (push) Has been cancelled Details Scan latest app and container / security-scan-app (ubuntu-24.04-arm) (push) Has been cancelled Details Tests / build-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / windows (push) Has been cancelled Details Tests / macOS (arch64) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / macOS (x86_64) (push) Has been cancelled Details Tests / build-deb (debian bookworm) (push) Has been cancelled Details Tests / build-deb (debian bullseye) (push) Has been cancelled Details Tests / build-deb (debian trixie) (push) Has been cancelled Details Tests / build-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / install-deb (debian bookworm) (push) Has been cancelled Details Tests / install-deb (debian bullseye) (push) Has been cancelled Details Tests / install-deb (debian trixie) (push) Has been cancelled Details Tests / install-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / build-install-rpm (fedora 40) (push) Has been cancelled Details Tests / build-install-rpm (fedora 41) (push) Has been cancelled Details Tests / run tests (debian bookworm) (push) Has been cancelled Details Tests / run tests (debian bullseye) (push) Has been cancelled Details Tests / run tests (debian trixie) (push) Has been cancelled Details Tests / run tests (fedora 40) (push) Has been cancelled Details Tests / run tests (fedora 41) (push) Has been cancelled Details Tests / run tests (ubuntu 20.04) (push) Has been cancelled Details Tests / run tests (ubuntu 22.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.10) (push) Has been cancelled Details Scan ARM images using Anchore's scan action, by utilizing the Ubuntu ARM runners provided by GitHub. While our ARM images are used only in macOS silicon platforms, we can use the Ubuntu ARM runners just for scanning. Closes #1008	2025-03-10 18:45:26 +02:00