base-job-image: automatic image cleanup (#1636)

# Why
Currently, the base job image contains a lot of binaries/executables
(including the package manager) which increases the attack surface of
the data job.

# What
Integrated [docker-slim](https://github.com/slimtoolkit/slim) in order
to reduce the number of binaries/executables. Docker-slim analyzes the
image and produces a much cleaner one based on the application usage.

# Testing done
Local execution of docker-slim and CI/CD -
https://gitlab.com/vmware-analytics/versatile-data-kit/-/jobs/3768967625.

Signed-off-by: Miroslav Ivanov [email protected]

projects/control-service/cicd/.gitlab-ci.yml

@@ -156,6 +156,13 @@ control_service_publish_job_base_image-secure:
     - docker login --username "${VDK_DOCKER_REGISTRY_USERNAME}" --password "${VDK_DOCKER_REGISTRY_PASSWORD}" "${VDK_DOCKER_REGISTRY_URL}"
     - cd projects/control-service/projects/job-base-image-secure
     - export VERSION_TAG="1.$CI_PIPELINE_ID"
+    # Make the docker-slim tool available to the CI job
+    - >
+        apk add -u curl
+        && curl -L -o ds.tar.gz https://downloads.dockerslim.com/releases/1.37.3/dist_linux.tar.gz
+        && tar -xvf ds.tar.gz
+        && mv dist_linux/docker-slim /usr/local/bin/
+        && mv dist_linux/docker-slim-sensor /usr/local/bin/
     - bash -ex ./publish-job-base.sh
   retry: !reference [.control_service_retry, retry_options]
   rules:

projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base

@@ -8,7 +8,7 @@ WORKDIR /job
 RUN yum erase toybox -y
 
 # Install python
-RUN yum install python3-3.10.0-9.ph4 python3-pip-3.10.0-9.ph4 shadow -y
+RUN yum install python3-3.10.0-10.ph4 python3-pip-3.10.0-10.ph4 shadow -y
 RUN ln -fs /usr/bin/python3 /usr/local/bin/python
 
 # Install native dependencies so that requirements in requirements.txt can be installed

projects/control-service/projects/job-base-image-secure/publish-job-base.sh

@@ -13,11 +13,30 @@ function build_and_push_image() {
     arguments="$3"
 
     image_repo="$VDK_DOCKER_REGISTRY_URL/$name"
-    image_tag="$image_repo:$VERSION_TAG"
+    image_tag_local="$image_repo:local"
+    image_tag_version="$image_repo:$VERSION_TAG"
+    image_tag_latest="$image_repo:latest"
 
-    docker build -t "$image_tag" -t "$image_repo:latest" -f "$SCRIPT_DIR/$docker_file" $arguments "$SCRIPT_DIR"
-    docker push "$image_tag"
-    docker push "$image_repo:latest"
+    docker build -t "$image_tag_local" -f "$SCRIPT_DIR/$docker_file" "$arguments" "$SCRIPT_DIR"
+
+    docker-slim build \
+    --target "$image_tag_local" \
+    --tag "$image_tag_version" \
+    --tag "$image_tag_latest" \
+    --http-probe=false \
+    --exec "/bin/sh -c \"pip3 list && python3 -m pip install --upgrade pip\"" \
+    --include-bin "/usr/bin/chmod" \
+    --include-bin "/usr/bin/chown" \
+    --include-bin "/usr/bin/rm" \
+    --include-bin "/usr/bin/bash" \
+    --include-bin "/usr/sbin/groupadd" \
+    --include-bin "/usr/sbin/groupdel" \
+    --include-bin "/usr/sbin/useradd" \
+    --include-bin "/usr/sbin/userdel" \
+    --include-path "/usr/lib"
+
+    docker push "$image_tag_version"
+    docker push "$image_tag_latest"
 }
 
 build_and_push_image \

projects/control-service/projects/job-builder-secure/Dockerfile.python.vdk

@@ -35,6 +35,10 @@ ENV VDK_JOB_GITHASH $job_githash
 # Delete system executables
 RUN rm /usr/bin/chmod
 RUN rm /usr/bin/chown
+RUN rm /usr/sbin/groupadd
+RUN rm /usr/sbin/groupdel
+RUN rm /usr/sbin/useradd
+RUN rm /usr/sbin/userdel
 RUN rm /usr/bin/uname
 RUN python -m pip uninstall pip -y