From b220971fe1a04ccce676fd07f6426fc5577ba441 Mon Sep 17 00:00:00 2001
From: Miroslav Ivanov
Date: Tue, 24 Jan 2023 15:23:14 +0200
Subject: [PATCH 1/4] job-builder: introduced secure base-job-image
As part of our initiative to improve the overall security of the VDK project, we need to apply some general hardenings to the base job image. Introduced base job image based on the lightweight Photon OS. The general hardenings will be applied in a separate PR. Tested on a local Kind cluster
Signed-off-by: Miroslav Ivanov miroslavi@vmware.com
---
 .../Dockerfile-data-job-base | 14 +++++++++++
 .../projects/job-base-image-secure/README.md | 17 +++++++++++++
 .../job-base-image-secure/publish-job-base.sh | 25 +++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base
 create mode 100644 projects/control-service/projects/job-base-image-secure/README.md
 create mode 100644 projects/control-service/projects/job-base-image-secure/publish-job-base.sh
diff --git a/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base b/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base
new file mode 100644
index 0000000000..8557a0e560
--- /dev/null
+++ b/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base
@@ -0,0 +1,14 @@
+# https://docs.docker.com/develop/develop-images/dockerfile_best-practices
+FROM photon:latest
+
+# Set the working directory
+WORKDIR /job
+
+# Install python
+RUN yum update -y
+RUN yum install python3 python3-pip shadow -y
+RUN ln -fs /usr/bin/python3 /usr/local/bin/python
+
+# Install native dependencies so that requirements in requirements.txt can be installed
+# some (like openssl) should be pre-installed in the base image but let's be explicit
+RUN yum install build-essential -y
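Review bot: `FROM photon:latest` on the second line of the new Dockerfile leaves the base of a "secure" job image floating, so two builds of the same commit can yield different images and a Photon major-version change on the `latest` tag would silently break the exact `.ph4` package pins this file receives later in the series; pin a release tag and preferably a digest, e.g. `FROM photon:4.0@sha256:<digest-from-registry>`. The file also ends without a `USER` instruction, so every data job built on this base runs as root unless the per-job Dockerfile adds one — `shadow` is installed here, so a `useradd`/`USER` pair after the package installs would close that gap. Finally, `RUN yum update -y` in its own layer is a blanket unpinned upgrade whose result the build cache freezes at an arbitrary point; dropping it in favour of bumping the base tag, and folding the two install lines into one `RUN` that cleans the package cache, keeps the layer reproducible and smaller.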
diff --git a/projects/control-service/projects/job-base-image-secure/README.md b/projects/control-service/projects/job-base-image-secure/README.md
new file mode 100644
index 0000000000..23d20dc4c1
--- /dev/null
+++ b/projects/control-service/projects/job-base-image-secure/README.md
@@ -0,0 +1,17 @@
+# Job base image
+
+Job base image is the container "base" image used when building per data job custom image during deployment.
+
+This directory provides the source of some base images for standard python versions.
+It's used by default installation of VDK and should also serve as an example on how operators of VDK can build their own base image.
+
+The current base image installs supporting libraries for Oracle database
+and some native bindings necessary for installing from source some python packages which user may specify for their data job.
+
+## Build
+
+To build the job_base images run `./publish-job-base` which will publish new base image to versatiledatakit container registry.
+
+## Use
+
+It's then set in values.yaml of the helm chart as `deploymentDataJobBaseImage` option
diff --git a/projects/control-service/projects/job-base-image-secure/publish-job-base.sh b/projects/control-service/projects/job-base-image-secure/publish-job-base.sh
new file mode 100644
index 0000000000..97fa6042bd
--- /dev/null
+++ b/projects/control-service/projects/job-base-image-secure/publish-job-base.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright 2021 VMware, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+VERSION_TAG="${VERSION_TAG:-"0.1dev"}"
+VDK_DOCKER_REGISTRY_URL=${VDK_DOCKER_REGISTRY_URL:-"registry.hub.docker.com/versatiledatakit"}
+
+function build_and_push_image() {
+ name="$1"
+ docker_file="$2"
+ arguments="$3"
+
+ image_repo="$VDK_DOCKER_REGISTRY_URL/$name"
+ image_tag="$image_repo:$VERSION_TAG"
+
+ docker build -t "$image_tag" -t "$image_repo:latest" -f "$SCRIPT_DIR/$docker_file" $arguments "$SCRIPT_DIR"
+ docker push "$image_tag"
+ docker push "$image_repo:latest"
+}
+
+build_and_push_image \
+ "data-job-base-python-3.10-secure" \
+ Dockerfile-data-job-base
From 1436c8b858c294dbab11834ed23f053f94a1d3d1 Mon Sep 17 00:00:00 2001
From: Miroslav Ivanov
Date: Tue, 24 Jan 2023 15:49:48 +0200
Subject: [PATCH 2/4] Added CI/CD step for the base image publication
---
 projects/control-service/cicd/.gitlab-ci.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/projects/control-service/cicd/.gitlab-ci.yml b/projects/control-service/cicd/.gitlab-ci.yml
index ea9c0615be..2e2b639aa0 100644
--- a/projects/control-service/cicd/.gitlab-ci.yml
+++ b/projects/control-service/cicd/.gitlab-ci.yml
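Review bot: The script sets no `set -e`, so when the `docker build` inside `build_and_push_image` fails the two `docker push` lines still run and can publish whatever image already carries `$image_repo:latest` on the build host; the CI job happens to invoke it with `bash -ex`, but the README's `./publish-job-base` invocation gets no such protection. Add `set -eo pipefail` directly after the shebang (not `-u`: the call site passes only two arguments, so `arguments="$3"` would trip an unbound-variable error under `set -u` unless written `"${3:-}"`). The unquoted `$arguments` in the `docker build` line is presumably deliberate so that several build flags split into separate words; a comment such as `# intentionally unquoted: may carry several docker build flags` records that and explains the ShellCheck SC2086 finding. The five assignments inside the function are globals; a `local name docker_file arguments image_repo image_tag` line keeps them out of the caller's scope.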
@@ -140,6 +140,26 @@ control_service_publish_job_base_image:
 changes:
 - projects/control-service/projects/helm_charts/pipelines-control-service/version.txt
+control_service_publish_job_base_image-secure:
+ extends: .images:dind
+ stage: publish_artifacts
+ script:
+ - apk add --no-cache bash
+ - docker login --username "${VDK_DOCKER_REGISTRY_USERNAME}" --password "${VDK_DOCKER_REGISTRY_PASSWORD}" "${VDK_DOCKER_REGISTRY_URL}"
+ - cd projects/control-service/projects/job-base-image-secure
+ - export VERSION_TAG="1.$CI_PIPELINE_ID"
+ - bash -ex ./publish-job-base.sh
+ retry: !reference [.control_service_retry, retry_options]
+ only:
+ refs:
+ - main
+ - external_pull_requests
+ changes:
+ - projects/control-service/projects/job-base-image-secure/**/*
+ except:
+ changes:
+ - projects/control-service/projects/helm_charts/pipelines-control-service/version.txt
+
 control_service_publish_job_builder_image:
 extends: .images:dind
From 007ac18cc3d6b2b3428c5a2328a76f47acca08b1 Mon Sep 17 00:00:00 2001
From: Miroslav Ivanov
Date: Wed, 25 Jan 2023 13:52:49 +0200
Subject: [PATCH 3/4] Addressed comments
---
 projects/control-service/cicd/.gitlab-ci.yml | 1 -
 .../Dockerfile-data-job-base | 2 +-
 .../projects/job-base-image-secure/README.md | 6 +++---
 .../job-base-image/Dockerfile-data-job-base | 17 -----------------
 4 files changed, 4 insertions(+), 22 deletions(-)
diff --git a/projects/control-service/cicd/.gitlab-ci.yml b/projects/control-service/cicd/.gitlab-ci.yml
index 2e2b639aa0..9c47efdd94 100644
--- a/projects/control-service/cicd/.gitlab-ci.yml
+++ b/projects/control-service/cicd/.gitlab-ci.yml
@@ -153,7 +153,6 @@ control_service_publish_job_base_image-secure:
 only:
 refs:
 - main
- - external_pull_requests
 changes:
 - projects/control-service/projects/job-base-image-secure/**/*
 except:
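Review bot: The `docker login` step of the new `control_service_publish_job_base_image-secure` job passes the registry credential as `--password "${VDK_DOCKER_REGISTRY_PASSWORD}"`, which places it in the process argv on the runner and in the job log should the shell ever trace the command; the Docker CLI itself warns that this form is insecure. Prefer the stdin form, `echo "${VDK_DOCKER_REGISTRY_PASSWORD}" | docker login --username "${VDK_DOCKER_REGISTRY_USERNAME}" --password-stdin "${VDK_DOCKER_REGISTRY_URL}"`. The neighbouring `control_service_publish_job_base_image` job lies outside the hunk and presumably uses the same pattern, so both are worth changing together. Note also that `bash -ex ./publish-job-base.sh` echoes every command of that script into the log, which is harmless while the script handles no credentials but should be kept in mind if one is ever passed through its build arguments.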
diff --git a/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base b/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base
index 8557a0e560..f02a9e33a4 100644
--- a/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base
+++ b/projects/control-service/projects/job-base-image-secure/Dockerfile-data-job-base
@@ -6,7 +6,7 @@ WORKDIR /job
 # Install python
 RUN yum update -y
-RUN yum install python3 python3-pip shadow -y
+RUN yum install python3-3.10.0-9.ph4 python3-pip-3.10.0-9.ph4 shadow -y
 RUN ln -fs /usr/bin/python3 /usr/local/bin/python
 # Install native dependencies so that requirements in requirements.txt can be installed
diff --git a/projects/control-service/projects/job-base-image-secure/README.md b/projects/control-service/projects/job-base-image-secure/README.md
index 23d20dc4c1..eaaf71e747 100644
--- a/projects/control-service/projects/job-base-image-secure/README.md
+++ b/projects/control-service/projects/job-base-image-secure/README.md
@@ -3,10 +3,10 @@
 Job base image is the container "base" image used when building per data job custom image during deployment.
 This directory provides the source of some base images for standard python versions.
-It's used by default installation of VDK and should also serve as an example on how operators of VDK can build their own base image.
+It's used by secured installation of VDK.
-The current base image installs supporting libraries for Oracle database
-and some native bindings necessary for installing from source some python packages which user may specify for their data job.
+The current base image installs supporting libraries for some native bindings necessary for installing from source
+some python packages which user may specify for their data job.
 ## Build
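Review bot: Pinning `python3-3.10.0-9.ph4` and `python3-pip-3.10.0-9.ph4` helps reproducibility, but `shadow` on the same line stays unpinned, so the install layer still depends on what the repository serves on build day; pin it the same way. The `-9.ph4` suffix also assumes a Photon 4 base, which the `FROM photon:latest` line at the top of the file (outside this hunk) does not guarantee — once `latest` points at a newer release these exact versions will not resolve and the build will fail, so the `FROM` line should carry a matching `4.0` tag. A short comment above the install, such as `# exact Photon 4 package versions; bump together with the base image tag`, would tell the next maintainer why this line looks different from the unpinned `build-essential` install below it.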
diff --git a/projects/control-service/projects/job-base-image/Dockerfile-data-job-base b/projects/control-service/projects/job-base-image/Dockerfile-data-job-base
index eefa9a14a5..f075ad1e27 100644
--- a/projects/control-service/projects/job-base-image/Dockerfile-data-job-base
+++ b/projects/control-service/projects/job-base-image/Dockerfile-data-job-base
@@ -14,20 +14,3 @@ RUN set -ex \
 && apt-get update \
 && apt-get -y install --no-install-recommends \
 build-essential openssl g++
-
-# Install the native dependencies necessary for cx_Oracle python library
-# See https://oracle.github.io/odpi/doc/installation.html#linux
-RUN set -ex \
- && echo "Installing native dependencies related to support for cx_Oracle python library ..." \
- && mkdir -p /opt/lib/native \
- && apt-get -y install --no-install-recommends libaio1 curl unzip \
- && curl --insecure --output oracle-instantclient.zip https://download.oracle.com/otn_software/linux/instantclient/1911000/instantclient-basic-linux.x64-19.11.0.0.0dbru.zip \
- && unzip oracle-instantclient.zip -d /opt/lib/native/oracle && rm -f oracle-instantclient.zip \
- && sh -c "echo /opt/lib/native/oracle/instantclient_19_11 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
- && ldconfig \
- && apt-get purge -y --auto-remove curl unzip
-
-# libaio1 - LGPL-2.1+ https://developer.puri.sm/licenses/Librem5/Birch/libaio1/copyright
-# curl - MIT/X* modified https://curl.se/docs/copyright.html
-# unzip - MIT https://github.com/vipsoft/Unzip/blob/master/LICENSE
-# oracle instant client license - Oracle Technology Network Development and Distribution License Agreement https://www.oracle.com/downloads/licenses/instant-client-lic.html
From ab96424e8524c8fe2b351e5159c7e80145850e40 Mon Sep 17 00:00:00 2001
From: Miroslav Ivanov
Date: Wed, 25 Jan 2023 14:01:08 +0200
Subject: [PATCH 4/4] Revert base-job-image
---
 .../job-base-image/Dockerfile-data-job-base | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/projects/control-service/projects/job-base-image/Dockerfile-data-job-base b/projects/control-service/projects/job-base-image/Dockerfile-data-job-base
index f075ad1e27..eefa9a14a5 100644
--- a/projects/control-service/projects/job-base-image/Dockerfile-data-job-base
+++ b/projects/control-service/projects/job-base-image/Dockerfile-data-job-base
@@ -14,3 +14,20 @@ RUN set -ex \
 && apt-get update \
 && apt-get -y install --no-install-recommends \
 build-essential openssl g++
+
+# Install the native dependencies necessary for cx_Oracle python library
+# See https://oracle.github.io/odpi/doc/installation.html#linux
+RUN set -ex \
+ && echo "Installing native dependencies related to support for cx_Oracle python library ..." \
+ && mkdir -p /opt/lib/native \
+ && apt-get -y install --no-install-recommends libaio1 curl unzip \
+ && curl --insecure --output oracle-instantclient.zip https://download.oracle.com/otn_software/linux/instantclient/1911000/instantclient-basic-linux.x64-19.11.0.0.0dbru.zip \
+ && unzip oracle-instantclient.zip -d /opt/lib/native/oracle && rm -f oracle-instantclient.zip \
+ && sh -c "echo /opt/lib/native/oracle/instantclient_19_11 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
+ && ldconfig \
+ && apt-get purge -y --auto-remove curl unzip
+
+# libaio1 - LGPL-2.1+ https://developer.puri.sm/licenses/Librem5/Birch/libaio1/copyright
+# curl - MIT/X* modified https://curl.se/docs/copyright.html
+# unzip - MIT https://github.com/vipsoft/Unzip/blob/master/LICENSE
+# oracle instant client license - Oracle Technology Network Development and Distribution License Agreement https://www.oracle.com/downloads/licenses/instant-client-lic.html
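Review bot: The restored `RUN` block downloads the Oracle Instant Client with `curl --insecure` and no integrity check, then registers it for every process in the image via `/etc/ld.so.conf.d` and `ldconfig`, so TLS verification is switched off for a native library that each data job built on this base will load. Restoring the block as a revert is fine as history, but it should not come back unchanged: `--insecure` was presumably added because the image lacks a trust store, which installing `ca-certificates` next to `curl` fixes properly, and the archive should be checked against a pinned digest, e.g. `echo "<expected-sha256>  oracle-instantclient.zip" | sha256sum -c -` before the `unzip` line. A one-line comment above the `sh -c "echo … > /etc/ld.so.conf.d/…"` line, noting that it makes the library visible system-wide and not only to cx_Oracle, would help the next reader judge the blast radius. The `RUN set -ex` whose continuation lines open this hunk starts outside it.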