Keep RPM DB in mariner distroless images (#429)

* Keep RPM DB in mariner distroless images This introduces parity in scanning Signed-off-by: Peter Engelbert <pengelbert@microsoft.com> * Remove dead code Signed-off-by: Peter Engelbert <pengelbert@microsoft.com> * Fix rpm manifest check in moby-runc test fixture It was checking for manifest files. We are no longer removing the manifest files, so the check now looks for the rpmdb. Signed-off-by: Peter Engelbert <pengelbert@microsoft.com> --------- Signed-off-by: Peter Engelbert <pengelbert@microsoft.com> Co-authored-by: Peter Engelbert <pengelbert@microsoft.com>
Azure · Nov 11, 2024 · 97bffce · 97bffce
1 parent 47991be
commit 97bffce
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 59 deletions.
diff --git a/frontend/azlinux/handle_container.go b/frontend/azlinux/handle_container.go
@@ -67,7 +67,7 @@ func specToContainerLLB(w worker, spec *dalec.Spec, targetKey string, rpmDir llb
 
 	installOpts := []installOpt{atRoot(workPath)}
 	installOpts = append(installOpts, importRepos...)
-	installOpts = append(installOpts, []installOpt{noGPGCheck, withManifests, installWithConstraints(opts)}...)
+	installOpts = append(installOpts, []installOpt{noGPGCheck, installWithConstraints(opts)}...)
 
 	rootfs = builderImg.Run(
 		w.Install(pkgs, installOpts...),

diff --git a/frontend/azlinux/install.go b/frontend/azlinux/install.go
@@ -10,8 +10,6 @@ import (
 )
 
 type installConfig struct {
-	// Tells the installer to create the distroless rpm manifest.
-	manifest bool
 	// Disables GPG checking when installing RPMs.
 	// this is needed when installing unsigned RPMs.
 	noGPGCheck bool
@@ -49,10 +47,6 @@ func withMounts(opts ...llb.RunOption) installOpt {
 	}
 }
 
-func withManifests(cfg *installConfig) {
-	cfg.manifest = true
-}
-
 func atRoot(root string) installOpt {
 	return func(cfg *installConfig) {
 		cfg.root = root
@@ -86,40 +80,6 @@ func setInstallOptions(cfg *installConfig, opts []installOpt) {
 	}
 }
 
-func manifestScript(workPath string, opts ...llb.ConstraintsOpt) llb.State {
-	mfstDir := filepath.Join(workPath, "var/lib/rpmmanifest")
-	mfst1 := filepath.Join(mfstDir, "container-manifest-1")
-	mfst2 := filepath.Join(mfstDir, "container-manifest-2")
-	rpmdbDir := filepath.Join(workPath, "var/lib/rpm")
-
-	chrootedPaths := []string{
-		filepath.Join(workPath, "/usr/local/bin"),
-		filepath.Join(workPath, "/usr/local/sbin"),
-		filepath.Join(workPath, "/usr/bin"),
-		filepath.Join(workPath, "/usr/sbin"),
-		filepath.Join(workPath, "/bin"),
-		filepath.Join(workPath, "/sbin"),
-	}
-	chrootedPathEnv := strings.Join(chrootedPaths, ":")
-
-	return llb.Scratch().File(llb.Mkfile("manifest.sh", 0o700, []byte(`
-#!/usr/bin/env sh
-
-# If the rpm command is in the rootfs then we don't need to do anything
-# If not then this is a distroless image and we need to generate manifests of the installed rpms and cleanup the rpmdb.
-
-PATH="`+chrootedPathEnv+`" command -v rpm && exit 0
-
-set -e
-
-mkdir -p `+mfstDir+`
-
-rpm --dbpath=`+rpmdbDir+` -qa > `+mfst1+`
-rpm --dbpath=`+rpmdbDir+` -qa --qf "%{NAME}\t%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\t%{BUILDTIME}\t%{VENDOR}\t(none)\t%{SIZE}\t%{ARCH}\t%{EPOCHNUM}\t%{SOURCERPM}\n" > `+mfst2+`
-rm -rf `+rpmdbDir+`
-`)), opts...)
-}
-
 func importGPGScript(keyPaths []string) string {
 	// all keys that are included should be mounted under this path
 	keyRoot := "/etc/pki/rpm-gpg"
@@ -133,8 +93,6 @@ func importGPGScript(keyPaths []string) string {
 	return importScript
 }
 
-const manifestSh = "manifest.sh"
-
 func tdnfInstall(cfg *installConfig, relVer string, pkgs []string) llb.RunOption {
 	cmdFlags := tdnfInstallFlags(cfg)
 	// tdnf makecache is needed to ensure that the package metadata is up to date if extra repo
@@ -157,15 +115,6 @@ func tdnfInstall(cfg *installConfig, relVer string, pkgs []string) llb.RunOption
 			llb.SourcePath("/import-keys.sh")))
 	}
 
-	if cfg.manifest {
-		mfstScript := manifestScript(cfg.root, cfg.constraints...)
-
-		manifestPath := filepath.Join("/tmp", manifestSh)
-		runOpts = append(runOpts, llb.AddMount(manifestPath, mfstScript, llb.SourcePath(manifestSh)))
-
-		cmdArgs += "; " + manifestPath
-	}
-
 	runOpts = append(runOpts, dalec.ShArgs(cmdArgs))
 	runOpts = append(runOpts, cfg.mounts...)
 

diff --git a/test/fixtures/moby-runc.yml b/test/fixtures/moby-runc.yml
@@ -42,15 +42,12 @@ x-azl: &azl
     - name: mariner rpm manifest files
       files:
         /var/lib/rpmmanifest/container-manifest-1:
-          contains:
-            - "moby-runc-${VERSION}-"
-            - "libseccomp-"
+          not_exist: true
         /var/lib/rpmmanifest/container-manifest-2:
-          contains:
-            - "moby-runc-${VERSION}-"
-            - "libseccomp-"
-        /var/lib/rpm:
           not_exist: true
+        /var/lib/rpm:
+          is_dir: true
+        /var/lib/rpm/rpmdb.sqlite:
 
 targets: # Distro specific build requirements
   azlinux3: