From a1bb4b0cc659bcac2c8c5b5daa211387af0e170d Mon Sep 17 00:00:00 2001
From: Md Azam
Date: Thu, 7 Dec 2023 10:19:54 -0400
Subject: [PATCH] Replace docker with podman since it is still free to use (#1625)
---
 .../ibm_cloud_pak_for_security/README.md | 10 +++--
 .../ibm_cloud_pak_for_security/_build.sh | 37 +++++++++++--------
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/deployment/ibm_cloud_pak_for_security/README.md b/deployment/ibm_cloud_pak_for_security/README.md
index e32acced9..e2691f604 100644
--- a/deployment/ibm_cloud_pak_for_security/README.md
+++ b/deployment/ibm_cloud_pak_for_security/README.md
@@ -1,12 +1,12 @@
 # Build and deploy connector images into IBM Cloud Pak for Security (CP4S)
-The scripts contained here allow you to build an image of a new or existing connector, and deploy that image into your Kubernetes cluster on your CP4S environment. The are also options for deploying an existing image from a Docker registry and for building an image locally so that you may publish it to a registry of your choice.
+The scripts contained here allow you to build an image of a new or existing connector, and deploy that image into your Kubernetes cluster on your CP4S environment. The are also options for deploying an existing image from a Public registry such as docker hub and for building an image locally so that you may publish it to a registry of your choice.
 The `deploy` script automatically:
 1. Installs the required Python libraries.
 2. [Packages the desired stix-shifter module](https://github.com/opencybersecurityalliance/stix-shifter/blob/master/adapter-guide/develop-stix-adapter.md#Packaging-individual-connectors) into a wheel file.
-3. Builds a Docker image from that wheel file.
+3. Builds a container image from that wheel file.
 4. Signs the image if a certificate is present.
 5. Deploys the image into your cluster.
@@ -14,7 +14,7 @@ The `deploy` script automatically:
 The following needs to be installed on your local machine:
 * Python 3
-* Docker
+* Podman (Other Container manangement tool can be used such as Docker)
 * OpenShift CLI (`oc`)
 * Kubernetes CLI (`kubectl`)
 * OpenSSL (`openssl`)
@@ -34,6 +34,10 @@ Since the primary use-case for these scripts is to install a new or updated conn
 `cloudctl login -a -u -p -n `
+ OR
+
+ `oc login -u --server=`
+
 Note: there is a known issue when logged in as `kubeadmin` user via oc command, `oc login -u kubeadmin`
 9. Run the deployment script based on one of the following scenarios:
diff --git a/deployment/ibm_cloud_pak_for_security/_build.sh b/deployment/ibm_cloud_pak_for_security/_build.sh
index 8b791ec46..ea2f23114 100755
--- a/deployment/ibm_cloud_pak_for_security/_build.sh
+++ b/deployment/ibm_cloud_pak_for_security/_build.sh
@@ -16,9 +16,9 @@ NAMESPACE="$2"
 validate_cmd openssl
 validate_cmd python3
 validate_cmd pip3
-validate_cmd docker
-echo -n "Checking if it is possible to execute docker command.."
-docker ps > /dev/null
+validate_cmd podman
+echo -n "Checking if it is possible to execute podman command.."
+podman ps > /dev/null
 if [ $? -eq 0 ]; then
 echo "Ok"
 else
@@ -93,7 +93,7 @@ echo $REPOSITORY
-REPOSITORY_CERT_DIR=/etc/docker/certs.d/$REPOSITORY/
+REPOSITORY_CERT_DIR=/etc/containers/certs.d/$REPOSITORY/
 REPOSITORY_CERT_FILE=${REPOSITORY_CERT_DIR}/ca.crt
 REPOSITORY_CERT_TMP=ca.crt.tmp
@@ -127,15 +127,15 @@ if [ ! -f "$REPOSITORY_CERT_FILE" ]; then
 sudo cp $REPOSITORY_CERT_TMP $REPOSITORY_CERT_FILE
 rm -rf $REPOSITORY_CERT_TMP | true
 if [[ "$OSTYPE" == "darwin"* ]]; then
- echo -n "Adding certificate to docker VM... "
+ echo -n "Adding certificate to podman VM... "
 sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $REPOSITORY_CERT_FILE
 echo 'Ok'
- echo -n "Restarting docker... "
- killall Docker && open /Applications/Docker.app
+ echo -n "Restarting podman... "
+ killall Podman\ Desktop && open /Applications/Podman\ Desktop.app
 sleep 60
 echo 'Ok'
- echo -n "Checking docker.."
- docker ps > /dev/null
+ echo -n "Checking podman.."
+ podman ps > /dev/null
 if [ $? -eq 0 ]; then
 echo "Ok"
 else
@@ -164,13 +164,13 @@ if [ -z "${IMAGE_URL}" ]; then
 fi
 fi
-DOCKER_USER=`oc whoami`
-echo "Logging in into internal registry $REPOSITORY as $DOCKER_USER ..."
-docker login -u $DOCKER_USER -p `oc whoami -t` $REPOSITORY
+REGISTRY_USER=`oc whoami`
+echo "Logging in into internal registry $REPOSITORY as $REGISTRY_USER ..."
+podman login -u $REGISTRY_USER -p `oc whoami -t` $REPOSITORY
 if [ ! -z "${IMAGE_URL}" ]; then
 echo "Pulling ${IMAGE_URL}"
- docker pull ${IMAGE_URL}
+ podman pull ${IMAGE_URL}
 IMAGE_LOCAL_URL=${IMAGE_URL}
 IMAGE_PUSH_URL=${REPOSITORY}/${NAMESPACE}/${FILE_PREFIX}${PROJECT_NAME_WITHOUT_DASH}:${TAG}
 # exit 0
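Review bot: The macOS branch in the `@@ -127,15` hunk still follows the Docker Desktop recovery path, and it is not clear that it makes the registry CA trusted by podman. On macOS the registry TLS connection is made from inside the `podman machine` VM, which as far as I can tell reads neither the host System keychain nor the host-side `/etc/containers/certs.d/$REPOSITORY/` directory set in the `@@ -93,7` hunk, and `killall Podman\ Desktop` only restarts the GUI, and only when Podman Desktop is installed and running. The `podman ps` check that follows passes either way, so the first visible symptom would be the certificate error at push time. Consider installing the CA inside the machine and restarting it with `podman machine stop && podman machine start`, and confirm the behaviour on a Mac before merging. The enclosing `if [ ! -f "$REPOSITORY_CERT_FILE" ]` block starts and ends outside this hunk.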
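Review bot: The `podman login` line in the `@@ -164,13` hunk passes the OpenShift bearer token from `oc whoami -t` through `-p`, so it appears in the process list and in any `set -x` trace while the command runs. Feed it on stdin instead: `oc whoami -t | podman login -u "$REGISTRY_USER" --password-stdin "$REPOSITORY"`. The same hunk leaves the expansion unquoted in `podman pull ${IMAGE_URL}`; the value appears to come from the caller, so write `podman pull "${IMAGE_URL}"`.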
@@ -178,16 +178,21 @@ else
 IMAGE_LOCAL_URL=${FILE_PREFIX}${PROJECT_NAME_WITHOUT_DASH}:${TAG}
 IMAGE_PUSH_URL=${REPOSITORY}/${NAMESPACE}/${IMAGE_LOCAL_URL}
 echo "Building image..."
- docker build --no-cache -t ${IMAGE_LOCAL_URL} --build-arg APP=${FILENAME%.whl} --build-arg VERSION=${PROJECT_VERSION} . --platform linux/amd64
+ podman build --no-cache -t ${IMAGE_LOCAL_URL} --build-arg APP=${FILENAME%.whl} --build-arg VERSION=${PROJECT_VERSION} . --platform linux/amd64
 fi
+# Change the registry URL if you use a different image registry
 IMAGE_POD_URL=image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${FILE_PREFIX}${PROJECT_NAME_WITHOUT_DASH}:${TAG}
 echo "retagging image... ${IMAGE_LOCAL_URL} > ${IMAGE_PUSH_URL}"
-docker tag ${IMAGE_LOCAL_URL} ${IMAGE_PUSH_URL}
+podman tag ${IMAGE_LOCAL_URL} ${IMAGE_PUSH_URL}
 echo "Pushing image..."
-docker push ${IMAGE_PUSH_URL}
+
+# "tls: failed to verify certificate" exception may occur while pusing the image
+# To resolve, Use `--tls-verify=false` if you use internal trusted registry
+# Otherwise, make sure the TLS verification is done.
+podman push ${IMAGE_PUSH_URL}
 CR_FILENAME=udi-${PROJECT_NAME}-NEW.yaml
 BACKUP_FOLDER=backup_${TIMESTAMP}
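Review bot: The comment added above `podman push` offers `--tls-verify=false` as the fix for a certificate error, which would send the registry token from the earlier login and the image itself over a connection whose peer is not authenticated; a registry being internal does not make the network path to it trusted. The script already installs the registry CA under `$REPOSITORY_CERT_DIR`, so the comment should point there instead, for example `# If push fails with "tls: failed to verify certificate", check that the registry CA is in $REPOSITORY_CERT_DIR (or pass --cert-dir); do not disable TLS verification.` "pusing" in the first comment line should read "pushing".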