diff --git a/.github/workflows/alibidetect_tests.yml b/.github/workflows/alibidetect_tests.yml index ee3596e218..8c7a50d2a6 100644 --- a/.github/workflows/alibidetect_tests.yml +++ b/.github/workflows/alibidetect_tests.yml @@ -4,7 +4,8 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] + # TODO revert before merge to master + branches: [ fix/core-1-CVEs ] jobs: lint: diff --git a/.github/workflows/alibiexplainer_tests.yml b/.github/workflows/alibiexplainer_tests.yml index feb32f51a0..a85df74bb0 100644 --- a/.github/workflows/alibiexplainer_tests.yml +++ b/.github/workflows/alibiexplainer_tests.yml @@ -4,7 +4,8 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] + # TODO revert before merge to master + branches: [ fix/core-1-CVEs ] jobs: lint: diff --git a/.github/workflows/python_lint.yml b/.github/workflows/python_lint.yml index 969400acaa..0b2f97c6a8 100644 --- a/.github/workflows/python_lint.yml +++ b/.github/workflows/python_lint.yml @@ -4,7 +4,8 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] + # TODO revert before merge to master + branches: [ fix/core-1-CVEs ] jobs: python-lint: diff --git a/.github/workflows/python_tests.yml b/.github/workflows/python_tests.yml index e10b2e07e2..ca3db15fc3 100644 --- a/.github/workflows/python_tests.yml +++ b/.github/workflows/python_tests.yml @@ -4,7 +4,8 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] + # TODO revert before merge to master + branches: [ fix/core-1-CVEs ] jobs: python-tests: diff --git a/.github/workflows/security_image_tests_v1.yml b/.github/workflows/security_image_tests_v1.yml deleted file mode 100644 index add33bc0bd..0000000000 --- a/.github/workflows/security_image_tests_v1.yml +++ /dev/null 
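Review bot: The `pull_request` filter now lists only `fix/core-1-CVEs`, so if this lands on master as written, pull requests that target master stop triggering this workflow and the lint/test gate disappears for them without any failure being reported. The `# TODO revert before merge to master` comment is the only safeguard. The same edit is made in alibiexplainer_tests.yml, python_lint.yml, python_tests.yml, security_tests_v1.yml, test-executor.yml and test-operator.yml. While the branch is under test, listing both branches keeps the gate in place for master: `branches: [ master, fix/core-1-CVEs ]`.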
@@ -1,112 +0,0 @@ -name: V1 Security docker image tests - -on: - push: - branches: [ master ] - workflow_dispatch: - -jobs: - security-image-executor: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: security-image-executor - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/seldon-core-executor:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor - - security-image-operator: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: security-image-operator - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/seldon-core-operator:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=operator/Dockerfile - - security-image-python-base: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: security-image-python-base - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/seldon-core-s2i-python3:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile - - security-image-python-sklearn: - runs-on: ubuntu-latest - steps: - - name: security-image-python-sklearn - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/sklearnserver:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - security-image-python-mlflow: - runs-on: ubuntu-latest - steps: - - name: security-image-python-mlflow - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/mlflowserver:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - security-image-python-xgboost: - runs-on: ubuntu-latest - steps: - - name: security-image-python-xgboost - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ 
secrets.SNYK_TOKEN }} - with: - image: seldonio/xgboostserver:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - security-image-alibi-explain: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: security-image-alibi-explain - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/alibiexplainer:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-explain-server/Dockerfile - - security-image-alibi-detect: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: security-image-alibi-detect - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/alibi-detect-server:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-detect-server/Dockerfile - - security-image-initializer-rclone: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: security-image-request-logger - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: seldonio/rclone-storage-initializer:1.18.2 - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/rclone-storage-initializer/Dockerfile diff --git a/.github/workflows/security_tests_v1.yml b/.github/workflows/security_tests_v1.yml new file mode 100644 index 0000000000..a9b17cc41c --- /dev/null +++ b/.github/workflows/security_tests_v1.yml 
@@ -0,0 +1,285 @@ +name: V1 Security Tests + +on: + push: + branches: [ master ] + pull_request: + # TODO revert before merge to master + branches: [ fix/core-1-CVEs ] + workflow_dispatch: + +env: + GOLANG_VERSION: 1.20.9 + +jobs: + python: + runs-on: ubuntu-latest + container: snyk/snyk:python-3.8 + steps: + - uses: actions/checkout@v2 + - name: security-python + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: | + pip install -e python/. + snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high + + image-executor: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Generate and set docker image tag + run: | + TAG="executor-test-$(date +%s)-$(openssl rand -hex 4)" + echo "SELDON_EXECUTOR_IMG=$TAG" >> $GITHUB_ENV + echo "Generated tag: SELDON_EXECUTOR_IMG" + - name: Build docker image + working-directory: ./executor/ + env: + VERSION: ${{ steps.docker-tag.outputs.value }} + run: | + make docker-build + - name: Scan docker image for CVEs + uses: snyk/actions/docker@master + continue-on-error: false + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.SELDON_EXECUTOR_IMG }} + args: --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor + + image-operator: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Generate and set docker image tag + run: | + TAG="operator-test-$(date +%s)-$(openssl rand -hex 4)" + echo "SELDON_OPERATOR_IMG=$TAG" >> $GITHUB_ENV + echo "Generated tag: SELDON_OPERATOR_IMG" + - name: Build docker image + working-directory: ./operator/ + env: + VERSION: ${{ steps.docker-tag.outputs.value }} + run: | + make docker-build + - name: Scan docker image for CVEs + uses: snyk/actions/docker@master + continue-on-error: false + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ 
env.SELDON_OPERATOR_IMG }} + args: --app-vulns --severity-threshold=high --file=operator/Dockerfile + + + build-and-scan-python-images: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Generate and set docker Conda image tag + run: | + TAG_CONDA="sec-tests/conda-base-$(date +%s)-$(openssl rand -hex 4)" + echo "CONDA_BASE_IMAGE=$TAG_CONDA" >> $GITHUB_ENV + TAG_PYTHON="sec-tests/python-base-$(date +%s)-$(openssl rand -hex 4)" + echo "PYTHON_BASE_IMAGE=$TAG_PYTHON" >> $GITHUB_ENV + echo "Generated tag: PYTHON_BASE_IMAGE" + - name: Build (Conda Base Image) + working-directory: ./wrappers/s2i/python + run: | + make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test docker-build-conda-base + docker save -o /tmp/conda-image.tar ${{ env.CONDA_BASE_IMAGE}}:test + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: conda-image + path: /tmp/conda-image.tar + - name: Scan Conda image + id: scan-conda + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.CONDA_BASE_IMAGE}}:test + args: --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile.conda + + - name: Build (Base Wrapper) + working-directory: ./wrappers/s2i/python + run: | + make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test IMAGE_NAME=${{ env.PYTHON_BASE_IMAGE}} docker-build PYTHON_VERSION=3.8.10 + docker save -o /tmp/python-base-image.tar ${{ env.PYTHON_BASE_IMAGE}}:test + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: python-base-image + path: /tmp/python-base-image.tar + - name: Scan Python base image + id: scan-python-base + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.PYTHON_BASE_IMAGE}}:test + args: --app-vulns --severity-threshold=high 
--file=wrappers/s2i/python/Dockerfile + + - name: Install CLI tools from OpenShift Mirror + uses: redhat-actions/openshift-tools-installer@v1 + with: + github_pat: ${{ github.token }} + source: "github" + s2i: "latest" + + - name: Build (sklearn) + id: build-sklearn + continue-on-error: true + working-directory: ./servers/sklearnserver + run: | + export SKLEARN_IMAGE_TAG="sec-tests/sklearn-$(date +%s)-$(openssl rand -hex 4)" + echo "SKLEARN_IMAGE_TAG=$SKLEARN_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE_NAME=$SKLEARN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build + - name: Scan sklearn + id: scan-sklearn + if: steps.build-sklearn.outcome == 'success' + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.SKLEARN_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + - name: Clean up Docker image + if: always() + run: docker rmi ${{ env.SKLEARN_IMAGE_TAG}}:test + + - name: Build (mlflow) + id: build-mlflow + continue-on-error: true + working-directory: ./servers/mlflowserver + run: | + export MLFLOW_IMAGE_TAG="sec-tests/mlflow-$(date +%s)-$(openssl rand -hex 4)" + echo "MLFLOW_IMAGE_TAG=$MLFLOW_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE_NAME=$MLFLOW_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build + - name: Scan mlflow + id: scan-mlflow + if: steps.build-mlflow.outcome == 'success' + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.MLFLOW_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + + - name: Clean up Docker image + if: always() + run: docker rmi ${{ env.MLFLOW_IMAGE_TAG}}:test + + - name: Build (xgboost) + id: build-xgboost + continue-on-error: true + working-directory: ./servers/xgboostserver + run: | + export XGBOOST_IMAGE_TAG="sec-tests/xgbost-$(date +%s)-$(openssl rand -hex 
4)" + echo "XGBOOST_IMAGE_TAG=$XGBOOST_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE_NAME=$XGBOOST_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build + - name: Scan xgboost + id: scan-xgboost + if: steps.build-xgboost.outcome == 'success' + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.XGBOOST_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + - name: Clean up Docker image + if: always() + run: docker rmi ${{ env.XGBOOST_IMAGE_TAG}}:test + + - name: Build (alibi explain) + id: build-alibi-explain + continue-on-error: true + working-directory: ./components/alibi-explain-server + run: | + export ALIBI_EXPLAIN_IMAGE_TAG="sec-tests/alibi-explain-$(date +%s)-$(openssl rand -hex 4)" + echo "ALIBI_EXPLAIN_IMAGE_TAG=$ALIBI_EXPLAIN_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE=$ALIBI_EXPLAIN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build + - name: Scan alibi explain + id: scan-alibi-explain + if: steps.build-alibi-explain.outcome == 'success' + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-explain-server/Dockerfile + + + - name: Clean up Docker image + if: always() + run: docker rmi ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test + + + - name: Check for image scan failures + if: always() + run: | + if [ "${{ steps.scan-alibi-explain.outcome }}" != "success" ] || \ + [ "${{ steps.scan-xgboost.outcome }}" != "success" ] || \ + [ "${{ steps.scan-sklearn.outcome }}" != "success" ] || \ + [ "${{ steps.scan-python-base.outcome }}" != "success" ] || \ + [ "${{ steps.scan-conda.outcome }}" != "success" ] || \ + [ "${{ steps.scan-mlflow.outcome }}" != "success" ]; then + echo "One or more docker image scans did not succeed" + 
exit 1 + fi + +# TODO had to comment out due to GH runner out of disk space, image can be built locally if needed, or may have to use +# own runner +# - name: Build (alibi detect) +# id: build-alibi-detect +# continue-on-error: true +# working-directory: ./components/alibi-detect-server +# run: | +# export ALIBI_DETECT_IMAGE_TAG="sec-tests/alibi-detect-$(date +%s)-$(openssl rand -hex 4)" +# echo "ALIBI_DETECT_IMAGE_TAG=$ALIBI_DETECT_IMAGE_TAG" >> $GITHUB_ENV +# make IMAGE=$ALIBI_DETECT_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build +# - name: Scan alibi detect +# if: steps.build-alibi-detect.outcome == 'success' +# uses: snyk/actions/docker@master +# continue-on-error: true +# env: +# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +# with: +# image: ${{ env.ALIBI_DETECT_IMAGE_TAG}}:test +# args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-detect-server/Dockerfile + + security-image-initializer-rclone: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build (rclone initializer) + working-directory: ./components/rclone-storage-initializer + run: | + export RCLONE_IMAGE_TAG="sec-tests.io/rclone-$(date +%s)-$(openssl rand -hex 4):test" + echo "RCLONE_IMAGE_TAG=$RCLONE_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE_TAG=$RCLONE_IMAGE_TAG docker-build + - name: Scan rclone + uses: snyk/actions/docker@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.RCLONE_IMAGE_TAG }} + args: --app-vulns --severity-threshold=high --file=components/rclone-storage-initializer/Dockerfile diff --git a/.github/workflows/test-executor.yml b/.github/workflows/test-executor.yml index 6ad93f27cf..8feb26374d 100644 --- a/.github/workflows/test-executor.yml +++ b/.github/workflows/test-executor.yml @@ -5,7 +5,8 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] + # TODO revert before merge to master + branches: [fix/core-1-CVEs] workflow_dispatch: 
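Review bot: Every scan step runs `snyk/actions/docker@master` with `SNYK_TOKEN` in its environment, so whatever that action's master branch holds at run time executes with the secret. Pinning to a full commit SHA, `uses: snyk/actions/docker@<full-commit-sha>`, removes the moving target; `s2i: "latest"` in the openshift-tools-installer step and the `snyk/snyk:python-3.8` container tag float in the same way. In the `python` job the token is set for the whole step, so `pip install -e python/.` runs the checked-out setup.py with `SNYK_TOKEN` in scope; moving the install into its own step without `env:` limits the token to `snyk test`. `VERSION: ${{ steps.docker-tag.outputs.value }}` in image-executor and image-operator refers to a step id that no visible step declares, so it presumably expands to an empty string, and `echo "Generated tag: SELDON_EXECUTOR_IMG"` prints the variable name rather than its value. With the alibi-detect build commented out and security_image_tests_v1.yml deleted, that image is not scanned by any workflow in this change, and the file declares no `permissions:` block (`permissions: contents: read` looks sufficient for the steps shown).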
diff --git a/.github/workflows/test-operator.yml b/.github/workflows/test-operator.yml index 0d265a110f..a0b207a860 100644 --- a/.github/workflows/test-operator.yml +++ b/.github/workflows/test-operator.yml @@ -5,7 +5,8 @@ on: push: branches: [master] pull_request: - branches: [master] + # TODO revert before merge to master + branches: [fix/core-1-CVEs] workflow_dispatch: diff --git a/components/alibi-detect-server/Dockerfile b/components/alibi-detect-server/Dockerfile index 2dd3889453..a379d9033f 100644 --- a/components/alibi-detect-server/Dockerfile +++ b/components/alibi-detect-server/Dockerfile @@ -12,6 +12,8 @@ LABEL name="Seldon Alibi Detect Server" \ FROM base as builder +USER root + RUN microdnf update -y && \ microdnf install -y \ unzip \ @@ -51,7 +53,7 @@ ENV POETRY_VIRTUALENVS_CREATE false ## dependencies causing false positives in Snyk. COPY poetry.lock pyproject.toml ./ COPY _seldon_core ./_seldon_core -RUN poetry install && \ +RUN poetry install --no-dev && \ rm ~/.cache/pip -rf && \ rm -f /opt/conda/lib/python3.8/site-packages/gslib/vendored/boto/requirements.txt \ /opt/conda/lib/python3.8/site-packages/gslib/vendored/oauth2client/docs/requirements.txt \ @@ -59,7 +61,7 @@ RUN poetry install && \ # Add licences RUN mkdir /licenses -RUN mkdir ./licenses && pip-licenses --from=mixed --format=csv --output-file=./licenses/license_info.csv && \ +RUN mkdir ./licenses && pip install pip-licenses && pip-licenses --from=mixed --format=csv --output-file=./licenses/license_info.csv && \ pip-licenses --from=mixed --format=plain-vertical --with-license-file --no-license-path --output-file=./licenses/license.txt RUN cp ./licenses/* /licenses 
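Review bot: `pip install pip-licenses` in the licences `RUN` installs whatever release is current at build time, outside the versions locked in poetry.lock. That makes the builder stage non-reproducible and lets an unreviewed release into the build. Pin it, e.g. `pip install pip-licenses==<version>`, or keep it in a Poetry group that is installed only for this step. In the preceding hunk, `--no-dev` is the older spelling; newer Poetry releases prefer `--only main` or `--without dev`, so check it against the Poetry version this image installs, which is not visible here.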
@@ -71,12 +73,14 @@ COPY version.txt version.txt FROM base as final WORKDIR /microservice +USER root + ENV RCLONE_CONFIG_GS_TYPE="google cloud storage" \ RCLONE_CONFIG_GS_ANONYMOUS="true" \ DRIFT_ARTIFACTS_DIR="/mnt/artifacts/" # mesa-libGL: this is to avoid "ImportError: libGL.so.1" from opencv -RUN microdnf install -y mesa-libGL +RUN microdnf clean all && microdnf install -y mesa-libGL RUN microdnf update -y COPY --from=builder /microservice /microservice @@ -86,7 +90,7 @@ COPY --from=builder /licenses /licenses # This is to have writable numba and keops cache directories ENV NUMBA_CACHE_DIR /tmp/numba-cache -RUN mkdir /.cache && \ +RUN mkdir -p /.cache && \ chown -R 8888:0 /.cache && \ chmod -R 776 /.cache diff --git a/components/alibi-explain-server/Dockerfile b/components/alibi-explain-server/Dockerfile index 724567fe7c..54891475d2 100644 --- a/components/alibi-explain-server/Dockerfile +++ b/components/alibi-explain-server/Dockerfile @@ -12,6 +12,8 @@ LABEL name="Seldon Alibi Wrapper" \ FROM base as builder +USER root + # Install Python / Conda RUN microdnf update -y && \ pip install --upgrade pip setuptools wheel && \ diff --git a/components/rclone-storage-initializer/Dockerfile b/components/rclone-storage-initializer/Dockerfile index 1c8ac24cf3..615fb94adc 100644 --- a/components/rclone-storage-initializer/Dockerfile +++ b/components/rclone-storage-initializer/Dockerfile @@ -1,4 +1,4 @@ -FROM rclone/rclone:1.64.2 as builder +FROM rclone/rclone:1.71.2 as builder RUN mkdir /licenses && wget -O /licenses/license.txt https://raw.githubusercontent.com/rclone/rclone/master/COPYING diff --git a/components/rclone-storage-initializer/Makefile b/components/rclone-storage-initializer/Makefile index bf0b94fb15..33a50e3802 100644 --- a/components/rclone-storage-initializer/Makefile +++ b/components/rclone-storage-initializer/Makefile 
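Review bot: `USER root` is added to the `final` stage and nothing in this hunk or the next one switches back, so the server image will run as root unless a later `USER` instruction outside the hunk restores an unprivileged account. The `chown -R 8888:0 /.cache` line suggests UID 8888 is the intended runtime user; add `USER 8888` after the root-only steps, or confirm it already exists further down the file. Separately, `RUN microdnf update -y` sits in its own layer with no cleanup after it; `RUN microdnf update -y && microdnf install -y mesa-libGL && microdnf clean all` would keep package caches out of the image.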
@@ -5,8 +5,10 @@ VERSION ?= $(shell cat ../../version.txt) DOCKER_REGISTRY ?= seldonio KIND_NAME ?= kind +IMAGE_TAG = ${DOCKER_REGISTRY}/${IMAGE}:${VERSION} + docker-build: - docker build --file=Dockerfile --force-rm=true -t ${DOCKER_REGISTRY}/${IMAGE}:${VERSION} . + docker build --file=Dockerfile --force-rm=true -t ${IMAGE_TAG} . docker-push: docker push ${DOCKER_REGISTRY}/${IMAGE}:${VERSION} diff --git a/executor/Dockerfile.executor b/executor/Dockerfile.executor index edece35595..8d4674cc17 100644 --- a/executor/Dockerfile.executor +++ b/executor/Dockerfile.executor @@ -54,7 +54,7 @@ COPY api/rest/openapi/ /openapi/ RUN chmod -R 666 /openapi/ \ && chmod 777 /openapi/open-inference -FROM registry.access.redhat.com/ubi9/ubi-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 WORKDIR / COPY --from=builder /workspace/executor . diff --git a/executor/Makefile b/executor/Makefile index 5c8673ea0e..cfb18225a1 100644 --- a/executor/Makefile +++ b/executor/Makefile @@ -5,7 +5,7 @@ VERSION ?= $(shell cat ../version.txt) DOCKER_REGISTRY ?= seldonio IMAGE_NAME_BASE=seldon-core-executor -IMG ?= ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE}:${VERSION} +SELDON_EXECUTOR_IMG ?= ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE}:${VERSION} KIND_NAME ?= kind @@ -92,10 +92,10 @@ copy_openapi_resources: # Build the docker image docker-build: copy_operator copy_openapi_resources - docker build -f Dockerfile.executor -t ${IMG} . + docker build -f Dockerfile.executor -t ${SELDON_EXECUTOR_IMG} . docker-push: - docker push ${IMG} + docker push ${SELDON_EXECUTOR_IMG} # Red Hat Related 
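Review bot: `docker-build` now tags with `${IMAGE_TAG}` but `docker-push` still pushes `${DOCKER_REGISTRY}/${IMAGE}:${VERSION}`, so when `IMAGE_TAG` is overridden (as the new workflow does with `make IMAGE_TAG=...`) the two targets refer to different images. Use the same variable in both targets: `docker push ${IMAGE_TAG}`. Declaring it as `IMAGE_TAG ?= ${DOCKER_REGISTRY}/${IMAGE}:${VERSION}` would also match the `?=` style of the surrounding variables and allow an override from the environment.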
@@ -103,16 +103,16 @@ docker-push: # password can be found at: https://connect.redhat.com/projects/5e9b34726c2dde3913c2bb65/overview project=5e9b34726c2dde3913c2bb65 redhat-image-scan: - docker pull ${IMG} + docker pull ${SELDON_EXECUTOR_IMG} source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \ echo $${rh_password_executor} | docker login -u redhat-isv-containers+${project}-robot quay.io --password-stdin - docker tag ${IMG} quay.io/redhat-isv-containers/${project}:${VERSION} + docker tag ${SELDON_EXECUTOR_IMG} quay.io/redhat-isv-containers/${project}:${VERSION} docker push quay.io/redhat-isv-containers/${project}:${VERSION} source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \ preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit kind-image-install: docker-build - kind load -v 3 docker-image ${IMG} --name ${KIND_NAME} + kind load -v 3 docker-image ${SELDON_EXECUTOR_IMG} --name ${KIND_NAME} .PHONY: clean diff --git a/operator/Dockerfile b/operator/Dockerfile index b8b8d9514d..15957c77b6 100644 --- a/operator/Dockerfile +++ b/operator/Dockerfile @@ -45,7 +45,7 @@ RUN wget -O mitchellh-cli.tar.gz https://github.com/mitchellh/cli/archive/master RUN wget -O mitchellh-gox.tar.gz https://github.com/mitchellh/gox/archive/master.tar.gz RUN wget -O mozilla-tls-observatory.tar.gz https://github.com/mozilla/tls-observatory/archive/master.tar.gz -FROM registry.access.redhat.com/ubi9/ubi-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 WORKDIR / COPY --from=builder /workspace/manager . diff --git a/operator/Makefile b/operator/Makefile index d7db42ff93..0cf6dba3e6 100644 --- a/operator/Makefile +++ b/operator/Makefile 
@@ -5,7 +5,7 @@ VERSION ?= $(shell cat ../version.txt) DOCKER_REGISTRY ?= seldonio IMAGE_NAME_BASE=seldon-core-operator -IMG ?= ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE}:${VERSION} +SELDON_OPERATOR_IMG ?= ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE}:${VERSION} SUPPORTED_K8S_VERSIONS := 1.23 1.24 1.25 1.26 1.27 1.28 1.29 1.30 1.31 1.32 1.33 KIND_NAME ?= kind @@ -26,7 +26,7 @@ endif .PHONY:show_image show_image: - echo ${IMG} + echo ${SELDON_OPERATOR_IMG} all: manager 
@@ -93,51 +93,51 @@ uninstall: manifests # Deploy controller in the configured Kubernetes cluster in ~/.kube/config deploy: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/default | kubectl apply -f - --force-conflicts=true --server-side=true undeploy: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/default | kubectl delete -f - undeploy-namespaced1: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/namespaced1 | kubectl delete -f - undeploy-namespaced2: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/namespaced2 | kubectl delete -f - undeploy-controllerid: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/controllerid | kubectl delete -f - undeploy-lite: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/lite | kubectl delete -f - deploy-local: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/local | kubectl apply -f - deploy-namespaced1: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool 
kustomize build config/namespaced1 | kubectl apply -f - deploy-namespaced2: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/namespaced2 | kubectl apply -f - deploy-controllerid: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/controllerid | kubectl apply -f - deploy-cert: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/cert | kubectl apply -f - deploy-lite: manifests - cd config/manager && kustomize edit set image controller=${IMG} + cd config/manager && kustomize edit set image controller=${SELDON_OPERATOR_IMG} go tool kustomize build config/lite | kubectl apply -f - @@ -172,14 +172,14 @@ create-client: test # Build the docker image docker-build: generate-resources - docker build . -t ${IMG} + docker build . -t ${SELDON_OPERATOR_IMG} docker-push: - docker push ${IMG} + docker push ${SELDON_OPERATOR_IMG} # Installing Images in Kind CLusters kind-image-install: docker-build - kind load -v 3 docker-image ${IMG} --name ${KIND_NAME} + kind load -v 3 docker-image ${SELDON_OPERATOR_IMG} --name ${KIND_NAME} # find or download controller-gn # download controller-gen if necessary 
@@ -352,10 +352,10 @@ update_openshift_certified: create_certified_bundle_image push_certified_bundle_ # password can be found at: https://connect.redhat.com/projects/5e6352370307ea9e345f6084/overview project=5e6352370307ea9e345f6084 redhat-image-scan: - docker pull ${IMG} + docker pull ${SELDON_OPERATOR_IMG} source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \ echo $${rh_password_operator} | docker login -u redhat-isv-containers+${project}-robot quay.io --password-stdin - docker tag ${IMG} quay.io/redhat-isv-containers/${project}:${VERSION} + docker tag ${SELDON_OPERATOR_IMG} quay.io/redhat-isv-containers/${project}:${VERSION} docker push quay.io/redhat-isv-containers/${project}:${VERSION} source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \ preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit diff --git a/servers/mlflowserver/Makefile b/servers/mlflowserver/Makefile index d51c734b6a..15fb44dc1e 100644 --- a/servers/mlflowserver/Makefile +++ b/servers/mlflowserver/Makefile @@ -7,11 +7,13 @@ IMAGE_NAME_BASE = mlflowserver IMAGE_NAME = ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE} KIND_NAME ?= kind +BASE_IMAGE = ${DOCKER_REGISTRY}/seldon-core-s2i-python38:${VERSION} + docker-build: s2i build \ -E environment \ ./mlflowserver \ - ${DOCKER_REGISTRY}/seldon-core-s2i-python38:${VERSION} \ + ${BASE_IMAGE} \ ${IMAGE_NAME}:${VERSION} docker-push: diff --git a/servers/sklearnserver/Makefile b/servers/sklearnserver/Makefile index f27b3ac92e..764205a892 100644 --- a/servers/sklearnserver/Makefile +++ b/servers/sklearnserver/Makefile 
@@ -7,11 +7,13 @@ IMAGE_NAME_BASE = sklearnserver IMAGE_NAME = ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE} KIND_NAME ?= kind +BASE_IMAGE = ${DOCKER_REGISTRY}/seldon-core-s2i-python38:${VERSION} + docker-build: s2i build \ -E environment \ ./sklearnserver \ - ${DOCKER_REGISTRY}/seldon-core-s2i-python38:${VERSION} \ + ${BASE_IMAGE} \ ${IMAGE_NAME}:${VERSION} docker-push: diff --git a/servers/xgboostserver/Makefile b/servers/xgboostserver/Makefile index 7bfbac9263..2d4c02c836 100644 --- a/servers/xgboostserver/Makefile +++ b/servers/xgboostserver/Makefile @@ -7,11 +7,13 @@ IMAGE_NAME_BASE=xgboostserver IMAGE_NAME = ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE} KIND_NAME ?= kind +BASE_IMAGE = ${DOCKER_REGISTRY}/seldon-core-s2i-python38:${VERSION} + docker-build: s2i build \ -E environment \ ./xgboostserver \ - ${DOCKER_REGISTRY}/seldon-core-s2i-python38:${VERSION} \ + ${BASE_IMAGE} \ ${IMAGE_NAME}:${VERSION} docker-push: diff --git a/wrappers/s2i/python/Dockerfile.conda b/wrappers/s2i/python/Dockerfile.conda index 9fce8466f0..e337c8285d 100644 --- a/wrappers/s2i/python/Dockerfile.conda +++ b/wrappers/s2i/python/Dockerfile.conda @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 ENV PATH /opt/conda/bin:$PATH