Move base image to new heredoc format (#780)

* Move base image to new heredoc format

There are no functional changes

* Hadolint

* Hadolint

* Update stackable-base/Dockerfile

Co-authored-by: Razvan-Daniel Mihai <[email protected]>

---------

Co-authored-by: Razvan-Daniel Mihai <[email protected]>

Author: lfrancke

.hadolint.yaml

@@ -25,6 +25,11 @@ ignored:
   # Reason: We inherit the SHELL from our base image and that sets it
   - DL4006
 
+  # Not following: File not included in mock.
+  # https://www.shellcheck.net/wiki/SC1091
+  # Reason: I've yet to see this being useful, where this happens we usually have no way to actually provide the file
+  - SC1091
+
   # Use cd ... || exit in case cd fails.
   # https://github.com/koalaman/shellcheck/wiki/SC2164
   # Reason: Ignoring because we inherit SHELL from the base image which contains "-e" for bash

stackable-base/Dockerfile

@@ -9,21 +9,25 @@ ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.79.0
 ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 
-RUN microdnf update --assumeyes && \
-    microdnf --assumeyes install \
-    # Needed to fetch source
-    git \
-    # Needed for compilation
-    gcc && \
-    microdnf clean all
-
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION && \
-    . "$HOME/.cargo/env" && cargo install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
-
-RUN git clone --depth 1 --branch ${CONFIG_UTILS_VERSION} https://github.com/stackabletech/config-utils
-RUN cd ./config-utils && \
-    . $HOME/.cargo/env && \
-    cargo auditable build --release && cargo cyclonedx --output-pattern package --all --output-cdx
+RUN <<EOF
+microdnf update --assumeyes
+
+# git: Needed to fetch source
+# gcc: Needed for compilation
+microdnf --assumeyes install \
+  gcc \
+  git
+microdnf clean all
+rm -rf /var/cache/yum
+
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
+. "$HOME/.cargo/env" && cargo install cargo-cyclonedx@"$CARGO_CYCLONEDX_CRATE_VERSION" cargo-auditable@"$CARGO_AUDITABLE_CRATE_VERSION"
+
+git clone --depth 1 --branch "${CONFIG_UTILS_VERSION}" https://github.com/stackabletech/config-utils
+cd ./config-utils
+. "$HOME/.cargo/env"
+cargo auditable build --release && cargo cyclonedx --output-pattern package --all --output-cdx
+EOF
 
 # Manifest list digest because of multi architecture builds ( https://www.redhat.com/architect/pull-container-image#:~:text=A%20manifest%20list%20exists%20to,system%20on%20a%20specific%20architecture )
 FROM registry.access.redhat.com/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS final
@@ -49,63 +53,86 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 # https://github.com/stackabletech/docker-images/pull/533
 COPY stackable-base/stackable/dnf.conf /etc/dnf/dnf.conf
 
-RUN microdnf update --assumeyes && \
-    microdnf --assumeyes install \
-      # To make debugging easier, includes things like ping \
-      # Added 2024-03: We cannot find any vulnerabilities in the past years \
-      # https://github.com/iputils/iputils \
-      iputils \
-      # To make debugging easier \
-      # Added 2024-03: less has seen three vulnerabilities between 2004 and 2022 which is a risk we're willing to accept for the added convenience \
-      # https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Agnu&cpe_product=cpe%3A%2F%3A%3Aless \
-      # cpe:2.3:a:gnu:less:*:*:*:*:*:*:*:*
-      less \
-      # To make debugging and changing things easier \
-      # Added 2024-03: We checked and it has not seen any vulnerabilities since 2010 (as of 2024-03) we decided to accept it into our base image \
-      # https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=cpe%3A2.3%3Aa%3Agnu%3Anano&search_type=all&isCpeNameSearch=false
-      # cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*:*
-      nano \
-      # To enable kubectl cp \
-      # Added 2024-03: We checked and it has seen eight vulnerabilities since 2001, mostly minor and it's not in executable path so we decided to accept the risk \
-      # https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agnu%3Atar%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*
-      # cpe:2.3:a:gnu:tar:-:*:*:*:*:*:*:* \
-      tar \
-      # Added only temporarily, removed again below
-      shadow-utils && \
-    groupadd --gid 1000 --system stackable && \
-    useradd --gid stackable --uid 1000 --system stackable -d /stackable && \
-    mkdir /stackable && \
-    chown stackable:stackable /stackable && \
-    microdnf remove shadow-utils && \
-    microdnf clean all && \
-    echo "alias ll='ls -alF --color=auto'" >> /stackable/.bashrc && \
-    echo "alias ls='ls --color=auto'" >> /stackable/.bashrc && \
-    echo "alias ..='cd ..'" >> /stackable/.bashrc && \
-    echo "export PS1='\u@\[\e[36m\]\H\[\e[m\] \[\e[32m\]\$(pwd)\[\e[m\] \\$ '" >> /stackable/.bashrc && \
-    echo -e "if [ -f ~/.bashrc ]; then\n\tsource ~/.bashrc\nfi" >> /stackable/.profile && \
-    chown stackable:stackable /stackable/.bashrc && \
-    chown stackable:stackable /stackable/.profile
+
+# echo won't expand escape sequences. Consider printf.
+# https://github.com/koalaman/shellcheck/wiki/SC2028
+# Reason: This is complaining about the complicated PS1 statement.
+# It seems to work as intended so I'm not going to touch it!
+# hadolint ignore=SC2028
+RUN <<EOF
+microdnf update
+
+# **iputils**
+# To make debugging easier, includes things like ping
+# Added 2024-03: We cannot find any vulnerabilities in the past years
+# https://github.com/iputils/iputils
+#
+# **less**
+# To make debugging easier
+# Added 2024-03: less has seen three vulnerabilities between 2004 and 2022 which is a risk we're willing to accept for the added convenience
+# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Agnu&cpe_product=cpe%3A%2F%3A%3Aless
+# cpe:2.3:a:gnu:less:*:*:*:*:*:*:*:*
+#
+# **nano**
+# To make debugging and changing things easier
+# Added 2024-03: We checked and it has not seen any vulnerabilities since 2010 (as of 2024-03) we decided to accept it into our base image
+# https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=cpe%3A2.3%3Aa%3Agnu%3Anano&search_type=all&isCpeNameSearch=false
+# cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*:*
+#
+# **tar**
+# To enable kubectl cp
+# Added 2024-03: We checked and it has seen eight vulnerabilities since 2001, mostly minor and it's not in executable path so we decided to accept the risk
+# https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agnu%3Atar%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*
+# cpe:2.3:a:gnu:tar:-:*:*:*:*:*:*:*
+microdnf install \
+  iputils \
+  less \
+  nano \
+  tar
+
+# Added only temporarily to create the user and group, removed again below
+microdnf install shadow-utils
+groupadd --gid 1000 --system stackable
+useradd --gid stackable --uid 1000 --system stackable -d /stackable
+
+mkdir /stackable
+chown stackable:stackable /stackable
+microdnf remove shadow-utils
+microdnf clean all
+
+{
+  echo "alias ll='ls -alF --color=auto'"
+  echo "alias ls='ls --color=auto'"
+  echo "alias ..='cd ..'"
+  echo "export PS1='\u@\[\e[36m\]\H\[\e[m\] \[\e[32m\]\$(pwd)\[\e[m\] \\$ '"
+} >> /stackable/.bashrc
+
+echo -e "if [ -f ~/.bashrc ]; then\n\tsource ~/.bashrc\nfi" >> /stackable/.profile
+
+chown stackable:stackable /stackable/.bashrc
+chown stackable:stackable /stackable/.profile
 
 # CVE-2023-37920: Remove "e-Tugra" root certificates
 # e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems
 # The package ca-certificates 2023.07.22 fixes the problem, until ubi9-minimal updates to it, we should remove them
 # manually.
-
-RUN if [ "$(rpm -qa ca-certificates)" != "ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch" ]; then \
-    echo "The ca-certificates package was updated. Please check if the e-Tugra root certificates are present. \
-When they have been removed, manually blacklisting them should be removed" && \
-    echo "Let me help you by running trust list --filter=ca-anchors | grep 'E-Tugra'" && \
-    trust list --filter=ca-anchors | grep 'E-Tugra' && \
-    exit 1; \
-  fi
+if [ "$(rpm -qa ca-certificates)" != "ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch" ]; then
+  echo "The ca-certificates package was updated. Please check if the e-Tugra root certificates are present. \
+When they have been removed, manually blacklisting them should be removed"
+  echo "Let me help you by running trust list --filter=ca-anchors | grep 'E-Tugra'"
+  trust list --filter=ca-anchors | grep 'E-Tugra'
+  exit 1;
+fi
+EOF
 
 COPY stackable-base/stackable/ca-cert-blocklist/ /etc/pki/ca-trust/source/blocklist/
-
-RUN update-ca-trust && \
-  if [ "$(trust list --filter=ca-anchors | grep -c 'E-Tugra')" != "0" ]; then \
-    echo "Still found E-Tugra root certificates, this should not happen!" && \
-    exit 1; \
-  fi
+RUN <<EOF
+update-ca-trust
+if [ "$(trust list --filter=ca-anchors | grep -c 'E-Tugra')" != "0" ]; then
+  echo "Still found E-Tugra root certificates, this should not happen!"
+  exit 1;
+fi
+EOF
 
 COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/target/release/config-utils /stackable/config-utils
 COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/config-utils.cdx.xml /stackable/config-utils.cdx.xml