ci: improve multi-arch builds

Author: sebthom

.editorconfig

@@ -9,7 +9,7 @@ end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 indent_style = space
-indent_size = 3
+indent_size = 2
 
 [*.{bat,cmd}]
 end_of_line = crlf

.github/workflows/build.yml

@@ -53,7 +53,7 @@ jobs:
     strategy:
       matrix:
         SOFTHSM_VERSION: [ "latest", "develop" ]
-        DOCKER_BASE_IMAGE: [ alpine:latest, "debian:stable-slim" ]
+        DOCKER_BASE_IMAGE: [ alpine:3, "debian:stable-slim" ]
 
     steps:
     - name: "Show: GitHub context"

.gitignore

@@ -35,3 +35,6 @@ nb-configuration.xml
 # patch
 *.orig
 *.rej
+
+# nektos/act
+.actrc

CODE_OF_CONDUCT.md

@@ -60,7 +60,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-https://vegardit.com/about/legal/.
+https://vegardit.com/en/legal/.
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the

README.md

@@ -16,9 +16,11 @@
 
 > **SoftHSM has been developed for development purposes only. Don't use in production!**
 
-Multi-arch Docker image to run a virtual HSM (Hardware Security Module) network service based on [SoftHSM2](https://github.com/softhsm/SoftHSMv2) and
+A multi-arch Docker image to run a virtual HSM (Hardware Security Module) network service based on [SoftHSM2](https://github.com/softhsm/SoftHSMv2) and
 [pkcs11-proxy](https://github.com/SUNET/pkcs11-proxy/).
 
+Automatically rebuilt **weekly** to include the latest OS security fixes.
+
 Client applications can communicate with the HSM via TCP/TLS using libpkcs11-proxy.so and an OpenSSL TLS-PSK:
 
 ![](doc/aod.png)
@@ -28,11 +30,11 @@ Client applications can communicate with the HSM via TCP/TLS using libpkcs11-pro
 
 |Tag|Description|Base Image
 |-|-|-
-|`:latest` <br> `:latest-alpine` | weekly build of the latest available SoftHSM release | alpine:latest
+|`:latest` <br> `:latest-alpine` | weekly build of the latest available SoftHSM release | alpine:3
 |`:latest-debian` | weekly build of the latest available SoftHSM release | debian:stable-slim
-|`:develop` <br> `:develop-alpine` | weekly build of the development branch | alpine:latest
+|`:develop` <br> `:develop-alpine` | weekly build of the development branch | alpine:3
 |`:develop-debian` | weekly build of the development branch | debian:stable-slim
-|`:2.x` <br> `:2.x-alpine` | weekly build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.6` | alpine:latest
+|`:2.x` <br> `:2.x-alpine` | weekly build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.6` | alpine:3
 |`:2.x-debian` | weekly build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.6` | debian:stable-slim
 
 See all tags at https://hub.docker.com/r/vegardit/softhsm2-pkcs11-proxy/tags

build-image.sh

@@ -5,174 +5,218 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-softhsm2-pkcs11-proxy
 
-function curl() {
-   command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@"
-}
-
 shared_lib="$(dirname "${BASH_SOURCE[0]}")/.shared"
-[[ -e $shared_lib ]] || curl "https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s)" | bash -s v1 "$shared_lib" || exit 1
+[[ -e $shared_lib ]] || curl -sSfL "https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s)" | bash -s v1 "$shared_lib" || exit 1
 # shellcheck disable=SC1091  # Not following: $shared_lib/lib/build-image-init.sh was not specified as input
 source "$shared_lib/lib/build-image-init.sh"
 
 
 #################################################
-# specify target image repo/tag
+# declare image meta
 #################################################
 image_repo=${DOCKER_IMAGE_REPO:-vegardit/softhsm2-pkcs11-proxy}
-base_image_name=${DOCKER_BASE_IMAGE:-alpine:3}
-case $base_image_name in
-   *alpine*) base_image_linux_flavor=alpine ;;
-   *debian*) base_image_linux_flavor=debian ;;
-   *) echo "ERROR: Unsupported base image $base_image_name"; exit 1 ;;
+base_image=${DOCKER_BASE_IMAGE:-alpine:3}
+case $base_image in
+  *alpine*) base_image_linux_flavor=alpine ;;
+  *debian*) base_image_linux_flavor=debian ;;
+  *) echo "ERROR: Unsupported base image $base_image"; exit 1 ;;
 esac
 
 app_version=${SOFTHSM_VERSION:-latest}
 case $app_version in \
-   latest)
-      #app_version=$(curl https://github.com/softhsm/SoftHSMv2/releases/latest | sed -n "s/.*releases\/tag\/\([0-9]\.[0-9]\.[0-9]\)['\"].*/\1/p" | head -1)
-      app_version=$(curl https://github.com/softhsm/SoftHSMv2/tags | sed -n "s/.*releases\/tag\/\([0-9]\.[0-9]\.[0-9]\)['\"].*/\1/p" | head -1)
-      softhsm_source_url=https://codeload.github.com/softhsm/SoftHSMv2/tar.gz/refs/tags/$app_version
-      app_version_is_latest=1
-     ;;
-   develop)
-      softhsm_source_url=https://codeload.github.com/softhsm/SoftHSMv2/tar.gz/refs/heads/develop
-     ;;
-   *)
-      softhsm_source_url=https://codeload.github.com/softhsm/SoftHSMv2/tar.gz/refs/tags/$app_version
-     ;;
+  latest)
+    #app_version=$(curl https://github.com/softhsm/SoftHSMv2/releases/latest | sed -n "s/.*releases\/tag\/\([0-9]\.[0-9]\.[0-9]\)['\"].*/\1/p" | head -1)
+    app_version=$(curl https://github.com/softhsm/SoftHSMv2/tags | sed -n "s/.*releases\/tag\/\([0-9]\.[0-9]\.[0-9]\)['\"].*/\1/p" | head -1)
+    softhsm_source_url=https://codeload.github.com/softhsm/SoftHSMv2/tar.gz/refs/tags/$app_version
+    app_version_is_latest=1
+    ;;
+  develop) softhsm_source_url=https://codeload.github.com/softhsm/SoftHSMv2/tar.gz/refs/heads/develop ;;
+  *)       softhsm_source_url=https://codeload.github.com/softhsm/SoftHSMv2/tar.gz/refs/tags/$app_version ;;
 esac
 log INFO "app_version=$app_version"
 log INFO "softhsm_source_url=$softhsm_source_url"
 
+platforms="linux/amd64,linux/arm64/v8"  # linux/arm/v7
 
-#################################################
-# calculate tags
-#################################################
-declare -a tags=()
+declare -A image_meta=(
+  [authors]="Vegard IT GmbH (vegardit.com)"
+  [title]="$image_repo"
+  [description]="Docker image to run a virtual HSM (Hardware Security Module) network service based on SoftHSM2 and pkcs11-proxy"
+  [source]="$(git config --get remote.origin.url)"
+  [revision]="$(git rev-parse --short HEAD)"
+  [version]="$(git rev-parse --short HEAD)"
+  [created]="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+)
 
+declare -a tags=()
 if [[ $app_version == develop ]]; then
-   tags+=("$image_repo:develop-$base_image_linux_flavor") # :develop-alpine
-   if [[ $base_image_linux_flavor == alpine ]]; then
-      tags+=("$image_repo:develop") # :develop
-   fi
+  tags+=("develop-$base_image_linux_flavor") # :develop-alpine
+  if [[ $base_image_linux_flavor == alpine ]]; then
+    tags+=("develop") # :develop
+  fi
 else
-   if [[ $app_version =~ ^[0-9]+\..*$ ]]; then
-      tags+=("$image_repo:${app_version%%.*}.x-$base_image_linux_flavor") # :2.x-alpine
-      if [[ $base_image_linux_flavor == alpine ]]; then
-         tags+=("$image_repo:${app_version%%.*}.x-$base_image_linux_flavor") # :2.x
-      fi
-   fi
-
-   if [[ ${app_version_is_latest:-} == 1 ]]; then
-      tags+=("$image_repo:latest-$base_image_linux_flavor") # :latest-alpine
-      if [[ $base_image_linux_flavor == alpine ]]; then
-         tags+=("$image_repo:latest") # :latest
-      fi
-   fi
+  if [[ $app_version =~ ^[0-9]+\..*$ ]]; then
+    tags+=("${app_version%%.*}.x-$base_image_linux_flavor") # :2.x-alpine
+    if [[ $base_image_linux_flavor == alpine ]]; then
+      tags+=("${app_version%%.*}.x-$base_image_linux_flavor") # :2.x
+    fi
+  fi
+  if [[ ${app_version_is_latest:-} == 1 ]]; then
+    tags+=("latest-$base_image_linux_flavor") # :latest-alpine
+    if [[ $base_image_linux_flavor == alpine ]]; then
+      tags+=("latest") # :latest
+    fi
+  fi
 fi
 
-tag_args=()
-for t in "${tags[@]}"; do
-  tag_args+=( --tag "$t" )
-done
-
-image_name=${tags[0]}
-
 
 #################################################
-# build the image
+# decide if multi-arch build
 #################################################
-log INFO "Building docker image [$image_name]..."
-if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then
-   project_root=$(cygpath -w "$project_root")
+if [[ ${DOCKER_PUSH:-} == "true" || ${DOCKER_PUSH_GHCR:-} == "true" ]]; then
+  build_multi_arch="true"
 fi
 
-case $base_image_name in
-   *alpine*) dockerfile="alpine.Dockerfile" ;;
-   *debian*) dockerfile="debian.Dockerfile" ;;
-   *) echo "ERROR: Unsupported base image $base_image_name"; exit 1 ;;
-esac
+
+#################################################
+# prepare docker
+#################################################
+run_step -- docker version
 
 # https://github.com/docker/buildx/#building-multi-platform-images
-set -x
+run_step -- docker buildx version  # ensures buildx is enabled
 
-docker --version
 export DOCKER_BUILDKIT=1
-export DOCKER_CLI_EXPERIMENTAL=1 # prevents "docker: 'buildx' is not a docker command."
+export DOCKER_CLI_EXPERIMENTAL=1 # prevents "docker: 'buildx' is not a docker command." in older Docker versions
+
+if [[ ${build_multi_arch:-} == "true" ]]; then
+  # Use a temporary local registry to work around Docker/Buildx/BuildKit quirks,
+  # enabling us to build/test multiarch images locally before pushing.
+  run_step -- start_docker_registry LOCAL_REGISTRY
 
-# Register QEMU emulators for all architectures so Docker can run and build multi-arch images
-docker run --privileged --rm ghcr.io/dockerhub-mirror/tonistiigi__binfmt --install all
+  # Register QEMU emulators so Docker can run and build multi-arch images
+  run_step "Install QEMU emulators" -- \
+    docker run --privileged --rm ghcr.io/dockerhub-mirror/tonistiigi__binfmt --install all
+fi
 
 # https://docs.docker.com/build/buildkit/configure/#resource-limiting
 echo "
 [worker.oci]
   max-parallelism = 3
 " | sudo tee /etc/buildkitd.toml
 
-docker buildx version # ensures buildx is enabled
-docker buildx create --config /etc/buildkitd.toml --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
-trap 'docker buildx stop' EXIT
-# shellcheck disable=SC2154,SC2046  # base_layer_cache_key is referenced but not assigned / Quote this to prevent word splitting
-docker buildx build "$project_root" \
-   --file "image/$dockerfile" \
-   --progress=plain \
-   --pull \
-   --build-arg INSTALL_SUPPORT_TOOLS="${INSTALL_SUPPORT_TOOLS:-0}" \
-   `# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \
-   --build-arg BASE_LAYER_CACHE_KEY="$base_layer_cache_key" \
-   --build-arg BASE_IMAGE="$base_image_name" \
-   --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
-   --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \
-   --build-arg GIT_COMMIT_DATE="$(date -d "@$(git log -1 --format='%at')" --utc +'%Y-%m-%d %H:%M:%S UTC')" \
-   --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
-   --build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
-   --build-arg SOFTHSM_SOURCE_URL="$softhsm_source_url" \
-   --build-arg PKCS11_PROXY_SOURCE_URL="https://codeload.github.com/smallstep/pkcs11-proxy/tar.gz/refs/heads/master" \
-   `#--build-arg PKCS11_PROXY_SOURCE_URL="https://codeload.github.com/scobiej/pkcs11-proxy/tar.gz/refs/heads/osx-openssl1-1"` \
-   `#--build-arg PKCS11_PROXY_SOURCE_URL="https://codeload.github.com/SUNET/pkcs11-proxy/tar.gz/refs/heads/master"` \
-   $(if [[ ${ACT:-} == "true" || ${DOCKER_PUSH:-} != "true" ]]; then \
-      echo -n "--load --output type=docker"; \
-   else \
-      echo -n "--platform linux/amd64,linux/arm64" `# ,linux/arm/v7"`; \
-   fi) \
-   "${tag_args[@]}" \
-   $(if [[ ${DOCKER_PUSH:-} == "true" ]]; then echo -n "--push"; fi) \
-   "$@"
-set +x
+builder_name="bx-$(date +%s)-$RANDOM"
+run_step "Configure buildx builder" -- docker buildx create \
+  --name "$builder_name" \
+  --bootstrap \
+  --config /etc/buildkitd.toml \
+  --driver-opt network=host `# required for buildx to access the temporary registry` \
+  --driver docker-container \
+  --driver-opt image=ghcr.io/dockerhub-mirror/moby__buildkit:latest
+trap 'docker buildx rm --force "$builder_name"' EXIT
 
-if [[ ${DOCKER_PUSH:-} == "true" ]]; then
-   docker image pull "$image_name"
+
+#################################################
+# build the image
+#################################################
+image_name=image_repo:${tags[0]}
+
+case $base_image in
+  *alpine*) dockerfile="alpine.Dockerfile" ;;
+  *debian*) dockerfile="debian.Dockerfile" ;;
+  *) echo "ERROR: Unsupported base image $base_image"; exit 1 ;;
+esac
+
+build_opts=(
+  --file "image/$dockerfile"
+  --builder "$builder_name"
+  --progress=plain
+  --pull
+  # using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day
+  --build-arg BASE_LAYER_CACHE_KEY="$base_layer_cache_key"
+  --build-arg BASE_IMAGE="$base_image"
+  --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}"
+  --build-arg GIT_COMMIT_DATE="$(date -d "@$(git log -1 --format='%at')" --utc +'%Y-%m-%d %H:%M:%S UTC')"
+  --build-arg SOFTHSM_SOURCE_URL="$softhsm_source_url"
+  --build-arg PKCS11_PROXY_SOURCE_URL="https://codeload.github.com/smallstep/pkcs11-proxy/tar.gz/refs/heads/master"
+  #--build-arg PKCS11_PROXY_SOURCE_URL="https://codeload.github.com/scobiej/pkcs11-proxy/tar.gz/refs/heads/osx-openssl1-1"
+  #--build-arg PKCS11_PROXY_SOURCE_URL="https://codeload.github.com/SUNET/pkcs11-proxy/tar.gz/refs/heads/master"
+  --build-arg INSTALL_SUPPORT_TOOLS="${INSTALL_SUPPORT_TOOLS:-0}"
+)
+
+for key in "${!image_meta[@]}"; do
+  build_opts+=(--build-arg "OCI_${key}=${image_meta[$key]}")
+  if [[ ${build_multi_arch:-} == "true" ]]; then
+    build_opts+=(--annotation "index:org.opencontainers.image.${key}=${image_meta[$key]}")
+  fi
+done
+
+if [[ ${build_multi_arch:-} == "true" ]]; then
+  build_opts+=(--push)
+  build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
+  build_opts+=(--platform "$platforms")
+  build_opts+=(--tag "$LOCAL_REGISTRY/$image_name")
+else
+  build_opts+=(--output "type=docker,load=true")
+  build_opts+=(--tag "$image_name")
 fi
 
+if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then
+  project_root=$(cygpath -w "$project_root")
+fi
+
+run_step "Building docker image [$image_name]..." -- \
+  docker buildx build "${build_opts[@]}" "$project_root"
+
 
 #################################################
-# test image
+# load image into local docker daemon for testing
 #################################################
-echo
-log INFO "Testing docker image [$image_name]..."
-(set -x; docker run --rm "$image_name" /usr/local/bin/softhsm2-util --version)
-echo
+if [[ ${build_multi_arch:-} == "true" ]]; then
+  run_step "Load image into local daemon for testing" @@ "
+    docker pull '$LOCAL_REGISTRY/$image_name';
+    docker tag '$LOCAL_REGISTRY/$image_name' '$image_name'
+  "
+fi
 
 
 #################################################
 # perform security audit
 #################################################
 if [[ ${DOCKER_AUDIT_IMAGE:-1} == "1" ]]; then
+  run_step "Auditing docker image [$image_name]" -- \
    bash "$shared_lib/cmd/audit-image.sh" "$image_name"
 fi
 
 
 #################################################
-# push image to ghcr.io
+# test image
+#################################################
+run_step "Testing docker image [$image_name]" -- \
+  docker run --pull=never --rm "$image_name" /usr/local/bin/softhsm2-util --version
+
+
+#################################################
+# push image
 #################################################
+function regctl() {
+  run_step "regctl ${*}" -- \
+    docker run --rm \
+    -u "$(id -u):$(id -g)" -e HOME -v "$HOME:$HOME" \
+    -v /etc/docker/certs.d:/etc/docker/certs.d:ro \
+    --network host `# required to access the temporary registry` \
+    ghcr.io/regclient/regctl:latest \
+    --host "reg=$LOCAL_REGISTRY,tls=disabled" \
+    "${@}"
+}
+
+if [[ ${DOCKER_PUSH:-} == "true" ]]; then
+  for tag in "${tags[@]}"; do
+    regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag"
+  done
+fi
 if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then
-   for tag in "${tags[@]}"; do
-      set -x
-      docker run --rm \
-         -u "$(id -u):$(id -g)" -e HOME -v "$HOME:$HOME" \
-         -v /etc/docker/certs.d:/etc/docker/certs.d:ro \
-         ghcr.io/regclient/regctl:latest \
-         image copy "$tag" "ghcr.io/$tag"
-      set +x
-   done
+  for tag in "${tags[@]}"; do
+    regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag"
+  done
 fi