From 58fe25e73c6be866919106f11b62e6573bbe77bc Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 14 Dec 2023 10:47:23 +0100
Subject: [PATCH] refactor: drop pipx again and cleanup containerfile (#355)

BREAKING CHANGE: The Python package `pycrypto` has been removed as it is no longer maintained. If some custom Ansible resources (modules, filters, etc.) still rely on this library, this change may cause problems. In this case, it is recommended to inform the affected resource so that it can be updated to a modern cryptography library.
Reviewed-on: https://gitea.rknet.org/container/molecule/pulls/355
Co-authored-by: Robert Kaussow
Co-committed-by: Robert Kaussow
---
 .woodpecker/build-container.yml | 3 ---
 Containerfile.multiarch | 28 ++++++++--------------------
 trivy-secret.yaml | 6 ++++++
 trivy.yaml | 4 ++++
 4 files changed, 18 insertions(+), 23 deletions(-)
 create mode 100644 trivy-secret.yaml
 create mode 100644 trivy.yaml
diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index 2ce38f1..eb43f5c 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -24,9 +24,6 @@ steps:
TRIVY_NO_PROGRESS: "true"
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
- TRIVY_SKIP_FILES: >-
- /usr/local/bin/gomplate,
- /opt/pipx/venvs/ansible/lib/**/site-packages/ansible_collections/**/modules/*.py
publish-dockerhub:
group: container
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index 1e4268c..20f6b62 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
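Review bot: Removing the `/opt/pipx/venvs/ansible/lib/**/site-packages/ansible_collections/**/modules/*.py` entry narrows the exclusion more than the commit message states: the old `TRIVY_SKIP_FILES` glob hid every scanner's findings under those paths, while its replacement in `trivy-secret.yaml` allow-lists only two secret rule ids for the `community`, `google`, `netapp` and `amazon` collections, and `trivy.yaml` (last hunk) keeps just `/usr/local/bin/gomplate` in `scan.skip-files`. That is the more reviewable exclusion, but any other secret rule id, or another collection shipping fixture keys, may now trip the `HIGH,CRITICAL` gate, so the first build on the new layout should be checked rather than assumed green. The step also now depends on Trivy loading `trivy.yaml` and `trivy-secret.yaml` from the directory it runs in, which the removed environment variable did not; a comment beside the remaining `TRIVY_*` variables such as `# skip-files and secret allow-rules are configured in trivy.yaml / trivy-secret.yaml` would make that dependency discoverable.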
@@ -19,31 +19,19 @@ ENV PY_COLORS=1
ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
ENV ANSIBLE_FORCE_COLOR=true
ENV USER=root
-ENV PATH=/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
-ENV PIPX_HOME=/opt/pipx
-ENV PIPX_BIN_DIR=/usr/local/bin
COPY overlay/ /
RUN apk add --update --no-cache --virtual .build-deps build-base libffi-dev musl-dev openssl-dev python3-dev cargo && \
- apk add --update --no-cache git openssh-client pipx && \
+ apk add --update --no-cache git openssh-client && \
+ echo "Installing requirements ..." && \
+ pip install -qq --no-cache-dir --upgrade pip && \
+ pip install -qq --no-cache-dir boto boto3 botocore apache-libcloud hcloud \
+ flaky passlib pytest pytest-testinfra && \
echo "Installing ansible 'v$ANSIBLE_VERSION' ..." && \
- pipx install --include-deps ansible=="$ANSIBLE_VERSION" && \
- echo "Installing molecule version '$MOLECULE_VERSION' ..." && \
- pipx inject --include-apps ansible molecule && \
- pipx inject --include-apps ansible pytest && \
- pipx inject ansible pytest-testinfra && \
- pipx inject ansible molecule-plugins[docker] && \
- pipx inject ansible molecule_hetznercloud && \
- pipx inject ansible boto && \
- pipx inject ansible boto3 && \
- pipx inject ansible botocore && \
- pipx inject ansible hcloud && \
- pipx inject ansible apache-libcloud && \
- pipx inject ansible pycrypto && \
- pipx inject ansible flaky && \
- pipx inject ansible passlib && \
- $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
+ pip install -qq --no-cache-dir ansible=="$ANSIBLE_VERSION" && \
+ echo "Installing molecule version 'v$MOLECULE_VERSION' ..." && \
+ pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker] molecule_hetznercloud; \
apk del .build-deps && \
rm -rf /var/cache/apk/* && \
rm -rf /tmp/* && \
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000..abca175
--- /dev/null
+++ b/trivy-secret.yaml
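Review bot: The last added line, `pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker] molecule_hetznercloud; \`, ends with `;` instead of `&& \`, so a failed molecule install does not abort the RUN instruction: `apk del .build-deps` and the cleanup still run, the shell's exit status comes from the later commands, and the layer is committed without molecule. It should end with `molecule_hetznercloud && \` like the surrounding lines. Separately, the new `pip install` lines pull `boto`, `boto3`, `botocore`, `apache-libcloud`, `hcloud`, `flaky`, `passlib`, `pytest` and `pytest-testinfra` unpinned, so the image contents drift between builds with no version or hash constraint, and the unmaintained-package rationale the commit message gives for dropping `pycrypto` arguably applies to `boto` (the v2 library) as well. The RUN instruction continues past the end of the hunk.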
@@ -0,0 +1,6 @@
+---
+allow-rules:
+ - id: private-key
+ path: .*/ansible/.*/site-packages/ansible_collections/(community|google|netapp)/.*\.py
+ - id: aws-secret-access-key
+ path: .*/ansible/.*/site-packages/ansible_collections/amazon/.*\.py
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..e74b43b
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,4 @@
+---
+scan:
+ skip-files:
+ - /usr/local/bin/gomplate
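Review bot: Both `path` patterns require a directory literally named `ansible` before `site-packages` (`.*/ansible/.*/site-packages/...`), which matched the pipx venv layout `/opt/pipx/venvs/ansible/...` that the Containerfile hunk in this same commit removes; a plain `pip install` into the system interpreter places the collections under something like `/usr/lib/python3.X/site-packages/ansible_collections/` (constructed example), where no `ansible` component precedes `site-packages`, so these allow rules would never apply and the secret scan would still report the files they are meant to silence. Unless the image deliberately keeps an `ansible`-named directory on that path, anchoring on the site-packages segment is the robust form: `path: .*/site-packages/ansible_collections/(community|google|netapp)/.*\.py` and `path: .*/site-packages/ansible_collections/amazon/.*\.py`. A one-line comment above each rule naming what triggers it (presumably embedded test fixtures, which is worth confirming) would keep this allow-list reviewable when collections are added or removed.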