ROX-24283: enable strictfipsruntime in the Konflux build #1709
base: master
@@ -71,7 +71,7 @@ GOPATH_WD_OVERRIDES := -w /src -e GOPATH=/go | |||||||||
IMAGE_BUILD_FLAGS := -e CGO_ENABLED=$(CGO_ENABLED) -e GOOS=linux -e GOARCH=$(GOARCH) | ||||||||||
IMAGE_BUILD_ARGS = --build-arg LABEL_VERSION=$(TAG) --build-arg LABEL_RELEASE=$(TAG) --build-arg QUAY_TAG_EXPIRATION=$(QUAY_TAG_EXPIRATION) | ||||||||||
BUILD_FLAGS := CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH) | ||||||||||
BUILD_CMD := go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(TAG)" -o image/scanner/bin/scanner ./cmd/clair | ||||||||||
BUILD_CMD := go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(TAG)" -tags="$(GOTAGS)" -o image/scanner/bin/scanner ./cmd/clair | ||||||||||
NODESCAN_BUILD_CMD := go build -trimpath -o tools/bin/local-nodescanner ./tools/local-nodescanner | ||||||||||
(not about this line) Similarly there's Lines 117 to 120 in ff7e0f3
This updater just runs in CI and isn't shipped to customers, so no need to be FIPS-built
##################################################################### | ||||||||||
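Review bot: -tags="$(GOTAGS)" is spliced into BUILD_CMD with :=, so GOTAGS must be defined before this line or inherited from the environment (the Dockerfile's ENV GOTAGS covers the Konflux build); when it is unset the command degrades to -tags="", which go build accepts, so a non-FIPS build does not fail loudly. NODESCAN_BUILD_CMD on the next line and the updater at lines 117 to 120 are left without the tag; the thread says that is intentional because neither ships to customers, so a one-line comment above BUILD_CMD stating that only image/scanner/bin/scanner is FIPS-built would spare the next reader the same question.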
@@ -10,6 +10,9 @@ ARG SCANNER_TAG | |
RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi | ||
ENV RELEASE_TAG="${SCANNER_TAG}" | ||
# TODO(ROX-27054): Remove the redundant strictfipsruntime option if one is found to be so | ||
I don't love the way this comment reads, but it's the best I could come up with.
lgtm. I'd prefer "remove -tags=strictfipsruntime when GOEXPERIMENT is checked by check-payload" but that may be too much information.
Honestly I think I prefer the more info in David's suggestion (perhaps even add a link to check-payload so readers can find it)
ENV GOEXPERIMENT=strictfipsruntime | ||
ENV GOTAGS=strictfipsruntime | ||
Comment on lines +14 to +15
I forgot: do these both
I think we do not want the tag set because "The -tag method can technically work on 1.17+, but the environment variable method is preferred." (https://docs.google.com/presentation/d/10O9MIItuPW1fCN4dPaGTxSHAE4KhqISMKAxNGdmPyV4/edit#slide=id.g227165bb50a_0_0) check-payload accepts the tag for golang <=1.16 and goexperiment var for golang >=1.17 openshift/check-payload#143 (comment) discussion in https://issues.redhat.com/browse/OCPBUGS-24612
From my reading of the info you shared, for us it should be sufficient to only keep
I tried doing this in stackrox/stackrox#12909, but only setting
Perhaps the GOEXPERIMENT variable is not getting carried through and we're relying on the tags?
Weird. If
It looks like GOEXPERIMENT is not found on the built binaries. So I think that is why the tags are needed right now.
I'll try checking in a way separate from check-payload. Maybe check-payload is wrong.
This. I'll report the issue to check-payload.
What's the conclusion of this? Just keeping both?
Comment on lines +14 to +15
+1 to @davdhacs suggestion to add a
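The thread above asks whether GOEXPERIMENT actually shows up on the built binaries; one way to check independently of check-payload is to read the build settings Go embeds in the binary. This is an added example, not code from this PR or the stackrox repos; it assumes the toolchain records "-tags" and, when set, "GOEXPERIMENT" as build settings (upstream Go does), so a toolchain that omits the GOEXPERIMENT setting will report only the tag route.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Check reports whether build settings keyed by name carry strictfipsruntime via
// "-tags" (the GOTAGS route) and via "GOEXPERIMENT" (the ENV route). Assumption:
// the toolchain records both keys as build settings when they were set.
func Check(settings map[string]string) (tagSet, experimentSet bool) {
	return hasEntry(settings["-tags"], "strictfipsruntime"),
		hasEntry(settings["GOEXPERIMENT"], "strictfipsruntime")
}

// hasEntry matches a whole comma-separated entry, so "nostrictfipsruntime" is not a hit.
func hasEntry(list, want string) bool {
	for _, f := range strings.Split(list, ",") {
		if strings.TrimSpace(f) == want {
			return true
		}
	}
	return false
}

// Usage: go run . image/scanner/bin/scanner
func main() {
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path) // reads the build info Go embeds in the binary
		if err != nil {
			fmt.Fprintln(os.Stderr, path+":", err)
			os.Exit(1)
		}
		kv := make(map[string]string, len(bi.Settings))
		for _, s := range bi.Settings {
			kv[s.Key] = s.Value
		}
		t, e := Check(kv)
		fmt.Printf("%s: -tags=%v GOEXPERIMENT=%v\n", path, t, e)
	}
}
```

If a binary built from this Dockerfile prints GOEXPERIMENT=false while -tags=true, the toolchain is not recording the experiment and the thread's reading of check-payload's result is confirmed on that build.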
ENV GOFLAGS="" | ||
ENV CI=1 | ||
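Review bot: the TODO at +13 says to remove "the redundant strictfipsruntime option" without naming which of +14 (GOEXPERIMENT) or +15 (GOTAGS) is the candidate or what has to be true first. The thread establishes that GOEXPERIMENT is the preferred route for Go >= 1.17 and that GOTAGS is only kept because check-payload does not find GOEXPERIMENT on the built binaries, so put that condition in the comment, e.g. "# TODO(ROX-27054): drop GOTAGS=strictfipsruntime once check-payload verifies GOEXPERIMENT on the built binaries", with the link to check-payload that was suggested. Note also that ENV GOFLAGS="" on +16 does not interact with either setting: GOTAGS only takes effect because the Makefile's BUILD_CMD expands $(GOTAGS) into -tags, so deleting +15 alone leaves a -tags="" in the build command rather than a build error.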
It does not seem to me that local-nodescanner is included in the final Scanner image. Is this correct? Is it a development tool? Does anyone still use it? @Maddosaurus
It's a development tool. From what I can tell, the (old) RHCOS node scanner runs as a container in the collector pod called node-inventory which runs the usual scanner binary /scanner from within the usual scanner image (_rox.image.scanner.fullRef): https://github.com/stackrox/stackrox/blob/master/image/templates/helm/stackrox-secured-cluster/templates/collector.yaml.htpl#L196
Looks like the typical scanner main function was modified to run the scanner in "node inventory mode" - https://github.com/stackrox/scanner/blob/master/cmd/clair/main.go#L279
So I'd say it's accurate to keep this command out
Yes, this is correct to not be included in the image. local-nodescanner is a tool that enables local testing and debugging of Scanner v2 Node Scanning code without the need to deploy ACS. It is similar to the tools for collector and sensor we have over in the main stackrox repo 😄
Thank you Ross and Matthias, while you answered about the FIPS part for the local-nodescanner, it will be good to know whether we need to keep and maintain this tool. Therefore: Is there any value to keep it?
As long as we support Scanner V2 Node Scanning, this tool should stay in place to enable effective debugging and troubleshooting of Node Scanning code.