File: ocp4_content

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (57 lines) | stat: -rw-r--r-- 2,992 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
 
FROM registry.fedoraproject.org/fedora-minimal:latest as builder

WORKDIR /content

RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils python3-setuptools

COPY . .

# Enable only certain profiles on ppc64le and s390x
RUN if [ "$(uname -m)" == "x86_64" ]; then \
    echo "Building OpenShift and RHCOS content for x86_64"; \
    else echo "Building OpenShift content for $(uname -m)" && \
        # Disable all profiles first
        find . -name "*.profile" -exec sed -i 's/\(documentation_complete: \).*/\1false/' '{}' \; && \
        # Enable the default.profiles as they maintain a list rules to be added to the datastream
        find . -name "default\.profile" -exec sed -i 's/\(documentation_complete: \).*/\1true/' '{}' \; && \
        sed -i 's/\(documentation_complete: \).*/\1true/' \
        products/ocp4/profiles/pci-dss-node-3-2.profile \
        products/ocp4/profiles/pci-dss-3-2.profile \
        products/ocp4/profiles/pci-dss-node.profile \
        products/ocp4/profiles/pci-dss.profile \
        products/ocp4/profiles/cis-node.profile \
        products/ocp4/profiles/cis.profile \
        products/ocp4/profiles/cis-node-1-4.profile \
        products/ocp4/profiles/cis-1-4.profile \
        products/ocp4/profiles/cis-node-1-5.profile \
        products/ocp4/profiles/cis-1-5.profile \
        products/ocp4/profiles/moderate-node.profile \
        products/ocp4/profiles/moderate.profile \
        products/ocp4/profiles/moderate-node-rev-4.profile \
        products/ocp4/profiles/moderate-rev-4.profile && \
        # Adds DISA-STIG for ppc64le
        if [ "$(uname -m)" = "ppc64le" ]; then \
            find products/rhcos4 -name "*stig*.profile" | xargs sed -i 's/\(documentation_complete: \).*/\1true/' && \
            find products/ocp4 -name "*stig*.profile" | xargs sed -i 's/\(documentation_complete: \).*/\1true/' ; \
        fi && \
        # OCPBUGS-32794: Ensure stability of rules shipped
        # Before building the content we re-enable all profiles as hidden, this will include any rule selected
        # by these profiles in the data stream without creating a profile for them.
        grep -lr 'documentation_complete: false' ./products | xargs -I '{}' \
        sed -i -e 's/\(documentation_complete: \).*/\1true/' -e '/documentation_complete/a hidden: true' {}; \
    fi

# Build the OpenShift, EKS, and RHCOS content for x86 architectures. Only build
# OpenShift content for ppc64le and s390x architectures since we're not
# including any RHCOS profiles on those architectures right now anyway.
RUN if [ "$(uname -m)" = "x86_64" ]; then \
        ./build_product ocp4 rhcos4 eks --datastream-only; \
        elif [ "$(uname -m)" = "ppc64le" ]; then \
        ./build_product ocp4 rhcos4 --datastream-only; \
        else ./build_product ocp4 --datastream-only; \
        fi

FROM registry.access.redhat.com/ubi8/ubi-micro:latest

WORKDIR /
COPY --from=builder /content/build/ssg-*-ds.xml .