Uplift Promenade image to address CVEs

The current Promenade image is vulnerable to several CVEs:
CVE-2019-3462
CVE-2018-16865
CVE-2018-16864

Which Ubuntu 16.04/18.04 addresses.
This patchset makes the following changes:
1. Adds new distro specific dockerfiles for xenial/bionic.
2. Updates gates to be specific about the ubuntu image being
   checked.
3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic.
4. Updates build-image.sh docker build for specific dockerfile
   specified in config.sh (IMAGE_PROMENADE_DISTRO).

Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398

.zuul.yaml

@@ -20,7 +20,8 @@
       jobs:
         - openstack-tox-pep8
         - airship-promenade-lint-ws
-        - airship-promenade-docker-build-gate
+        - airship-promenade-docker-build-gate-ubuntu_xenial
+        - airship-promenade-docker-build-gate-ubuntu_bionic
         - airship-promenade-chart-build-gate
         - airship-promenade-chart-build-latest-htk
         - airship-promenade-unit-py35
@@ -31,7 +32,8 @@
       jobs:
         - openstack-tox-pep8
         - airship-promenade-lint-ws
-        - airship-promenade-docker-build-gate
+        - airship-promenade-docker-build-gate-ubuntu_xenial
+        - airship-promenade-docker-build-gate-ubuntu_bionic
         - airship-promenade-chart-build-gate
         - airship-promenade-unit-py35
         - airship-promenade-genesis-gate
@@ -39,7 +41,8 @@
 
     post:
       jobs:
-        - airship-docker-build-post
+        - airship-promenade-docker-build-post-ubuntu_xenial
+        - airship-promenade-docker-build-post-ubuntu_bionic
         - promenade-upload-git-mirror
 
 - nodeset:
@@ -63,6 +66,8 @@
       - openstack/openstack-helm-infra
     timeout: 3600
     nodeset: airship-promenade-single-node-bionic
+    vars:
+      distro: ubuntu_bionic
 
 - job:
     name: airship-promenade-genesis-containerd-gate
@@ -73,6 +78,8 @@
       - openstack/openstack-helm-infra
     timeout: 3600
     nodeset: airship-promenade-single-node-bionic
+    vars:
+      distro: ubuntu_bionic
 
 - job:
     name: airship-promenade-lint-ws
@@ -117,11 +124,12 @@
     nodeset: airship-promenade-single-node
 
 - job:
-    name: airship-promenade-docker-build-gate
+    name: airship-promenade-docker-build-gate-ubuntu_xenial
     run: tools/zuul/playbooks/docker-image-build.yaml
     nodeset: airship-promenade-single-node
     vars:
       publish: false
+      distro: ubuntu_xenial
       tags:
         dynamic:
           patch_set: true
@@ -131,13 +139,49 @@
       - ^tests/.*$
       - ^tools/.*$
 - job:
-    name: airship-docker-build-post
+    name: airship-promenade-docker-build-gate-ubuntu_bionic
     run: tools/zuul/playbooks/docker-image-build.yaml
-    nodeset: ubuntu-xenial
+    nodeset: airship-promenade-single-node
+    vars:
+      publish: false
+      distro: ubuntu_bionic
+      tags:
+        dynamic:
+          patch_set: true
+    irrelevant-files:
+      - ^charts/.*$
+      - ^etc/.*$
+      - ^tests/.*$
+      - ^tools/.*$
+- job:
+    name: airship-promenade-docker-build-post-ubuntu_xenial
+    run: tools/zuul/playbooks/docker-image-build.yaml
+    nodeset: airship-promenade-single-node
     secrets:
       - airship_promenade_quay_creds
     vars:
       publish: true
+      distro: ubuntu_xenial
+      tags:
+        dynamic:
+          branch: true
+          commit: true
+        static:
+          - latest
+    irrelevant-files:
+      - ^charts/.*$
+      - ^etc/.*$
+      - ^tests/.*$
+      - ^tools/.*$
+- job:
+    name: airship-promenade-docker-build-post-ubuntu_bionic
+    run: tools/zuul/playbooks/docker-image-build.yaml
+    nodeset: airship-promenade-single-node
+    secrets:
+      - airship_promenade_quay_creds
+    vars:
+      publish: true
+      distro: ubuntu_bionic
       tags:
         dynamic:
           branch: true

Makefile

@@ -25,10 +25,11 @@ PUSH_IMAGE        ?= false
 # use this variable for image labels added in internal build process
 LABEL             ?= org.airshipit.build=community
 COMMIT            ?= $(shell git rev-parse HEAD)
+DISTRO            ?= ubuntu_bionic
 PYTHON            = python3
 CHARTS            := $(patsubst charts/%/.,%,$(wildcard charts/*/.))
-IMAGE             := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}
-PYTHON_BASE_IMAGE ?= python:3.6
+IMAGE             := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}-${DISTRO}
+BASE_IMAGE        ?=
 
 HELM_PIDFILE ?= $(abspath ./.helm-pid)
 
@@ -97,14 +98,16 @@ dry-run-%: helm-lint-%
 $(CHARTS): $(addprefix dry-run-,$(CHARTS)) chartbanner
 	$(HELM) package -d charts charts/$@
 
+_BASE_IMAGE_ARG := $(if $(BASE_IMAGE),--build-arg FROM="${BASE_IMAGE}" ,)
+
 build_promenade:
 ifeq ($(USE_PROXY), true)
 	docker build --network host -t $(IMAGE) --label $(LABEL) \
 		--label "org.opencontainers.image.revision=$(COMMIT)" \
 		--label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
 		--label "org.opencontainers.image.title=$(IMAGE_NAME)" \
-		-f ./Dockerfile \
-		--build-arg FROM=$(PYTHON_BASE_IMAGE) \
+	        -f images/promenade/Dockerfile.${DISTRO} \
+                $(_BASE_IMAGE_ARG) \
 		--build-arg http_proxy=$(PROXY) \
 		--build-arg https_proxy=$(PROXY) \
 		--build-arg HTTP_PROXY=$(PROXY) \
@@ -116,8 +119,8 @@ else
 		--label "org.opencontainers.image.revision=$(COMMIT)" \
 		--label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
 		--label "org.opencontainers.image.title=$(IMAGE_NAME)" \
-		-f ./Dockerfile \
-		--build-arg FROM=$(PYTHON_BASE_IMAGE) .
+	        -f images/promenade/Dockerfile.${DISTRO} \
+		$(_BASE_IMAGE_ARG) .
 endif
 ifeq ($(PUSH_IMAGE), true)
 	docker push $(IMAGE)

images/promenade/Dockerfile.ubuntu_bionic

@@ -0,0 +1,73 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG FROM=ubuntu:18.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
+      org.opencontainers.image.url='https://airshipit.org' \
+      org.opencontainers.image.documentation='https://airship-promenade.readthedocs.org' \
+      org.opencontainers.image.source='https://opendev.org/airship/promenade' \
+      org.opencontainers.image.vendor='The Airship Authors' \
+      org.opencontainers.image.licenses='Apache-2.0'
+
+VOLUME /etc/promenade
+VOLUME /target
+
+RUN mkdir /opt/promenade
+WORKDIR /opt/promenade
+
+ENV PORT 9000
+EXPOSE $PORT
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+
+ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
+
+RUN set -ex \
+    && apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+        ca-certificates \
+        curl \
+        dnsutils \
+        gcc \
+        git \
+        gpg \
+        gpg-agent \
+        libpcre3-dev \
+        libyaml-dev \
+        python3-dev \
+        python3-pip \
+        python3-setuptools \
+        rsync \
+    && ln -s /usr/bin/python3 /usr/bin/python \
+    && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
+    && chmod 555 /usr/local/bin/cfssl \
+    && python3 -m pip install -U pip \
+    && apt-get autoremove -yqq --purge \
+    && apt-get clean \
+    && useradd -u 1000 -g users -d /opt/promenade promenade \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements-frozen.txt /opt/promenade
+RUN pip3 install --no-cache-dir -r requirements-frozen.txt
+
+# Setting promenade version for BPR
+ENV PBR_VERSION 0.8.0
+
+COPY . /opt/promenade
+RUN pip3 install -e /opt/promenade
+
+USER promenade

images/promenade/Dockerfile.ubuntu_xenial

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ARG FROM=python:3.6
+ARG FROM=ubuntu:16.04
 FROM ${FROM}
 
 LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
@@ -31,27 +31,42 @@ WORKDIR /opt/promenade
 ENV PORT 9000
 EXPOSE $PORT
 
-# Setting promenade version for BPR
-ENV PBR_VERSION 0.8.0
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
 
 ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
 
 RUN set -ex \
+    && apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+        ca-certificates \
+        curl \
+        dnsutils \
+        gcc \
+        git \
+        libpcre3-dev \
+        libssl-dev \
+        libyaml-dev \
+        python3-dev \
+        python3-pip \
+        python3-setuptools \
+        rsync \
+    && ln -s /usr/bin/python3 /usr/bin/python \
     && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
     && chmod 555 /usr/local/bin/cfssl \
+    && python3 -m pip install -U pip \
+    && apt-get autoremove -yqq --purge \
     && apt-get clean \
-    && apt-get update -q \
-    && apt-get install --no-install-recommends -y \
-        dnsutils \
-        libyaml-dev \
-        rsync \
     && useradd -u 1000 -g users -d /opt/promenade promenade \
     && rm -rf /var/lib/apt/lists/*
 
 COPY requirements-frozen.txt /opt/promenade
-RUN pip install --no-cache-dir -r requirements-frozen.txt
+RUN pip3 install --no-cache-dir -r requirements-frozen.txt
+
+# Setting promenade version for BPR
+ENV PBR_VERSION 0.8.0
 
 COPY . /opt/promenade
-RUN pip install -e /opt/promenade
+RUN pip3 install -e /opt/promenade
 
 USER promenade

requirements-frozen.txt

@@ -111,6 +111,7 @@ vine==1.3.0
 wcwidth==0.1.7
 WebOb==1.8.5
 websocket-client==0.56.0
+wheel==0.34.2
 Werkzeug==0.14.1
 wrapt==1.11.2
 yappi==1.0

tools/dev-build.sh

@@ -6,7 +6,10 @@ SCRIPT_DIR=$(realpath $(dirname $0))
 SOURCE_DIR=$(realpath $SCRIPT_DIR/..)
 
 echo === Building image ===
-docker build -t quay.io/airshipit/promenade:master ${SOURCE_DIR}
+docker build \
+  -t quay.io/airshipit/promenade:master \
+  -f "${SOURCE_DIR}/images/promenade/Dockerfile.${DISTRO}" \
+  ${SOURCE_DIR}
 
 export PROMENADE_DEBUG=${PROMENADE_DEBUG:-1}
 

tools/g2/lib/config.sh

@@ -2,6 +2,7 @@ export TEMP_DIR=${TEMP_DIR:-$(mktemp -d)}
 export BASE_IMAGE_SIZE=${BASE_IMAGE_SIZE:-68719476736}
 export BASE_IMAGE_URL=${BASE_IMAGE_URL:-https://cloud-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-amd64-disk1.img}
 export IMAGE_PROMENADE=${IMAGE_PROMENADE:-quay.io/airshipit/promenade:master}
+export IMAGE_PROMENADE_DISTRO=${IMAGE_PROMENADE_DISTRO:-ubuntu_bionic}
 export IMAGE_HYPERKUBE=${IMAGE_HYPERKUBE:-gcr.io/google_containers/hyperkube-amd64:v1.17.3}
 export NGINX_DIR="${TEMP_DIR}/nginx"
 export NGINX_URL="http://192.168.77.1:7777"

tools/g2/stages/build-image.sh

@@ -13,11 +13,13 @@ then
   docker build -q \
     --network host \
     -t "${IMAGE_PROMENADE}" \
+    -f "${WORKSPACE}/images/promenade/Dockerfile.${IMAGE_PROMENADE_DISTRO}" \
     "${WORKSPACE}"
 else
     docker build -q \
       --network host \
       -t "${IMAGE_PROMENADE}" \
+      -f "${WORKSPACE}/images/promenade/Dockerfile.${IMAGE_PROMENADE_DISTRO}" \
       --build-arg "HTTP_PROXY=${HTTP_PROXY:-}" \
       --build-arg "HTTPS_PROXY=${HTTPS_PROXY:-}" \
       --build-arg "NO_PROXY=${NO_PROXY:-}" \

tools/zuul/playbooks/deploy-promenade-containerd.yaml

@@ -17,6 +17,7 @@
       HTTPS_PROXY: ""
       NO_PROXY: ""
       PROMENADE_TMP_LOCAL: "cache"
+      DISTRO: "{{ distro }}"
   become: true
   tasks:
     - name: Install docker

tools/zuul/playbooks/deploy-promenade.yaml

@@ -17,6 +17,7 @@
       HTTPS_PROXY: ""
       NO_PROXY: ""
       PROMENADE_TMP_LOCAL: "cache"
+      DISTRO: "{{ distro }}"
   become: true
   tasks:
     - name: Install docker

tools/zuul/playbooks/docker-image-build.yaml

@@ -52,6 +52,8 @@
             var: publish
         - debug:
             var: tags
+        - debug:
+            var: distro
         - debug:
             var: zuul
         - debug:
@@ -77,6 +79,7 @@
             chdir: "{{ zuul.project.src_dir }}"
             target: images
             params:
+              DISTRO: "{{ distro }}"
               IMAGE_TAG: "{{ item }}"
           with_items: "{{ image_tags.stdout_lines }}"
 
@@ -101,6 +104,7 @@
             params:
               DOCKER_REGISTRY: "quay.io"
               IMAGE_PREFIX: "airshipit"
+              DISTRO: "{{ distro }}"
               IMAGE_TAG: "{{ item }}"
               COMMIT: "{{ zuul.newrev | default('') }}"
               PUSH_IMAGE: "true"