Use distroless base image

Alpine provides relatively little value, but carries with it a large
amount of security risks. Despite the team's belief that most of the
security risks don't put users in any actual danger, it is a burden
to evalualte them all. Switching to a base image with a smaller attack
surfaces greatly reduces this burden and gives users more assurance
of security.

As part of this change, CGO is disabled. We didn't need it, and it
was adding needless dependencies.

Also, because this change removes the shell from the container, it
replaces the chroot-wrapper script with a binary that does the same
thing.

Co-authored-by: Andrew Kerr <[email protected]>

Dockerfile

@@ -1,25 +1,9 @@
-FROM alpine:3.12
+FROM gcr.io/distroless/static:eddfb5cd7a24d656f77afae595ffe6c232eab847
 
-LABEL maintainer="[email protected]" \
+LABEL maintainers="The NetApp Trident Team" \
       app="trident.netapp.io" \
       description="Trident Storage Orchestrator"
 
-# Use APK mirrors for fault tolerance
-RUN printf "http://dl-2.alpinelinux.org/alpine/v3.12/main\nhttp://dl-3.alpinelinux.org/alpine/v3.12/main\nhttp://dl-4.alpinelinux.org/alpine/v3.12/main\nhttp://dl-5.alpinelinux.org/alpine/v3.12/main\n\nhttp://dl-1.alpinelinux.org/alpine/v3.12/community\nhttp://dl-2.alpinelinux.org/alpine/v3.12/community\nhttp://dl-3.alpinelinux.org/alpine/v3.12/community\nhttp://dl-4.alpinelinux.org/alpine/v3.12/community\nhttp://dl-5.alpinelinux.org/alpine/v3.12/community" > /etc/apk/repositories
-
-RUN apk update || true &&  \
-	apk add coreutils util-linux blkid \
-	lsscsi \
-	e2fsprogs \
-	bash \
-	kmod \
-	curl \
-	jq \
-	ca-certificates
-
-# for go binaries to work inside an alpine container
-RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
-
 ARG PORT=8000
 ENV PORT $PORT
 EXPOSE $PORT
@@ -32,33 +16,9 @@ ENV K8S $K8S
 ENV TRIDENT_IP localhost
 ENV TRIDENT_SERVER 127.0.0.1:$PORT
 
-COPY ./scripts/* $BIN $CLI_BIN /usr/local/bin/
-
-RUN mkdir /netapp
-ADD chroot-host-wrapper.sh /netapp
-RUN    ln -s /netapp/chroot-host-wrapper.sh /netapp/blkid \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/blockdev \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/cat \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/dd \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/df \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/free \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/iscsiadm \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/ls \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/lsblk \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/lsscsi \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/mkdir \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/mkfs.ext3 \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/mkfs.ext4 \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/mkfs.xfs \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/mount \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/multipath \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/multipathd \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/pgrep \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/resize2fs \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/rmdir \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/stat \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/umount \
-    && ln -s /netapp/chroot-host-wrapper.sh /netapp/xfs_growfs
-
+COPY $BIN /
+COPY $CLI_BIN /bin/
+ADD chwrap.tar /
 
-CMD ["/usr/bin/env -i PATH='/netapp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' /usr/local/bin/$BIN -port $PORT -crd_persistence -k8s_api_server $K8S"]
+ENTRYPOINT ["/bin/$CLI_BIN"]
+CMD ["version"]

Makefile

@@ -34,6 +34,7 @@ VERSION ?= $(shell cat ${ROOT}/hack/VERSION)
 
 DR_LINUX = docker run --rm \
 	--net=host \
+	-e CGO_ENABLED=0 \
 	-e GOOS=linux \
 	-e GOARCH=$(GOARCH) \
 	-e GOGC=$(GOGC) \
@@ -60,7 +61,7 @@ GO_LINUX = ${DR_LINUX} ${GO_CMD}
 
 GO_MACOS = ${DR_MACOS} ${GO_CMD}
 
-.PHONY = default build trident_build trident_build_all trident_retag tridentctl_build dist dist_tar dist_tag test test_core test_other test_coverage_report clean fmt install vet
+.PHONY = default build trident_build trident_build_all tridentctl_build dist dist_tar dist_tag test test_core test_other test_coverage_report clean fmt install vet
 
 default: dist
 
@@ -75,10 +76,8 @@ endif
 
 ## tag variables
 TRIDENT_TAG := ${TRIDENT_IMAGE}:${TRIDENT_VERSION}
-TRIDENT_TAG_OLD := ${TRIDENT_IMAGE}:${TRIDENT_VERSION}_old
 ifdef REGISTRY_ADDR
 TRIDENT_TAG := ${REGISTRY_ADDR}/${TRIDENT_TAG}
-TRIDENT_TAG_OLD := ${REGISTRY_ADDR}/${TRIDENT_TAG_OLD}
 endif
 DIST_REGISTRY ?= netapp
 TRIDENT_DIST_TAG := ${DIST_REGISTRY}/${TRIDENT_IMAGE}:${TRIDENT_VERSION}
@@ -91,32 +90,23 @@ DEFAULT_TRIDENT_OPERATOR_IMAGE := ${DEFAULT_TRIDENT_OPERATOR_REPO}:${DEFAULT_TRI
 OPERATOR_DIST_TAG := ${DIST_REGISTRY}/${OPERATOR_IMAGE}:${TRIDENT_VERSION}
 
 # Go compiler flags need to be properly encapsulated with double quotes to handle spaces in values
-BUILD_FLAGS = "-X \"${TRIDENT_CONFIG_PKG}.BuildHash=$(GITHASH)\" -X \"${TRIDENT_CONFIG_PKG}.BuildType=$(BUILD_TYPE)\" -X \"${TRIDENT_CONFIG_PKG}.BuildTypeRev=$(BUILD_TYPE_REV)\" -X \"${TRIDENT_CONFIG_PKG}.BuildTime=$(BUILD_TIME)\" -X \"${TRIDENT_CONFIG_PKG}.BuildImage=$(TRIDENT_DIST_TAG)\""
+BUILD_FLAGS = "-s -w -X \"${TRIDENT_CONFIG_PKG}.BuildHash=$(GITHASH)\" -X \"${TRIDENT_CONFIG_PKG}.BuildType=$(BUILD_TYPE)\" -X \"${TRIDENT_CONFIG_PKG}.BuildTypeRev=$(BUILD_TYPE_REV)\" -X \"${TRIDENT_CONFIG_PKG}.BuildTime=$(BUILD_TIME)\" -X \"${TRIDENT_CONFIG_PKG}.BuildImage=$(TRIDENT_DIST_TAG)\""
 
 ## Trident build targets
 
-trident_retag:
-	-docker volume rm $(TRIDENT_VOLUME) || true
-	-docker tag ${TRIDENT_TAG} ${TRIDENT_TAG_OLD}
-	-docker rmi ${TRIDENT_TAG}
-
-operator_retag:
-	cd operator && $(MAKE) retag
-
-trident_build: trident_retag
+trident_build:
 	@mkdir -p ${BIN_DIR}
 	@chmod 777 ${BIN_DIR}
 	@${GO_LINUX} ${BUILD} -ldflags $(BUILD_FLAGS) -o ${TRIDENT_VOLUME_PATH}/bin/${BIN}
 	@${GO_LINUX} ${BUILD} -ldflags $(BUILD_FLAGS) -o ${TRIDENT_VOLUME_PATH}/bin/${CLI_BIN} ${CLI_PKG}
-	cp ${BIN_DIR}/${BIN} .
-	cp ${BIN_DIR}/${CLI_BIN} .
+	@${GO_LINUX} ${BUILD} -ldflags $(BUILD_FLAGS) -o ${TRIDENT_VOLUME_PATH}/bin/chwrap chwrap/chwrap.go
+	cp ${BIN_DIR}/${BIN} ${BIN_DIR}/${CLI_BIN} .
+	chwrap/make-tarball.sh ${BIN_DIR}/chwrap chwrap.tar
 	docker build --build-arg PORT=${PORT} --build-arg BIN=${BIN} --build-arg CLI_BIN=${CLI_BIN} --build-arg K8S=${K8S} -t ${TRIDENT_TAG} --rm .
 ifdef REGISTRY_ADDR
 	docker push ${TRIDENT_TAG}
 endif
-	rm ${BIN}
-	rm ${CLI_BIN}
-	-docker rmi ${TRIDENT_TAG_OLD}
+	rm ${BIN} ${CLI_BIN} chwrap.tar
 
 tridentctl_build:
 	@mkdir -p ${BIN_DIR}

chwrap/chwrap.go

@@ -0,0 +1,80 @@
+/*
+ *  Copyright (c) 2020 NetApp
+ *  All rights reserved
+ */
+
+package main
+
+import (
+	"os"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+func validBinary(path string) bool {
+	var stat unix.Stat_t
+	if err := unix.Stat(path, &stat); nil != err {
+		// Can't stat file
+		return false
+	}
+	if (stat.Mode&unix.S_IFMT) != unix.S_IFREG && (stat.Mode&unix.S_IFMT) != unix.S_IFLNK {
+		// Not a regular file or symlink
+		return false
+	}
+	if 0 == stat.Mode&unix.S_IRUSR || 0 == stat.Mode&unix.S_IXUSR {
+		// Not readable or not executable
+		return false
+	}
+	return true
+}
+
+func findBinary(prefix, binary string) string {
+	for _, part1 := range []string{"usr/local/", "usr/", ""} {
+		for _, part2 := range []string{"sbin", "bin"} {
+			path := "/" + part1 + part2 + "/" + binary
+			if validBinary(prefix + path) {
+				return path
+			}
+		}
+	}
+	return ""
+}
+
+func modifyEnv(oldEnv []string) []string {
+	var newEnv []string
+	for _, e := range oldEnv {
+		if !strings.HasPrefix(e, "PATH=") {
+			newEnv = append(newEnv, e)
+		}
+	}
+	newEnv = append(newEnv, "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
+	return newEnv
+}
+
+func main() {
+	// First modify argv0 to strip off any absolute or relative paths
+	argv := os.Args
+	binary := argv[0]
+	idx := strings.LastIndexByte(binary, '/')
+	if 0 <= idx {
+		binary = binary[idx+1:]
+	}
+	// Now implement the path search logic, but in the host's filesystem
+	argv0 := findBinary("/host", binary)
+	if "" == argv0 {
+		panic(binary + " not found")
+	}
+	// Chroot in the the host's FS
+	if err := unix.Chroot("/host"); nil != err {
+		panic(err)
+	}
+	// Change cwd to the root
+	if err := unix.Chdir("/"); nil != err {
+		panic(err)
+	}
+	// Exec the intended binary
+	if err := unix.Exec(argv0, argv, modifyEnv(os.Environ())); nil != err {
+		panic(err)
+	}
+}

chwrap/make-tarball.sh

@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+[ -n "$1" ] && [ -n "$2" ] || exit 1
+
+PREFIX=/tmp/$(uuidgen)
+mkdir -p $PREFIX/netapp
+cp "$1" $PREFIX/netapp/chwrap
+for BIN in blkid blockdev cat dd df free iscsiadm ls lsblk lsscsi mkdir mkfs.ext3 mkfs.ext4 mkfs.xfs mount multipath multipathd pgrep resize2fs rmdir stat umount xfs_growfs ; do
+  ln -s chwrap $PREFIX/netapp/$BIN
+done
+tar --owner=0 --group=0 -C $PREFIX -cf "$2" netapp
+rm -rf $PREFIX

cli/cmd/pause.go

@@ -0,0 +1,27 @@
+/*
+ *  Copyright (c) 2020 NetApp
+ *  All rights reserved
+ */
+
+package cmd
+
+import (
+	"time"
+
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	RootCmd.AddCommand(pauseCmd)
+}
+
+var pauseCmd = &cobra.Command{
+	Use:    "pause",
+	Short:  "Sleep forever",
+	Hidden: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		for {
+			time.Sleep(time.Second)
+		}
+	},
+}

cli/k8s_client/yaml_factory.go

@@ -287,7 +287,7 @@ spec:
       - name: trident-main
         image: {TRIDENT_IMAGE}
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--crd_persistence"
         - "--k8s_pod"
@@ -443,7 +443,7 @@ spec:
         - containerPort: 8443
         - containerPort: 8001
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--crd_persistence"
         - "--k8s_pod"
@@ -577,7 +577,7 @@ spec:
         - containerPort: 8443
         - containerPort: 8001
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--crd_persistence"
         - "--k8s_pod"
@@ -699,7 +699,7 @@ spec:
         - containerPort: 8443
         - containerPort: 8001
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--crd_persistence"
         - "--k8s_pod"
@@ -833,7 +833,7 @@ spec:
         - containerPort: 8443
         - containerPort: 8001
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--crd_persistence"
         - "--k8s_pod"
@@ -1017,7 +1017,7 @@ spec:
           allowPrivilegeEscalation: true
         image: {TRIDENT_IMAGE}
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--no_persistence"
         - "--rest=false"
@@ -1035,7 +1035,7 @@ spec:
         - name: CSI_ENDPOINT
           value: unix://plugin/csi.sock
         - name: PATH
-          value: /netapp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+          value: /netapp:/bin
         volumeMounts:
         - name: plugin-dir
           mountPath: /plugin
@@ -1154,7 +1154,7 @@ spec:
           allowPrivilegeEscalation: true
         image: {TRIDENT_IMAGE}
         command:
-        - /usr/local/bin/trident_orchestrator
+        - /trident_orchestrator
         args:
         - "--no_persistence"
         - "--rest=false"
@@ -1172,7 +1172,7 @@ spec:
         - name: CSI_ENDPOINT
           value: unix://plugin/csi.sock
         - name: PATH
-          value: /netapp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+          value: /netapp:/bin
         volumeMounts:
         - name: plugin-dir
           mountPath: /plugin
@@ -1499,8 +1499,8 @@ spec:
   - name: trident-main
     imagePullPolicy: IfNotPresent
     image: {TRIDENT_IMAGE}
-    command: ["sleep"]
-    args: ["60"]
+    command: ["tridentctl"]
+    args: ["pause"]
   {IMAGE_PULL_SECRETS}
   nodeSelector:
     beta.kubernetes.io/os: linux

contrib/trident.service.example

@@ -6,7 +6,7 @@ After=docker.service
 [Service]
 Type=Simple
 Restart=always
-ExecStart=/usr/local/bin/trident --config=/etc/netappdvp/configuration.json
+ExecStart=/trident --config=/etc/netappdvp/configuration.json
 
 [Install]
 WantedBy=multi-user.target

deploy/bundle.yaml

@@ -354,7 +354,7 @@ spec:
     spec:
       containers:
       - command:
-        - /usr/local/bin/trident-operator
+        - /trident-operator
         - --debug
         env:
         - name: POD_NAME

deploy/operator.yaml

@@ -22,7 +22,7 @@ spec:
         - name: trident-operator
           image: netapp/trident-operator:20.10.0
           command:
-          - "/usr/local/bin/trident-operator"
+          - "/trident-operator"
           - "--debug"
           imagePullPolicy: IfNotPresent
           env:

docker-compose.yml

@@ -9,7 +9,7 @@ services:
      - /dev:/dev
     privileged: true
     tty: true
-    command: /usr/local/bin/trident_orchestrator -address "" -port "${PORT}" -etcd_v2 http://etcd:2379 -k8s_api_server "${K8S}"
+    command: /trident_orchestrator -address "" -port "${PORT}" -etcd_v2 http://etcd:2379 -k8s_api_server "${K8S}"
     depends_on:
      - etcd  
   etcd:

docs/docker/install/host_config.rst

@@ -131,7 +131,7 @@ Traditional Install Method (Docker <= 1.12)
       tar zxf trident-installer-19.10.0.tar.gz
 
       # move to a location in the bin path
-      sudo mv trident-installer/extras/bin/trident /usr/local/bin
+      sudo mv trident-installer/extras/bin/trident /usr/local/bin/
       sudo chown root:root /usr/local/bin/trident
       sudo chmod 755 /usr/local/bin/trident