add multiarch container build (#738)

* add multiarch container build * update changelog --------- Co-authored-by: Jörg Zimmermann <[email protected]>
fkie-cad · Jan 13, 2025 · 3e9cfd5 · 3e9cfd5
1 parent 4938911
commit 3e9cfd5
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 37 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -6,4 +6,6 @@ htmlcov
 logs
 coverage.xml
 notebooks
-
+examples
+target
+logprep.egg-info
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -14,15 +14,37 @@ on:
 
 jobs:
   containerbuild:
+    timeout-minutes: 20
     runs-on: ubuntu-latest
     strategy:
       matrix:
         python-version: ["3.11", "3.12", "3.13"]
-
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+
+      - name: Set up SSH
+        uses: MrSquaare/ssh-setup-action@v3
+        with:
+          host: ${{ secrets.DOCKER_BUILD_SERVER_01 }}
+          private-key: ${{ secrets.DOCKER_BUILD_SERVER_IDENTITY_FILE }}
+
+      - name: Set up SSH
+        uses: MrSquaare/ssh-setup-action@v3
+        with:
+          host: ${{ secrets.DOCKER_BUILD_SERVER_02 }}
+          private-key: ${{ secrets.DOCKER_BUILD_SERVER_IDENTITY_FILE }}
+
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
@@ -44,42 +66,44 @@ jobs:
               file.write(f"tags={', '.join(full_image)}")
           EOF
 
-      - name: Build image and export to Docker
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+          platforms: linux/amd64
+          append: |
+            - endpoint: ssh://root@${{ secrets.DOCKER_BUILD_SERVER_01 }}
+              platforms: linux/arm64
+            - endpoint: ssh://root@${{ secrets.DOCKER_BUILD_SERVER_02 }}
+              platforms: linux/arm64
+
+      - name: Build image and push to registry
         uses: docker/build-push-action@v6
-        id: build
+        id: build-and-push
         with:
           context: .
-          load: true
+          push: true
           build-args: |
             LOGPREP_VERSION=${{ inputs.build-version }}
             PYTHON_VERSION=${{ matrix.python-version }}
+            tags: ${{ steps.image-tag.outputs.tags }}
+            platforms: "linux/arm64,linux/amd64"
           tags: ${{ steps.image-tag.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Extract image ID from sha256
-        id: imageid
+        id: pushed-imageid
         run: |
           python - <<EOF
           import os
-          digest = "${{ steps.build.outputs.ImageID }}"
+          imageid = "${{ steps.build-and-push.outputs.ImageID }}"
+          digest = "${{ steps.build-and-push.outputs.Digest }}"
           with open(os.environ['GITHUB_OUTPUT'], 'a') as file:
-              file.write(f"imageid={digest.split(':')[1]}")
+              file.write(f"digest={digest.split(':')[1]}")
+              file.write(f"imageid={imageid.split(':')[1]}")
           EOF
 
-      - name: Ensure logprep is available in image
-        run: |
-          docker run --rm ${{ steps.imageid.outputs.imageid }} --version
-
-      - name: Push image
-        uses: docker/build-push-action@v6
-        id: build-and-push
-        with:
-          context: .
-          push: true
-          build-args: |
-            LOGPREP_VERSION=${{ inputs.build-version }}
-            PYTHON_VERSION=${{ matrix.python-version }}
-          tags: ${{ steps.image-tag.outputs.tags }}
-
       - name: Install Cosign
         uses: sigstore/[email protected]
         with:
@@ -88,14 +112,14 @@ jobs:
       - name: Create SBOM of container image
         uses: anchore/sbom-action@v0
         with:
-          image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
-          artifact-name: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
-          output-file: logprep@${{ steps.imageid.outputs.imageid }}.spdx.json
+          image: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.Digest }}
+          artifact-name: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
+          output-file: logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json
 
       - name: Sign image with a key and add sbom attestation
         run: |
           cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
-          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.imageid.outputs.imageid }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate logprep@${{ steps.pushed-imageid.outputs.digest }}.spdx.json ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -116,6 +140,7 @@ jobs:
         uses: aquasecurity/[email protected]
         env:
           TRIVY_CACHE_DIR: ./cache
+          TRIVY_PLATFORM: linux/amd64
         with:
           scan-type: image
           image-ref: ghcr.io/fkie-cad/logprep@${{ steps.build-and-push.outputs.digest }}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,15 @@
 ### Improvements
 ### Bugfix
 
+## 15.1.0
+### Breaking
+### Features
+
+* add multiarch container builds for AMD64 and ARM64
+
+### Improvements
+### Bugfix
+
 ## 15.0.0
 ### Breaking
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,34 +1,39 @@
 ARG PYTHON_VERSION=3.11
 
-FROM bitnami/python:${PYTHON_VERSION} as build
+FROM bitnami/python:${PYTHON_VERSION} AS base
 ARG LOGPREP_VERSION=latest
-ARG http_proxy
-ARG https_proxy
-ARG no_proxy
 
-ADD . /logprep
-WORKDIR /logprep
+# remove python-dev and upgrade packages
+RUN apt-get update && apt-get purge -y python-dev && \
+    apt-get update && apt-get upgrade -y && apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+FROM base AS prebuild
 
 # Install the Rust toolchain
 RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
 
+FROM prebuild AS build
+ADD . /logprep
+WORKDIR /logprep
+
 # Use a python virtual environment
 RUN python -m venv --upgrade-deps /opt/venv
 ENV PATH="/opt/venv/bin:$PATH"
 
 
-RUN if [ "$LOGPREP_VERSION" = "dev" ]; then pip install .;\
-    elif [ "$LOGPREP_VERSION" = "latest" ]; then pip install git+https://github.com/fkie-cad/Logprep.git@latest; \
-    else pip install "logprep==$LOGPREP_VERSION"; fi; \
+RUN if [ "$LOGPREP_VERSION" = "dev" ]; then pip install . ;\
+    elif [ "$LOGPREP_VERSION" = "latest" ]; then pip install git+https://github.com/fkie-cad/Logprep.git@latest ; \
+    else pip install "logprep==$LOGPREP_VERSION" ; fi; \
     /opt/venv/bin/logprep --version
 
 # geoip2 4.8.0 lists a vulnerable setuptools version as a dependency. setuptools is unneeded at runtime, so it is uninstalled.
 # More recent (currently unreleased) versions of geoip2 removed setuptools from dependencies.
 RUN pip uninstall -y setuptools
 
 
-FROM bitnami/python:${PYTHON_VERSION} as prod
+FROM base AS prod
 ARG http_proxy
 ARG https_proxy
 COPY --from=build /opt/venv /opt/venv