diff --git a/.evergreen/config_generator/components/docker_build.py b/.evergreen/config_generator/components/docker_build.py index 5d35f30ef3..c4afbe1c32 100644 --- a/.evergreen/config_generator/components/docker_build.py +++ b/.evergreen/config_generator/components/docker_build.py @@ -7,6 +7,7 @@ from shrub.v3.evg_build_variant import BuildVariant from shrub.v3.evg_command import EvgCommandType from shrub.v3.evg_task import EvgTask, EvgTaskRef +from shrub.v3.evg_command import KeyValueParam, ec2_assume_role, expansions_update TAG = 'docker-build' 
@@ -24,24 +25,43 @@ class DockerImageBuild(Function): name = 'docker-image-build' - commands = bash_exec( - command_type=EvgCommandType.TEST, - working_dir='mongo-cxx-driver', - script='''\ - set -o errexit - set -o pipefail - docker login -u "${ARTIFACTORY_USER}" --password-stdin artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD}" - set -x - echo "Building Alpine Docker image" - make -C extras/docker/alpine3.19 nocachebuild test - echo "Building Debian Docker image" - make -C extras/docker/bookworm nocachebuild test - echo "Building Red Hat UBI Docker image" - make -C extras/docker/redhat-ubi-9.4 nocachebuild test - echo "Building Ubuntu Docker image" - make -C extras/docker/noble nocachebuild test - ''' - ) + commands = [ + # Avoid inadvertently using a pre-existing and potentially conflicting Docker config. + expansions_update(updates=[KeyValueParam(key='DOCKER_CONFIG', value='${workdir}/.docker')]), + ec2_assume_role(role_arn='arn:aws:iam::901841024863:role/ecr-role-evergreen-ro'), + bash_exec( + command_type=EvgCommandType.SETUP, + include_expansions_in_env=[ + "AWS_ACCESS_KEY_ID", + "AWS_SECRET_ACCESS_KEY", + "AWS_SESSION_TOKEN", + "DOCKER_CONFIG", + ], + script='aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com', + ), + bash_exec( + command_type=EvgCommandType.TEST, + working_dir='mongo-cxx-driver', + env={ + # Use Amazon ECR as pull-through cache for DockerHub to avoid rate limits. 
+ "DEFAULT_SEARCH_REGISTRY": "901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub", + }, + include_expansions_in_env=['DOCKER_CONFIG'], + script='''\ + set -o errexit + set -o pipefail + set -x + echo "Building Alpine Docker image" + make -C extras/docker/alpine3.19 nocachebuild test + echo "Building Debian Docker image" + make -C extras/docker/bookworm nocachebuild test + echo "Building Red Hat UBI Docker image" + make -C extras/docker/redhat-ubi-9.4 nocachebuild test + echo "Building Ubuntu Docker image" + make -C extras/docker/noble nocachebuild test + ''', + ), + ] def functions(): @@ -62,7 +82,7 @@ def tasks(): commands=[ Setup.call(), DockerImageBuild.call(), - ] + ], ) ) diff --git a/.evergreen/config_generator/components/sbom.py b/.evergreen/config_generator/components/sbom.py index 50f7c7cd46..ed01ef68f3 100644 --- a/.evergreen/config_generator/components/sbom.py +++ b/.evergreen/config_generator/components/sbom.py @@ -5,11 +5,17 @@ from config_generator.etc.utils import bash_exec from shrub.v3.evg_build_variant import BuildVariant -from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, ec2_assume_role, expansions_update, s3_put +from shrub.v3.evg_command import ( + BuiltInCommand, + EvgCommandType, + KeyValueParam, + ec2_assume_role, + expansions_update, + s3_put, +) from shrub.v3.evg_task import EvgTask, EvgTaskRef from pydantic import ConfigDict -from typing import Optional TAG = 'sbom' 
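Review bot: The new ECR login step in `DockerImageBuild.commands` runs `aws ecr get-login-password | docker login` as a bare one-liner, without the `set -o errexit` / `set -o pipefail` that the build script in the same list keeps. A failure of the `aws` half is then only reported through whatever `docker login` does with empty stdin, so I would start the script with `set -o errexit -o pipefail`. The `podman login` step added to `CheckAugmentedSBOM` in sbom.py has the same shape. The account id and registry host are also spelled out three times in this hunk (role ARN, login host, `DEFAULT_SEARCH_REGISTRY`); a module-level constant next to `TAG` would keep them from drifting. Because `docker login` presumably stores the token under `${workdir}/.docker`, a short comment saying whether that directory is removed after the task would help the next reader.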
@@ -23,31 +29,50 @@ class CustomCommand(BuiltInCommand): class CheckAugmentedSBOM(Function): name = 'check augmented sbom' commands = [ - ec2_assume_role( - command_type=EvgCommandType.SETUP, - role_arn='${KONDUKTO_ROLE_ARN}', - ), - bash_exec( - command_type=EvgCommandType.SETUP, - include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'], - script='''\ - set -o errexit - set -o pipefail - kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" - printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml - ''', - ), - expansions_update( - command_type=EvgCommandType.SETUP, - file='expansions.kondukto.yml', - ), + # Authenticate with Kondukto. + *[ + ec2_assume_role( + command_type=EvgCommandType.SETUP, + role_arn='${KONDUKTO_ROLE_ARN}', + ), + bash_exec( + command_type=EvgCommandType.SETUP, + include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'], + script='''\ + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml + ''', + ), + expansions_update( + command_type=EvgCommandType.SETUP, + file='expansions.kondukto.yml', + ), + ], + # Authenticate with Amazon ECR. + *[ + # Avoid inadvertently using a pre-existing and potentially conflicting Docker config. + # Note: podman understands and uses DOCKER_CONFIG despite the name. 
+ expansions_update(updates=[KeyValueParam(key='DOCKER_CONFIG', value='${workdir}/.docker')]), + ec2_assume_role(role_arn='arn:aws:iam::901841024863:role/ecr-role-evergreen-ro'), + bash_exec( + command_type=EvgCommandType.SETUP, + include_expansions_in_env=[ + 'AWS_ACCESS_KEY_ID', + 'AWS_SECRET_ACCESS_KEY', + 'AWS_SESSION_TOKEN', + 'DOCKER_CONFIG', + ], + script='aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com', + ), + ], bash_exec( command_type=EvgCommandType.TEST, working_dir='mongo-cxx-driver', include_expansions_in_env=[ - 'ARTIFACTORY_PASSWORD', - 'ARTIFACTORY_USER', 'branch_name', + 'DOCKER_CONFIG', 'KONDUKTO_TOKEN', ], script='.evergreen/scripts/sbom.sh', diff --git a/.evergreen/generated_configs/functions.yml b/.evergreen/generated_configs/functions.yml index e632dfde7f..16633e220a 100644 --- a/.evergreen/generated_configs/functions.yml +++ b/.evergreen/generated_configs/functions.yml @@ -246,15 +246,33 @@ functions: type: setup params: file: expansions.kondukto.yml + - command: expansions.update + params: + updates: + - { key: DOCKER_CONFIG, value: "${workdir}/.docker" } + - command: ec2.assume_role + params: + role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + - DOCKER_CONFIG + args: + - -c + - aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com - command: subprocess.exec type: test params: binary: bash working_dir: mongo-cxx-driver include_expansions_in_env: - - ARTIFACTORY_PASSWORD - - ARTIFACTORY_USER - branch_name + - DOCKER_CONFIG - KONDUKTO_TOKEN args: - -c 
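Review bot: The second `ec2_assume_role` in `CheckAugmentedSBOM.commands` appears to replace the `AWS_*` expansions obtained for `${KONDUKTO_ROLE_ARN}`, since both login scripts read the same three expansion names. The two groups therefore only work in this order, and that dependency is not stated anywhere. A comment on the ECR group such as `# Must run after the Kondukto group: this assume_role overwrites the AWS_* expansions.` would protect against a later reorder. The ECR `expansions_update` and `ec2_assume_role` calls also omit the `command_type=EvgCommandType.SETUP` that the Kondukto calls pass, which looks unintentional. The group duplicates the one in docker_build.py apart from `podman` versus `docker`, so a shared helper in `config_generator` may be worth adding.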
@@ -328,26 +346,48 @@ functions: - -c - .evergreen/scripts/compile.sh docker-image-build: - command: subprocess.exec - type: test - params: - binary: bash - working_dir: mongo-cxx-driver - args: - - -c - - | - set -o errexit - set -o pipefail - docker login -u "${ARTIFACTORY_USER}" --password-stdin artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD}" - set -x - echo "Building Alpine Docker image" - make -C extras/docker/alpine3.19 nocachebuild test - echo "Building Debian Docker image" - make -C extras/docker/bookworm nocachebuild test - echo "Building Red Hat UBI Docker image" - make -C extras/docker/redhat-ubi-9.4 nocachebuild test - echo "Building Ubuntu Docker image" - make -C extras/docker/noble nocachebuild test + - command: expansions.update + params: + updates: + - { key: DOCKER_CONFIG, value: "${workdir}/.docker" } + - command: ec2.assume_role + params: + role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + - DOCKER_CONFIG + args: + - -c + - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com + - command: subprocess.exec + type: test + params: + binary: bash + working_dir: mongo-cxx-driver + env: + DEFAULT_SEARCH_REGISTRY: 901841024863.dkr.ecr.us-east-1.amazonaws.com/dockerhub + include_expansions_in_env: + - DOCKER_CONFIG + args: + - -c + - | + set -o errexit + set -o pipefail + set -x + echo "Building Alpine Docker image" + make -C extras/docker/alpine3.19 nocachebuild test + echo "Building Debian Docker image" + make -C extras/docker/bookworm nocachebuild test + echo "Building Red Hat UBI Docker image" + make -C extras/docker/redhat-ubi-9.4 nocachebuild test + echo "Building Ubuntu Docker image" + make -C extras/docker/noble nocachebuild test fetch-det: - command: subprocess.exec type: 
setup diff --git a/.evergreen/scripts/sbom.sh b/.evergreen/scripts/sbom.sh index 2791c5fcde..f3949b44e0 100755 --- a/.evergreen/scripts/sbom.sh +++ b/.evergreen/scripts/sbom.sh @@ -3,9 +3,8 @@ set -o errexit set -o pipefail -: "${ARTIFACTORY_USER:?}" -: "${ARTIFACTORY_PASSWORD:?}" : "${branch_name:?}" +: "${DOCKER_CONFIG:?}" : "${KONDUKTO_TOKEN:?}" command -v podman >/dev/null || { @@ -18,9 +17,7 @@ command -v jq >/dev/null || { exit 1 } -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0" +silkbomb="901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0" # Ensure latest version of SilkBomb is being used. podman pull "${silkbomb:?}" diff --git a/etc/garasign_dist_file.sh b/etc/garasign_dist_file.sh index 70746d6bbb..6644486725 100755 --- a/etc/garasign_dist_file.sh +++ b/etc/garasign_dist_file.sh @@ -19,15 +19,8 @@ if ! command -v gpg >/dev/null; then echo "gpg is required to verify distribution tarball signature" 1>&2 fi -artifactory_creds=~/.secrets/artifactory-creds.txt garasign_creds=~/.secrets/garasign-creds.txt -unset ARTIFACTORY_USER ARTIFACTORY_PASSWORD -# shellcheck source=/dev/null -. "${artifactory_creds:?}" -: "${ARTIFACTORY_USER:?"missing ARTIFACTORY_USER in ${artifactory_creds:?}"}" -: "${ARTIFACTORY_PASSWORD:?"missing ARTIFACTORY_PASSWORD in ${artifactory_creds:?}"}" - unset GRS_CONFIG_USER1_USERNAME GRS_CONFIG_USER1_PASSWORD # shellcheck source=/dev/null . "${garasign_creds:?}" 
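Review bot: `DOCKER_CONFIG` is now a required variable in sbom.sh, but nothing in the visible hunks references it, so the reason for the check is implicit. A comment above the check, e.g. `# podman reads registry credentials from DOCKER_CONFIG; the Evergreen function logs in to Amazon ECR before this script runs.`, would make the dependency on the prior login step explicit now that the script no longer authenticates itself. The rest of the script lies outside the hunks, so this assumes no later line uses the variable directly.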
@@ -37,10 +30,8 @@ unset GRS_CONFIG_USER1_USERNAME GRS_CONFIG_USER1_PASSWORD dist_file="${1:?}" dist_file_signed="${dist_file:?}.asc" -"${launcher:?}" login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - # Ensure latest version of Garasign is being used. -"${launcher:?}" pull artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg +"${launcher:?}" pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-gpg plugin_commands=( gpg --yes -v --armor -o "${dist_file_signed:?}" --detach-sign "${dist_file:?}" @@ -51,7 +42,7 @@ plugin_commands=( --rm \ -v "$(pwd):$(pwd)" \ -w "$(pwd)" \ - artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg + 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-gpg # Validate the signature file works as intended. ( diff --git a/etc/garasign_release_tag.sh b/etc/garasign_release_tag.sh index a84930df7d..eacb7d0e1b 100755 --- a/etc/garasign_release_tag.sh +++ b/etc/garasign_release_tag.sh 
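Review bot: The Garasign image reference is written out in full twice in garasign_dist_file.sh (the `pull` line and the final argument of the `run` command) and carries no tag, so both resolve to whatever `latest` is at release time. Holding it in one variable, as sbom.sh does with `silkbomb`, keeps the two from drifting: `garasign_image="901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-gpg"` and then `"${launcher:?}" pull "${garasign_image:?}"`. For an image that produces release signatures, pinning a tag or digest in that variable is worth considering, although the existing comment suggests tracking the latest version is deliberate. garasign_release_tag.sh has the same pattern with `garasign-git`.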
@@ -17,25 +17,16 @@ if ! command -v "${launcher:?}" >/dev/null; then echo "${launcher:?} is required to create a GPG-signed release tag" 1>&2 fi -artifactory_creds=~/.secrets/artifactory-creds.txt garasign_creds=~/.secrets/garasign-creds.txt -unset ARTIFACTORY_USER ARTIFACTORY_PASSWORD -# shellcheck source=/dev/null -. "${artifactory_creds:?}" -: "${ARTIFACTORY_USER:?"missing ARTIFACTORY_USER in ${artifactory_creds:?}"}" -: "${ARTIFACTORY_PASSWORD:?"missing ARTIFACTORY_PASSWORD in ${artifactory_creds:?}"}" - unset GRS_CONFIG_USER1_USERNAME GRS_CONFIG_USER1_PASSWORD # shellcheck source=/dev/null . "${garasign_creds:?}" : "${GRS_CONFIG_USER1_USERNAME:?"missing GRS_CONFIG_USER1_USERNAME in ${garasign_creds:?}"}" : "${GRS_CONFIG_USER1_PASSWORD:?"missing GRS_CONFIG_USER1_PASSWORD in ${garasign_creds:?}"}" -"${launcher:?}" login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - # Ensure latest version of Garasign is being used. -"${launcher:?}" pull artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-git +"${launcher:?}" pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-git # Sign using "MongoDB C++ Release Signing Key " from https://pgp.mongodb.com/ (cpp-driver). git_tag_command=( @@ -57,7 +48,7 @@ plugin_commands+=" && ${git_tag_command[*]:?}" --rm \ -v "$(pwd):$(pwd)" \ -w "$(pwd)" \ - artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-git + 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/garasign-git # Validate the release tag is signed as intended. ( diff --git a/etc/releasing.md b/etc/releasing.md index 225c69164b..86e6dff633 100644 --- a/etc/releasing.md +++ b/etc/releasing.md 
@@ -55,13 +55,19 @@ Some release steps require one or more of the following secrets. ``` - See [Jira: Personal Access Tokens (PATs)](https://wiki.corp.mongodb.com/spaces/TOGETHER/pages/218995581/Jira+Personal+Access+Tokens+PATs) for steps to create a token. -- Artifactory credentials. - - Location: `~/.secrets/artifactory-creds.txt`: - - Format: - ```bash - ARTIFACTORY_USER= - ARTIFACTORY_PASSWORD= - ``` +- Amazon ECR credentials + - Description: use [Amazon CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) to obtain [short-term credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-short-term.html) with [AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html): + - Instructions: + - Configure a `` (e.g. "amazon-ecr") with the following options using `aws configure sso` or modifying `$HOME/.aws/config`: + - `sso_session`: `` (e.g. username, purpose, etc.) + - `sso_account_id`: `901841024863` (aka `devprod-platforms-ecr`) + - `sso_region`: `us-east-1` + - `sso_registration_scopes`: `sso:account:access` (default) + - `sso_role_name`: `ECRScopedAccess` (default) + - `sso_start_url`: `https://d-9067613a84.awsapps.com/start#/` + - (Re-)authenticate by running `aws sso login --profile ` or `aws sso login --sso-session `. + - Forward the short-term credentials to `podman` or `docker`: + - `aws ecr get-login-password --profile | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com` - Garasign credentials - Location: `~/.secrets/garasign-creds.txt` - Format: 
@@ -114,22 +120,18 @@ All issues with an Impact level of "Medium" or greater which do not have a "Mong ### SBOM Lite +Ensure the container engine (e.g. `podman` or `docker`) is authenticated with the DevProd-provided Amazon ECR instance. + Ensure the list of bundled dependencies in `etc/purls.txt` is up-to-date. If not, update `etc/purls.txt`. If `etc/purls.txt` was updated, update the SBOM Lite document using the following command(s): ```bash -# Artifactory credentials. -. $HOME/.secrets/artifactory-creds.txt - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - # Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 +podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 # Output: "... writing sbom to file" -podman run -it --rm -v "$(pwd):/pwd" artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \ +podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ``` @@ -322,7 +324,7 @@ The following secrets are required by this script: - GitHub Personal Access Token. - Jira Personal Access Token. -- Artifactory credentials. +- Amazon ECR credentials. - Garasign credentials. Run the release script with the name of the tag to be created as an argument and 
@@ -449,17 +451,11 @@ The new branch should be continuously tested on Evergreen. Update the "Display N Update `etc/cyclonedx.sbom.json` with a new unique serial number for the next upcoming patch release (e.g. for `1.3.1` following the release of `1.3.0`): ```bash -# Artifactory credentials. -. $HOME/.secrets/artifactory-creds.txt - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - # Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 +podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 # Output: "... writing sbom to file" -podman run -it --rm -v "$(pwd):/pwd" artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \ +podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update --refresh --generate-new-serial-number -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ``` 
@@ -533,17 +529,11 @@ In `README.md`, sync the "Driver Development Status" table with the updated tabl Update `etc/cyclonedx.sbom.json` with a new unique serial number for the next upcoming non-patch release (e.g. for `1.4.0` following the release of `1.3.0`): ```bash -# Artifactory credentials. -. $HOME/.secrets/artifactory-creds.txt - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - # Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 +podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 # Output: "... writing sbom to file" -podman run -it --rm -v "$(pwd):/pwd" artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \ +podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update --refresh --generate-new-serial-number -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ``` diff --git a/extras/docker/Dockerfile.j2 b/extras/docker/Dockerfile.j2 index 0d5bbbdd35..0f975042f2 100644 --- a/extras/docker/Dockerfile.j2 +++ b/extras/docker/Dockerfile.j2 @@ -1,3 +1,6 @@ +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG default_search_registry=docker.io + FROM {{ base_image }} AS builder ARG MONGOCXX_VERSION={{ mongocxx_version }} diff --git a/extras/docker/Makefile.j2 b/extras/docker/Makefile.j2 index c5f154cb1a..41105d8856 100644 --- a/extras/docker/Makefile.j2 +++ b/extras/docker/Makefile.j2 
@@ -1,14 +1,15 @@ MONGOCXX_VERSION={{ mongocxx_version }} DOCKER=docker +DEFAULT_SEARCH_REGISTRY?=docker.io .PHONY: build build: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-{{ distro }} .PHONY: nocachebuild nocachebuild: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ --no-cache \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-{{ distro }} @@ -18,6 +19,6 @@ run: | $(filter nocachebuild build, $(MAKECMDGOALS)) .PHONY: test test: | $(filter nocachebuild build, $(MAKECMDGOALS)) - $(DOCKER) build . --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-{{ distro }} + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ + --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-{{ distro }} $(DOCKER) run test-mongocxx-driver-image:$(MONGOCXX_VERSION)-{{ distro }} - diff --git a/extras/docker/TestDockerfile.j2 b/extras/docker/TestDockerfile.j2 index 9991557e6c..6cf88e0938 100644 --- a/extras/docker/TestDockerfile.j2 +++ b/extras/docker/TestDockerfile.j2 @@ -1,4 +1,7 @@ -FROM mongodb/mongo-cxx-driver:{{ mongocxx_version }}-{{ distro }} +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG DEFAULT_SEARCH_REGISTRY=docker.io + +FROM ${DEFAULT_SEARCH_REGISTRY}/mongodb/mongo-cxx-driver:{{ mongocxx_version }}-{{ distro }} WORKDIR /build @@ -15,4 +18,3 @@ RUN g++ \ -lbsoncxx CMD /build/test - diff --git a/extras/docker/alpine3.19/Dockerfile b/extras/docker/alpine3.19/Dockerfile index 6753368ec0..3f6e980de0 100644 --- a/extras/docker/alpine3.19/Dockerfile +++ b/extras/docker/alpine3.19/Dockerfile 
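Review bot: TestDockerfile.j2 declares `ARG DEFAULT_SEARCH_REGISTRY`, but the `test` target in Makefile.j2 passes `--build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY)`; build-arg names are case-sensitive, so the value is never consumed and the `FROM` always expands with `docker.io`. That is probably what keeps the test working today: with the names aligned, `FROM` would point at the registry copy of `mongodb/mongo-cxx-driver` rather than the image that `build`/`nocachebuild` just tagged locally, and the test would exercise a published image instead of the new one. I would drop the `ARG` and keep `FROM mongodb/mongo-cxx-driver:{{ mongocxx_version }}-{{ distro }}`, and remove the unused `--build-arg` from the `test` recipe. The generated TestDockerfiles and Makefiles under each distro directory inherit the same mismatch.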
@@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file Dockerfile.j2 using the generate.py script -FROM artifactory.corp.mongodb.com/dockerhub/library/alpine:3.19 AS builder +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG default_search_registry=docker.io + +FROM ${default_search_registry}/library/alpine:3.19 AS builder ARG MONGOCXX_VERSION=3.10.1 ARG MONGOC_VERSION=1.27.1 @@ -60,8 +63,10 @@ RUN wget https://github.com/mongodb/mongo-cxx-driver/archive/refs/tags/r${MONGOC cmake --build mongocxx-build --config RelWithDebInfo && \ cmake --install mongocxx-build --config RelWithDebInfo --prefix /opt/mongocxx -FROM artifactory.corp.mongodb.com/dockerhub/library/alpine:3.19 +FROM ${default_search_registry}/library/alpine:3.19 RUN apk update && apk upgrade && apk add --no-cache openssl3 libstdc++ libc6-compat COPY --from=builder /opt/mongocxx /usr/local + +RUN true diff --git a/extras/docker/alpine3.19/Makefile b/extras/docker/alpine3.19/Makefile index 0973545c02..1ffbb2ac22 100644 --- a/extras/docker/alpine3.19/Makefile +++ b/extras/docker/alpine3.19/Makefile @@ -3,15 +3,16 @@ MONGOCXX_VERSION=3.10.1 DOCKER=docker +DEFAULT_SEARCH_REGISTRY?=docker.io .PHONY: build build: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-alpine3.19 .PHONY: nocachebuild nocachebuild: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ --no-cache \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-alpine3.19 
@@ -21,5 +22,6 @@ run: | $(filter nocachebuild build, $(MAKECMDGOALS)) .PHONY: test test: | $(filter nocachebuild build, $(MAKECMDGOALS)) - $(DOCKER) build . --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-alpine3.19 + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ + --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-alpine3.19 $(DOCKER) run test-mongocxx-driver-image:$(MONGOCXX_VERSION)-alpine3.19 diff --git a/extras/docker/alpine3.19/TestDockerfile b/extras/docker/alpine3.19/TestDockerfile index c4c87e26e1..64fb4fc53c 100644 --- a/extras/docker/alpine3.19/TestDockerfile +++ b/extras/docker/alpine3.19/TestDockerfile @@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file TestDockerfile.j2 using the generate.py script -FROM mongodb/mongo-cxx-driver:3.10.1-alpine3.19 +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG DEFAULT_SEARCH_REGISTRY=docker.io + +FROM ${DEFAULT_SEARCH_REGISTRY}/mongodb/mongo-cxx-driver:3.10.1-alpine3.19 WORKDIR /build diff --git a/extras/docker/bookworm/Dockerfile b/extras/docker/bookworm/Dockerfile index f45992a717..d4b667a247 100644 --- a/extras/docker/bookworm/Dockerfile +++ b/extras/docker/bookworm/Dockerfile @@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file Dockerfile.j2 using the generate.py script -FROM artifactory.corp.mongodb.com/dockerhub/library/debian:12-slim AS builder +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG default_search_registry=docker.io + +FROM ${default_search_registry}/library/debian:12-slim AS builder ARG MONGOCXX_VERSION=3.10.1 ARG MONGOC_VERSION=1.27.1 
@@ -60,7 +63,7 @@ RUN wget https://github.com/mongodb/mongo-cxx-driver/archive/refs/tags/r${MONGOC cmake --build mongocxx-build --config RelWithDebInfo && \ cmake --install mongocxx-build --config RelWithDebInfo --prefix /opt/mongocxx -FROM artifactory.corp.mongodb.com/dockerhub/library/debian:12-slim +FROM ${default_search_registry}/library/debian:12-slim RUN apt update && apt upgrade -y && apt install -y libssl3 && rm -rf /var/lib/apt/lists/* diff --git a/extras/docker/bookworm/Makefile b/extras/docker/bookworm/Makefile index ec9a707bcb..a608799eb0 100644 --- a/extras/docker/bookworm/Makefile +++ b/extras/docker/bookworm/Makefile @@ -3,15 +3,16 @@ MONGOCXX_VERSION=3.10.1 DOCKER=docker +DEFAULT_SEARCH_REGISTRY?=docker.io .PHONY: build build: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-bookworm .PHONY: nocachebuild nocachebuild: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ --no-cache \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-bookworm @@ -21,5 +22,6 @@ run: | $(filter nocachebuild build, $(MAKECMDGOALS)) .PHONY: test test: | $(filter nocachebuild build, $(MAKECMDGOALS)) - $(DOCKER) build . --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-bookworm + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ + --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-bookworm $(DOCKER) run test-mongocxx-driver-image:$(MONGOCXX_VERSION)-bookworm diff --git a/extras/docker/bookworm/TestDockerfile b/extras/docker/bookworm/TestDockerfile index daa9471f1a..3f89d440c5 100644 --- a/extras/docker/bookworm/TestDockerfile +++ b/extras/docker/bookworm/TestDockerfile 
@@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file TestDockerfile.j2 using the generate.py script -FROM mongodb/mongo-cxx-driver:3.10.1-bookworm +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG DEFAULT_SEARCH_REGISTRY=docker.io + +FROM ${DEFAULT_SEARCH_REGISTRY}/mongodb/mongo-cxx-driver:3.10.1-bookworm WORKDIR /build diff --git a/extras/docker/generate.py b/extras/docker/generate.py index 43521f2bf2..dadf42638a 100755 --- a/extras/docker/generate.py +++ b/extras/docker/generate.py @@ -1,5 +1,12 @@ #!/usr/bin/env python3 +# /// script +# requires-python = ">=3.8" +# dependencies = [ +# "jinja2", +# ] +# /// + from jinja2 import Environment from jinja2 import FileSystemLoader @@ -11,6 +18,9 @@ def render_template(template_filename, context): env = Environment(loader=FileSystemLoader(".")) + env.trim_blocks = True + env.lstrip_blocks = True + env.keep_trailing_newline = True template = env.get_template(template_filename) rendered = template.render(context) return rendered @@ -30,9 +40,9 @@ def render_template(template_filename, context): "redhat-ubi-9.4", ] base_image = { - "alpine3.19": "artifactory.corp.mongodb.com/dockerhub/library/alpine:3.19", - "bookworm": "artifactory.corp.mongodb.com/dockerhub/library/debian:12-slim", - "noble": "artifactory.corp.mongodb.com/dockerhub/library/ubuntu:24.04", + "alpine3.19": "${default_search_registry}/library/alpine:3.19", + "bookworm": "${default_search_registry}/library/debian:12-slim", + "noble": "${default_search_registry}/library/ubuntu:24.04", "redhat-ubi-9.4": "registry.access.redhat.com/ubi9/ubi-minimal:9.4", } test_dependency_install_command = { 
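Review bot: `render_template` still builds the `Environment` with Jinja's default `Undefined`, so a context key missing for one distro renders as an empty string and silently yields a broken or incomplete Dockerfile (for example an empty `FROM` image). Since the three whitespace options are being set here anyway, I would pass everything to the constructor and make lookups strict: `env = Environment(loader=FileSystemLoader("."), trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True, undefined=StrictUndefined)`, with `StrictUndefined` added to the `jinja2` imports at the top of the file. This assumes every template variable is meant to be defined for every distro.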
@@ -54,14 +64,14 @@ def render_template(template_filename, context): "redhat-ubi-9.4": "microdnf upgrade -y && microdnf install -y openssl", } post_install_commands = { - "alpine3.19": "", - "bookworm": "\nRUN ldconfig\n", - "noble": "\nRUN ldconfig\n", + "alpine3.19": "\nRUN true", + "bookworm": "\nRUN ldconfig", + "noble": "\nRUN ldconfig", "redhat-ubi-9.4": ( "\n" "RUN ldconfig\n" "\n" - 'ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/local/lib64/"\n' + 'ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/local/lib64/"' ), } for template, output_filename in templates: diff --git a/extras/docker/noble/Dockerfile b/extras/docker/noble/Dockerfile index a31cf2fa90..610f9a2a7e 100644 --- a/extras/docker/noble/Dockerfile +++ b/extras/docker/noble/Dockerfile @@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file Dockerfile.j2 using the generate.py script -FROM artifactory.corp.mongodb.com/dockerhub/library/ubuntu:24.04 AS builder +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG default_search_registry=docker.io + +FROM ${default_search_registry}/library/ubuntu:24.04 AS builder ARG MONGOCXX_VERSION=3.10.1 ARG MONGOC_VERSION=1.27.1 @@ -60,7 +63,7 @@ RUN wget https://github.com/mongodb/mongo-cxx-driver/archive/refs/tags/r${MONGOC cmake --build mongocxx-build --config RelWithDebInfo && \ cmake --install mongocxx-build --config RelWithDebInfo --prefix /opt/mongocxx -FROM artifactory.corp.mongodb.com/dockerhub/library/ubuntu:24.04 +FROM ${default_search_registry}/library/ubuntu:24.04 RUN apt update && apt upgrade -y && apt install -y libssl3 && rm -rf /var/lib/apt/lists/* diff --git a/extras/docker/noble/Makefile b/extras/docker/noble/Makefile index 0bb61c0b7d..1857a4ba95 100644 --- a/extras/docker/noble/Makefile +++ b/extras/docker/noble/Makefile 
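Review bot: The `alpine3.19` entry in `post_install_commands` changes from an empty string to `"\nRUN true"`, which puts a no-op instruction into the final stage of the Alpine image, apparently only to keep the rendered whitespace uniform. If that is the reason, a conditional in Dockerfile.j2 around the post-install block would avoid the extra layer; otherwise a comment such as `# No ldconfig on Alpine; placeholder keeps template output stable.` should say why it is there. The template body is outside this hunk, so the whitespace motive is inferred.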
@@ -3,15 +3,16 @@ MONGOCXX_VERSION=3.10.1 DOCKER=docker +DEFAULT_SEARCH_REGISTRY?=docker.io .PHONY: build build: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-noble .PHONY: nocachebuild nocachebuild: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ --no-cache \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-noble @@ -21,5 +22,6 @@ run: | $(filter nocachebuild build, $(MAKECMDGOALS)) .PHONY: test test: | $(filter nocachebuild build, $(MAKECMDGOALS)) - $(DOCKER) build . --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-noble + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ + --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-noble $(DOCKER) run test-mongocxx-driver-image:$(MONGOCXX_VERSION)-noble diff --git a/extras/docker/noble/TestDockerfile b/extras/docker/noble/TestDockerfile index fd5fa3b43b..2497b8b8be 100644 --- a/extras/docker/noble/TestDockerfile +++ b/extras/docker/noble/TestDockerfile @@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file TestDockerfile.j2 using the generate.py script -FROM mongodb/mongo-cxx-driver:3.10.1-noble +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG DEFAULT_SEARCH_REGISTRY=docker.io + +FROM ${DEFAULT_SEARCH_REGISTRY}/mongodb/mongo-cxx-driver:3.10.1-noble WORKDIR /build diff --git a/extras/docker/redhat-ubi-9.4/Dockerfile b/extras/docker/redhat-ubi-9.4/Dockerfile index 380f23d701..96166413f2 100644 --- a/extras/docker/redhat-ubi-9.4/Dockerfile +++ b/extras/docker/redhat-ubi-9.4/Dockerfile 
@@ -1,6 +1,9 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file Dockerfile.j2 using the generate.py script +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG default_search_registry=docker.io + FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4 AS builder ARG MONGOCXX_VERSION=3.10.1 diff --git a/extras/docker/redhat-ubi-9.4/Makefile b/extras/docker/redhat-ubi-9.4/Makefile index 839c86867c..58b0e16832 100644 --- a/extras/docker/redhat-ubi-9.4/Makefile +++ b/extras/docker/redhat-ubi-9.4/Makefile @@ -3,15 +3,16 @@ MONGOCXX_VERSION=3.10.1 DOCKER=docker +DEFAULT_SEARCH_REGISTRY?=docker.io .PHONY: build build: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-redhat-ubi-9.4 .PHONY: nocachebuild nocachebuild: - $(DOCKER) build . \ + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ --no-cache \ -t mongodb/mongo-cxx-driver:$(MONGOCXX_VERSION)-redhat-ubi-9.4 @@ -21,5 +22,6 @@ run: | $(filter nocachebuild build, $(MAKECMDGOALS)) .PHONY: test test: | $(filter nocachebuild build, $(MAKECMDGOALS)) - $(DOCKER) build . --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-redhat-ubi-9.4 + $(DOCKER) build --build-arg default_search_registry=$(DEFAULT_SEARCH_REGISTRY) . \ + --no-cache -f TestDockerfile -t test-mongocxx-driver-image:$(MONGOCXX_VERSION)-redhat-ubi-9.4 $(DOCKER) run test-mongocxx-driver-image:$(MONGOCXX_VERSION)-redhat-ubi-9.4 diff --git a/extras/docker/redhat-ubi-9.4/TestDockerfile b/extras/docker/redhat-ubi-9.4/TestDockerfile index 1c71a9eda1..35436e5279 100644 --- a/extras/docker/redhat-ubi-9.4/TestDockerfile +++ b/extras/docker/redhat-ubi-9.4/TestDockerfile 
@@ -1,7 +1,10 @@ # DO NOT EDIT THIS FILE DIRECTLY # This file was auto generated from the template file TestDockerfile.j2 using the generate.py script -FROM mongodb/mongo-cxx-driver:3.10.1-redhat-ubi-9.4 +# Allow setting the "default" container image registry to use for image short names (e.g. to Amazon ECR). +ARG DEFAULT_SEARCH_REGISTRY=docker.io + +FROM ${DEFAULT_SEARCH_REGISTRY}/mongodb/mongo-cxx-driver:3.10.1-redhat-ubi-9.4 WORKDIR /build diff --git a/extras/docker/test.cpp.j2 b/extras/docker/test.cpp.j2 index 5c22e38f1c..d45fd4c2a7 100644 --- a/extras/docker/test.cpp.j2 +++ b/extras/docker/test.cpp.j2 @@ -8,4 +8,3 @@ int main(void) { std::cout << "mongo-cxx-driver version: " << MONGOCXX_VERSION_STRING << std::endl; std::cout << "THE {{ distro }} IMAGE WORKS!" << std::endl; } -