From aec184993ae3cd2690913a90950385aeb485496a Mon Sep 17 00:00:00 2001 From: Michele Degges Date: Thu, 10 Feb 2022 15:28:27 -0800 Subject: [PATCH] Initial crt onboarding attempt --- .circleci/config.yml | 236 ---------------- .github/workflows/acceptance-test.yml | 17 ++ .github/workflows/algolia-index.yml | 24 ++ .github/workflows/build.yml | 254 ++++++++++++++++++ .github/workflows/go-test.yml | 40 +++ .github/workflows/go-validate.yml | 55 ++++ .github/workflows/website-docker-image.yml | 28 ++ .release/ci.hcl | 216 +++++++++++++++ .release/docker/README.md | 99 +++++++ .../linux/package/etc/packer.d/packer.env | 0 .../usr/lib/systemd/system/packer.service | 23 ++ .release/linux/postrm | 8 + .release/linux/preinst | 13 + .release/security-scan.hcl | 13 + Dockerfile | 113 ++++++-- Makefile | 45 +++- go.mod | 4 +- go.sum | 6 +- scripts/version.sh | 12 + version/version.go | 26 +- 20 files changed, 958 insertions(+), 274 deletions(-) delete mode 100644 .circleci/config.yml create mode 100644 .github/workflows/acceptance-test.yml create mode 100644 .github/workflows/algolia-index.yml create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/go-test.yml create mode 100644 .github/workflows/go-validate.yml create mode 100644 .github/workflows/website-docker-image.yml create mode 100644 .release/ci.hcl create mode 100644 .release/docker/README.md create mode 100644 .release/linux/package/etc/packer.d/packer.env create mode 100644 .release/linux/package/usr/lib/systemd/system/packer.service create mode 100644 .release/linux/postrm create mode 100644 .release/linux/preinst create mode 100644 .release/security-scan.hcl create mode 100755 scripts/version.sh diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index 4dbe181b0..000000000 --- a/.circleci/config.yml +++ /dev/null 
@@ -1,236 +0,0 @@ -orbs: - win: circleci/windows@1.0.0 - -version: 2.1 - -executors: - golang: - docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.17 - resource_class: medium+ - darwin: - macos: - xcode: "12.0.0" - -commands: - install-go-run-tests-unix: - parameters: - GOOS: - type: string - GOVERSION: - type: string - HOME: - type: string - default: "~" - steps: - - checkout - - run: curl https://dl.google.com/go/go<< parameters.GOVERSION >>.<< parameters.GOOS >>-amd64.tar.gz | tar -C << parameters.HOME >>/ -xz - - run: << parameters.HOME >>/go/bin/go test ./... -coverprofile=coverage.txt -covermode=atomic - install-go-run-tests-windows: - parameters: - GOVERSION: - type: string - steps: - - checkout - - run: curl https://dl.google.com/go/go<< parameters.GOVERSION >>.windows-amd64.zip --output ~/go<< parameters.GOVERSION >>.windows-amd64.zip - - run: unzip ~/go<< parameters.GOVERSION >>.windows-amd64.zip -d ~/ - - run: ~/go/bin/go test ./... -coverprofile=coverage.txt -covermode=atomic - build-and-persist-packer-binary: - parameters: - GOOS: - type: string - GOARCH: - default: "amd64" - type: string - steps: - - checkout - - run: GOOS=<< parameters.GOOS >> GOARCH=<> go build -ldflags="-s -w -X github.com/hashicorp/packer/version.GitCommit=${CIRCLE_SHA1}" -o ./pkg/packer_<< parameters.GOOS >>_<< parameters.GOARCH >> . - - run: zip ./pkg/packer_<< parameters.GOOS >>_<< parameters.GOARCH >>.zip ./pkg/packer_<< parameters.GOOS >>_<< parameters.GOARCH >> - - run: rm ./pkg/packer_<< parameters.GOOS >>_<< parameters.GOARCH >> - - persist_to_workspace: - root: . 
- paths: - - ./pkg/ - -# Golang CircleCI 2.0 configuration file -# -# Check https://circleci.com/docs/2.0/language-go/ for more details -jobs: - test-linux: - executor: golang - resource_class: large - working_directory: /go/src/github.com/hashicorp/packer - steps: - - checkout - - run: TESTARGS="-coverprofile=coverage.txt -covermode=atomic" make ci - test-darwin: - executor: darwin - working_directory: ~/go/github.com/hashicorp/packer - steps: - - install-go-run-tests-unix: - GOOS: darwin - GOVERSION: "1.17" - test-windows: - executor: - name: win/vs2019 - shell: bash.exe - steps: - - install-go-run-tests-windows: - GOVERSION: "1.17" - check-mod-tidy: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - checkout - - run: go mod tidy -compat=1.17 - check-lint: - executor: golang - resource_class: xlarge - steps: - - checkout - - run: git fetch --all - - run: - command: make ci-lint - no_output_timeout: 30m - check-fmt: - executor: golang - steps: - - checkout - - run: make fmt-check - check-generate: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - checkout - - run: make generate-check - build_linux: - executor: golang - steps: - - build-and-persist-packer-binary: - GOOS: linux - build_windows: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - build-and-persist-packer-binary: - GOOS: windows - build_darwin: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - build-and-persist-packer-binary: - GOOS: darwin - build_darwin_arm64: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - build-and-persist-packer-binary: - GOOS: darwin - GOARCH: arm64 - build_freebsd: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - build-and-persist-packer-binary: - GOOS: freebsd - build_solaris: - executor: golang - working_directory: 
/go/src/github.com/hashicorp/packer - steps: - - build-and-persist-packer-binary: - GOOS: solaris - build_openbsd: - executor: golang - working_directory: /go/src/github.com/hashicorp/packer - steps: - - build-and-persist-packer-binary: - GOOS: openbsd - store_artifacts: - executor: golang - steps: - - attach_workspace: - at: . - - store_artifacts: - path: ./pkg/ - destination: / - build-website-docker-image: - docker: - - image: docker.mirror.hashicorp.services/circleci/buildpack-deps - shell: /usr/bin/env bash -euo pipefail -c - steps: - - checkout - - setup_remote_docker - - run: - name: Build Docker Image if Necessary - command: | - IMAGE_TAG=$(cat website/Dockerfile website/package-lock.json | sha256sum | awk '{print $1;}') - echo "Using $IMAGE_TAG" - if curl https://hub.docker.com/v2/repositories/hashicorp/packer-website/tags/$IMAGE_TAG -fsL > /dev/null; then - echo "Dependencies have not changed, not building a new website docker image." - else - cd website/ - docker login -u $WEBSITE_DOCKER_USER -p $WEBSITE_DOCKER_PASS - docker build -t hashicorp/packer-website:$IMAGE_TAG . 
- docker tag hashicorp/packer-website:$IMAGE_TAG hashicorp/packer-website:latest - docker push hashicorp/packer-website - fi - algolia-index: - docker: - - image: docker.mirror.hashicorp.services/node:14 - steps: - - checkout - - run: - name: Push content to Algolia Index - command: | - if [ "$CIRCLE_REPOSITORY_URL" != "git@github.com:hashicorp/packer.git" ]; then - echo "Not Packer OSS Repo, not indexing Algolia" - exit 0 - fi - cd website/ - npm install -g npm@latest - npm install - npx ts-node --skip-ignore -P ./scripts/tsconfig.json ./scripts/index_search_content.ts - -workflows: - version: 2 - test: - jobs: - - test-linux - - test-darwin - - test-windows - check-code: - jobs: - - check-lint - - check-fmt - - check-mod-tidy - - check-generate - build_packer_binaries: - jobs: - - build_linux - - build_darwin - - build_darwin_arm64 - - build_windows - - build_freebsd - - build_openbsd - - build_solaris - - store_artifacts: - requires: - - build_linux - - build_darwin - - build_darwin_arm64 - - build_windows - - build_freebsd - - build_openbsd - - build_solaris - website: - jobs: - - build-website-docker-image: - filters: - branches: - only: - - master - - algolia-index: - filters: - branches: - only: - - stable-website diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml new file mode 100644 index 000000000..2f25386fe --- /dev/null +++ b/.github/workflows/acceptance-test.yml @@ -0,0 +1,17 @@ +name: "Acceptance Test" + +on: + schedule: + # Runs every day at midnight + - cron: "0 0 * * *" + +jobs: + acceptnace-test: + runs-on: ubuntu-latest + name: Acceptance Test + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-go@v2 + with: + go-version: '1.17' + - run: make testacc diff --git a/.github/workflows/algolia-index.yml b/.github/workflows/algolia-index.yml new file mode 100644 index 000000000..f52a7c33a --- /dev/null +++ b/.github/workflows/algolia-index.yml 
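Review bot: The job id `acceptnace-test` is misspelled; rename it to `acceptance-test` before branch-protection rules or other workflows start referencing the typo. Both actions are referenced by floating major tags (`actions/checkout@v2`, `actions/setup-go@v2`); for a pipeline feeding a release process it is worth pinning them to a full commit SHA with the tag in a trailing comment, so a retagged or compromised action cannot silently change what this scheduled job runs. `make testacc` presumably needs provider credentials that are not wired into this job; if that is intended for a later commit, a comment on the job saying so would save the next reader from wondering why the nightly run is expected to pass.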
@@ -0,0 +1,24 @@
+name: "Algolia index"
+
+on:
+ push:
+ # Sequence of patterns matched against refs/heads
+ branches:
+ # Push events on stable-website branch
+ - 'stable-website'
+
+jobs:
+ algolia-index:
+ runs-on: ubuntu-latest
+ name: Push content to Algolia Index
+ if: github.repository == 'hashicorp/packer' && github.ref_name == 'stable-website'
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ node-version: '14'
+ - run: |
+ cd website/
+ npm install -g npm@latest
+ npm install
+ npx ts-node --skip-ignore -P ./scripts/tsconfig.json ./scripts/index_search_content.ts
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..bf460597a
--- /dev/null
+++ b/.github/workflows/build.yml
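Review bot: The indexing step installs dependencies with `npm install` right after `npm install -g npm@latest`, so neither the npm version nor the resolved dependency tree is reproducible and `website/package-lock.json` is not enforced for a job that runs with the Algolia write credentials (not visible here, presumably repository secrets). Prefer `npm ci`, which fails if the lockfile and `package.json` disagree, and drop or pin the global npm upgrade: `- run: | cd website/ && npm ci && npx ts-node --skip-ignore -P ./scripts/tsconfig.json ./scripts/index_search_content.ts`. As in the other new workflows, `actions/checkout@v2` and `actions/setup-node@v2` are floating tags; pin them to commit SHAs.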
@@ -0,0 +1,254 @@ +name: build + +on: + push: + # Sequence of patterns matched against refs/heads + branches: + # Push events on main branch + - 'main' + - 'crt-onboarding' # Used for testing ONLY. Must be removed before merging + +env: + PKG_NAME: "packer" + +jobs: + get-product-version: + runs-on: ubuntu-latest + outputs: + product-version: ${{ steps.get-product-version.outputs.product-version }} + steps: + - uses: actions/checkout@v2 + - name: Setup go + uses: actions/setup-go@v2 + with: + go-version: "1.17.5" + - name: get product version + id: get-product-version + run: | + make version + echo "::set-output name=product-version::$(make version)" + + generate-metadata-file: + needs: get-product-version + runs-on: ubuntu-latest + outputs: + filepath: ${{ steps.generate-metadata-file.outputs.filepath }} + steps: + - name: 'Checkout directory' + uses: actions/checkout@v2 + - name: Generate metadata file + id: generate-metadata-file + uses: hashicorp/actions-generate-metadata@main + with: + version: ${{ needs.get-product-version.outputs.product-version }} + product: ${{ env.PKG_NAME }} + + - uses: actions/upload-artifact@v2 + with: + name: metadata.json + path: ${{ steps.generate-metadata-file.outputs.filepath }} + + set-ld-flags: + needs: get-product-version + runs-on: ubuntu-latest + outputs: + ldflags: ${{ steps.generate-ld-flags.outputs.ldflags }} + steps: + - uses: actions/checkout@v2 + - name: 'Generate ld flags' + id: generate-ld-flags + run: | + project="$(go list -m)" + sha="$(git rev-parse HEAD)" + echo "::set-output name=ldflags::"-s -w -X \'$project/version.GitCommit=$sha\'"" + + build-other: + needs: + - get-product-version + - set-ld-flags + runs-on: ubuntu-latest + strategy: + matrix: + goos: [ freebsd, windows, netbsd, openbsd, solaris ] + goarch: [ "386", "amd64", "arm" ] + go: [ "1.17.5" ] + exclude: + - goos: solaris + goarch: 386 + - goos: solaris + goarch: arm + - goos: windows + goarch: arm + fail-fast: true + + name: Go ${{ matrix.go }} ${{ 
matrix.goos }} ${{ matrix.goarch }} build + env: + GOPRIVATE: "github.com/hashicorp" + GO111MODULE: on + LD_FLAGS: ${{ needs.set-ld-flags.outputs.ldflags }} + steps: + - uses: actions/checkout@v2 + - name: Setup go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.go }} + - name: Setup Git + run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" + - name: Go Build + env: + GOOS: ${{ matrix.goos }} + GOARCH: ${{ matrix.goarch }} + CGO_ENABLED: 0 + run: | + mkdir -p dist out + unset GOPATH; + go build -v -ldflags "${{ env.LD_FLAGS }}" -o dist/ . + zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/ + - uses: actions/upload-artifact@v2 + with: + name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip + path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip + + build-linux: + needs: + - get-product-version + - set-ld-flags + runs-on: ubuntu-latest + strategy: + matrix: + goos: [linux] + goarch: ["arm", "arm64", "386", "amd64"] + go: [ "1.17.5" ] + fail-fast: true + + name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build + + env: + GOPRIVATE: "github.com/hashicorp" + GO111MODULE: on + LD_FLAGS: ${{ needs.set-ld-flags.outputs.ldflags }} + + steps: + - uses: actions/checkout@v2 + - name: Setup Git + run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" + - name: Setup go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.go }} + - name: Go Build + env: + GOOS: ${{ matrix.goos }} + GOARCH: ${{ matrix.goarch }} + CGO_ENABLED: 0 + run: | + mkdir -p dist out + unset GOPATH; + go build -v -ldflags "${{ env.LD_FLAGS }}" -o dist/ . 
+ zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/ + - uses: actions/upload-artifact@v2 + with: + name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip + path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip + + - name: Linux Packaging + uses: hashicorp/actions-packaging-linux@v1 + with: + name: ${{ github.event.repository.name }} + description: "HashiCorp Packer - A tool for creating identical machine images for multiple platforms from a single source configuration" + arch: ${{ matrix.goarch }} + version: ${{ needs.get-product-version.outputs.product-version }} + maintainer: "HashiCorp" + homepage: "https://www.packer.io/docs" + license: "MPL-2.0" + binary: "dist/${{ env.PKG_NAME }}" + deb_depends: "openssl" + rpm_depends: "openssl" + config_dir: ".release/linux/package/" + preinstall: ".release/linux/preinst" + postremove: ".release/linux/postrm" + - name: Add Linux Package names to env + run: | + echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV + echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV + - uses: actions/upload-artifact@v2 + with: + name: ${{ env.RPM_PACKAGE }} + path: out/${{ env.RPM_PACKAGE }} + - uses: actions/upload-artifact@v2 + with: + name: ${{ env.DEB_PACKAGE }} + path: out/${{ env.DEB_PACKAGE }} + + build-darwin: + needs: + - get-product-version + - set-ld-flags + runs-on: macos-latest + strategy: + matrix: + goos: [ darwin ] + goarch: [ "amd64", "arm64" ] + go: [ "1.17.5" ] + fail-fast: true + name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build + + env: + GOPRIVATE: "github.com/hashicorp" + GO111MODULE: on + LD_FLAGS: ${{ needs.set-ld-flags.outputs.ldflags }} + + steps: + - uses: actions/checkout@v2 + - name: Setup go + uses: actions/setup-go@v2 + with: + go-version: ${{ 
matrix.go }} + - name: Go Build + env: + GOOS: ${{ matrix.goos }} + GOARCH: ${{ matrix.goarch }} + CGO_ENABLED: 0 + run: | + mkdir -p dist out + unset GOPATH; + go build -v -tags "netcgo" -ldflags "${{ env.LD_FLAGS }}" -o dist/ . + zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/ + - uses: actions/upload-artifact@v2 + with: + name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip + path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip + + build-docker: + name: Docker ${{ matrix.arch }} build + needs: + - get-product-version + - build-linux + runs-on: ubuntu-latest + strategy: + matrix: + arch: ["arm", "arm64", "386", "amd64"] + env: + repo: ${{ github.event.repository.name }} + version: ${{ needs.get-product-version.outputs.product-version }} + steps: + - uses: actions/checkout@v2 + - name: Login to Artifactory + uses: docker/login-action@v1 + with: + registry: docker.artifactory.hashicorp.engineering + username: ${{ secrets.ARTIFACTORY_RO_USER }} + password: ${{ secrets.ARTIFACTORY_RO_TOKEN }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + with: + image: docker.artifactory.hashicorp.engineering/prodsec-binfmt:latest + - name: Docker Build (Action) + uses: hashicorp/actions-docker-build@v1 + with: + version: ${{env.version}} + target: default + arch: ${{matrix.arch}} + tags: | + docker.io/hashicorp/${{env.repo}}:${{env.version}} + public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}} diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml new file mode 100644 index 000000000..3ff972f2a --- /dev/null +++ b/.github/workflows/go-test.yml 
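Review bot: The `Setup Git` step in `build-other` and `build-linux` writes `secrets.ELEVATED_GITHUB_TOKEN` into the runner's global git config via `url.<token>.insteadOf`, so every git operation against github.com for the rest of the job carries that elevated credential — including module fetches, since `GOPRIVATE: github.com/hashicorp` makes `go` fetch those modules directly over git rather than through the proxy. `build-darwin` builds the same module without the token, which suggests it is not needed for this public repository; if it is only there for private modules, use a least-privilege token scoped to those repos, otherwise remove the step. `hashicorp/actions-generate-metadata@main` is pinned to a moving branch and the remaining actions to floating `@v1`/`@v2` tags; a release build should pin all of them to commit SHAs. The `crt-onboarding` trigger branch is annotated "Must be removed before merging" but is still present in this commit.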
@@ -0,0 +1,40 @@
+name: "Go Test"
+
+on:
+ push:
+ # Sequence of patterns matched against refs/heads
+ branches:
+ # Push events on main branch
+ - 'main'
+ - 'crt-onboarding' # Used for testing ONLY. Must be removed before merging
+ pull_request:
+ paths:
+ - "**"
+
+jobs:
+ linux-go-tests:
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/ghcri/golang:1.17
+ name: Linux go tests
+ steps:
+ - uses: actions/checkout@v2
+ - run: TESTARGS="-coverprofile=coverage.txt -covermode=atomic" make ci
+ darwin-go-tests:
+ runs-on: macos-latest
+ name: Darwin go tests
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17'
+ - run: go test ./... -coverprofile=coverage.txt -covermode=atomic
+ windows-go-tests:
+ runs-on: windows-latest
+ name: Windows go tests
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17'
+ - run: go test ./... -coverprofile=coverage.txt -covermode=atomic
\ No newline at end of file
diff --git a/.github/workflows/go-validate.yml b/.github/workflows/go-validate.yml
new file mode 100644
index 000000000..1e7c716e7
--- /dev/null
+++ b/.github/workflows/go-validate.yml
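Review bot: `linux-go-tests` runs inside `ghcr.io/ghcri/golang:1.17`, a mutable tag pulled from a third-party mirror namespace, while the darwin and windows jobs resolve the same Go version through `actions/setup-go`; pin the image by digest (`image: ghcr.io/ghcri/golang:1.17@sha256:<digest>`) or switch the Linux job to `setup-go` so all three jobs obtain the toolchain the same, verifiable way. The `pull_request` trigger's `paths: - "**"` matches every file and is equivalent to no filter, so it can be dropped. The file is also missing a trailing newline.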
@@ -0,0 +1,55 @@
+name: "Go Validate"
+
+on:
+ push:
+ # Sequence of patterns matched against refs/heads
+ branches:
+ # Push events on main branch
+ - 'main'
+ - 'crt-onboarding' # Used for testing ONLY. Must be removed before merging
+ pull_request:
+ paths:
+ - "**"
+
+jobs:
+ check-mod-tidy:
+ runs-on: ubuntu-latest
+ name: Go Mod Tidy
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17'
+ - run: go mod tidy
+ check-lint:
+ runs-on: ubuntu-latest
+ name: Lint
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17'
+ - run: echo "$GITHUB_SHA"
+ - run: git fetch --all
+ - run: echo $(git merge-base origin/master $GITHUB_SHA)
+ - run: make ci-lint
+ check-fmt:
+ runs-on: ubuntu-latest
+ name: Fmt check
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17'
+ - run: make fmt-check
+ check-generate:
+ runs-on: ubuntu-latest
+ name: Generate check
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.17'
+ - run: make generate-check
diff --git a/.github/workflows/website-docker-image.yml b/.github/workflows/website-docker-image.yml
new file mode 100644
index 000000000..381a250cc
--- /dev/null
+++ b/.github/workflows/website-docker-image.yml
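Review bot: `check-mod-tidy` only runs `go mod tidy`, which rewrites `go.mod`/`go.sum` in the workspace and exits 0, so the job cannot fail even when the committed files are stale; it needs to assert the tree is unchanged afterwards, e.g. `- run: go mod tidy && git diff --exit-code -- go.mod go.sum`. In `check-lint`, the `echo "$GITHUB_SHA"` and `echo $(git merge-base origin/master $GITHUB_SHA)` steps only print values that nothing consumes, and the latter references `origin/master` while this workflow triggers on `main`; drop them, or pass the computed base into `make ci-lint` if that is the intent (the Makefile is outside this view, so I cannot tell how it picks its base ref).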
@@ -0,0 +1,28 @@
+name: "Website Docker Image"
+
+on:
+ push:
+ # Sequence of patterns matched against refs/heads
+ branches:
+ # Push events on master branch
+ - 'master'
+ - 'crt-onboarding' # for testing only. remove before merging.
+
+jobs:
+ website-docker-image:
+ runs-on: ubuntu-latest
+ name: Build Docker Image if Necessary
+ steps:
+ - uses: actions/checkout@v2
+ - run: |
+ IMAGE_TAG=$(cat website/Dockerfile website/package-lock.json | sha256sum | awk '{print $1;}')
+ echo "Using $IMAGE_TAG"
+ if curl https://hub.docker.com/v2/repositories/hashicorp/packer-website/tags/$IMAGE_TAG -fsL > /dev/null; then
+ echo "Dependencies have not changed, not building a new website docker image."
+ else
+ cd website/
+ docker login -u $WEBSITE_DOCKER_USER -p $WEBSITE_DOCKER_PASS
+ docker build -t hashicorp/packer-website:$IMAGE_TAG .
+ docker tag hashicorp/packer-website:$IMAGE_TAG hashicorp/packer-website:latest
+ docker push hashicorp/packer-website
+ fi
diff --git a/.release/ci.hcl b/.release/ci.hcl
new file mode 100644
index 000000000..4c551e900
--- /dev/null
+++ b/.release/ci.hcl
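Review bot: `docker login -u $WEBSITE_DOCKER_USER -p $WEBSITE_DOCKER_PASS` will run with empty credentials: unlike the CircleCI project variables this script was ported from, GitHub Actions does not expose repository secrets as environment variables unless the step maps them, and no `env:` block does so here, so the `docker push` will be rejected. Add `env:` to the step with `WEBSITE_DOCKER_USER: ${{ secrets.WEBSITE_DOCKER_USER }}` and `WEBSITE_DOCKER_PASS: ${{ secrets.WEBSITE_DOCKER_PASS }}` (or use `docker/login-action`), and feed the password via `--password-stdin` instead of `-p` so it does not appear in the process list or job log. The branch filter uses `master` while the other new workflows in this patch use `main`; confirm which one is the repository's default branch.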
@@ -0,0 +1,216 @@
+schema = "1"
+
+project "packer" {
+ team = "#team-packer"
+ slack {
+ notification_channel = "C032JM64THT"
+ }
+ github {
+ organization = "hashicorp"
+ repository = "packer"
+ release_branches = [
+ "main",
+ "crt-onboarding"
+ ]
+ }
+}
+
+event "merge" {
+ // "entrypoint" to use if build is not run automatically
+ // i.e. send "merge" complete signal to orchestrator to trigger build
+}
+
+event "build" {
+ depends = ["merge"]
+ action "build" {
+ organization = "hashicorp"
+ repository = "packer"
+ workflow = "build"
+ }
+}
+
+event "upload-dev" {
+ depends = ["build"]
+ action "upload-dev" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "upload-dev"
+ depends = ["build"]
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "quality-tests" {
+ depends = ["upload-dev"]
+ action "quality-tests" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "quality-tests"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "security-scan-binaries" {
+ depends = ["upload-dev"]
+ action "security-scan-binaries" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "security-scan-binaries"
+ config = "security-scan.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "security-scan-containers" {
+ depends = ["security-scan-binaries"]
+ action "security-scan-containers" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "security-scan-containers"
+ config = "security-scan.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-darwin-amd64" {
+ depends = ["security-scan-containers"]
+ action "notarize-darwin-amd64" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-darwin-amd64"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-windows-386" {
+ depends = ["notarize-darwin-amd64"]
+ action "notarize-windows-386" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-windows-386"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-windows-amd64" {
+ depends = ["notarize-windows-386"]
+ action "notarize-windows-amd64" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-windows-amd64"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "sign" {
+ depends = ["notarize-windows-amd64"]
+ action "sign" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "sign"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "sign-linux-rpms" {
+ depends = ["sign"]
+ action "sign-linux-rpms" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "sign-linux-rpms"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "verify" {
+ depends = ["sign-linux-rpms"]
+ action "verify" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "verify"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "promote-staging" {
+
+ action "promote-staging" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-staging"
+ }
+
+ notification {
+ on = "fail"
+ }
+
+ notification {
+ on = "success"
+ }
+}
+
+
+event "promote-production" {
+
+ action "promote-production" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-production"
+ }
+
+ notification {
+ on = "fail"
+ }
+
+ notification {
+ on = "success"
+ }
+}
+
+event "post-publish" {
+ depends = ["promote-production"]
+
+ action "post-publish" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "post-publish"
+ }
+
+ notification {
+ on = "fail"
+ }
+
+ notification {
+ on = "success"
+ }
+}
\ No newline at end of file
diff --git a/.release/docker/README.md b/.release/docker/README.md
new file mode 100644
index 000000000..409f7e207
--- /dev/null
+++ b/.release/docker/README.md
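Review bot: `release_branches` lists `"crt-onboarding"` next to `"main"`, which makes the temporary test branch a release source for the CRT orchestrator; the workflow files in this patch mark that branch "Must be removed before merging", but this file carries no such marker, so it is the one most likely to be forgotten. Add the same reminder here (`"crt-onboarding" // TODO: remove before merging`) or drop it now. `promote-staging` and `promote-production` declare no `depends`, which presumably means they are human-triggered gates rather than automatic steps; a one-line comment on each saying so would make the pipeline's approval points explicit to a reader of this file.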
@@ -0,0 +1,99 @@ +# Packer Docker Container + +The root of this repository contains the officially supported HashiCorp Dockerfile to build the hashicorp/packer docker image. The `dev` docker image should be built for local dev and testing, while the production docker image, `default`, is built in CI and makes use of CI-built binaries. The `official` docker image is built using the official binaries from releases.hashicorp.com. + +## Build + +See the Makefile targets in the root of this repository for building Packer images in either +development or release modes: + + - `make docker-dev` or `make docker-full` + - `make docker-multiarch-official` + - `make docker-official` or `make docker-light` + - `make docker` + +### Usage + +This repository automatically builds containers for using the +[`packer`](https://packer.io) command line program. It contains two distinct +varieties of build, an `official` version, aka `light`, which just contains the binary. +It also contains a `dev` version, aka `full`, which compiles the binary from source +inside the container before exposing it for use. + +##### `official` aka `light` (default) + +The `official` version of this container will copy the current stable version of +the binary, taken from releases.hashicorp.com, into the container. It will also +set it for use as the default entrypoint. This will be the best option for most uses, +especially if you are just looking to run the binary from a container. This image +is tagged as both `official` and `light`. +The `latest` tag on DockerHub also points to this version. + +You can use this version with the following: +```shell +docker run hashicorp/packer:official +``` + +##### `dev` aka `full` + +The `dev` version of this container contains all of the source code found in +the current ref of this [repository](https://github.com/hashicorp/packer). 
Using [Google's +official `golang` image](https://hub.docker.com/_/golang/) as a base, this +container will copy the source from the current branch, build the binary, and +expose it for running. Because all build artifacts are included, it should be quite a bit larger than +the `official` image. This version of the container is most useful for development or +debugging. + +You can use this version with the following: +```shell +docker run hashicorp/packer:dev +``` + +#### Running a build: + +The easiest way to run a command that references a configuration with one or more template files, is to mount a volume for the local workspace. + +Running `packer init` +```shell +docker run \ + -v `pwd`:/workspace -w /workspace \ + -e PACKER_PLUGIN_PATH=/workspace/.packer.d/plugins \ + hashicorp/packer:latest \ + init . +``` + +~> **Note**: packer init is available from Packer v1.7.0 and later + +The command will mount the working directory (`pwd`) to `workspace`, which is the working directory (`-w`) inside the container. +Any plugin installed with `packer init` will be installed under the directory specified under the `PACKER_PLUGIN_PATH` environment variable. `PACKER_PLUGIN_PATH` must be set to a path inside the volume mount so that plugins can become available at `packer build`. + +Running `packer build` +```shell +docker run \ + -v `pwd`:/workspace -w /workspace \ + -e PACKER_PLUGIN_PATH=/workspace/.packer.d/plugins \ + hashicorp/packer:latest \ + build . +``` +##### Building old-legacy JSON templates + +For old-legacy JSON, the build command must specify the template file(s). + +```shell +docker run \ + -v `pwd`:/workspace -w /workspace \ + hashicorp/packer:latest \ + build template.json +``` + +For the [manual installation](https://www.packer.io/docs/plugins#installing-plugins) of third-party plugins, we recommended that plugin binaries are placed under a sub-directory under the working directory. 
Add `-e PACKER_PLUGIN_PATH=/workspace/` to the command above to tell Packer where the plugins are.
+
+To pass a var file (`var.json`) to the build command:
+
+```shell
+docker run \
+ -v `pwd`:/workspace -w /workspace \
+ hashicorp/packer:latest \
+ build --var-file var.json template.json
+```
+`var.json` is expected to be inside the local working directory (`pwd`) and in the container's workspace mount.
diff --git a/.release/linux/package/etc/packer.d/packer.env b/.release/linux/package/etc/packer.d/packer.env
new file mode 100644
index 000000000..e69de29bb
diff --git a/.release/linux/package/usr/lib/systemd/system/packer.service b/.release/linux/package/usr/lib/systemd/system/packer.service
new file mode 100644
index 000000000..f97725ad5
--- /dev/null
+++ b/.release/linux/package/usr/lib/systemd/system/packer.service
@@ -0,0 +1,23 @@
+[Unit]
+Description="HashiCorp Packer - A tool for creating identical machine images for multiple platforms from a single source configuration"
+Documentation=https://www.packer.io/docs
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+EnvironmentFile=-/etc/packer.d/packer.env
+User=packer
+Group=packer
+ProtectSystem=full
+ProtectHome=read-only
+ExecStart=/usr/bin/packer server -config=/etc/packer.d
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/.release/linux/postrm b/.release/linux/postrm
new file mode 100644
index 000000000..0f32404c5
--- /dev/null
+++ b/.release/linux/postrm
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ "$1" = "purge" ]
+then
+ userdel packer
+fi
+
+exit 0
\ No newline at end of file
diff --git a/.release/linux/preinst b/.release/linux/preinst
new file mode 100644
index 000000000..d5068c896
--- /dev/null
+++ b/.release/linux/preinst
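Review bot: `ExecStart=/usr/bin/packer server -config=/etc/packer.d` invokes a `server` subcommand with a `-config` flag; Packer is driven per invocation (`packer init`, `packer build`, as the README in this same patch shows) and I am not aware of it having a long-running server mode, so this unit reads as copied from a daemon product's template (`LimitMEMLOCK=infinity`, `ExecReload` on HUP, the empty `packer.env`) and would fail on the first start if anyone enables it. Confirm against the CLI; if there is no server mode, drop the unit, the `packer.env` file, and the `packer` system user that `preinst` creates and `postrm` deletes purely for this service, rather than shipping a dead unit in every deb and rpm. If it is kept for a real reason, say so in a comment in the unit and add `NoNewPrivileges=true` and `PrivateTmp=true` next to the existing `ProtectSystem`/`ProtectHome` lines.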
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -eu
+
+USER="packer"
+
+if ! id -u $USER > /dev/null 2>&1; then
+ useradd \
+ --system \
+ --user-group \
+ --shell /bin/false \
+ $USER
+fi
\ No newline at end of file
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
new file mode 100644
index 000000000..4b0717c73
--- /dev/null
+++ b/.release/security-scan.hcl
@@ -0,0 +1,13 @@
+container {
+ dependencies = false
+ alpine_secdb = true
+ secrets = false
+}
+
+binary {
+ secrets = true
+ go_modules = true
+ osv = true
+ oss_index = true
+ nvd = true
+}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 0b5f50a1b..b10df47ba 100644
--- a/Dockerfile
+++ b/Dockerfile
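Review bot: The `container` block turns off `dependencies` and `secrets` scanning for the published images while the `binary` block enables both, and nothing records why. If the intent is that the Go module graph is already covered by the binary scan and the image only adds apk packages that `alpine_secdb` covers, state that in a comment (`// deps/secrets are scanned on the binary; the image only adds apk packages`) so the next reviewer does not re-raise it; otherwise enable them, since the Dockerfile in this same patch layers git, bash, wget and openssl into the image. In `preinst`, `$USER` is unquoted in both the `id -u` test and the `useradd` call; harmless for the literal `packer`, but quoting it is the consistent choice alongside `set -eu`.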
@@ -1,30 +1,97 @@
-FROM docker.mirror.hashicorp.services/ubuntu:16.04
+# This Dockerfile contains multiple targets.
+# Use 'docker build --target= .' to build one.
+# e.g. `docker build --target=official-light .`
+#
+# All non-dev targets have a VERSION argument that must be provided
+# via --build-arg=VERSION= when building.
+# e.g. --build-arg VERSION=1.11.2
+#
+# `default` is the production docker image which cannot be built locally.
+# For local dev and testing purposes, please build and use the `dev` docker image.
-ENV DEBIAN_FRONTEND noninteractive
-RUN apt-get update && apt-get install -y \
- locales \
- openssh-server \
- sudo
+# Development docker image
+# This image includes all source code found in this repository.
+# This is primarily used for development and debugging.
+FROM docker.mirror.hashicorp.services/alpine:latest as dev
-RUN locale-gen en_US.UTF-8
+RUN apk add --no-cache git bash openssl ca-certificates
-RUN if ! getent passwd vagrant; then useradd -d /home/vagrant -m -s /bin/bash vagrant; fi \
- && echo 'vagrant ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \
- && mkdir -p /etc/sudoers.d \
- && echo 'vagrant ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/vagrant \
- && chmod 0440 /etc/sudoers.d/vagrant
+ADD bin/packer /bin/packer
-RUN mkdir -p /home/vagrant/.ssh \
- && chmod 0700 /home/vagrant/.ssh \
- && wget --no-check-certificate \
- https://raw.github.com/hashicorp/vagrant/master/keys/vagrant.pub \
- -O /home/vagrant/.ssh/authorized_keys \
- && chmod 0600 /home/vagrant/.ssh/authorized_keys \
- && chown -R vagrant /home/vagrant/.ssh
+ENTRYPOINT ["/bin/packer"]
-RUN mkdir -p /run/sshd
-CMD /usr/sbin/sshd -D \
- -o UseDNS=no \
- -o PidFile=/tmp/sshd.pid
+# Official docker image that includes binaries from releases.hashicorp.com. This
+# downloads the release from releases.hashicorp.com and therefore requires that
+# the release is published before building the Docker image.
+FROM docker.mirror.hashicorp.services/alpine:latest as official
+
+# This is the release of Packer to pull in.
+ARG VERSION
+
+LABEL name="Packer" \
+ maintainer="HashiCorp Packer Team " \
+ vendor="HashiCorp" \
+ version=$VERSION \
+ release=$VERSION \
+ summary="Packer is a tool for creating identical machine images for multiple platforms from a single source configuration." \
+ description="Packer is a tool for creating identical machine images for multiple platforms from a single source configuration. Please submit issues to https://github.com/hashicorp/packer/issues"
+
+# This is the location of the releases.
+ENV HASHICORP_RELEASES=https://releases.hashicorp.com
+
+RUN set -eux && \
+ apk add --no-cache git bash wget openssl gnupg && \
+ gpg --keyserver keyserver.ubuntu.com --recv-keys C874011F0AB405110D02105534365D9472D7468F && \
+ mkdir -p /tmp/build && \
+ cd /tmp/build && \
+ apkArch="$(apk --print-arch)" && \
+ case "${apkArch}" in \
+ aarch64) packerArch='arm64' ;; \
+ armhf) packerArch='arm' ;; \
+ x86) packerArch='386' ;; \
+ x86_64) packerArch='amd64' ;; \
+ *) echo >&2 "error: unsupported architecture: ${apkArch} (see ${HASHICORP_RELEASES}/packer/${VERSION}/)" && exit 1 ;; \
+ esac && \
+ wget ${HASHICORP_RELEASES}/packer/${VERSION}/packer_${VERSION}_linux_${packerArch}.zip && \
+ wget ${HASHICORP_RELEASES}/packer/${VERSION}/packer_${VERSION}_SHA256SUMS && \
+ wget ${HASHICORP_RELEASES}/packer/${VERSION}/packer_${VERSION}_SHA256SUMS.sig && \
+ gpg --batch --verify packer_${VERSION}_SHA256SUMS.sig packer_${VERSION}_SHA256SUMS && \
+ grep packer_${VERSION}_linux_${packerArch}.zip packer_${VERSION}_SHA256SUMS | sha256sum -c && \
+ unzip -d /tmp/build packer_${VERSION}_linux_${packerArch}.zip && \
+ cp /tmp/build/packer /bin/packer && \
+ cd /tmp && \
+ rm -rf /tmp/build && \
+ gpgconf --kill all && \
+ apk del gnupg openssl && \
+ rm -rf /root/.gnupg && \
+ # Tiny smoke test to ensure the binary we downloaded runs
+ packer version
+
+ENTRYPOINT ["/bin/packer"]
+
+
+# Production docker image
+# Remember, this cannot be built locally
+FROM docker.mirror.hashicorp.services/alpine:latest as default
+
+ARG VERSION
+ARG BIN_NAME
+
+# TARGETARCH and TARGETOS are set automatically when --platform is provided.
+ARG TARGETOS TARGETARCH
+
+LABEL name="Packer" \
+ maintainer="HashiCorp Packer Team " \
+ vendor="HashiCorp" \
+ version=$VERSION \
+ release=$VERSION \
+ summary="Packer is a tool for creating identical machine images for multiple platforms from a single source configuration." \
+ description="Packer is a tool for creating identical machine images for multiple platforms from a single source configuration. Please submit issues to https://github.com/hashicorp/packer/issues"
+
+RUN apk add --no-cache git bash wget openssl gnupg
+
+COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
+
+ENTRYPOINT ["/bin/packer"]
diff --git a/Makefile b/Makefile
index 71e3a33e5..88fe05783 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ GOLDFLAGS=-X $(GIT_IMPORT).GitCommit=$(GIT_COMMIT)$(GIT_DIRTY) $(LDFLAGS)
 export GOLDFLAGS
 .PHONY: bin checkversion ci ci-lint default install-build-deps install-gen-deps fmt fmt-docs fmt-examples generate install-lint-deps lint \
- releasebin test testacc testrace
+ releasebin test testacc testrace version
 default: install-build-deps install-gen-deps generate dev
@@ -75,6 +75,45 @@ dev: ## Build and install a development build
 @cp $(GOPATH)/bin/packer bin/packer
 @cp $(GOPATH)/bin/packer pkg/$(GOOS)_$(GOARCH)
+# Docker build variables and targets
+REGISTRY_NAME?=docker.io/hashicorp
+IMAGE_NAME=packer
+VERSION?=1.7.10
+IMAGE_TAG=$(REGISTRY_NAME)/$(IMAGE_NAME):$(VERSION)
+IMAGE_TAG_DEV=$(REGISTRY_NAME)/$(IMAGE_NAME):latest-$(shell git rev-parse --short HEAD)
+
+docker: docker-official
+docker-light: docker-official
+
+# Builds from the releases.hashicorp.com official binary
+docker-official:
+ docker build \
+ --tag $(IMAGE_TAG) \
+ --tag hashicorp/packer:latest \
+ --target=official \
+ --build-arg VERSION=$(VERSION) \
+ .
+
+# Builds multiarch from the releases.hashicorp.com official binary
+docker-multiarch-official:
+ docker buildx build \
+ --tag $(IMAGE_TAG) \
+ --tag hashicorp/packer:latest \
+ --target=official \
+ --build-arg VERSION=$(VERSION) \
+ --platform linux/amd64,linux/arm64 \
+ .
+
+# Builds from the locally generated binary in ./bin/
+# To generate the local binary, run `make dev`
+docker-dev: export GOOS=linux
+docker-dev: export GOARCH=amd64
+docker-dev: dev
+ @docker build \
+ --tag $(IMAGE_TAG_DEV) \
+ --target=dev \
+ .
+
 lint: install-lint-deps ## Lint Go code
 @if [ ! -z $(PKG_NAME) ]; then \
 echo "golangci-lint run ./$(PKG_NAME)/..."; \
@@ -161,3 +200,7 @@ vet: ## Vet Go code
 help:
 @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+# This is used for release builds by .github/workflows/build.yml
+version:
+ @$(CURDIR)/scripts/version.sh version/version.go
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 491f168d2..dd5c42d34 100644
--- a/go.mod
+++ b/go.mod
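Review bot: `VERSION?=1.7.10` is a hard-coded default that already disagrees with `Version = "1.7.11"` in version/version.go from this same commit, so a plain `make docker` silently builds and tags the image for a different release than the source tree describes. Either derive it from the new `version` target in the third hunk (`VERSION?=$(shell $(CURDIR)/scripts/version.sh version/version.go)`, noting that a `-dev` prerelease suffix will not exist on releases.hashicorp.com) or add a comment stating that the default intentionally names the last published release. `docker-official` and `docker-multiarch-official` also tag `hashicorp/packer:latest` literally while `IMAGE_TAG` honours `$(REGISTRY_NAME)`, so overriding the registry still produces a tag in the `hashicorp` namespace; `--tag $(REGISTRY_NAME)/$(IMAGE_NAME):latest` keeps the two consistent.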
@@ -17,10 +17,10 @@ require (
 github.com/hako/durafmt v0.0.0-20200710122514-c0fb7b4da026
 github.com/hashicorp/go-checkpoint v0.0.0-20171009173528-1545e56e46de
 github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
- github.com/hashicorp/go-getter/v2 v2.0.0
+ github.com/hashicorp/go-getter/v2 v2.0.1
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-uuid v1.0.2
- github.com/hashicorp/go-version v1.3.0
+ github.com/hashicorp/go-version v1.4.0
 github.com/hashicorp/hcl/v2 v2.11.1
 github.com/hashicorp/hcp-sdk-go v0.15.1-0.20220112153249-f565607d7cc4
 github.com/hashicorp/packer-plugin-amazon v1.0.6
diff --git a/go.sum b/go.sum
index 2aa75d28c..a251796fe 100644
--- a/go.sum
+++ b/go.sum
@@ -633,8 +633,9 @@ github.com/hashicorp/go-getter/gcs/v2 v2.0.0-20200604122502-a6995fa1edad/go.mod
 github.com/hashicorp/go-getter/s3/v2 v2.0.0-20200604122502-a6995fa1edad h1:hwk5mQRwVvZc/f+So1kHbOhW/f7P2fEcCr2D5pSk9sI=
 github.com/hashicorp/go-getter/s3/v2 v2.0.0-20200604122502-a6995fa1edad/go.mod h1:kcB6Mv+0wzYXbQjTAeD/Pb85145WcFk2EElpe02fuoE=
 github.com/hashicorp/go-getter/v2 v2.0.0-20200511090339-3107ec4af37a/go.mod h1:QJ+LwRM91JBKBLyHoKBrcmi49i9Tu/ItpgTNXWSnpGM=
-github.com/hashicorp/go-getter/v2 v2.0.0 h1:wamdcQazMBZK6VwUo3HAOWLkcOJBWBoXPKfmf7/S17w=
 github.com/hashicorp/go-getter/v2 v2.0.0/go.mod h1:w65fE5glbccYjndAuj1kA5lnVBGZYEaH0e5qA1kpIks=
+github.com/hashicorp/go-getter/v2 v2.0.1 h1:cHb4azguMwy0NRlEX5U3mT17HM7I17vd8RjBmrJ+1lY=
+github.com/hashicorp/go-getter/v2 v2.0.1/go.mod h1:w65fE5glbccYjndAuj1kA5lnVBGZYEaH0e5qA1kpIks=
 github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
 github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
@@ -680,8 +681,9 @@ github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw=
 github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.4.0 h1:aAQzgqIrRKRa7w75CKpbBxYsmUoPjzVm1W59ca1L0J4=
+github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
diff --git a/scripts/version.sh b/scripts/version.sh
new file mode 100755
index 000000000..c854cab30
--- /dev/null
+++ b/scripts/version.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+version_file=$1
+version=$(awk '$1 == "Version" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "${version_file}")
+prerelease=$(awk '$1 == "VersionPrerelease" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "${version_file}")
+
+if [ -n "$prerelease" ]; then
+ echo "${version}-${prerelease}"
+else
+ echo "${version}"
+fi
\ No newline at end of file
diff --git a/version/version.go b/version/version.go
index 9ca3115c1..5ec5b8751 100644
--- a/version/version.go
+++ b/version/version.go
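Review bot: The script reads only `Version` and `VersionPrerelease`, but the version/version.go hunk in this same commit also introduces `VersionMetadata`; if that is ever set to a non-empty string, the release string computed here (and every artifact name derived from it) will silently differ from the version the binary reports. Either read it as well — `metadata=$(awk '$1 == "VersionMetadata" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "${version_file}")` and append `+${metadata}` to the output when it is non-empty — or add a comment stating that build metadata is intentionally excluded from the release name. The awk patterns also depend on those lines keeping the exact `Name = "value"` shape (a type annotation such as `Version string = "..."` would move the value to `$4`), which deserves a one-line comment in the script since the Go file is edited far more often than this one.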
@@ -5,16 +5,22 @@ import (
 pluginVersion "github.com/hashicorp/packer-plugin-sdk/version"
 )
-// The git commit that was compiled. This will be filled in by the compiler.
-var GitCommit string
-
-// The main version number that is being run at the moment.
-const Version = "1.7.11"
-
-// A pre-release marker for the version. If this is "" (empty string)
-// then it means that it is a final release. Otherwise, this is a pre-release
-// such as "dev" (in development), "beta", "rc1", etc.
-const VersionPrerelease = "dev"
+var (
+ // The git commit that was compiled. This will be filled in by the compiler.
+ GitCommit string
+ GitDescribe string
+
+ // Whether cgo is enabled or not; set at build time
+ CgoEnabled bool
+
+ // The main version number that is being run at the moment.
+ Version = "1.7.11"
+ // A pre-release marker for the version. If this is "" (empty string)
+ // then it means that it is a final release. Otherwise, this is a pre-release
+ // such as "dev" (in development), "beta", "rc1", etc.
+ VersionPrerelease = "dev"
+ VersionMetadata = ""
+)
 var PackerVersion *pluginVersion.PluginVersion