
Available Nexus Proxy Repositories

Iron Bank's Nexus proxy provides package repositories access within Iron Bank's Gitlab pipelines. These include OS package manager proxies, as well as language-specific proxies, to speed up hardening by enabling you to leverage your project's native package manager.

Current proxy sources:

These require no additional setup from within your container and work naturally within our pipelines. If you had previously added packages to the hardening_manifest.yaml that are available via these proxy repositories and their corresponding package managers, you can safely remove them from there, provided that you've read the sections below and followed the instructions to use your runtime's native package manager.

What if the package I want isn't in one of these sources?

If the package you want is not currently proxied, then it must be added to the hardening_manifest.yaml resources section so our CI pipeline can download it prior to the internet-disconnected build stage.

Pin Your Dependencies

Pin your package versions. Iron Bank rebuilds master nightly, so you don't want your package versions to drift beyond what's expected for your container, especially when using Renovate; things can break as a result. Use ~= (compatible release) or exact versions to avoid this.

UBI

You can use yum/dnf as normal against the upstream default Red Hat provided repositories for the version of UBI you are using.

APK (Alpine)

You will need to run an update and upgrade before installing any apk packages so the metadata cache is downloaded during the container build, such as RUN apk update && apk --no-cache upgrade && apk add --no-cache .... If you need to add a specific apk or apk version that isn't in the Alpine repository, you can add it to the hardening_manifest.yaml such as:

- url: https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/gosu-1.16-r0.apk
  filename: gosu.apk
  validation:
    type: sha256
    value: e6d44626b23236d3a597106945f4b190f2638737533bd9ebe8d63233ca83a62e

Both the main and community repositories for the current version of Alpine are available via Nexus.

SLE

zypper can be used just as it would be anywhere else: RUN zypper update && zypper install ...

Debian

Similar to SLE and Alpine, make sure you run RUN apt update && apt upgrade to ensure you have the latest metadata and core packages installed. Other than that, you can use apt like anywhere else.

Python

When using pip for Python packages, we strongly recommend using a requirements.txt file to list your dependencies and pin their versions.

ansible==1.8.0
pyyaml==6.0

Note that pip resolves transitive dependencies automatically, so you only need to add the top-level dependencies to your requirements.txt; otherwise Renovate (if enabled) may advance a transitive dependency beyond what the top-level package supports.
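The pin checker below is an added example, not Iron Bank's own tooling: it scans a requirements.txt and reports every entry that is not pinned with == or ~= (the operators recommended above), so a loose spec is caught before a nightly rebuild or Renovate drifts it. The sample requirements content is constructed for illustration.

```python
import re

# Operators the page recommends for a reproducible build: exact pin or compatible release.
ACCEPTED_OPERATORS = ("==", "~=")

# name, optional [extras], then everything up to an environment marker (;) or comment (#).
_REQ = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>[^;#]*)")


def find_unpinned(requirements_text):
    """Return [(line_no, line, reason)] for entries not pinned with == or ~=."""
    findings = []
    for line_no, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("-"):
            continue                                  # blank line or pip option such as -r / --index-url
        if "@" in line or "://" in line:
            findings.append((line_no, raw, "URL/VCS requirement; pin to a commit or hash instead"))
            continue
        m = _REQ.match(line)
        if not m:
            findings.append((line_no, raw, "unparseable requirement"))
            continue
        spec = m.group("spec").strip()
        if not spec:
            findings.append((line_no, raw, "no version specified"))
            continue
        # A spec may carry several comma-separated clauses (e.g. ">=3.2,<4"); every one must be accepted.
        ops = [clause.strip()[:2] for clause in spec.split(",")]
        if not all(op in ACCEPTED_OPERATORS for op in ops):
            findings.append((line_no, raw, "uses %s, not == or ~=" % ", ".join(ops)))
    return findings


# Constructed sample: two good pins, three entries that would drift on rebuild, one pip option.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
ansible==1.8.0
pyyaml~=6.0
requests[security]>=2.28   # floats on every nightly rebuild
flask
django>=3.2,<4
-r base.txt
"""

if __name__ == "__main__":
    for line_no, line, reason in find_unpinned(SAMPLE_REQUIREMENTS):
        print("line %d: %s  (%s)" % (line_no, line.strip(), reason))
```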

NodeJS

When using npm for Node.js packages be sure to take full advantage of your package.json for pinning versions of dependencies.

In package.json, list the package under dependencies. You can optionally include a semantic version.

{
  "dependencies": {
    "@package_name": "^1.0.0"
  }
}

Ruby

When working with Ruby gems, we recommend that you follow the RubyGems patterns guide for tips on managing your dependencies. If you are dealing with a lot of gem dependencies in your container, we recommend that you use Bundler, which does a great job of managing a complex version manifest for many gems.

One caveat is that, if you are using a Ruby base image, Bundler will not recognize the inherited gems and will attempt to install its dependencies even if doing so would overwrite the version you are trying to inherit from the base image. An example of this workaround can be seen in the fluentd-elasticsearch project, where Bundler would overwrite the version of fluentd inherited from the ironbank/opensource/fluentd/fluentd parent image. This required us to gem install only the specific gem and version we desired, and add a matchString to renovate.json to tell Renovate to also update that version.

A basic gem install of a particular version:

gem install mypackage -v '>= 1.0.0'

If using Bundler, here is an example Gemfile that you would have at the project root. Then install via bundler install.

source 'https://rubygems.org'
gem 'nokogiri'
gem 'rack', '~> 2.0.1'
gem 'rspec'

If you are doing a local build and your package is not found in the normal "non-proxied" package repository, the proxy repositories within Iron Bank won't find it either. Always check there first if you find that something was missing from your build.

Request a new source for Nexus to proxy

Follow the steps below to request a new source be proxied by Nexus:

  • Create an issue in the dccscr repo
  • The title of your issue should be in the following format:

Requesting <insert name> nexus proxy

  • Choose the "Feature Request" issue template
  • Add the following labels:
      • feature
      • pipeline
      • review