Available Nexus Proxy Repositories
Iron Bank's Nexus proxy provides access to package repositories from within Iron Bank's GitLab pipelines. These include OS package manager proxies as well as language-specific proxies, which speed up hardening by letting you use your project's native package manager.
Current proxy sources:
These require no additional setup from within your container and work naturally within our pipelines. If you had previously added packages to the hardening_manifest.yaml that are available via these proxy repositories and their corresponding package manager, you can safely remove them from there, provided that you've read the sections below and followed the instructions to use your runtime's native package manager.
What if the package I want isn't in one of these sources?
If the package you want is not currently proxied, then it must be added to the hardening_manifest.yaml resources section so our CI pipeline can download it prior to the internet-disconnected build stage.
Pin Your Dependencies
Pin your package versions. Iron Bank does nightly rebuilds of master, so you don't want your package versions to update beyond what's expected for your container, especially when using Renovate. Things can break as a result. Use ~= or exact versions to avoid this.
UBI
You can use yum/dnf as normal against the default upstream Red Hat provided repositories for the version of UBI you are using.
APK (Alpine)
You will need to run an update and upgrade before installing any apk packages so the metadata cache is downloaded during the container build, such as RUN apk update && apk --no-cache upgrade && apk add --no-cache ... . If you need to add a specific apk or apk version that isn't in the Alpine repository, you can add it to the hardening_manifest.yaml, such as:
- url: https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/gosu-1.16-r0.apk
  filename: gosu.apk
  validation:
    type: sha256
    value: e6d44626b23236d3a597106945f4b190f2638737533bd9ebe8d63233ca83a62e
Both the main and community repositories for the current version of Alpine are available via Nexus.
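The validation block in the manifest entry above is what lets the pipeline confirm that a resource fetched before the internet-disconnected build stage is the artifact the manifest author intended. The following is an added example, not code from this page or from Iron Bank's own tooling: it reads a resources list written in the layout shown above and checks each downloaded file's SHA-256 against its validation value. The minimal parser (it handles only this flat layout, not general YAML), the function names and the placeholder bytes are assumptions for this example, and only the sha256 validation type shown on this page is handled.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample: a hardening_manifest.yaml resources block in the
# layout shown on this page (the gosu entry is the page's own).
SAMPLE_RESOURCES_YAML = """\
resources:
  - url: https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/gosu-1.16-r0.apk
    filename: gosu.apk
    validation:
      type: sha256
      value: e6d44626b23236d3a597106945f4b190f2638737533bd9ebe8d63233ca83a62e
"""

# Only the validation type shown on this page is supported here.
SUPPORTED_DIGESTS = {"sha256": hashlib.sha256}


def parse_resources(text: str) -> List[Dict[str, str]]:
    """Parse a 'resources:' list into flat dicts (url, filename, type, value).

    Assumption: a deliberately minimal reader for the layout above, not a
    general YAML parser. Keys under 'validation:' are flattened into the
    same dict as the entry's url and filename.
    """
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # 'resources:' / 'validation:' headers
            continue
        if line.startswith("- "):               # start of a new list entry
            current = {}
            entries.append(current)
            line = line[2:].strip()
        if current is None:
            raise ValueError(f"key/value pair outside a list entry: {line!r}")
        key, _, value = line.partition(":")     # split on the first colon only
        current[key.strip()] = value.strip()
    return entries


def verify_resource(resource: Dict[str, str], data: bytes) -> bool:
    """Return True if the digest of data equals the manifest's expected value."""
    algo = resource.get("type", "")
    if algo not in SUPPORTED_DIGESTS:
        raise ValueError(
            f"unsupported validation type {algo!r} for {resource.get('filename')}"
        )
    actual = SUPPORTED_DIGESTS[algo](data).hexdigest()
    expected = resource.get("value", "").strip().lower()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, expected)


def verify_all(resources: List[Dict[str, str]],
               downloads: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each resource's filename to pass/fail; a missing download fails."""
    report: Dict[str, bool] = {}
    for resource in resources:
        name = resource["filename"]
        data = downloads.get(name)
        report[name] = data is not None and verify_resource(resource, data)
    return report


if __name__ == "__main__":
    resources = parse_resources(SAMPLE_RESOURCES_YAML)
    # Constructed stand-in bytes: not the real gosu apk, so this entry fails.
    results = verify_all(resources, {"gosu.apk": b"constructed placeholder"})
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'DIGEST MISMATCH'}")
```

A mismatch is reported per file rather than raised, so a build script can list every failing resource before aborting; the digest comparison uses hmac.compare_digest so the check itself does not depend on how many leading characters of the two digests agree.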
SLE
SLE can be used just like you would anywhere else: RUN zypper update && zypper install ...
Debian
Similar to SLE and Alpine, make sure you run RUN apt update && apt upgrade to ensure you have the latest metadata and core packages installed. Other than that, you can use this like anywhere else.
Python
When using pip for Python packages, we strongly recommend using a requirements.txt file to list your dependencies and pin their versions, for example:
ansible==1.8.0
pyyaml==6.0
Also, it is important to note that pip resolves dependencies automatically. You only need to add the top-level dependencies to your requirements.txt; otherwise Renovate (if enabled) may advance a dependency beyond what the top-level package supports.
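To catch the problem described under Pin Your Dependencies before Renovate or a nightly rebuild of master does, here is an added example (not from this page or from Iron Bank's tooling) that lints a requirements.txt and reports every requirement that is not pinned with == or ~=. The sample file extends the two pinned lines above with constructed unpinned entries, and the function names are assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample requirements.txt: the two pinned lines from this page
# plus extra entries added to show what the check rejects.
SAMPLE_REQUIREMENTS = """\
# list only top-level dependencies; pip resolves the rest
ansible==1.8.0
pyyaml==6.0
requests>=2.0
flask
cryptography~=41.0
"""

# Specifiers that keep a nightly rebuild on the version you tested:
# exact (==), arbitrary equality (===) and compatible release (~=).
ALLOWED_OPERATORS = ("==", "===", "~=")

# Any PEP 440 comparison operator; longer alternatives first so '===' and
# '>=' are not cut short.
_OPERATOR_RE = re.compile(r"(===|==|~=|!=|>=|<=|>|<)")


def check_requirement(line: str) -> Optional[str]:
    """Return None if the requirement is acceptably pinned, else a reason."""
    # Drop trailing comments and environment markers ('; python_version ...').
    spec = line.split("#", 1)[0].split(";", 1)[0].strip()
    match = _OPERATOR_RE.search(spec)
    if match is None:
        return "no version pin"
    operator = match.group(1)
    # First clause only: 'pkg==1.0,!=1.1' is still an exact pin.
    version = spec[match.end():].split(",", 1)[0].strip()
    if operator not in ALLOWED_OPERATORS:
        return f"loose specifier {operator!r}"
    if "*" in version:
        return f"wildcard version {version!r} is not a fixed version"
    return None


def find_unpinned(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every requirement that is not pinned."""
    problems: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and pip options such as '-r' or '--index-url'.
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        reason = check_requirement(line)
        if reason is not None:
            problems.append((line, reason))
    return problems


if __name__ == "__main__":
    for offending, why in find_unpinned(SAMPLE_REQUIREMENTS):
        print(f"{offending}: {why}")
```

Running this as a pre-commit or pipeline step and failing the build on a non-empty result keeps the pinning rule enforced rather than advisory; the check deliberately looks only at the first clause of a specifier, so a pin with an added exclusion such as pkg==1.0,!=1.1 still passes.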
NodeJS
When using npm for Node.js packages, be sure to take full advantage of your package.json for pinning versions of dependencies. In package.json, list the package under dependencies. You can optionally include a semantic version.
{
  "dependencies": {
    "@package_name": "^1.0.0"
  }
}
Ruby
When working with Ruby Gems we recommend that you utilize the Ruby Gems patterns guide for tips on managing your dependencies. If you are dealing with a lot of gem dependencies in your container, we recommend that you utilize Bundler which does a great job of managing a complex version manifest for many gems.
One caveat is that, if you are using a Ruby base image, Bundler will not recognize the inherited gems and will attempt to install its dependencies even if doing so would overwrite the version you are trying to inherit from the base image. An example of this workaround can be seen in the fluentd-elasticsearch project, where Bundler would overwrite the version of fluentd inherited from the ironbank/opensource/fluentd/fluentd parent image. This required us to gem install only the specific gem and version we desired, and to add a matchString to renovate.json to tell Renovate to also update that version.
Basic gem install of a particular version:
gem install mypackage -v '>= 1.0.0'
If using bundler, here is an example Gemfile that you would have at the project root. Then install via bundler install.
source 'https://rubygems.org'
gem 'nokogiri'
gem 'rack', '~> 2.0.1'
gem 'rspec'
If you are doing a local build and your package is not found in the normal "non-proxied" package repository, the proxy repositories within Iron Bank won't find it either. If something is missing from your build, always check the upstream repository first.
Request a new source for nexus to proxy
Follow the steps below to request a new source be proxied by nexus:
- Create an issue in the dccscr repo
- The title of your issue should be in the following format:
  Requesting <insert name> nexus proxy
- Choose the "Feature Request" issue template
- Add the following labels:
  - feature
  - pipeline
  - review