[v12] Backport Distroless OCI builds

.drone.yml

@@ -1222,11 +1222,6 @@ volumes:
 kind: pipeline
 type: kubernetes
 name: push-build-linux-arm64
-environment:
-  BUILDBOX_VERSION: teleport12
-  GID: "1000"
-  RUNTIME: go1.19.7
-  UID: "1000"
 trigger:
   event:
     include:
@@ -1267,9 +1262,9 @@ steps:
   image: golang:1.18-alpine
   commands:
   - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
-  - go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e -workflow
-    release-linux-arm64.yml -workflow-ref=${DRONE_BRANCH} -input oss-teleport-ref=${DRONE_COMMIT}
-    -input upload-artifacts=false -input oss-teleport-repo="${DRONE_REPO}"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -workflow release-linux-arm64.yml -workflow-ref=${DRONE_BRANCH} -input oss-teleport-repo=${DRONE_REPO}
+    -input oss-teleport-ref=${DRONE_COMMIT} -input "upload-artifacts=false" '
   environment:
     GHA_APP_KEY:
       from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
@@ -1316,9 +1311,9 @@ steps:
       # increment these variables when a new major/minor version is released to bump the automatic builds
       # this only needs to be done on the master branch, as that's the branch that the Drone cron is configured for
       # build major version images which are just teleport:x
-      CURRENT_VERSION_ROOT: v11
-      PREVIOUS_VERSION_ONE_ROOT: v10
-      PREVIOUS_VERSION_TWO_ROOT: v9
+      CURRENT_VERSION_ROOT: v12
+      PREVIOUS_VERSION_ONE_ROOT: v11
+      PREVIOUS_VERSION_TWO_ROOT: v10
     commands:
       - apk --update --no-cache add curl go
       - mkdir -p /go/build && cd /go/build
@@ -1400,9 +1395,9 @@ steps:
       # increment these variables when a new major/minor version is released to bump the automatic builds
       # this only needs to be done on the master branch, as that's the branch that the Drone cron is configured for
       # build major version images which are just teleport:x
-      CURRENT_VERSION_ROOT: v11
-      PREVIOUS_VERSION_ONE_ROOT: v10
-      PREVIOUS_VERSION_TWO_ROOT: v9
+      CURRENT_VERSION_ROOT: v12
+      PREVIOUS_VERSION_ONE_ROOT: v11
+      PREVIOUS_VERSION_TWO_ROOT: v10
     commands:
       - apk --update --no-cache add curl go
       - mkdir -p /go/build && cd /go/build
@@ -4943,11 +4938,6 @@ volumes:
 kind: pipeline
 type: kubernetes
 name: build-linux-arm64
-environment:
-  BUILDBOX_VERSION: teleport12
-  GID: "1000"
-  RUNTIME: go1.19.7
-  UID: "1000"
 trigger:
   event:
     include:
@@ -4962,6 +4952,8 @@ workspace:
   path: /go
 clone:
   disable: true
+depends_on:
+- clean-up-previous-build
 steps:
 - name: Check out code
   image: docker:git
@@ -4985,9 +4977,9 @@ steps:
   image: golang:1.18-alpine
   commands:
   - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
-  - go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e -workflow
-    release-linux-arm64.yml -workflow-ref=${DRONE_TAG} -input oss-teleport-ref=${DRONE_TAG}
-    -input upload-artifacts=true -input oss-teleport-repo="${DRONE_REPO}"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -workflow release-linux-arm64.yml -workflow-ref=${DRONE_TAG} -input oss-teleport-repo=${DRONE_REPO}
+    -input oss-teleport-ref=${DRONE_TAG} -input "upload-artifacts=true" '
   environment:
     GHA_APP_KEY:
       from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
@@ -7705,6 +7697,61 @@ volumes:
 ################################################
 # Generated using dronegen, do not edit by hand!
 # Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaBuildPipeline)
+################################################
+
+kind: pipeline
+type: kubernetes
+name: promote-teleport-oci-distroless-images
+trigger:
+  event:
+    include:
+    - promote
+  target:
+    include:
+    - production
+    - promote-distroless
+  repo:
+    include:
+    - gravitational/*
+workspace:
+  path: /go
+clone:
+  disable: true
+steps:
+- name: Check out code
+  image: docker:git
+  commands:
+  - mkdir -pv "/go/src/github.com/gravitational/teleport"
+  - cd "/go/src/github.com/gravitational/teleport"
+  - git init
+  - git remote add origin ${DRONE_REMOTE_URL}
+  - git fetch origin --tags
+  - git checkout -qf "${DRONE_COMMIT_SHA}"
+  - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+    chmod 600 /root/.ssh/id_rsa
+  - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+  - git submodule update --init e
+  - mkdir -pv /go/cache
+  - rm -f /root/.ssh/id_rsa
+  environment:
+    GITHUB_PRIVATE_KEY:
+      from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+  image: golang:1.18-alpine
+  commands:
+  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -workflow promote-teleport-oci-distroless.yml -workflow-ref=${DRONE_TAG} -input
+    "release-source-tag=${DRONE_TAG}" '
+  environment:
+    GHA_APP_KEY:
+      from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
 # Generated at dronegen/mac.go (main.newDarwinPipeline)
 ################################################
 
@@ -9084,6 +9131,64 @@ volumes:
 - name: dockersock
   temp: {}
 
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaBuildPipeline)
+################################################
+
+kind: pipeline
+type: kubernetes
+name: build-teleport-oci-distroless-images
+trigger:
+  event:
+    include:
+    - tag
+  ref:
+    include:
+    - refs/tags/v*
+  repo:
+    include:
+    - gravitational/*
+workspace:
+  path: /go
+clone:
+  disable: true
+depends_on:
+- clean-up-previous-build
+- build-linux-amd64-deb
+- build-linux-arm64-deb
+steps:
+- name: Check out code
+  image: docker:git
+  commands:
+  - mkdir -pv "/go/src/github.com/gravitational/teleport"
+  - cd "/go/src/github.com/gravitational/teleport"
+  - git init
+  - git remote add origin ${DRONE_REMOTE_URL}
+  - git fetch origin --tags
+  - git checkout -qf "${DRONE_COMMIT_SHA}"
+  - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+    chmod 600 /root/.ssh/id_rsa
+  - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+  - git submodule update --init e
+  - mkdir -pv /go/cache
+  - rm -f /root/.ssh/id_rsa
+  environment:
+    GITHUB_PRIVATE_KEY:
+      from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+  image: golang:1.18-alpine
+  commands:
+  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -workflow release-teleport-oci-distroless.yml -workflow-ref=${DRONE_TAG} -input
+    oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} '
+  environment:
+    GHA_APP_KEY:
+      from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+
 ---
 ################################################
 # Generated using dronegen, do not edit by hand!
@@ -18836,6 +18941,7 @@ depends_on:
 - teleport-container-images-branch-promote
 - publish-apt-new-repos
 - publish-yum-new-repos
+- promote-teleport-oci-distroless-images
 steps:
 - name: Check if commit is tagged
   image: alpine
@@ -18931,6 +19037,6 @@ volumes:
   temp: {}
 ---
 kind: signature
-hmac: f5af446289f01b1a1438966e1bd476d98e6162629cce1fe80cde804f93d62748
+hmac: 7d7d840c1a9c98e6e3dd084acb1c1aa474ae0daf4855820c4a65e589a1765dc7
 
 ...

build.assets/charts/Dockerfile-distroless

@@ -0,0 +1,25 @@
+ARG BASE_IMAGE=gcr.io/distroless/cc-debian11
+
+FROM debian:11 AS staging
+RUN apt-get update 
+COPY fetch-debs ./
+RUN ./fetch-debs dumb-init libpam0g libaudit1 libcap-ng0
+
+FROM debian:11 AS teleport
+# NOTE that the TELEPORT_RELEASE_INFIX *must* include the leading dash if set
+ARG TELEPORT_RELEASE_INFIX
+ARG TELEPORT_VERSION
+ARG TARGETARCH
+ENV TELEPORT_DEB_FILE_NAME=teleport${TELEPORT_RELEASE_INFIX}_${TELEPORT_VERSION}_${TARGETARCH}.deb
+COPY $TELEPORT_DEB_FILE_NAME ./$TELEPORT_DEB_FILE_NAME
+RUN dpkg-deb -R $TELEPORT_DEB_FILE_NAME /opt/staging && \
+    mkdir -p /opt/staging/etc/teleport && \
+    mkdir -p /opt/staging/var/lib/dpkg/status.d/ && \
+    mv /opt/staging/DEBIAN/control /opt/staging/var/lib/dpkg/status.d/teleport && \
+    rm -rf /opt/staging/DEBIAN
+
+FROM $BASE_IMAGE
+COPY --from=teleport /opt/staging /
+COPY --from=staging /opt/staging/root /
+COPY --from=staging /opt/staging/status /var/lib/dpkg/status.d
+ENTRYPOINT ["/usr/bin/dumb-init", "/usr/local/bin/teleport", "start", "-c", "/etc/teleport/teleport.yaml"]

build.assets/charts/fetch-debs

@@ -0,0 +1,11 @@
+#!/bin/bash 
+mkdir -p /opt/staging/root
+mkdir -p /opt/staging/status
+
+for pkg in "$@"; do
+    apt-get download "$pkg" && dpkg-deb -R $pkg*.deb /tmp/$pkg
+    cp /tmp/$pkg/DEBIAN/control /opt/staging/status/$pkg
+    rm -r /tmp/$pkg/DEBIAN
+    cp -r /tmp/$pkg/* /opt/staging/root
+    rm -rf /tmp/$pkg
+done

build.assets/charts/smoke_tests/00_simple_start/test.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run --rm --entrypoint /usr/local/bin/teleport --platform $1 $2 -- version

build.assets/charts/smoke_tests/01_pam/config.yaml

@@ -0,0 +1,31 @@
+version: v3
+teleport:
+  nodename: sshd 
+  data_dir: /var/lib/teleport
+  log:
+    output: stderr
+    severity: INFO
+    format:
+      output: text
+  join_params:
+      method: token
+      token_name: NotARealToken
+  auth_server: localhost:3025
+  diag_addr: ""
+auth_service:
+  enabled: no
+ssh_service:
+  enabled: "yes"
+  commands:
+  - name: hostname
+    command: [hostname]
+    period: 1m0s
+  # Configures PAM integration. See our PAM guide for more details
+  # (https://goteleport.com/docs/features/ssh-pam/).
+  pam:
+    enabled: yes
+    service_name: "sshd"
+    use_pam_auth: true
+
+proxy_service:
+  enabled: no

build.assets/charts/smoke_tests/01_pam/test.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Given an ssh node configuration with use_pam_auth enabled, Teleport
+# will test if PAM is available. If PAM is not installed correctly, 
+# Teleport will exit immediately with a nonzero status. 
+#
+# If teleport is still up when the timeout expires, then we're 
+# probably OK
+timeout --preserve-status 10s docker run --platform $1 --rm --entrypoint /usr/local/bin/teleport -v "$(pwd):/etc/teleport" $2 start -c /etc/teleport/config.yaml

build.assets/charts/smoke_tests/README.md

@@ -0,0 +1,36 @@
+# Docker Image Smoke Tests
+
+This directory contains some smoke tests for our Docker images. Smoke tests are 
+quick go-or-no-go tests to check and see if the images we're shipping meet some 
+basic functionality standard.
+
+At the time of writing, that statndard is pretty low:
+ 1. does `teleport` start at all, and
+ 2. does the `PAM` soubsystem come up when loaded by `teleport`. 
+
+How do we raise the bar? More and better tests!
+
+## Running smoke tests
+
+```bash
+$ ./run $PLATFORM $IMAGE_UNDER_TEST $TELEPORT_RELEASE
+```
+Where
+ * `$PLATFORM` is the platform to test, in a format acceptable to `docker run`
+ * `$IMAGE_UNDER_TEST` is the URL of the image to test
+ * `$TELEPORT_RELEASE` is the release of teleport included in the
+   `$IMAGE_UNDER_TEST` image. Must be either `oss` or `enterprise`.
+
+## Writing a smoke test
+
+1. Create a directory under this `smoketest` root.
+2. Add an executable bash script in this directory. This script must
+    1. be named `test.sh`
+    2. be executable (i.e. has `+x` permissions),
+    3. take three arguments: 
+       1. the name of the docker image to test, and
+       2. the platform to test it on
+       3. The release of Teleport contained in the image, either `oss` or `enterprise`.
+    4. return `0` on success, nonzero on error
+
+

build.assets/charts/smoke_tests/run

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+pushd () {
+    command pushd "$@" > /dev/null
+}
+
+popd () {
+    command popd "$@" > /dev/null
+}
+
+echo ">>> Prefetching image under test: $2"
+docker pull --platform $1 $2
+
+for test in **/test.sh
+do
+  testdir=$(dirname $test)
+  echo ""
+  echo ">>> Smoke test: $testdir"
+  pushd $testdir
+  if ! ./test.sh $1 $2; then
+    echo "Test Failed"
+    exit 1
+  fi
+  popd
+done