This is a simple mechanism that pulls and pushes, or builds, container images based on a YAML configuration file.
The goal of this repository is twofold: build custom images, and sync the upstream images used by all the SD modules to our public SIGHUP registry, so that there is one central place for them.
Features:
- Configurable via YAML files
- Build custom images
- Skips images if the layers between src and dest are the same, using skopeo
- Everything is executed with the bash script `scripts/sync.sh`, which by default syncs all image architectures
- Executes vulnerability detection and patching of the synced images for the amd64 and arm64 architectures
Inside the folder `modules/` there is a subfolder for each SD module with an `images.yml` file.
Each `images.yml` file must have a root attribute `images`, whose value is an array of objects:

```yaml
images:
  - name: # Simple description of the image
    source: # Source image. Where to pull the image from
    tag: # Tags to sync
      - "xxx"
    destinations:
      - # Destination registry
```

or (when building):

```yaml
images:
  - name: # Simple description of the image
    source: # Local name used by the newly built image
    build: # Build parameters
      context: # Path where the Dockerfile is stored (relative to the images.yml file)
      args: # Build arguments
        - name: # Build argument name
          value: # Build argument value
    tag: # New image tag
      - "xxx"
    destinations:
      - # Destination registry
```

Example `images.yml`:

```yaml
images:
  - name: Alpine
    source: docker.io/library/alpine
    tag:
      - "3"
      - "3.12"
      - "3.13"
      - "3.14"
    destinations:
      - registry.sighup.io/fury/alpine
  - name: Grafana
    source: grafana
    build:
      context: custom/grafana
      args:
        - name: GF_INSTALL_PLUGINS
          value: grafana-piechart-panel
    tag:
      - "8.5.5"
    destinations:
      - registry.sighup.io/fury/grafana/grafana
```

This automation runs once a day (`"0 2 * * *"`) and every time someone pushes to the main branch.
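To make the `images.yml` schema concrete, here is an added example (not the repository's own `scripts/sync.sh`) that expands a parsed config into per-tag sync and build jobs, validates the required keys, produces the corresponding `skopeo copy` command, and applies the "skip when layers are identical" rule by comparing the `Layers` digests that `skopeo inspect` reports. The config dict is constructed inline and mirrors the example above; the `docker-daemon:` transport for locally built images and the exact argv layout are assumptions.

```python
from typing import Any

# Constructed config: what yaml.safe_load("modules/<module>/images.yml") returns for the example above.
SAMPLE_CONFIG: dict[str, Any] = {
    "images": [
        {"name": "Alpine", "source": "docker.io/library/alpine",
         "tag": ["3", "3.14"], "destinations": ["registry.sighup.io/fury/alpine"]},
        {"name": "Grafana", "source": "grafana",
         "build": {"context": "custom/grafana",
                   "args": [{"name": "GF_INSTALL_PLUGINS", "value": "grafana-piechart-panel"}]},
         "tag": ["8.5.5"], "destinations": ["registry.sighup.io/fury/grafana/grafana"]},
    ]
}


def plan_jobs(config: dict[str, Any]) -> list[dict[str, Any]]:
    """One job per (tag, destination) pair; rejects entries missing a required key."""
    jobs: list[dict[str, Any]] = []
    for entry in config["images"]:
        for key in ("name", "source", "tag", "destinations"):
            if key not in entry:
                raise ValueError(f"image {entry.get('name', '?')!r}: missing {key!r}")
        for tag in entry["tag"]:
            src = f"{entry['source']}:{tag}"
            for dest in entry["destinations"]:
                job: dict[str, Any] = {"name": entry["name"], "src": src, "dest": f"{dest}:{tag}"}
                if "build" in entry:  # build entries get a docker build step before the copy
                    cmd = ["docker", "build"]
                    for arg in entry["build"].get("args", []):
                        cmd += ["--build-arg", f"{arg['name']}={arg['value']}"]
                    job["build"] = cmd + ["-t", src, entry["build"]["context"]]
                jobs.append(job)
    return jobs


def skopeo_copy(job: dict[str, Any], all_arches: bool = True) -> list[str]:
    """argv for the copy; --all keeps every architecture, the default of the sync script."""
    cmd = ["skopeo", "copy"] + (["--all"] if all_arches else [])
    # Assumption: built images are read from the local daemon, synced ones from the source registry.
    src = f"docker-daemon:{job['src']}" if "build" in job else f"docker://{job['src']}"
    return cmd + [src, f"docker://{job['dest']}"]


def should_skip(src_inspect: dict[str, Any], dest_inspect: dict[str, Any]) -> bool:
    """Skip the copy when both `skopeo inspect` outputs list the same layer digests."""
    layers = src_inspect.get("Layers")
    return bool(layers) and layers == dest_inspect.get("Layers")
```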
The reports of vulnerability scanning and patching are available in the dedicated workflow run page.
On each workflow run, navigate to the Artifacts section, where you can find:
- the `cve-reports-vX.Y.Z` artifact (zip file), which includes the pre-patching and post-patching vulnerability reports for SD version `X.Y.Z`;
- the `cve-patch-reports-by-image` artifact (zip file), which includes the patching report by image for all the images used in all the supported SD versions.