Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
github.com/openshift/source-to-image
Source-to-Image (S2I) is a toolkit and workflow for building reproducible container images from source code. S2I produces ready-to-run images by injecting source code into a container image and letting the container prepare that source code for execution. By creating self-assembling builder images, you can version and control your build environments exactly like you use container images to version your runtime environments.
For a deep dive on S2I you can view this presentation.
Want to try it right now? Download the latest release and run:
$ s2i build https://github.com/sclorg/django-ex centos/python-35-centos7 hello-python
$ docker run -p 8080:8080 hello-python
Now browse to http://localhost:8080 to see the running application.
You've just built and run a new container image from source code in a git repository, no Dockerfile necessary.
For a dynamic language like Ruby, the build-time and run-time environments are typically the same. Starting with a builder image that describes this environment - with Ruby, Bundler, Rake, Apache, GCC, and other packages needed to set up and run a Ruby application installed - source-to-image performs the following steps:
config.ru
file.For compiled languages like C, C++, Go, or Java, the dependencies necessary for compilation might dramatically outweigh the size of the actual runtime artifacts. To keep runtime images slim, S2I enables a multiple-step build processes, where a binary artifact such as an executable or Java WAR file is created in the first builder image, extracted, and injected into a second runtime image that simply places the executable in the correct location for execution.
For example, to create a reproducible build pipeline for Tomcat (the popular Java webserver) and Maven:
By placing our build logic inside of images, and by combining the images into multiple steps, we can keep our runtime environment close to our build environment (same JDK, same Tomcat JARs) without requiring build tools to be deployed to production.
Allow build environments to be tightly versioned by encapsulating them within a container image and defining a simple interface (injected source code) for callers. Reproducible builds are a key requirement to enabling security updates and continuous integration in containerized infrastructure, and builder images help ensure repeatability as well as the ability to swap runtimes.
Any existing build system that can run on Linux can be run inside of a container, and each individual builder can also be part of a larger pipeline. In addition, the scripts that process the application source code can be injected into the builder image, allowing authors to adapt existing images to enable source handling.
Instead of building multiple layers in a single Dockerfile, S2I encourages authors to represent an application in a single image layer. This saves time during creation and deployment, and allows for better control over the output of the final image.
Dockerfiles are run without many of the normal operational controls of containers, usually running as root and having access to the container network. S2I can be used to control what permissions and privileges are available to the builder image since the build is launched in a single container. In concert with platforms like OpenShift, source-to-image can enable admins to tightly control what privileges developers have at build time.
Creating builder images is easy. s2i
looks for you to supply the following scripts to use with an
image:
assemble
- builds and/or deploys the sourcerun
- runs the assembled artifactssave-artifacts
(optional) - captures the artifacts from a previous build into the next incremental buildusage
(optional) - displays builder image usage informationAdditionally for the best user experience and optimized s2i
operation we suggest images
to have /bin/sh
and tar
commands available.
See a practical tutorial on how to create a builder image and read a detailed description of the requirements and scripts along with examples of builder images.
The s2i build
workflow is:
s2i
creates a container based on the build image and passes it a tar file that contains:
src
, excluding any files selected by .s2iignore
artifacts
(if applicable - see incremental builds)s2i
sets the environment variables from .s2i/environment
(optional)s2i
starts the container and runs its assemble
scripts2i
waits for the container to finishs2i
commits the container, setting the CMD for the output image to be the run
script and tagging the image with the name provided.Filtering the contents of the source tree is possible if the user supplies a
.s2iignore
file in the root directory of the source repository, where .s2iignore
contains regular
expressions that capture the set of files and directories you want filtered from the image s2i produces.
Specifically:
\n
.filepath.Match
and filepath.Glob
functions.#
character, the line is treated as a comment.!
, the rule is an exception rule, and can undo candidates selected for filtering by prior rules (but only prior rules).Here are some examples to help illustrate:
With specifying subdirectories, the */temp*
rule prevents the filtering of any files starting with temp
that are in any subdirectory that is immediately (or one level) below the root directory.
And the */*/temp*
rule prevents the filtering of any files starting with temp
that are in any subdirectory that is two levels below the root directory.
Next, to illustrate exception rules, first consider the following example snippet of a .s2iignore
file:
*.md
!README.md
With this exception rule example, README.md will not be filtered, and remain in the image s2i produces. However, with this snippet:
!README.md
*.md
README.md
, if filtered by any prior rules, but then put back in by !README.md
, would be filtered, and not part of the resulting image s2i produces. Since *.md
follows !README.md
, *.md
takes precedence.
Users can also set extra environment variables in the application source code.
They are passed to the build, and the assemble
script consumes them. All
environment variables are also present in the output application image. These
variables are defined in the .s2i/environment
file inside the application sources.
The format of this file is a simple key-value, for example:
FOO=bar
In this case, the value of FOO
environment variable will be set to bar
.
In case you want to use one of the official Dockerfile language stack images for your build you don't have do anything extra. S2I is capable of recognizing the container image with ONBUILD instructions and choosing the OnBuild strategy. This strategy will trigger all ONBUILD instructions and execute the assemble script (if it exists) as the last instruction.
Since the ONBUILD images usually don't provide any entrypoint, in order to use this build strategy you will have to provide one. You can either include the 'run', 'start' or 'execute' script in your application source root folder or you can specify a valid S2I script URL and the 'run' script will be fetched and set as an entrypoint in that case.
s2i
automatically detects:
If a save-artifacts
script exists, a prior image already exists, and the --incremental=true
option is used, the workflow is as follows:
s2i
creates a new container image from the prior build images2i
runs save-artifacts
in this container - this script is responsible for streaming out
a tar of the artifacts to stdouts2i
builds the new output image:
artifacts
directory of the tar
passed to the buildassemble
script is responsible for detecting and using the build
artifactsNOTE: The save-artifacts
script is responsible for streaming out dependencies in a tar file.
go install
You can install the s2i binary using go install
which will download the source-to-image code to your Go module cache, build the s2i binary, and install it into your $GOBIN
, or $GOPATH/bin
if $GOBIN
is not set, or $HOME/go/bin
if the GOPATH environment variable is also not set.
$ go install github.com/openshift/source-to-image/cmd/s2i@latest
You can either follow the installation instructions for Linux (and use the darwin-amd64 link) or you can just install source-to-image with Homebrew:
$ brew install source-to-image
Go to the releases page and download the correct distribution for your machine. Choose either the linux-386 or the linux-amd64 links for 32 and 64-bit, respectively.
Unpack the downloaded tar with
$ tar -xvzf release.tar.gz
.
You should now see an executable called s2i. Either add the location of s2i to your PATH environment variable, or move it to a pre-existing directory in your PATH. For example,
# cp /path/to/s2i /usr/local/bin
will work with most setups.
Download the latest 64-bit Windows release. Extract the zip file through a file browser. Add the extracted directory to your PATH. You can now use s2i from the command line.
Note: We have had some reports of Windows Defender falsely alerting reporting that the Windows binaries contain "Trojan:Win32/Azden.A!cl". This appears to be a common false alert for other applications as well.
Assuming Go, Git, and Docker are installed and configured, execute the following commands:
$ git clone https://github.com/openshift/source-to-image
$ cd source-to-image
$ export PATH=${PATH}:`pwd`/_output/local/bin/`go env GOOS`/`go env GOHOSTARCH`/
$ ./hack/build-go.sh
Since the s2i
command uses the Docker client library, it has to run in the same
security context as the docker
command. For some systems, it is enough to add
yourself into the 'docker' group to be able to work with Docker as 'non-root'.
In the latest versions of Fedora/RHEL, it is recommended to use the sudo
command
as this way is more auditable and secure.
If you are using the sudo docker
command already, then you will have to also use
sudo s2i
to give S2I permission to work with Docker directly.
Be aware that being a member of the 'docker' group effectively grants root access, as described here.
You can start using s2i
right away (see releases)
with the following test sources and publicly available images:
$ s2i build https://github.com/openshift/ruby-hello-world registry.redhat.io/ubi8/ruby-27 test-ruby-app
$ docker run --rm -i -p :8080 -t test-ruby-app
$ s2i build --ref=10.x --context-dir=helloworld https://github.com/wildfly/quickstart openshift/wildfly-101-centos7 test-jee-app
$ docker run --rm -i -p 8080:8080 -t test-jee-app
Want to know more? Read the following resources:
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.