tree: add labels.json and security OCI labels for Clair scanning

Containerfile

@@ -1,15 +1,27 @@
 # This builds the final OCP/OKD node image on top of the base CoreOS image. For
 # instructions on how to build this, see `docs/building.md`.
 
-FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build
+ARG IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10
+FROM ${IMAGE_FROM} as build
 ARG OPENSHIFT_CI=0
 RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/build-node-image.sh
 
 FROM build as metadata
+ARG IMAGE_NAME
+ARG IMAGE_CPE
+ARG TARGETARCH
 RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-metadata
+RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-labels
 
 FROM build
 COPY --from=metadata /usr/share/openshift /usr/share/openshift
+COPY --from=metadata /usr/share/buildinfo /usr/share/buildinfo
+ARG IMAGE_NAME
+ARG IMAGE_CPE
+ARG TARGETARCH
+LABEL name=${IMAGE_NAME}
+LABEL cpe=${IMAGE_CPE}
+LABEL architecture=${TARGETARCH}
 LABEL io.openshift.metalayer=true
 # Add a hack to get OpenShift tests working again because a
 # revert of the new architecture happened in

build-args-10.2-4.22.conf

@@ -0,0 +1,3 @@
+IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:10.2
+IMAGE_NAME=openshift/ose-rhel-coreos-10
+IMAGE_CPE=cpe:/a:redhat:openshift:4.22::el10

build-args-9.8-4.22.conf

@@ -0,0 +1,3 @@
+IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:9.8
+IMAGE_NAME=openshift/ose-rhel-coreos-9
+IMAGE_CPE=cpe:/a:redhat:openshift:4.22::el9

build-args-c10s-4.22.conf

@@ -0,0 +1,2 @@
+IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10
+# SCOS/OKD: no labels.json or OCI labels for name/cpe

docs/building.md

@@ -27,28 +27,29 @@ SCOS or RHCOS image (see building instructions in
 
 ## Building
 
-If the base image is SCOS, then the OKD node image is built (`stream-coreos`).
-If the base image is RHCOS, then the OCP node image is built (`rhel-coreos`).
-The default base image is SCOS.
+Each variant has a `build-args-*.conf` file that specifies the base image
+and metadata for that build. Choose the appropriate one for your target:
 
-To build SCOS:
+- `build-args-9.8-4.22.conf` — RHCOS on RHEL 9.8
+- `build-args-10.2-4.22.conf` — RHCOS on RHEL 10.2
+- `build-args-c10s-4.22.conf` — SCOS on CentOS Stream 10
 
-```
-podman build . --secret id=yumrepos,src=/path/to/all.repo \
-  -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \
-  --security-opt label=disable -t localhost/stream-coreos:4.21
-```
-
-To build RHCOS, the command is identical, but you must pass in the RHCOS base
-image using `--from`:
+To build:
 
 ```
-podman build --from quay.io/openshift-release-dev/ocp-v4.0-art-dev:rhel-9.6-coreos ...
+podman build . --build-arg-file build-args-c10s-4.22.conf \
+  --secret id=yumrepos,src=/path/to/all.repo \
+  -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \
+  --security-opt label=disable -t localhost/stream-coreos:4.22
 ```
 
-To build from a local OCI archive (e.g. from a cosa workdir), you can use the
-`oci-archive` transport:
+To override the base image (e.g. to use a locally built OCI archive),
+pass `--from`:
 
 ```
-podman build --from oci-archive:$(ls builds/latest/x86_64/*.ociarchive) ...
+podman build . --build-arg-file build-args-c10s-4.22.conf \
+  --from oci-archive:$(ls builds/latest/x86_64/*.ociarchive) \
+  --secret id=yumrepos,src=/path/to/all.repo \
+  -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \
+  --security-opt label=disable -t localhost/stream-coreos:4.22
 ```

packages-openshift.yaml

@@ -8,7 +8,6 @@ conditional-include:
   - if:
     - osversion != "rhel-9.8"
     - osversion != "rhel-10.2"
-    - osversion != "centos-9"
     - osversion != "centos-10"
     include:
       repos: [ENOEXIST] # We want an error in this case
@@ -28,15 +27,6 @@ conditional-include:
         - rhel-10.2-early-kernel
         - rhel-10.2-fast-datapath
         - rhel-10.2-server-ose-4.22
-  - if: osversion == "centos-9"
-    include:
-      repos:
-        - c9s-baseos
-        - c9s-appstream
-        - c9s-sig-nfv
-        - c9s-sig-cloud-okd
-        # XXX: this shouldn't be here; see related XXX in build-node-image.sh
-        - rhel-9.8-server-ose-4.22-okd
   - if: osversion == "centos-10"
     include:
       repos:

scripts/generate-labels

@@ -0,0 +1,56 @@
+#!/usr/bin/python3 -u
+
+"""
+This script generates /usr/share/buildinfo/labels.json, which provides embedded
+metadata for security scanners that only have filesystem access (not OCI image
+metadata).
+"""
+
+import datetime
+import json
+import os
+import sys
+
+LABELS_FILE = "/usr/share/buildinfo/labels.json"
+
+
+def main():
+    image_name = os.environ.get('IMAGE_NAME', '')
+    image_cpe = os.environ.get('IMAGE_CPE', '')
+    target_arch = os.environ.get('TARGETARCH', '')
+
+    if not all([image_name, image_cpe, target_arch]):
+        return
+
+    # Ideally the creation date we set here is consistent with the creation date
+    # of the OCI image itself. We'll get that once we're hermetic and we hook
+    # up SOURCE_DATE_EPOCH. So prepare for that eventuality, but for now just
+    # use the current time (which will be a few seconds different from the OCI
+    # timestamp, which is still fine for our purposes).
+    source_date_epoch = os.environ.get('SOURCE_DATE_EPOCH', '')
+    if source_date_epoch:
+        created = datetime.datetime.fromtimestamp(
+            int(source_date_epoch), tz=datetime.timezone.utc
+        ).strftime('%Y-%m-%dT%H:%M:%SZ')
+    else:
+        created = datetime.datetime.now(
+            tz=datetime.timezone.utc
+        ).strftime('%Y-%m-%dT%H:%M:%SZ')
+
+    # this schema is documented at:
+    # https://github.com/RedHatProductSecurity/security-data-guidelines/blob/main/schema/embedded_metadata.v1.schema.json
+    labels = {
+        'architecture': target_arch,
+        'cpe': image_cpe,
+        'name': image_name,
+        'org.opencontainers.image.created': created,
+    }
+
+    os.makedirs(os.path.dirname(LABELS_FILE), exist_ok=True)
+    with open(LABELS_FILE, encoding='utf-8', mode='w') as f:
+        json.dump(labels, f, sort_keys=True, indent=2)
+        f.write('\n')
+
+
+if __name__ == '__main__':
+    sys.exit(main())