Merge pull request #40 from dev-sec/hadolint
add linting using Hadolint
rndmh3ro authored Oct 25, 2023
2 parents c3ce7a8 + 3c7275a commit f78a53c
Showing 17 changed files with 118 additions and 78 deletions.
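--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,18 @@
+name: lint
+
+on:
+# yamllint disable-line rule:truthy
+push:
+branches: [master]
+pull_request:
+branches: [master]
+
+jobs:
+docker:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- uses: hadolint/[email protected]
+with:
+recursive: true
+failure-threshold: warning # info is usually ok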
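Review bot: Both `uses:` steps reference their actions by a mutable tag instead of a full commit SHA, and the workflow has no `permissions:` block, so third-party action code runs with whatever default GITHUB_TOKEN scope the repository grants. Pinning each step as `uses: actions/checkout@<full-commit-sha> # v3` and adding a top-level `permissions:` with `contents: read` would limit what a retagged or compromised action can do. The hadolint action's ref is garbled on this page, so confirm which version it actually pins.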
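--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -0,0 +1,12 @@
+ignored:
+- DL3007 # we don't want to pin versions
+- DL3008 # we don't want to pin versions
+- DL3013 # we don't want to pin versions
+- DL3018 # we don't want to pin versions
+- DL3033 # we don't want to pin versions
+- DL3041 # we don't want to pin versions
+- DL3037 # we don't want to pin versions
+- SC2028 # using echo is ok for our case
+- SC3009 # we don't care about POSIX compatibility
+- SC3010 # we don't care about POSIX compatibility
+- SC3037 # we don't care about POSIX compatibility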
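Review bot: The `ignored:` list disables every version-pinning rule for the whole repository (DL3007, DL3008, DL3013, DL3018, DL3033, DL3037, DL3041) with one repeated comment that never says why pinning is unwanted. If the reason is that these are deliberately rolling `-latest` test images, a header comment such as `# images are intentionally rolling (-latest) test targets; pinning rules are disabled on purpose` would stop the exception being copied into images that ship. DL3007 concerns the `latest` base-image tag rather than package versions, so its comment could say that. With DL3013 ignored, the unpinned `pip3 install ansible` steps take whatever PyPI serves at build time, which is worth recording here as an accepted risk.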
2 changes: 1 addition & 1 deletion amazon2023-ansible-latest/Dockerfile
Expand Up @@ -13,7 +13,7 @@ RUN yum makecache --timer && \
python3-pip && \
yum clean all

RUN pip3 install ansible
RUN pip3 install --no-cache-dir ansible

# Disable requiretty.
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers

Check failure on line 19 in amazon2023-ansible-latest/Dockerfile


GitHub Actions / docker

DL3059 info: Multiple consecutive `RUN` instructions. Consider consolidation.
16 changes: 8 additions & 8 deletions arch-ansible-latest/Dockerfile
Expand Up @@ -7,13 +7,13 @@ RUN pacman -S -y \
sudo \
systemd \
&& \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -vf $i; done); \
rm -vf /lib/systemd/system/multi-user.target.wants/*; \
rm -vf /etc/systemd/system/*.wants/*; \
rm -vf /lib/systemd/system/local-fs.target.wants/*; \
rm -vf /lib/systemd/system/sockets.target.wants/*udev*; \
rm -vf /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -vf /lib/systemd/system/basic.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -vf $i; done; \
rm -vf /lib/systemd/system/multi-user.target.wants/*; \
rm -vf /etc/systemd/system/*.wants/*; \
rm -vf /lib/systemd/system/local-fs.target.wants/*; \
rm -vf /lib/systemd/system/sockets.target.wants/*udev*; \
rm -vf /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -vf /lib/systemd/system/basic.target.wants/*;

# Update archlinux-keyring.
RUN pacman -S -y \
Expand All @@ -26,7 +26,7 @@ RUN pacman -S -y \
glibc \
python \
ansible \
&& yes | pacman -Scc || true
&& pacman -Scc --noconfirm || true

# Install Ansible inventory file.
RUN mkdir /etc/ansible \
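Review bot: The rewritten sysinit loop (the `for i in /lib/systemd/system/sysinit.target.wants/*` form, which appears to be the new side) no longer spares `systemd-tmpfiles-setup.service`. `$i` now holds the full path, so `[ $i == systemd-tmpfiles-setup.service ]` is never true and every entry is removed, whereas the earlier `cd ...; for i in *` form compared the bare file name. Compare the base name instead, e.g. `[ "${i##*/}" = systemd-tmpfiles-setup.service ] || rm -vf "$i"`. The same loop is in the centos7, centos8, centosstream8, fedora37, fedora38 and rocky8 Dockerfiles (there with `rm -f`). The `RUN` instruction starts above the hunk.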
20 changes: 10 additions & 10 deletions centos7-ansible-latest/Dockerfile
Expand Up @@ -6,14 +6,14 @@ ENV LC_ALL en_US.UTF-8

# Install systemd -- See https://hub.docker.com/_/centos/
RUN yum -y update; yum clean all; \

Check failure on line 8 in centos7-ansible-latest/Dockerfile


GitHub Actions / docker

SC2086 info: Double quote to prevent globbing and word splitting.
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done; \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

# Install requirements.
RUN yum makecache fast && \
Expand All @@ -37,8 +37,8 @@ RUN yum -y install yum-plugin-copr libseccomp && \
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers

# Upgrade pip so cryptography package works.
RUN python3 -m pip install --upgrade pip && \
pip3 install ansible
RUN python3 -m pip install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user
# Create `ansible` user with sudo permissions and membership in `DEPLOY_GROUP`
20 changes: 10 additions & 10 deletions centos8-ansible-latest/Dockerfile
Expand Up @@ -4,14 +4,14 @@ ENV container=docker

# Install systemd -- See https://hub.docker.com/_/centos/
RUN yum -y update; yum clean all; \

Check failure on line 6 in centos8-ansible-latest/Dockerfile


GitHub Actions / docker

SC2086 info: Double quote to prevent globbing and word splitting.
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done; \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

# Install Ansible and other requirements.
RUN sed -i -e "s|mirrorlist=|#mirrorlist=|g" -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-Linux-* \
Expand All @@ -27,8 +27,8 @@ RUN sed -i -e "s|mirrorlist=|#mirrorlist=|g" -e "s|#baseurl=http://mirror.centos
&& yum clean all

# upgrade pip because of the rust dependency error
RUN python3 -m pip install --upgrade pip && \
pip3 install ansible
RUN python3 -m pip install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# Disable requiretty.
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
20 changes: 10 additions & 10 deletions centosstream8-ansible-latest/Dockerfile
Expand Up @@ -4,14 +4,14 @@ ENV container=docker

# Install systemd -- See https://hub.docker.com/_/centos/
RUN yum -y update; yum clean all; \

Check failure on line 6 in centosstream8-ansible-latest/Dockerfile


GitHub Actions / docker

SC2086 info: Double quote to prevent globbing and word splitting.
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done; \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

# Install Ansible and other requirements.
RUN yum makecache --timer \
Expand All @@ -27,8 +27,8 @@ RUN yum makecache --timer \
&& yum clean all

# upgrade pip because of the rust dependency error
RUN python3 -m pip install --upgrade pip && \
pip3 install ansible
RUN python3 -m pip install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# Disable requiretty.
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
4 changes: 2 additions & 2 deletions centosstream9-ansible-latest/Dockerfile
Expand Up @@ -25,8 +25,8 @@ RUN yum makecache --timer \
&& yum clean all

# upgrade pip because of the rust dependency error
RUN python3 -m pip install --upgrade pip && \
pip3 install ansible
RUN python3 -m pip install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# Disable requiretty.
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
11 changes: 7 additions & 4 deletions debian10-ansible-latest/Dockerfile
@@ -1,13 +1,16 @@
FROM debian:buster
LABEL maintainer="Sebastian Gumprich"

RUN apt-get update -y && apt-get install --fix-missing && \
RUN apt-get update -y && apt-get install -y --fix-missing && \

Check failure on line 4 in debian10-ansible-latest/Dockerfile


GitHub Actions / docker

DL3015 info: Avoid additional packages by specifying `--no-install-recommends`
DEBIAN_FRONTEND=noninteractive \
apt-get install -y \
python python-yaml sudo \
curl gcc python-pip python-dev libffi-dev libssl-dev systemd
RUN pip install --upgrade cffi && \
pip install ansible
curl gcc python-pip python-dev libffi-dev libssl-dev systemd && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

RUN pip install --no-cache-dir --upgrade cffi && \
pip install --no-cache-dir ansible

RUN apt-get -f -y --auto-remove remove \
gcc python-pip python-dev libffi-dev libssl-dev && \
5 changes: 4 additions & 1 deletion debian11-ansible-latest/Dockerfile
Expand Up @@ -5,7 +5,10 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends --fix-missin
DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
python3 python3-yaml sudo \
curl gcc python3-pip python3-dev libffi-dev libssl-dev systemd
curl gcc python3-pip python3-dev libffi-dev libssl-dev systemd && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

RUN pip install --no-cache-dir --upgrade cffi && \
pip install --no-cache-dir ansible

4 changes: 3 additions & 1 deletion debian12-ansible-latest/Dockerfile
Expand Up @@ -5,7 +5,9 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends --fix-missin
DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
python3 python3-yaml sudo \
curl gcc python3-pip python3-dev libffi-dev libssl-dev systemd
curl gcc python3-pip python3-dev libffi-dev libssl-dev systemd && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

# Allow installing stuff to system Python.
RUN rm -f /usr/lib/python3.11/EXTERNALLY-MANAGED
16 changes: 8 additions & 8 deletions fedora37-ansible-latest/Dockerfile
Expand Up @@ -3,14 +3,14 @@ LABEL maintainer="Sebastian Gumprich; Nejc Habjan; Diego Louzan; Max Wittig"

# Enable systemd.
RUN dnf -y install systemd && dnf clean all && \

Check failure on line 5 in fedora37-ansible-latest/Dockerfile


GitHub Actions / docker

SC2086 info: Double quote to prevent globbing and word splitting.
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done; \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

RUN dnf -y update \
&& dnf -y install ansible python python3-libselinux \
16 changes: 8 additions & 8 deletions fedora38-ansible-latest/Dockerfile
Expand Up @@ -3,14 +3,14 @@ LABEL maintainer="Sebastian Gumprich, Nejc Habjan, Diego Louzan, Max Wittig"

# Enable systemd.
RUN dnf -y install systemd && dnf clean all && \

Check failure on line 5 in fedora38-ansible-latest/Dockerfile


GitHub Actions / docker

SC2086 info: Double quote to prevent globbing and word splitting.
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done; \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

RUN dnf -y update \
&& dnf -y install ansible python python3-libselinux \
3 changes: 2 additions & 1 deletion opensuse_tumbleweed-ansible-latest/Dockerfile
Expand Up @@ -2,7 +2,8 @@ FROM opensuse/tumbleweed:latest
LABEL maintainer="Sebastian Gumprich"
ENV container=docker

RUN zypper install -y python ansible dbus-1 systemd-sysvinit shadow sudo
RUN zypper install -y python ansible dbus-1 systemd-sysvinit shadow sudo && \
zypper clean

RUN cp /usr/lib/systemd/system/dbus.service /etc/systemd/system/; \
sed -i 's/OOMScoreAdjust=-900//' /etc/systemd/system/dbus.service
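Review bot: The added `zypper clean` removes only the downloaded-package cache by default, so the repository metadata fetched during the install stays in this layer. `zypper clean --all` clears both the package and the metadata caches and would match what the other images do with `yum clean all` and `rm -rf /var/lib/apt/lists/*`. The `RUN` it belongs to lies fully inside the hunk.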
5 changes: 3 additions & 2 deletions openwrt-ansible-latest/Dockerfile
@@ -1,14 +1,15 @@
FROM openwrt/rootfs:latest
LABEL maintainer="Sebastian Gumprich"

# hadolint ignore=DL4006
RUN mkdir -p /var/lock && \
opkg update && \
if [[ $(opkg list-upgradable) ]]; then opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade; fi && \
opkg install python3 python3-pip python3-cryptography \
sudo bash sed shadow-su shadow-groupadd shadow-useradd shadow-usermod

RUN pip3 install --upgrade pip && \
pip3 install ansible
RUN pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# Install Ansible inventory file
RUN mkdir -p /etc/ansible \
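Review bot: The new `# hadolint ignore=DL4006` silences the pipefail warning without saying why, and the pipeline it covers (`opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade`) still reports success when `opkg list-upgradable` itself fails. Either state the reason in a comment placed above the directive, e.g. `# DL4006 ignored: <reason pipefail is not set for this image>`, or set it for the stage with `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` if the image's ash supports that option. The `RUN` holding the pipe is fully visible in the hunk.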
20 changes: 10 additions & 10 deletions rocky8-ansible-latest/Dockerfile
Expand Up @@ -4,14 +4,14 @@ ENV container=docker

# Install systemd -- See https://hub.docker.com/_/centos/
RUN yum -y update; yum clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
for i in /lib/systemd/system/sysinit.target.wants/*; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done; \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

# Install Ansible and other requirements.
RUN yum makecache --timer \
Expand All @@ -26,8 +26,8 @@ RUN yum makecache --timer \
&& yum clean all

# upgrade pip because of the rust dependency error
RUN pip3 install --upgrade pip && \
pip3 install ansible
RUN pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# Disable requiretty.
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
4 changes: 2 additions & 2 deletions rocky9-ansible-latest/Dockerfile
Expand Up @@ -18,8 +18,8 @@ RUN yum makecache --timer \
&& yum clean all

# upgrade pip because of the rust dependency error
RUN pip3 install --upgrade pip && \
pip3 install ansible
RUN pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir ansible

# Disable requiretty.
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers