Remove ION from ANMS images (#231)

* Remove ION from ANMS container images. Only present in testenv.

* tweaking health status

* reducing image context

* Remove inconsistently used DOCKER_CTR_PREFIX variable

* Update and expand checkout test

* Add REFDM roundtrip test case

Author: BrianSipos

.dockerignore

@@ -0,0 +1,27 @@
+# SCM files
+.git/
+.gitignore
+
+# Ignore IDE/IntelliJ Files
+.idea
+*.iml
+
+# Ignore build files
+node_modules
+/puppet/.modules
+# Ignore Compiled Vue App
+/anms-ui/release
+# Ignore Data Directory
+/anms-ui/logs
+
+# Ignore Other Specific Stuff
+*-compose.yaml
+Containerfile
+Dockerfile
+Makefile
+.dockerignore
+gl-sast-report.json
+.metrics-dashboard.yml
+*.md
+*.pdf
+*.docx

.env

@@ -7,8 +7,6 @@
 #MQTT_PORT=11883
 
 
-
-DOCKER_CTR_PREFIX=
 DOCKER_IMAGE_PREFIX=localhost/
 DOCKER_IMAGE_TAG=latest
 
@@ -34,8 +32,8 @@ DB_HEALTHCHECK_USER=healthcheck
 DB_HEALTHCHECK_PASSWORD=healthcheck
 
 GRAFANA_CONTAINER_PORT=3000
-GRAFANA_HOST_PORT=${DOCKER_CTR_PREFIX}grafana:${GRAFANA_CONTAINER_PORT}
-GRAFANA_PROXIES_PATH=localhost/${DOCKER_CTR_PREFIX}grafana
+GRAFANA_HOST_PORT=grafana:${GRAFANA_CONTAINER_PORT}
+GRAFANA_PROXIES_PATH=localhost/grafana
 REDIS_PORT=6379
 JS_AMP_PORT=3001
 ANMS_UI_HTTP_PORT=9030
@@ -48,7 +46,7 @@ LOGSTASH_MONITORING_PORT=9600
 KIBANA_PORT=5601
 ADMINER_PORT=8080
 RENDERER_PORT=8081
-RENDERER_HOST_PORT=${DOCKER_CTR_PREFIX}grafana-image-renderer:${RENDERER_PORT}
+RENDERER_HOST_PORT=grafana-image-renderer:${RENDERER_PORT}
 ION_MGR_PORT=8089
 HTTP_PORT=80
 

.github/workflows/build-test.yaml

@@ -17,7 +17,8 @@ jobs:
     name: Checkout Test (${{matrix.ctrmgr}})
     env:
       AUTHNZ_EMU: "demo"
-      ANMS_COMPOSE_OPTS: "-f docker-compose.yml --profile=full"
+      COMPOSE_PROFILES: "full"
+      ANMS_COMPOSE_OPTS: "-f docker-compose.yml"
       TESTENV_COMPOSE_OPTS: "-f testenv-compose.yml"
       DOCKER_CMD: ${{matrix.ctrmgr}}
       AUTHNZ_PORT: 8084
@@ -43,7 +44,7 @@ jobs:
           echo "DOCKER_IMAGE_TAG=${DOCKER_IMAGE_TAG}" >> $GITHUB_ENV
       - name: Build ANMS
         run: |
-          ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} build builder-base builder-init builder-acelib
+          ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} build builder-base builder-acelib
           ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} build
       - name: Build Agents
         run: ${DOCKER_CMD} compose ${TESTENV_COMPOSE_OPTS} build
@@ -59,6 +60,7 @@ jobs:
           ${DOCKER_CMD} compose ${TESTENV_COMPOSE_OPTS} up -d --force-recreate
           ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} up -d --force-recreate --wait --wait-timeout 600
       - name: Status
+        if: always()
         run: |
           for BADSTATUS in stopped restarting; do
             ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} ps --services --filter status=${BADSTATUS} | tee -a /tmp/notgood
@@ -70,14 +72,7 @@ jobs:
           # Fail if any names are in the file
           ! grep '[^[:space:]]' /tmp/notgood
       - name: Test
-        run: |
-          # Checkout the running gateway+backend
-          ${DOCKER_CMD} build -t checkout-test checkout-test
-          ${DOCKER_CMD} run --network anms -v $PWD:/mnt \
-              -e XUNIT_OUTFILE=/mnt/testresults.xml \
-              -e CHECKOUT_BASE_URL=http://authnz/ \
-              -e SSL_CERT_FILE=/mnt/puppet/modules/apl_test/files/anms/tls/certs/ammos-ca-bundle.crt \
-              checkout-test
+        run: ./checkout-test/run.sh
       - name: Stop
         if: always()
         run: |

.gitignore

@@ -7,6 +7,8 @@
 .DS_Store
 .project
 .cproject
+.pydevproject
+.settings/
 
 # Python intermediates
 __pycache__

README.md

@@ -126,11 +126,11 @@ To restart the system, use the 'up' and 'down' commands as described in the prev
 
 The top-level `docker-compose.yml` uses the environment defined by the sibling file `.env`.  Note: If using the legacy/deprecated build.sh script, that script may additionally override some environment variables.
 
-Two principal options of the compose configuration, which are both defaulted to empty text, are:
+The principal options of the compose configuration are:
 
 * `DOCKER_IMAGE_PREFIX` which controls any image name prefix added to all ANMS images.
   For a local build, this can be left empty, but for builds intended to be pushed to a Docker image registry this can be set to the full path on the registry before the image names (e.g. `DOCKER_IMAGE_PREFIX=some.host.example.com:5000/path/to/images`).
-
+* `HOST_SOCKDIR` which controls the source of the bind mount on `amp-manager` container for its transport socket. This can either be a volume name, for inter-container or non-root user use, or an absolute path on the host filesystem, used in the production deployment.
 
 
 ### AMP Database Querying

base.Dockerfile

@@ -39,26 +39,6 @@ ENV APP_USER=anms
 RUN groupadd -r -g 9999 ${APP_USER} && \
     useradd -m -r -g ${APP_USER} -u 9999 ${APP_USER}
 
-
-# This image uses systemd init process to manage local services.
-# Derived image targets choose which servies are enabled.
-#
-FROM registry.access.redhat.com/ubi9/ubi-init:9.2  AS anms-init
-
-# Optional APL network configuration from
-# https://aplprod.servicenowservices.com/sp?id=kb_article&sys_id=c0de6fe91b83d85071b143bae54bcb34
-RUN ( \
-      curl -sL http://apllinuxdepot.jhuapl.edu/linux/APL-root-cert/JHUAPL-MS-Root-CA-05-21-2038-B64-text.cer -o /etc/pki/ca-trust/source/anchors/JHUAPL-MS-Root-CA-05-21-2038-B64-text.crt && \
-      update-ca-trust && \
-      echo "Root CA added" \
-    ) || true
-ENV PIP_CERT=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-ENV PIP_DEFAULT_TIMEOUT=300
-RUN dnf -y install container-tools
-# Container service config
-RUN systemctl disable dnf-makecache.timer
-
-
 # This image includes common libraries used by the aricodec and anms-core
 # containers.
 # Sets environment:

checkout-test/Dockerfile

@@ -26,10 +26,10 @@ FROM localhost/anms-base
 RUN --mount=type=cache,target=/var/cache/yum \
     dnf install -y iputils python3 python3-pip python3-wheel
 
-COPY requirements.txt /usr/src/checkout-test/
+COPY requirements.txt /usr/local/src/checkout-test/
 RUN --mount=type=cache,target=/root/.cache/pip \
-    pip3 install -r /usr/src/checkout-test/requirements.txt
-COPY . /usr/src/checkout-test
+    pip3 install -r /usr/local/src/checkout-test/requirements.txt
+COPY *.sh *.py /usr/local/src/checkout-test
 
 # First argument is the base URL to test
-ENTRYPOINT ["/usr/src/checkout-test/run.sh"]
+ENTRYPOINT ["/usr/local/src/checkout-test/entrypoint.sh"]

checkout-test/entrypoint.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+##
+## Copyright (c) 2023 The Johns Hopkins University Applied Physics
+## Laboratory LLC.
+##
+## This file is part of the Asynchronous Network Management System (ANMS).
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##     http://www.apache.org/licenses/LICENSE-2.0
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+## This work was performed for the Jet Propulsion Laboratory, California
+## Institute of Technology, sponsored by the United States Government under
+## the prime contract 80NM0018D0004 between the Caltech and NASA under
+## subcontract 1658085.
+##
+
+# Run similar to:
+#  COMPOSE_PROFILES=full CHECKOUT_BASE_URL=https://authnz/ ./entrypoint.sh
+set -e
+
+export COMPOSE_PROFILES
+export CHECKOUT_BASE_URL
+
+SELFDIR=$(realpath $(dirname "${BASH_SOURCE[0]}"))
+TIMELIMIT=30
+
+CURLOPTS=""
+if [ -n "${SSL_CERT_FILE}" ]
+then
+    echo "Using custom CA from ${SSL_CERT_FILE}"
+    CURLOPTS="${CURLOPTS} --cacert ${SSL_CERT_FILE}"
+fi
+
+if [ -z "${CHECKOUT_BASE_URL}" ]; then
+    echo "Must define CHECKOUT_BASE_URL environment"
+    exit 1
+fi
+echo "Waiting for ${CHECKOUT_BASE_URL} to be available..."
+for IX in $(seq ${TIMELIMIT}); do
+    if curl -sSl $CURLOPTS "${CHECKOUT_BASE_URL}" >/dev/null; then
+        break
+    fi
+    if [ ${IX} -eq ${TIMELIMIT} ]; then
+        echo "No HTTP access after ${IX} seconds!"
+        exit 1
+    fi
+    sleep 1
+done
+echo
+
+echo "Running tests..."
+TESTARGS="--verbose"
+if [ -n "${XUNIT_OUTFILE}" ]; then
+    TESTARGS="${TESTARGS} --junitxml=${XUNIT_OUTFILE}"
+fi
+python3 -m pytest ${TESTARGS} "${SELFDIR}" "$@"

checkout-test/requirements.txt

@@ -3,3 +3,5 @@ requests
 websockets
 werkzeug
 sslscan
+cryptography
+pyopenssl

checkout-test/run.sh

@@ -21,40 +21,14 @@
 ## subcontract 1658085.
 ##
 
-# Run similar to:
-#  CHECKOUT_BASE_URL=http://authnz-emu/ ./run.sh
-set -e
+# Checkout the running gateway+backend by attaching to the 'anms' network
 
-export CHECKOUT_BASE_URL
-SELFDIR=$(realpath $(dirname "${BASH_SOURCE[0]}"))
-TIMELIMIT=30
+DOCKER_CMD=${DOCKER_CMD:-docker}
 
-CURLOPTS=""
-if [ -n "${SSL_CERT_FILE}" ]
-then
-    CURLOPTS="${CURLOPTS} --cacert ${SSL_CERT_FILE}"
-fi
-
-if [ -z "${CHECKOUT_BASE_URL}" ]; then
-    echo "Must define CHECKOUT_BASE_URL environment"
-    exit 1
-fi
-echo "Waiting for ${CHECKOUT_BASE_URL} to be available..."
-for IX in $(seq ${TIMELIMIT}); do
-    if curl -sSl $CURLOPTS "${CHECKOUT_BASE_URL}" >/dev/null; then
-        break
-    fi
-    if [ ${IX} -eq ${TIMELIMIT} ]; then
-        echo "No HTTP access after ${IX} seconds!"
-        exit 1
-    fi
-    sleep 1
-done
-echo
-
-echo "Running tests..."
-TESTARGS="--verbose"
-if [ -n "${XUNIT_OUTFILE}" ]; then
-    TESTARGS="${TESTARGS} --junitxml=${XUNIT_OUTFILE}"
-fi
-python3 -m pytest ${TESTARGS} "${SELFDIR}"
+${DOCKER_CMD} build -t checkout-test checkout-test
+${DOCKER_CMD} run --network anms -v $PWD:/mnt \
+    -e XUNIT_OUTFILE=/mnt/testresults.xml \
+    -e COMPOSE_PROFILES=${COMPOSE_PROFILES} \
+    -e CHECKOUT_BASE_URL=https://authnz/ \
+    -e SSL_CERT_FILE=/mnt/puppet/modules/apl_test/files/anms/tls/certs/ammos-ca-bundle.crt \
+    checkout-test "$@"