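--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,57 @@
+# Chef Automate Container - Dockerfile for Scanning
+# Based on Ubuntu 25.10 with systemd support for Chef Automate deployment
+FROM ubuntu:25.10
+
+# Build arguments for Chef Automate release channel and license
+ARG CHANNEL=current
+ARG LICENSE_ID
+
+# Avoid interactive prompts during package installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Update package list and install dependencies
+# Combine RUN commands to reduce layers and improve caching
+RUN apt-get update && apt-get install -y \
+ bash \
+ curl \
+ wget \
+ ca-certificates \
+ unzip \
+ systemd \
+ systemd-sysv \
+ python3 \
+ jq \
+ && rm -rf /var/lib/apt/lists/*
+
+# Download and install Chef Automate CLI
+# Reference: https://docs.chef.io/automate/install/
+# Uses chefdownload-commercial API: /{channel}/automate/download?p=linux&m=amd64&v=latest&eol=false&license_id={license}
+RUN curl -L "https://chefdownload-commercial.chef.io/current/automate/download?p=linux&m=amd64&v=latest&eol=false&license_id=${LICENSE_ID}" \
+ -o /tmp/chef-automate.zip \
+ && unzip /tmp/chef-automate.zip -d /tmp \
+ && mv /tmp/chef-automate /usr/local/bin/chef-automate \
+ && chmod +x /usr/local/bin/chef-automate \
+ && rm /tmp/chef-automate.zip
+
+# Install Grype vulnerability scanner
+# Using official Anchore installation script
+RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
+ | sh -s -- -b /usr/local/bin
+
+# Verify installations
+# Note: chef-automate version requires deployment, so we just verify the binary exists
+RUN test -f /usr/local/bin/chef-automate && echo "chef-automate binary present" && grype version
+
+# Set working directory
+WORKDIR /root
+
+# Entry point must be systemd for Automate to deploy properly
+# Chef Automate requires systemd to manage services (PostgreSQL, Elasticsearch, etc.)
+# Container must be run with --privileged and proper cgroup mounts:
+# docker run -d --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw automate:latest
+ENTRYPOINT ["/lib/systemd/systemd"]
+
+# Metadata labels
+LABEL maintainer="Chef Software <info@chef.io>"
+LABEL description="Chef Automate container with Grype for vulnerability scanning"
+LABEL version="1.0"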
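Review bot: The commercial license leaks into the image at line 29: `ARG LICENSE_ID` is interpolated into the download URL, so its value is recorded in `docker history` for anyone who pulls the image and echoed in build logs, and the `ARG CHANNEL` declared at line 6 is never used because that URL hardcodes `current`. Fetching the license from a BuildKit secret mount keeps it out of every layer, `${CHANNEL}` makes the build argument meaningful, and `-f` on curl stops a 4xx error page from being saved as the zip. Both downloads are also unverified — the Grype installer at line 38 pipes an unpinned `main`-branch script into `sh` — so pin a release there (`sh -s -- -b /usr/local/bin v<version>`) and consider recording and checking the sha256 of the Automate zip once a fixed `v=` is chosen instead of `latest`. Build with `docker build --secret id=license_id,src=./license_id --build-arg CHANNEL=current .` after dropping `ARG LICENSE_ID`.
```dockerfile
# syntax=docker/dockerfile:1
# … unchanged: FROM, ARG CHANNEL, ENV, apt-get install …
RUN --mount=type=secret,id=license_id \
    curl -fL "https://chefdownload-commercial.chef.io/${CHANNEL}/automate/download?p=linux&m=amd64&v=latest&eol=false&license_id=$(cat /run/secrets/license_id)" \
    -o /tmp/chef-automate.zip \
    && unzip /tmp/chef-automate.zip -d /tmp \
    && mv /tmp/chef-automate /usr/local/bin/chef-automate \
    && chmod +x /usr/local/bin/chef-automate \
    && rm /tmp/chef-automate.zip
# … unchanged: Grype install, verification, WORKDIR, ENTRYPOINT, LABELs …
```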