feat: add dockerfile and build scripts

Signed-off-by: James Petersen <jpetersenames@gmail.com>

Author: found-it

Dockerfile

@@ -0,0 +1,13 @@
+FROM ghcr.io/edera-dev/cross-base-linux-musl:latest@sha256:87ba899ea380bd85c22f194ab2f4f2cf791fc832d27ee20bb00d07ce23771975 AS build
+
+ENV TARGET_LIBC=musl TARGET_VENDOR=unknown DISABLE_CROSS_RS=1
+
+WORKDIR /usr/src/app
+COPY . .
+RUN ./hack/build/cargo.sh build --release --bin preflight
+RUN mv ./target/$(./hack/build/target.sh)/release/preflight /usr/sbin
+
+FROM cgr.dev/chainguard/wolfi-base:latest
+ENTRYPOINT ["/usr/sbin/preflight"]
+COPY --from=build /usr/sbin/preflight /usr/sbin/preflight
+COPY --from=build /usr/src/app/scripts /scripts

hack/build/arch.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+TOOLS_DIR="$(dirname "${0}")"
+
+RUST_TARGET="$("${TOOLS_DIR}/target.sh")"
+TARGET_ARCH="$(echo "${RUST_TARGET}" | awk -F '-' '{print $1}')"
+
+if [ "${PROTECT_ARCH_ALT_NAME}" = "1" ] || [ "${PROTECT_ARCH_KERNEL_NAME}" = "1" ]; then
+  if [ "${TARGET_ARCH}" = "x86_64" ] && [ "${PROTECT_ARCH_KERNEL_NAME}" != "1" ]; then
+    TARGET_ARCH="amd64"
+  fi
+
+  if [ "${TARGET_ARCH}" = "aarch64" ]; then
+    TARGET_ARCH="arm64"
+  fi
+fi
+
+echo "${TARGET_ARCH}"

hack/build/cargo.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+TOOLS_DIR="$(dirname "${0}")"
+RUST_TARGET="$("${TOOLS_DIR}/target.sh")"
+
+# `cross` doesn't pass thru the `fmt` command,
+# but `fmt` doesn't require a build anyway.
+IS_FMT_COMMAND="0"
+if [ "${1}" = "fmt" ]; then
+  IS_FMT_COMMAND="1"
+fi
+
+if [ -z "${CARGO}" ]; then
+  if [ "${DISABLE_CROSS_RS}" = "1" ] || [ "${IS_FMT_COMMAND}" = "1" ]; then
+    CARGO="cargo"
+  else
+    if ! command -v cross >/dev/null; then
+      echo "ERROR: 'cross' binary not installed, consider running 'hack/build/install-cross-rs.sh', otherwise local builds may fail due to missing dependencies"
+      exit 1
+    fi
+    CARGO="cross"
+  fi
+fi
+
+git submodule init && git submodule update
+
+if [ "${CARGO_BUILD_STATIC_CRT}" = "1" ]; then
+  export RUSTFLAGS="-Ctarget-feature=+crt-static"
+fi
+
+echo "[${CARGO}] version: $(${CARGO} --version)" >/dev/stderr
+export CARGO_BUILD_TARGET="${RUST_TARGET}"
+echo "[${CARGO}] [${CARGO_BUILD_TARGET}] ${*}" >/dev/stderr
+exec "${CARGO}" "${@}"

hack/build/cross-compile.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+TOOLS_DIR="$(dirname "${0}")"
+
+RUST_TARGET="$("${TOOLS_DIR}/target.sh")"
+TARGET_ARCH="$(echo "${RUST_TARGET}" | awk -F '-' '{print $1}')"
+
+HOST_ARCH="$(uname -m)"
+
+if [ "${HOST_ARCH}" = "arm64" ]; then
+  HOST_ARCH="aarch64"
+fi
+
+HOST_OS="$(uname -s)"
+HOST_OS="$(echo "${HOST_OS}" | awk -F '_' '{print $1}')"
+HOST_OS="$(echo "${HOST_OS}" | tr '[:upper:]' '[:lower:]')"
+
+if [ "${HOST_OS}" = "mingw64" ]; then
+  HOST_OS="windows"
+fi
+
+if [ -z "${TARGET_OS}" ]; then
+  TARGET_OS="${HOST_OS}"
+fi
+
+# Darwin can cross compile on all architectures to all other supported
+# architectures without cross compilation consideration. For cross-compile
+# check, make sure HOST_ARCH is TARGET_ARCH for comparison.
+if [ "${TARGET_OS}" = "darwin" ]; then
+  HOST_ARCH="${TARGET_ARCH}"
+fi
+
+if [ "${HOST_ARCH}" != "${TARGET_ARCH}" ] || [ "${HOST_OS}" != "${TARGET_OS}" ]; then
+  echo "1"
+else
+  echo "0"
+fi

hack/build/install-cross-rs.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+# NOTE that Github CI currently looks for this rev in this script as well
+CROSS_RS_REV="e281947ca900da425e4ecea7483cfde646c8a1ea"
+
+cargo install cross --git "https://github.com/cross-rs/cross.git" --rev "${CROSS_RS_REV}" "${@}"

hack/build/target.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+set -e
+
+if [ -z "${RUST_TARGET}" ] && [ -z "${TARGET_ARCH}" ] && [ -n "${TARGET_DEFAULT_ARCH}" ]; then
+  TARGET_ARCH="${TARGET_DEFAULT_ARCH}"
+fi
+
+if [ -z "${RUST_TARGET}" ] && [ -z "${TARGET_OS}" ] && [ -n "${TARGET_DEFAULT_OS}" ]; then
+  TARGET_OS="${TARGET_DEFAULT_OS}"
+fi
+
+if [ -z "${TARGET_LIBC}" ] && [ -e "/etc/alpine-release" ] && [ "${PROTECT_TARGET_IGNORE_LIBC}" != "1" ]; then
+  TARGET_LIBC="musl"
+  TARGET_VENDOR="alpine"
+fi
+
+if [ -z "${TARGET_VENDOR}" ]; then
+  TARGET_VENDOR="unknown"
+fi
+
+if [ -z "${TARGET_LIBC}" ] || [ "${PROTECT_TARGET_IGNORE_LIBC}" = "1" ]; then
+  TARGET_LIBC="gnu"
+fi
+
+if [ -z "${TARGET_HOST}" ]; then
+  TARGET_HOST="0"
+fi
+
+if [ "${TARGET_HOST}" = "1" ] || [ -z "${TARGET_ARCH}" ]; then
+  TARGET_ARCH="$(uname -m)"
+fi
+
+if [ "${TARGET_ARCH}" = "arm64" ]; then
+  TARGET_ARCH="aarch64"
+fi
+
+if [ "${TARGET_HOST}" = "1" ] || [ -z "${TARGET_OS}" ]; then
+  TARGET_OS="$(uname -s)"
+  TARGET_OS="$(echo "${TARGET_OS}" | awk -F '_' '{print $1}')"
+  TARGET_OS="$(echo "${TARGET_OS}" | tr '[:upper:]' '[:lower:]')"
+
+  if [ "${TARGET_OS}" = "mingw64" ]; then
+    TARGET_OS="windows"
+  fi
+fi
+
+if [ "${TARGET_OS}" = "darwin" ]; then
+  if [ -z "${RUST_TARGET}" ]; then
+    [ "${TARGET_ARCH}" = "x86_64" ] && RUST_TARGET="x86_64-apple-darwin"
+    [ "${TARGET_ARCH}" = "aarch64" ] && RUST_TARGET="aarch64-apple-darwin"
+  fi
+elif [ "${TARGET_OS}" = "windows" ]; then
+  if [ -z "${RUST_TARGET}" ]; then
+    [ "${TARGET_ARCH}" = "x86_64" ] && RUST_TARGET="x86_64-pc-windows-msvc"
+    [ "${TARGET_ARCH}" = "aarch64" ] && RUST_TARGET="aarch64-pc-windows-msvc"
+  fi
+elif [ "${TARGET_OS}" = "freebsd" ]; then
+  if [ -z "${RUST_TARGET}" ]; then
+    [ "${TARGET_ARCH}" = "x86_64" ] && RUST_TARGET="x86_64-${TARGET_VENDOR}-freebsd"
+  fi
+elif [ "${TARGET_OS}" = "netbsd" ]; then
+  if [ -z "${RUST_TARGET}" ]; then
+    [ "${TARGET_ARCH}" = "x86_64" ] && RUST_TARGET="x86_64-${TARGET_VENDOR}-netbsd"
+  fi
+else
+  if [ -z "${RUST_TARGET}" ]; then
+    [ "${TARGET_ARCH}" = "x86_64" ] && RUST_TARGET="x86_64-${TARGET_VENDOR}-linux-${TARGET_LIBC}"
+    [ "${TARGET_ARCH}" = "aarch64" ] && RUST_TARGET="aarch64-${TARGET_VENDOR}-linux-${TARGET_LIBC}"
+    [ "${TARGET_ARCH}" = "riscv64gc" ] && RUST_TARGET="riscv64gc-${TARGET_VENDOR}-linux-${TARGET_LIBC}"
+  fi
+fi
+
+if [ -z "${C_TARGET}" ]; then
+  [ "${TARGET_ARCH}" = "x86_64" ] && C_TARGET="x86_64-linux-${TARGET_LIBC}"
+  [ "${TARGET_ARCH}" = "aarch64" ] && C_TARGET="aarch64-linux-${TARGET_LIBC}"
+fi
+
+if [ "${PROTECT_TARGET_C_MODE}" = "1" ]; then
+  if [ -z "${C_TARGET}" ]; then
+    echo "ERROR: Unable to determine C_TARGET, your os or architecture may not be supported by Edera Protect." >/dev/stderr
+    exit 1
+  fi
+
+  echo "${C_TARGET}"
+else
+  if [ -z "${RUST_TARGET}" ]; then
+    echo "ERROR: Unable to determine RUST_TARGET, your os or architecture may not be supported by Edera Protect." >/dev/stderr
+    exit 1
+  fi
+
+  echo "${RUST_TARGET}"
+fi

src/lib.rs

@@ -77,6 +77,7 @@ impl CheckGroupResult {
 
 pub trait CheckGroup {
     fn name(&self) -> &str;
+    fn id(&self) -> &str;
     fn description(&self) -> &str;
     fn run(&self) -> CheckGroupResult;
 }

src/main.rs

@@ -11,14 +11,18 @@ use std::env;
 
 fn main() -> Result<()> {
     env_logger::init();
-    let checks: Vec<Box<dyn CheckGroup>> = vec![Box::new(SystemChecks), Box::new(ScriptChecks)];
+
+    let groups: Vec<Box<dyn CheckGroup>> = vec![Box::new(SystemChecks), Box::new(ScriptChecks)];
 
     let mut final_result = Passed;
 
     // Run each check group
-    for check in checks {
-        info!("Running Group [{}] - {}", check.name(), check.description());
-        let check_group_result = check.run();
+    for group in groups {
+        // if group.id() == "ScriptedChecks" {
+        //     continue;
+        // }
+        info!("Running Group [{}] - {}", group.name(), group.description());
+        let check_group_result = group.run();
         check_group_result.log_group();
         if env::var("EDERA_PREFLIGHT_VERBOSE").unwrap_or_default() == "true" {
             check_group_result.log_individual_checks();

src/script/mod.rs

@@ -10,10 +10,11 @@ use std::fs;
 use std::path::PathBuf;
 use std::process::Command;
 
-pub struct ScriptChecks;
-
+const GROUP_IDENTIFIER: &str = "ScriptedChecks";
 const NAME: &str = "Scripted Checks";
 
+pub struct ScriptChecks;
+
 impl ScriptChecks {
     pub fn run_all(&self) -> CheckGroupResult {
         let mut results = Vec::new();
@@ -126,6 +127,10 @@ impl ScriptChecks {
 }
 
 impl CheckGroup for ScriptChecks {
+    fn id(&self) -> &str {
+        GROUP_IDENTIFIER
+    }
+
     fn name(&self) -> &str {
         NAME
     }

src/system/mod.rs

@@ -3,13 +3,15 @@ use super::{
     CheckResultValue::{Errored, Failed, Passed},
 };
 
+use log::debug;
 use sysinfo::System;
 
-pub struct SystemChecks;
-
+const GROUP_IDENTIFIER: &str = "SystemChecks";
 const NAME: &str = "System Checks";
 const MINIMUM_MEMORY: u64 = 10000;
 
+pub struct SystemChecks;
+
 impl SystemChecks {
     pub fn run_all(&self) -> CheckGroupResult {
         let results = vec![self.enough_memory(), self.erroring(), self.failing()];
@@ -39,6 +41,7 @@ impl SystemChecks {
         sys.refresh_all();
 
         let total_mem = sys.total_memory();
+        debug!("total memory = {total_mem}");
 
         let mut result = Passed;
         if total_mem < MINIMUM_MEMORY {
@@ -60,6 +63,10 @@ impl SystemChecks {
 }
 
 impl CheckGroup for SystemChecks {
+    fn id(&self) -> &str {
+        GROUP_IDENTIFIER
+    }
+
     fn name(&self) -> &str {
         NAME
     }