[CNG] KAS image needs license file
Summary
When submitting the KAS FIPS image for preflight certification with Red Hat, it fails because the image doesn't have a license file.
Steps to reproduce
$ docker run -it --rm registry.gitlab.com/gitlab-org/cloud-native/preflight:1.2.1-1 preflight check container registry.gitlab.com/gitlab-org/build/cng/gitlab-kas:master-fips
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
time="2022-09-16T18:38:34Z" level=info msg="certification library version 1.2.1 <commit: 16e00a287ab183eb06e08839d0b87c5c7ab7c548>"
time="2022-09-16T18:39:13Z" level=info msg="check completed: HasRequiredLabel" result=PASSED
time="2022-09-16T18:39:13Z" level=info msg="USER 1000 specified that is non-root"
time="2022-09-16T18:39:13Z" level=info msg="check completed: RunAsNonRoot" result=PASSED
time="2022-09-16T18:39:13Z" level=info msg="check completed: BasedOnUbi" result=PASSED
time="2022-09-16T18:39:29Z" level=info msg="check completed: HasModifiedFiles" result=PASSED
time="2022-09-16T18:39:29Z" level=error msg="Error when checking for /licenses : stat /tmp/preflight-379537932/fs/licenses: no such file or directory"
time="2022-09-16T18:39:29Z" level=info msg="check completed: HasLicense" result=FAILED
time="2022-09-16T18:39:30Z" level=info msg="check completed: HasUniqueTag" result=PASSED
time="2022-09-16T18:39:30Z" level=info msg="check completed: LayerCountAcceptable" result=PASSED
time="2022-09-16T18:39:30Z" level=info msg="check completed: HasNoProhibitedPackages" result=PASSED
{
    "image": "registry.gitlab.com/gitlab-org/build/cng/gitlab-kas:master-fips",
    "passed": false,
    "test_library": {
        "name": "github.com/redhat-openshift-ecosystem/openshift-preflight",
        "version": "1.2.1",
        "commit": "16e00a287ab183eb06e08839d0b87c5c7ab7c548"
    },
    "results": {
        "passed": [
            {
                "name": "HasRequiredLabel",
                "elapsed_time": 0,
                "description": "Checking if the required labels (name, vendor, version, release, summary, description) are present in the container metadata."
            },
            {
                "name": "RunAsNonRoot",
                "elapsed_time": 1,
                "description": "Checking if container runs as the root user because a container that does not specify a non-root user will fail the automatic certification, and will be subject to a manual review before the container can be approved for publication"
            },
            {
                "name": "BasedOnUbi",
                "elapsed_time": 451,
                "description": "Checking if the container's base image is based upon the Red Hat Universal Base Image (UBI)"
            },
            {
                "name": "HasModifiedFiles",
                "elapsed_time": 16442,
                "description": "Checks that no files installed via RPM in the base Red Hat layer have been modified"
            },
            {
                "name": "HasUniqueTag",
                "elapsed_time": 374,
                "description": "Checking if container has a tag other than 'latest', so that the image can be uniquely identified."
            },
            {
                "name": "LayerCountAcceptable",
                "elapsed_time": 0,
                "description": "Checking if container has less than 40 layers. Too many layers within the container images can degrade container performance."
            },
            {
                "name": "HasNoProhibitedPackages",
                "elapsed_time": 340,
                "description": "Checks to ensure that the image in use does not include prohibited packages, such as Red Hat Enterprise Linux (RHEL) kernel packages."
            }
        ],
        "failed": [
            {
                "name": "HasLicense",
                "elapsed_time": 0,
                "description": "Checking if terms and conditions applicable to the software including open source licensing information are present. The license must be at /licenses",
                "help": "Check HasLicense encountered an error. Please review the preflight.log file for more information.",
                "suggestion": "Create a directory named /licenses and include all relevant licensing and/or terms and conditions as text file(s) in that directory.",
                "knowledgebase_url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_certification/4.9/html-single/red_hat_openshift_software_certification_policy_guide/index#assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction",
                "check_url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_certification/4.9/html-single/red_hat_openshift_software_certification_policy_guide/index#assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction"
            }
        ],
        "errors": []
    }
}
Acceptance criteria
- KAS has a license file in at least the FIPS image
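
An added example, not part of the original issue and not preflight's own code: a pre-submission check that a container root filesystem carries a non-empty /licenses directory, as the HasLicense suggestion in the output above asks. The function names, the constructed sample paths and the exact pass criterion (at least one regular file under /licenses) are assumptions.

```python
import io
import posixpath
import sys
import tarfile


def _norm(name):
    # Tar members may be named "licenses/x", "./licenses/x" or "/licenses/x".
    return posixpath.normpath("/" + name).lstrip("/")


def check_licenses(rootfs_tar):
    """Return (ok, detail) for a root filesystem tar stream, e.g. from `docker export`."""
    dir_seen, files = False, []
    # "r|*" reads a non-seekable stream, so piped stdin works as well as BytesIO.
    with tarfile.open(fileobj=rootfs_tar, mode="r|*") as tar:
        for member in tar:
            path = _norm(member.name)
            if path == "licenses":
                if not member.isdir():
                    return False, "/licenses exists but is not a directory"
                dir_seen = True
            elif path.startswith("licenses/") and member.isfile():
                files.append("/" + path)
    if files:
        return True, sorted(files)
    return False, "/licenses is empty" if dir_seen else "/licenses is missing"


def make_rootfs(entries):
    """Constructed sample input: in-memory tar from {path: bytes, or None for a directory}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: docker export "$(docker create IMAGE)" | python check_licenses.py
    ok, detail = check_licenses(sys.stdin.buffer)
    print("HasLicense pre-check:", "PASSED" if ok else "FAILED", detail)
    sys.exit(0 if ok else 1)
```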