Merge branch 'master' into docker_inspect

Author: lphiri

Diff for: README.md

@@ -7,7 +7,7 @@ A rule based 'linter' for [Dockerfiles](https://docs.docker.com/reference/builde
 #Quickstart
 
 1. Change to directory where you have a Dockerfile
-1. run
+2. run
   * Atomic CLI
 
             atomic run projectatomic/dockerfile-lint
@@ -17,6 +17,12 @@ A rule based 'linter' for [Dockerfiles](https://docs.docker.com/reference/builde
             docker run -it --rm --privileged -v `pwd`:/root/ \
                    projectatomic/dockerfile-lint \
                    dockerfile_lint -f Dockerfile
+                   
+By default, the linter runs in strict mode (errors and/or warnings result in non-zero return code). Run the command with '-p'  or '--permissive to
+run in permissive mode:
+            docker run -it --rm --privileged -v `pwd`:/root/ \
+                               projectatomic/dockerfile-lint \
+                               dockerfile_lint -p -f Dockerfile
 
 #Extending and Customizing: Rule Files
 Rule files are written in [yaml](http://www.yaml.org/). See the example rule file **sample_rules.yaml** in the root folder of the project.

Diff for: bin/dockerfile_lint

@@ -8,6 +8,8 @@ var fs = require('fs'),
     commandline = require('commander'),
     logger = require("../lib/logger"),
     config = require('../config/config'),
+    yamlParser = require('js-yaml'),
+    loadRules = require("../lib/rulefile-loader").load,
     DockeFileValidator = require('../');
 
 
@@ -98,16 +100,19 @@ function printJsonResults(results) {
 
 var dockerfileLocation = null;
 var rulefileLocation = null;
-var dockerfile = null;
-var rulefile = null;
+var dockerfile = null ;
+var rulefile = null ;
 var printJson = false;
 var remoteFile = false;
+var strictMode = true;
 
 
 commandline.option('-j, --json', 'Show results in JSON format')
     .option('-r, --rulefile [rulefile] (optional)', 'Rule file', rulefile)
     .option('-f, --dockerfile [dockerfile] (required)', 'File to lint. Accepts a local file or an http(s) URL', dockerfile)
     .option('-v, --verbose', 'Show debugging logs')
+    .option('-p, --permissive', 'Run in permissive mode (return 1 only on error but not on warning)')
+    .option('-e, --export-rules', 'Dump the effective rule file. All other options except -r are ignored.')
     .parse(process.argv);
 
 if (commandline.verbose) {
@@ -119,15 +124,34 @@ if (commandline.json) {
     printJson = true;
 }
 
-if (!commandline.dockerfile) {
+if (!commandline.dockerfile && !commandline.exportRules) {
     commandline.help();
 }
 
-dockerfileLocation = commandline.dockerfile;
 if (commandline.rulefile) {
     rulefileLocation = commandline.rulefile;
 }
 
+if (rulefileLocation !== null) {
+    if (!fs.existsSync(rulefileLocation)) {
+        console.error('ERROR: Rule file not found -> ' + rulefileLocation);
+        process.exit(1);
+    }
+}
+
+if (commandline.exportRules) {
+    var rules = loadRules(rulefileLocation);
+    console.log(yamlParser.dump(rules));
+    process.exit(0);
+}
+
+if (commandline.permissive) {
+    strictMode = false;
+}
+
+dockerfileLocation = commandline.dockerfile;
+
+
 try {
     dockerfile = fs.readFileSync(dockerfileLocation, 'UTF-8');
 } catch (e) {
@@ -138,12 +162,7 @@ try {
         process.exit(1);
     }
 }
-if (rulefileLocation !== null) {
-    if (!fs.existsSync(rulefileLocation)) {
-        console.error('ERROR: Rule file not found -> ' + rulefileLocation);
-        process.exit(1);
-    }
-}
+
 
 function runValidation(dockerfile, rulefileLocation) {
     var validator = new DockeFileValidator(rulefileLocation);
@@ -154,7 +173,7 @@ function runValidation(dockerfile, rulefileLocation) {
         printResults(results);
     }
 
-    if (results.error.count > 0) {
+    if ((results.error.count > 0) || (strictMode && results.warn.count > 0)) {
         process.exit(1);
     } else {
         process.exit(0);

Diff for: lib/linter.js

@@ -3,7 +3,8 @@
 var helper = require('./linter-utils'),
     parser = require('./parser'),
     loadRules = require('./rulefile-loader').load,
-    logger = require('./logger');
+    logger = require('./logger'),
+    _ = require('lodash');
 
 //TODO move to utils
 function printObject(obj) {
@@ -61,12 +62,6 @@ function validateCommand(command, context, result) {
 function Linter(ruleFilePath) {
     if (!ruleFilePath) logger.info("No rule file provided, using default rules");
     this.rules = loadRules(ruleFilePath);
-    this.context = {
-        rules: this.rules,
-        validInstructionsRegex: helper.createValidCommandRegex(this.rules.general.valid_instructions),
-        requiredInstructions: helper.createReqInstructionHash(this.rules),
-        requiredNameVals: helper.createRequiredNameValDict(this.rules)
-    };
     helper.initLineRulesRegexes(this.rules);
 }
 
@@ -76,12 +71,26 @@ function Linter(ruleFilePath) {
  */
 Linter.prototype.getProfile = function () {
     return this.rules.profile;
-};
+}
+
+
+Linter.prototype.initContext = function(){
+    var ruleCopy = _.cloneDeep(this.rules);
+    this.context = {
+        rules: ruleCopy,
+        validInstructionsRegex: helper.createValidCommandRegex(ruleCopy.general.valid_instructions),
+        requiredInstructions: helper.createReqInstructionHash(ruleCopy),
+        requiredNameVals: helper.createRequiredNameValDict(ruleCopy)
+    };
+}
 
 /**
  * Validate  dockerfile contents string and returns the array of analysis
  * results.
  *
+ * The validate can be called safely multiple times with the same instance of
+ * of the Linter
+ *
  * @param contents {String}  The dockerfile file content.
  * @returns        {Array}
  */
@@ -92,6 +101,7 @@ Linter.prototype.validate = function (contents) {
         }]);
     }
     var result = helper.newResult();
+    this.initContext(); //start with a clean context to allow multiple calls.
     var options = {includeComments: false};
     var commands = parser.parse(contents, options);
     // @see  parser.parse for format of commands

Diff for: lib/rulefile-loader.js

@@ -65,6 +65,7 @@ function load(ruleFilePath) {
     var baseRuleLocation = fs.readFileSync(config.BASE_RULES, 'UTF-8');
     var rules = yamlParser.safeLoad(baseRuleLocation);
     if (!ruleFilePath) {
+        logger.debug("Effective rule set is :\n" + yamlParser.dump(rules));
         return rules;
     } else {
         var includedRuleProfiles = [];
@@ -78,6 +79,7 @@ function load(ruleFilePath) {
             delete profile.sourceFilename; // no longer needed part of hack!
             extend(rules, profile);
         });
+        logger.debug("Effective rule set is :\n" + yamlParser.dump(rules));
         return rules;
     }
 }

Diff for: sample_rules/basic_rules.yaml

@@ -2,23 +2,24 @@
   profile:
     name: "Default"
     description: "Default Profile. Checks basic syntax."
+    includes:
+      - recommended_label_rules.yaml
   line_rules: 
     FROM: 
       paramSyntaxRegex: /^[a-z0-9./-]+(:[a-z0-9.]+)?$/
       rules: 
         - 
           label: "is_latest_tag"
           regex: /latest/
-          level: "info"
+          level: "error"
           message: "base image uses 'latest' tag"
-          description: "using the 'latest' tag may cause unpredictable builds. It is recommended that a specific tag is used in the FROM line."
+          description: "using the 'latest' tag may cause unpredictable builds. It is recommended that a specific tag is used in the FROM line or *-released which is the latest supported release."
           reference_url: 
             - "https://docs.docker.com/reference/builder/"
             - "#from"
-        - 
           label: "no_tag"
           regex: /^[:]/
-          level: "warn"
+          level: "error"
           message: "No tag is used"
           description: "lorem ipsum tar"
           reference_url: 
@@ -32,18 +33,83 @@
       rules: 
         - 
           label: "no_yum_clean_all"
-          regex: /yum ((?!clean all).)* .+/
+          regex: /yum(?!.+clean all|.+\.repo)/g
           level: "warn"
           message: "yum clean all is not used"
           description: "the yum cache will remain in this layer making the layer unnecessarily large"
-          reference_url: "None"
+          reference_url: 
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "_clear_packaging_caches_and_temporary_package_downloads"
         - 
+          label: "yum_update_all"
+          regex: /yum(.+update all|.+upgrade|.+update)/g
+          level: "warn"
+          message: "updating the entire base image may add unnecessary size to the container"
+          description: "update the entire base image may add unnecessary size to the container"
+          reference_url: 
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "_clear_packaging_caches_and_temporary_package_downloads"
+        -
+          label: "no_dnf_clean_all"
+          regex: /dnf(?!.+clean all|.+\.repo)/g
+          level: "warn"
+          message: "dnf clean all is not used"
+          description: "the dnf cache will remain in this layer making the layer unnecessarily large"
+          reference_url: 
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "_clear_packaging_caches_and_temporary_package_downloads"
+        -
+          label: "no_rvm_cleanup_all"
+          regex: /rvm install(?!.+cleanup all)/g
+          level: "warn"
+          message: "rvm cleanup is not used"
+          description: "the rvm cache will remain in this layer making the layer unnecessarily large"
+          reference_url: 
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "_clear_packaging_caches_and_temporary_package_downloads"
+        -
+          label: "no_gem_clean_all"
+          regex: /gem install(?!.+cleanup|.+\rvm cleanup all)/g
+          level: "warn"
+          message: "gem cleanup all is not used"
+          description: "the gem cache will remain in this layer making the layer unnecessarily large"
+          reference_url: 
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "_clear_packaging_caches_and_temporary_package_downloads" 
+        -
+          label: "no_apt-get_clean"
+          regex: /apt-get install(?!.+clean)/g
+          level: "warn"
+          message: "apt-get clean is not used"
+          description: "the apt-get cache will remain in this layer making the layer unnecessarily large"
+          reference_url: 
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "_clear_packaging_caches_and_temporary_package_downloads" 
+        -
+          label: "privileged_run_container"
+          regex: /privileged/
+          level: "warn"
+          message: "a privileged run container is allowed access to host devices"
+          description: "Does this run need to be privileged?"
+          reference_url: 
+            - "http://docs.docker.com/engine/reference/run/#"
+            - "runtime-privilege-and-linux-capabilities"
+        -
           label: "installing_ssh"
           regex: /ssh/
           level: "warn"
           message: "installing SSH in a container is not recommended"
           description: "Do you really need SSH in this image?"
-          reference_url: "https://github.com/jpetazzo/nsenter"
+          reference_url: "https://github.com/jpetazzo/nsenter"	
+        - 
+          label: "no_ampersand_usage"
+          regex: /\;/
+          level: "warn"
+          message: "using ; instead of && will evaluate each expression regardless of the success of the previous command"
+          description: "RUN do_1 && do_2: The ampersands change the resulting evaluation into do_1 and then do_2 only if do_1 was successful."
+          reference_url:
+            - "http://docs.projectatomic.io/container-best-practices/#"
+            - "#_using_semi_colons_vs_double_ampersands"
     EXPOSE: 
       paramSyntaxRegex: /^[0-9]+([0-9\s]+)?$/
       rules: []
@@ -58,8 +124,8 @@
     ENTRYPOINT: 
       paramSyntaxRegex: /.+/
       rules: []
-    VOLUME: 
-      paramSyntaxRegex: /^~?([A-z0-9\/_.-]+|\["[A-z0-9\/_.-]+"\])$/
+    VOLUME:
+      paramSyntaxRegex: /.+/
       rules: []
     USER: 
       paramSyntaxRegex: /^[a-z_][a-z0-9_]{0,30}$/
@@ -74,7 +140,7 @@
     - 
       instruction: "MAINTAINER"
       count: 1
-      level: "info"
+      level: "error"
       message: "Maintainer is not defined"
       description: "The MAINTAINER line is useful for identifying the author in the form of MAINTAINER Joe Smith <[email protected]>"
       reference_url: 

Diff for: sample_rules/recommended_label_rules.yaml

@@ -0,0 +1,71 @@
+---
+  profile:
+    name: "Label"
+    description: "Label checking rule file."
+  line_rules:
+    LABEL:
+       #paramSyntaxRegex: /.+/
+       # Use defined_label_rules to defined a set of labels for your dockerfile
+       # In this example, the labels "Vendor","Authoritative_Registry","BZComponent"
+       # have been defined. A label value is 'valid' if matches the regular
+       # expression 'valueRegex', otherwise an warn is logged with the string "message"
+       # at level 'level'.  'reference_url' provides a web link where the user can
+       # get more information about the rule.
+       #
+       defined_namevals:
+           Name:
+             valueRegex: /([\w]+)./
+             message: "Label 'Name' is missing or has invalid format"
+             level: "warn"
+             required: true
+             reference_url:
+               - "http://docs.projectatomic.io/container-best-practices/#"
+               - "_recommended_labels_for_your_project"
+           Version:
+             valueRegex: /[\d+.\d+]+/
+             message: "Label 'Version' is missing or has invalid format"
+             level: "warn"
+             required: true
+             reference_url:
+               - "http://docs.projectatomic.io/container-best-practices/#"
+               - "_recommended_labels_for_your_project"
+           Release:
+             valueRegex: /[\d+.\d+]+/
+             message: "Label 'Release' is missing or has invalid format"
+             level: "warn"
+             required: true
+             reference_url:
+               - "http://docs.projectatomic.io/container-best-practices/#"
+               - "_recommended_labels_for_your_project"
+           Architecture:
+             valueRegex: /[\w]*[6,8][4,6]|[.]*86[.]*64/
+             message: "Label 'Architure' is missing or has invalid format: x86, i386, x86_64"
+             level: "warn"
+             required: true
+             reference_url:
+               - "http://docs.projectatomic.io/container-best-practices/#"
+               - "_recommended_labels_for_your_project"
+           Vendor:
+             valueRegex: /([\w]+).+/
+             message: "Label 'Vendor' is missing or has invalid format"
+             level: "warn"
+             required: true
+             reference_url:
+               - "http://docs.projectatomic.io/container-best-practices/#"
+               - "_recommended_labels_for_your_project"
+
+  # The 'required_instructions' lists mandatory instructions
+  #
+  #required_instructions:
+    #
+    # This rule says, you must have 1 "LABEL" instruction
+   # -
+   #   instruction: "LABEL"
+   #   count: 1
+   #   level: "warn"
+   #   message: "No LABELs are defined"
+   #   description: "Labels are needed because...."
+   #   reference_url:
+   #     - "https://docs.docker.com/reference/builder/"
+   #     - "#label"
+