OpenShift 4 - Slimming the container image that runs a Quarkus microservice

Published: 2022-10-17 ⋅ Reads: 612 ⋅ Likes: 0

OpenShift / RHEL / DevSecOps index
This text has been verified in an OpenShift 4.10 environment.

Preparing the Quarkus environment

First install the Quarkus runtime environment by following the article "OpenShift Quarkus (1): Creating the First Quarkus Application".

Generating application images from the test application

Compiling into a native executable

  1. Download the test application's source code.
$ git clone https://github.com/quarkusio/quarkus-quickstarts.git && cd quarkus-quickstarts/getting-started
  2. Compile the application into a native executable.
$ ./mvnw install -Dnative
...
(earlier output omitted)
========================================================================================================================
GraalVM Native Image: Generating 'getting-started-1.0.0-SNAPSHOT-runner' (executable)...
========================================================================================================================
[1/7] Initializing...                                                                                   (16.4s @ 0.17GB)
 Version info: 'GraalVM 22.2.0 Java 11 CE'
 Java version info: '11.0.16+8-jvmci-22.2-b06'
 C compiler: gcc (redhat, x86_64, 8.5.0)
 Garbage collector: Serial GC
 4 user-specific feature(s)
 - io.quarkus.runner.Feature: Auto-generated class by Quarkus from the existing extensions
 - io.quarkus.runtime.graal.DisableLoggingFeature: Disables INFO logging during the analysis phase for the [org.jboss.threads] categories
 - io.quarkus.runtime.graal.ResourcesFeature: Register each line in META-INF/quarkus-native-resources.txt as a resource on Substrate VM
 - org.graalvm.home.HomeFinderFeature: Finds GraalVM paths and its version number
[2/7] Performing analysis...  [WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.netty.util.internal.ReflectionUtil (file:/home/lab-user/quarkus-quickstarts/getting-started/target/getting-started-1.0.0-SNAPSHOT-native-image-source-jar/lib/io.netty.netty-common-4.1.82.Final.jar) to constructor java.nio.DirectByteBuffer(long,int)
WARNING: Please consider reporting this to the maintainers of io.netty.util.internal.ReflectionUtil
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
**********]                                                             (142.3s @ 0.84GB)
   9,832 (89.17%) of 11,026 classes reachable
  14,885 (59.32%) of 25,094 fields reachable
  48,936 (56.70%) of 86,305 methods reachable
     410 classes,   581 fields, and 1,464 methods registered for reflection
      69 classes,    88 fields, and    55 methods registered for JNI access
       5 native libraries: dl, pthread, rt, stdc++, z
[3/7] Building universe...                                                                              (21.5s @ 1.00GB)
[4/7] Parsing methods...      [****]                                                                    (16.5s @ 1.58GB)
[5/7] Inlining methods...     [***]                                                                     (10.5s @ 1.55GB)
[6/7] Compiling methods...    [***********]                                                            (123.4s @ 1.30GB)
[7/7] Creating image...                                                                                  (8.3s @ 1.03GB)
  18.72MB (47.87%) for code area:    31,047 compilation units
  19.92MB (50.95%) for image heap:  244,692 objects and 10 resources
 470.30KB ( 1.17%) for other data
  39.09MB in total
------------------------------------------------------------------------------------------------------------------------
Top 10 packages in code area:                               Top 10 object types in image heap:
   1.58MB sun.security.ssl                                     4.02MB byte[] for code metadata
   1.14MB java.lang.invoke                                     2.39MB java.lang.Class
 930.07KB java.util                                            2.22MB java.lang.String
 688.34KB com.sun.crypto.provider                              2.06MB byte[] for general heap data
 475.48KB sun.security.x509                                    1.76MB byte[] for java.lang.String
 411.59KB java.lang                                          921.75KB com.oracle.svm.core.hub.DynamicHubCompanion
 394.81KB io.netty.buffer                                    568.03KB java.util.HashMap$Node
 373.94KB java.util.concurrent                               491.65KB byte[] for reflection metadata
 365.51KB java.io                                            443.55KB java.lang.String[]
 343.68KB io.netty.handler.codec.http2                       350.23KB c.o.svm.core.hub.DynamicHub$ReflectionMetadata
  11.88MB for 363 more packages                                3.71MB for 2410 more object types
------------------------------------------------------------------------------------------------------------------------
                        22.5s (6.4% of total time) in 73 GCs | Peak RSS: 2.57GB | CPU load: 1.94
------------------------------------------------------------------------------------------------------------------------
Produced artifacts:
 /home/lab-user/quarkus-quickstarts/getting-started/target/getting-started-1.0.0-SNAPSHOT-native-image-source-jar/getting-started-1.0.0-SNAPSHOT-runner (executable)
 /home/lab-user/quarkus-quickstarts/getting-started/target/getting-started-1.0.0-SNAPSHOT-native-image-source-jar/getting-started-1.0.0-SNAPSHOT-runner.build_artifacts.txt (txt)

Generating different types of application images

  1. Create a Dockerfile based on a distroless image.
cat << EOF > src/main/docker/Dockerfile.native-distroless
FROM quay.io/quarkus/quarkus-distroless-image:1.0
COPY target/*-runner /application
 
EXPOSE 8080
USER nonroot
 
CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
EOF
  2. Confirm that there are 5 Dockerfiles under src/main/docker/: native builds an image from UBI plus the executable, native-micro builds one from UBI-Micro plus the executable, and native-distroless builds one from distroless plus the executable.
$ ls src/main/docker/
Dockerfile.jvm     Dockerfile.legacy-jar     Dockerfile.native     Dockerfile.native-distroless     Dockerfile.native-micro
  3. Build images from the jvm, native, native-micro and native-distroless Dockerfiles and push them to the temporary ttl.sh registry.
IMAGE_TYPES="jvm native native-micro native-distroless"
for IMAGE_TAG in $IMAGE_TYPES; do
	podman build -f src/main/docker/Dockerfile.$IMAGE_TAG -t quarkus-quickstart/getting-started:$IMAGE_TAG .
	IMAGE_NAME=$IMAGE_TAG-$(uuidgen)
	podman tag localhost/quarkus-quickstart/getting-started:$IMAGE_TAG ttl.sh/${IMAGE_NAME}:4h
	podman push ttl.sh/${IMAGE_NAME}:4h
done
  4. Confirm that the distroless-based image is the smallest at only 65.4 MB; the native-micro image is slightly larger at 72.1 MB; the native image is larger still at 138 MB; and the jvm image is the largest at 598 MB.
$ podman images
REPOSITORY                                                     TAG                IMAGE ID      CREATED        SIZE
localhost/quarkus-quickstart/getting-started                   native-micro       7c90b521df0f  5 minutes ago  72.1 MB
ttl.sh/native-micro-cf93abf3-a203-4edf-b7e3-b7c86a155a61       4h                 7c90b521df0f  5 minutes ago  72.1 MB
localhost/quarkus-quickstart/getting-started                   native             cf13324892c8  6 minutes ago  138 MB
ttl.sh/native-539298eb-8930-467c-89a4-819e03d1b761             4h                 cf13324892c8  6 minutes ago  138 MB
localhost/quarkus-quickstart/getting-started                   jvm                a5a202e36990  6 minutes ago  598 MB
ttl.sh/jvm-0a7749aa-e6fd-4d6f-a83e-57835233ff8b                4h                 a5a202e36990  6 minutes ago  598 MB
localhost/quarkus-quickstart/getting-started                   native-distroless  a84a6ddd6d97  3 hours ago    65.4 MB
ttl.sh/native-distroless-ddc9d7b2-10b1-4567-9ce7-e365ab6f4e32  4h                 a84a6ddd6d97  3 hours ago    65.4 MB
quay.io/quarkus/quarkus-distroless-image                       1.0                58ef131f7440  11 days ago    24.5 MB
quay.io/quarkus/quarkus-micro-image                            1.0                6b6c6d8c6722  11 days ago    31.2 MB
registry.access.redhat.com/ubi8/ubi-minimal                    8.3                332744c1854d  18 months ago  105 MB
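The distroless Dockerfile above gets its security value from two details that are easy to lose when the file is copied between variants: the final stage switches to a non-root user (USER nonroot), and the base image is pinned to a fixed tag rather than :latest. The following POSIX shell script is an added example, not part of the original post or of the Quarkus project; it checks both properties for each Dockerfile before the podman build loop runs. The function names (last_user, base_image, check_dockerfile) and the two constructed input files (the post's distroless Dockerfile and a deliberately broken variant) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a small hygiene check for the
# Dockerfiles built in this article. It verifies that the final stage drops
# root (the last USER directive is neither "root" nor UID 0) and that the
# base image reference is pinned to a tag or digest rather than ":latest".
# Function names are assumptions made for this example.

# Value of the last USER directive in the file (empty if there is none).
last_user() {
    awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$1"
}

# Image reference of the last FROM line, i.e. the base of the final stage.
base_image() {
    awk 'toupper($1) == "FROM" { img = $2 } END { print img }' "$1"
}

# Returns 0 when both checks pass, 1 otherwise; prints one line per check.
check_dockerfile() {
    f=$1
    user=$(last_user "$f")
    img=$(base_image "$f")
    rc=0

    case "$user" in
        "" | root | 0 | 0:* )
            echo "FAIL $f: final stage runs as root (USER='$user')"; rc=1 ;;
        * )
            echo "ok   $f: final stage runs as USER $user" ;;
    esac

    # Inspect only the last path component so a registry port (host:5000/...)
    # is not mistaken for a tag.
    name=${img##*/}
    case "$name" in
        *@sha256:* ) tag=digest ;;
        *:* )        tag=${name##*:} ;;
        * )          tag="" ;;
    esac
    case "$tag" in
        "" | latest )
            echo "FAIL $f: base image '$img' is not pinned"; rc=1 ;;
        * )
            echo "ok   $f: base image pinned ($tag)" ;;
    esac
    return $rc
}

# Constructed inputs: the distroless Dockerfile from this post, and a variant
# that omits USER and uses an unpinned base, to exercise the failing path.
WORK=$(mktemp -d)
cat > "$WORK/Dockerfile.native-distroless" << 'EOF'
FROM quay.io/quarkus/quarkus-distroless-image:1.0
COPY target/*-runner /application
EXPOSE 8080
USER nonroot
CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
EOF

cat > "$WORK/Dockerfile.bad" << 'EOF'
FROM quay.io/quarkus/quarkus-distroless-image:latest
COPY target/*-runner /application
EXPOSE 8080
CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
EOF

# Check every Dockerfile in the directory; a failed check must not abort the
# loop, so the non-zero status is swallowed here and reported by the output.
for f in "$WORK"/Dockerfile.*; do
    check_dockerfile "$f" || true
done
```

To apply the check to the real project, point the loop at src/main/docker/Dockerfile.* and run it ahead of the podman build loop; a non-zero return from check_dockerfile is a reasonable gate for a CI step. Note that USER only proves the final stage does not run as root; it does not verify that /application is readable by that user, which the build itself would reveal at run time.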

Image vulnerability scanning

  1. If an RHACS environment is available, use the MANAGE WATCHES function on the IMAGES page of RHACS to scan the 4 images generated above.
  2. The results show that the jvm-based application image contains the most vulnerabilities, while the native-micro and distroless images contain comparatively few.
