Merge branch 'main' into copilot/add-opensuse-15-6

Author: richlander

eng/docker-tools/DEV-GUIDE.md

@@ -25,4 +25,6 @@
 
 !!! Changes made in this directory are subject to being overwritten by automation !!!
 
-The files in this directory are shared by all .NET Docker repos. If you need to make changes to these files, open an issue or submit a pull request in https://github.com/dotnet/docker-tools.
+The files in this directory are shared by all .NET Docker repos. If you need to make changes to these files, open an issue or submit a pull request in https://github.com/dotnet/docker-tools.
+
+For guidance on using this infrastructure, see the [Developer Guide](DEV-GUIDE.md).

eng/docker-tools/readme.md

@@ -39,6 +39,15 @@ parameters:
 - name: enableSbom
   type: boolean
   default: false
+# Network isolation policy that will be enabled for jobs. The default policy
+# allows all outbound connections except for public package feeds and known
+# malicious endpoints. If this policy breaks the build, then it can be set to
+# "Permissive" temporarily until external dependencies are resolved.
+# See the network isolation documentation for more details:
+# https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation
+- name: networkIsolationPolicy
+  type: string
+  default: Permissive,CFSClean
 
 resources:
   repositories:
@@ -53,6 +62,8 @@ extends:
     baseTemplate: v1/1ES.${{ iif(contains(variables['Build.DefinitionName'], '-official'), 'Official', 'Unofficial') }}.PipelineTemplate.yml@1ESPipelineTemplates
     templateParameters:
       pool: ${{ parameters.pool }}
+      settings:
+        networkIsolationPolicy: ${{ parameters.networkIsolationPolicy }}
       sdl:
         sbom:
           enabled: ${{ parameters.enableSbom }}

eng/docker-tools/templates/1es.yml

@@ -47,6 +47,8 @@ stages:
     internalProjectName: "internal"
     publicProjectName: "public"
 
+    # publishConfig schema is defined in src/ImageBuilder/Configuration/PublishConfiguration.cs.
+    # This will get converted to JSON and placed in appsettings.json to be loaded by ImageBuilder at runtime.
     publishConfig:
       internalMirrorAcr:
         server: $(acr-staging-test.server)

eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml

@@ -47,6 +47,8 @@ stages:
     internalProjectName: "internal"
     publicProjectName: "public"
 
+    # publishConfig schema is defined in src/ImageBuilder/Configuration/PublishConfiguration.cs.
+    # This will get converted to JSON and placed in appsettings.json to be loaded by ImageBuilder at runtime.
     publishConfig:
       internalMirrorAcr:
         server: $(acr-staging.server)

eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml

@@ -66,7 +66,7 @@ variables:
 - name: default1ESInternalPoolName
   value: NetCore1ESPool-Internal
 - name: default1ESInternalPoolImage
-  value: 1es-ubuntu-2204
+  value: Azure-Linux-3-Amd64
 
 - template: /eng/docker-tools/templates/variables/sdl-pool.yml@self
 

eng/docker-tools/templates/variables/common.yml

@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2852433
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2862284
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner

eng/docker-tools/templates/variables/docker-images.yml

@@ -0,0 +1,60 @@
+FROM library/fedora:43
+
+RUN dnf upgrade --refresh -y \
+    && dnf config-manager addrepo --from-repofile=https://packages.microsoft.com/fedora/43/prod/config.repo \
+    && dnf install --setopt=install_weak_deps=False --setopt tsflags=nodocs -y \
+        # Base toolchain we need to build anything (clang, cmake, make and the like)
+        clang \
+        cmake \
+        dnf-plugins-core \
+        findutils \
+        gdb \
+        glibc-langpack-en \
+        lldb-devel \
+        llvm-devel \
+        make \
+        pigz \
+        python \
+        which \
+        # Tools used by build automation
+        azure-cli \
+        git \
+        jq \
+        tar \
+        procps \
+        zip \
+        # Dependencies of CoreCLR, Mono and CoreFX
+        autoconf \
+        automake \
+        brotli-devel \
+        cpio \
+        glibc-locale-source \
+        iputils \
+        krb5-devel \
+        libcurl-devel \
+        libicu-devel \
+        libomp-devel \
+        libtool \
+        libunwind-devel \
+        libuuid-devel \
+        lttng-ust-devel \
+        openssl-devel \
+        rapidjson-devel \
+        uuid-devel \
+        zlib-devel \
+        # Dependencies for VMR/source-build tests
+        iproute \
+        elfutils \
+        file \
+        # Dependencies to support globalization
+        icu \
+    && dnf clean all
+
+# Install the latest non-preview powershell release.
+RUN LATEST_TAG=$(curl -L https://api.github.com/repos/powershell/powershell/releases/latest | jq -r '.tag_name') \
+    && curl -L https://github.com/PowerShell/PowerShell/releases/download/$LATEST_TAG/powershell-${LATEST_TAG#*v}-linux-x64.tar.gz -o /tmp/powershell.tar.gz \
+    && mkdir -p /opt/microsoft/powershell \
+    && tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell \
+    && chmod +x /opt/microsoft/powershell/pwsh \
+    && ln -s /opt/microsoft/powershell/pwsh /usr/bin/pwsh \
+    && rm -f /tmp/powershell.tar.gz

src/fedora/43/amd64/Dockerfile

@@ -15,6 +15,18 @@
             }
           ]
         },
+        {
+          "platforms": [
+            {
+              "dockerfile": "src/fedora/43/amd64",
+              "os": "linux",
+              "osVersion": "fedora43",
+              "tags": {
+                "fedora-43-amd64": {}
+              }
+            }
+          ]
+        },
         {
           "platforms": [
             {