From 155ecf7e16fa729156d6881a73a18439f5d3de6e Mon Sep 17 00:00:00 2001
From: Oded
Date: Wed, 22 Jun 2022 15:42:12 +0300
Subject: [PATCH 1/3] update docker to debian latest
---
 Dockerfile | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a8fde254..b26dd849 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,15 @@
 # BUILD STAGE ---------------------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM python:3.8-alpine3.11 as BuildStage
-# update apk cache
-RUN apk update
+FROM python:3.8-slim-bullseye as BuildStage
+# update apt
+RUN apt-get update
 # TODO: remove this when upgrading to a new alpine version
 # more details: https://github.com/pyca/cryptography/issues/5771
 ENV CRYPTOGRAPHY_DONT_BUILD_RUST=1
 # install linux libraries necessary to compile some python packages
-RUN apk add --update --no-cache --virtual .build-deps gcc git build-base alpine-sdk python3-dev musl-dev postgresql-dev libffi-dev libressl-dev
+# TODO ask asaf about postgres 11
+RUN apt-get install --fix-missing -y gcc git make python3-dev libpq-dev libffi-dev libssl-dev g++
 # from now on, work in the /app directory
 WORKDIR /app/
 # Layer dependency install (for caching)
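Review bot: `RUN apt-get update` on its own line followed by a separate `RUN apt-get install …` lets a rebuild reuse a cached, stale package index, so the install step can fetch package versions that no longer exist in the archive or miss security updates; the same split appears in the main-image hunk below and again in PATCH 2. `--fix-missing` makes this worse, because apt then continues when a package cannot be fetched and the build succeeds with that package silently absent. I would collapse the two steps into `RUN apt-get update && apt-get install -y --no-install-recommends g++ gcc git libffi-dev libpq-dev libssl-dev make python3-dev && rm -rf /var/lib/apt/lists/*` and drop `--fix-missing`, pinning versions where the project wants reproducible builds. The comment `# TODO: remove this when upgrading to a new alpine version` above `ENV CRYPTOGRAPHY_DONT_BUILD_RUST=1` is now stale on a Debian base and should name the condition under which the workaround can actually be removed.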
@@ -19,11 +20,13 @@ RUN pip install --upgrade pip && pip install --user -r requirements.txt
 # MAIN IMAGE ----------------------------------------
 # most of the time only this image should be built
 # ---------------------------------------------------
-FROM python:3.8-alpine3.11
+FROM python:3.8-slim-bullseye
+# update apt
+RUN apt-get update
 # bash is needed for ./start/sh script
-RUN apk add --update --no-cache bash curl
+RUN apt-get -y install curl
 # needed for rookout
-RUN apk add g++ python3-dev linux-headers
+RUN apt-get -y install --fix-missing gcc g++ python3-dev
 # copy opa from official image (main binary and lib for web assembly)
 RUN curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static && chmod 755 /opa
 # copy libraries from build stage
From 9bc875e43daa635d17fd3b380aad5813e4acf96b Mon Sep 17 00:00:00 2001
From: Shaul Kremer
Date: Wed, 22 Jun 2022 17:29:05 +0300
Subject: [PATCH 2/3] Pulled the libpcre2-8-0 package from Debian Testing to resolve CVE-2022-1586.
---
 Dockerfile | 7 ++++++-
 docker-files/testing.list | 1 +
 docker-files/testing.prefs | 7 +++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 docker-files/testing.list
 create mode 100644 docker-files/testing.prefs
diff --git a/Dockerfile b/Dockerfile
index b26dd849..2b94e73f 100644
--- a/Dockerfile
+++ b/Dockerfile
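Review bot: The comment `# bash is needed for ./start/sh script` now sits above `RUN apt-get -y install curl`, which no longer installs bash (the removed `apk add … bash curl` line did), so the image either relies silently on bash from the slim-bullseye base or the comment is stale; make the dependency explicit or fix the comment. The new `RUN apt-get -y install --fix-missing gcc g++ python3-dev` line puts a full C toolchain into the runtime image with no version pins and no `--no-install-recommends`; if rookout genuinely needs the compiler at run time, say so in the comment and pin the packages (`gcc=<version>` style) so the runtime image stays reproducible. The stale-index and cleanup problems of the separate `apt-get update` layer are raised on the build-stage hunk above and apply here as well.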
@@ -21,12 +21,17 @@ RUN pip install --upgrade pip && pip install --user -r requirements.txt
 # most of the time only this image should be built
 # ---------------------------------------------------
 FROM python:3.8-slim-bullseye
+# setup optional testing repo for newer packages
+COPY docker-files/testing.list /etc/apt/sources.list.d/
+COPY docker-files/testing.prefs /etc/apt/preferences.d/
 # update apt
 RUN apt-get update
 # bash is needed for ./start/sh script
 RUN apt-get -y install curl
 # needed for rookout
 RUN apt-get -y install --fix-missing gcc g++ python3-dev
+# install newer pcre2 to resolve CVE-2022-1586
+RUN apt-get -y install -t testing libpcre2-8-0
 # copy opa from official image (main binary and lib for web assembly)
 RUN curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static && chmod 755 /opa
 # copy libraries from build stage
@@ -75,4 +80,4 @@ EXPOSE 7000
 # expose opa directly
 EXPOSE 8181
 # run gunicorn
-CMD ["/start.sh"]
\ No newline at end of file
+CMD ["/start.sh"]
diff --git a/docker-files/testing.list b/docker-files/testing.list
new file mode 100644
index 00000000..1e47f3f7
--- /dev/null
+++ b/docker-files/testing.list
@@ -0,0 +1 @@
+deb http://deb.debian.org/debian bookworm main
diff --git a/docker-files/testing.prefs b/docker-files/testing.prefs
new file mode 100644
index 00000000..94a4b0c3
--- /dev/null
+++ b/docker-files/testing.prefs
@@ -0,0 +1,7 @@
+# 100 <= P < 500: causes a version to be installed unless there is a
+# version available belonging to some other distribution or the installed
+# version is more recent
+
+Package: *
+Pin: release a=testing
+Pin-Priority: 400
From 3cdd0bd37d08544ca85edd42a30d08193649a8d2 Mon Sep 17 00:00:00 2001
From: Oded
Date: Wed, 22 Jun 2022 22:33:35 +0300
Subject: [PATCH 3/3] downgrade tenacity and remove new code
---
 horizon/startup/remote_config.py | 7 +++++--
 requirements.txt | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
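Review bot: `docker-files/testing.list` names the codename `bookworm` while `docker-files/testing.prefs` (`Pin: release a=testing`) and the new `RUN apt-get -y install -t testing libpcre2-8-0` line use the suite alias `testing`; these coincide today but diverge once bookworm is promoted, at which point the 400 pin stops matching, the bookworm entry competes with bullseye at equal priority on every rebuild, and the `-t testing` install fails. Use the same name on both sides (`Pin: release n=bookworm` with `-t bookworm`, or list `testing` in the sources file) and pin the exact package, `libpcre2-8-0=<version-from-bookworm>`, so the mixed-release runtime image is reproducible. Note also that `-t testing` raises the whole testing release's priority for that resolver run, so dependencies of libpcre2-8-0 may be pulled from bookworm as well; a dry run (`apt-get install -s`) recorded in the PR description would show what actually changes. The comment above the install line should say this is a temporary cross-release pull to be removed once bullseye ships the fix.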
diff --git a/horizon/startup/remote_config.py b/horizon/startup/remote_config.py
index ca606071..4a9283b9 100644
--- a/horizon/startup/remote_config.py
+++ b/horizon/startup/remote_config.py
@@ -1,7 +1,9 @@
 import requests
 from typing import Optional
-from tenacity import retry, wait, stop, retry_if_not_exception_type
+# TODO: readd after we release the new version of opal (should be next week)
+#from tenacity import retry, wait, stop, retry_if_not_exception_type
+from tenacity import retry, wait, stop
 from pydantic import ValidationError
 from opal_common.logger import logger
@@ -50,7 +52,8 @@ class RemoteConfigFetcher:
 organizations (which is not secure).
 """
 DEFAULT_RETRY_CONFIG = {
-'retry': retry_if_not_exception_type(InvalidPDPTokenException),
+# TODO: readd after we release the new version of opal (should be next week)
+# 'retry': retry_if_not_exception_type(InvalidPDPTokenException),
 'wait': wait.wait_random_exponential(max=10),
 'stop': stop.stop_after_attempt(10),
 'reraise': True,
diff --git a/requirements.txt b/requirements.txt
index 3f49a5ad..df52e595 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,7 +7,7 @@ pydantic[email]==1.8.2
 starlette==0.14.2
 uvicorn[standard]
 requests==2.25.0
-tenacity>=8.0.1
+tenacity>=6.3.1
 Jinja2==3.0.3
 logzio-python-handler
 rook
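Review bot: The commented-out `#from tenacity import retry, wait, stop, retry_if_not_exception_type` line is dead code beside a live import of the same module; the TODO above it already records the intent, so the commented import can go and the TODO should state the concrete condition for reverting, e.g. `# TODO: restore retry_if_not_exception_type once opal allows tenacity>=<version that provides it>`. A dated "should be next week" in a comment ages badly and gives the next reader nothing to check against.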
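Review bot: Removing the `'retry'` key changes behaviour, not just an import: tenacity's default predicate retries on any exception, so an `InvalidPDPTokenException` now goes through all ten attempts of `stop_after_attempt(10)` with `wait_random_exponential(max=10)` between them before surfacing, instead of failing fast as the removed line intended, and the PDP keeps re-sending a token it already knows is rejected. If the older tenacity lacks the helper, the same exclusion can be written as a plain predicate on the retry state, `'retry': lambda rs: rs.outcome.failed and not isinstance(rs.outcome.exception(), InvalidPDPTokenException),`, which works on the tenacity versions the requirements now allow. The enclosing `RemoteConfigFetcher` class and the `DEFAULT_RETRY_CONFIG` dict continue outside the hunk.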
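Review bot: `tenacity>=6.3.1` is still an open-ended floor, so pip will continue to resolve the newest 8.x release and this line does not downgrade anything by itself; presumably the effective constraint comes from opal's own pin, which this change merely stops contradicting. If the intent is to guarantee compatibility with a tenacity that lacks `retry_if_not_exception_type`, make it explicit with an upper bound or an exact pin, e.g. `tenacity>=6.3.1,<8`, and say why in a trailing comment so the floor is not silently raised again later.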