adding apt-get upgrade to Dockerfile #1214

Closed
9 changes: 6 additions & 3 deletions openfl-docker/Dockerfile.base
@@ -10,9 +10,10 @@ FROM ubuntu:22.04 AS base
ENV DEBIAN_FRONTEND=noninteractive
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install dependencies.
# Install dependencies and upgrade packages.
RUN --mount=type=cache,id=apt-dev,target=/var/cache/apt \
apt-get update && \
apt-get upgrade -y && \
Collaborator @MasterSkepticista, Dec 16, 2024:

Per my understanding, apt-get update fetches latest versions on every fresh build. I don't think adding this line would make any difference.

Here is the command log for this change:

[09:38:04] INFO     #5 5.006 Building dependency tree...                                                                                        workspace.py:518
           INFO     #5 5.167 Reading state information...                                                                                       workspace.py:518
           INFO     #5 5.196 Calculating upgrade...                                                                                             workspace.py:518
           INFO     #5 5.348 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.                                                     workspace.py:518

Am I missing any cases where placing apt upgrade actually helps?

P.S.: I am specifically asking about docker builds, as these are ephemeral, not about apt upgrade on VMs where state persists over weeks or months and packages may not have been upgraded.

Collaborator (PR author):

From the Trivy scan we found that some of the packages need to be upgraded to fix vulnerabilities, e.g.:

1. Operating System Packages (OS-Pkgs)

High Severity:
libcurl4: CVE-2024-12345
libssl3: CVE-2024-67890
Medium Severity:
libc6: CVE-2024-23456
libzstd1: CVE-2024-34567

2. Node.js Packages (Node-Pkgs)

High Severity:
express: CVE-2024-45678
Medium Severity:
lodash: CVE-2024-56789

3. Python Packages (Python-Pkgs)

High Severity:
requests: CVE-2024-67891
Medium Severity:
urllib3: CVE-2024-78901

Collaborator:

OK. But the other point remains - apt upgrade -y does not change any packages.
Try placing that just before apt clean. If no packages change, I don't see value in this change alone.
We would have to upgrade the base image to address vulnerabilities.

apt-get install -y \
git \
curl \
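Review bot: the new `apt-get upgrade -y` at the top of this RUN, and the comment "# Install dependencies and upgrade packages." that advertises it, only change something when the indexes fetched by `apt-get update` carry newer versions than the ubuntu:22.04 snapshot the build starts from; the build log quoted in the thread shows "0 upgraded, 0 newly installed, 0 to remove", so for that base tag the line is a no-op and the OS-Pkgs findings it is meant to close stay open. Suggest verifying with a dry run (`apt-get -s upgrade`) before relying on it, and either pinning a newer base image by digest or keeping the line but rewording the comment to say it is a safety net for a base snapshot that lags the archive. The Node.js and Python findings in the same report are not reachable from apt at all; those need version bumps in the pip/npm install steps, not here.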
@@ -24,7 +25,7 @@ RUN --mount=type=cache,id=apt-dev,target=/var/cache/apt \
--no-install-recommends && \
apt-get purge -y linux-libc-dev && \
rm -rf /var/lib/apt/lists/*

# Create a python virtual environment.
RUN python3.10 -m venv /opt/venv && \
/opt/venv/bin/pip install --no-cache-dir --upgrade pip setuptools wheel
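Review bot: `pip install --no-cache-dir --upgrade pip setuptools wheel` floats to whatever is newest at build time, so two builds of the same commit can produce different venvs and different Python-Pkgs scan results; if scanner output is what drives this PR, pin these three (or use a constraints file) so the result is reproducible. The `rm -rf /var/lib/apt/lists/*` at the end of the RUN is right: it discards the indexes, which is also why the cache mount on /var/cache/apt retains only .deb files and every fresh build re-fetches indexes, consistent with the reviewer's observation above.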
@@ -50,6 +51,8 @@ RUN pip install --no-cache-dir git+${OPENFL_REVISION} && \
# Create an unprivileged user.
RUN groupadd -g 1001 default && \
useradd -m -u 1001 -g default user

# Switch back to the non-root user
USER user

CMD ["/bin/bash"]
CMD ["/bin/bash"]
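Review bot: the comment "# Switch back to the non-root user" is misleading, since nothing in the visible lines switched to root and back; "# Run as the unprivileged user" describes what `USER user` does. Two `CMD ["/bin/bash"]` lines appear in this hunk, so confirm the rendered change is a whitespace-only edit and not a duplicated instruction (a second CMD silently overrides the first). It is also worth saying in the Dockerfile that /opt/venv is deliberately created before the user exists and is therefore root-owned, so the unprivileged process cannot modify the interpreter or packages it runs.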
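The thread above disagrees about whether the added `apt-get upgrade -y` does anything for the Trivy findings. The script below is an added example written for this page, not code from OpenFL or from this PR: it buckets a Trivy JSON report (the real `Results[].Class` / `Vulnerabilities[]` layout) by the only action that could remediate each finding, and crosses that with a dry run of `apt-get -s upgrade` so you can tell whether the new RUN line would actually replace the affected packages. The Trivy report and the two apt transcripts embedded in it are constructed samples; package names and CVE ids follow the thread, the version strings are placeholders.

```python
"""Triage Trivy findings against what `apt-get upgrade` would really change in the build."""
import json
import re
from collections import defaultdict

# Constructed sample report (not real scan output) in Trivy's JSON layout. Package names and
# CVE ids mirror the ones quoted in the PR thread; the version strings are placeholders.
SAMPLE_TRIVY_REPORT = json.dumps({"Results": [
    {"Target": "ubuntu 22.04", "Class": "os-pkgs", "Type": "ubuntu", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-12345", "PkgName": "libcurl4", "Severity": "HIGH",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2"},
        {"VulnerabilityID": "CVE-2024-67890", "PkgName": "libssl3", "Severity": "HIGH",
         "InstalledVersion": "3.0-1", "FixedVersion": "3.0-2"},
        {"VulnerabilityID": "CVE-2024-23456", "PkgName": "libc6", "Severity": "MEDIUM",
         "InstalledVersion": "2.35-1", "FixedVersion": ""},
    ]},
    {"Target": "/opt/venv", "Class": "lang-pkgs", "Type": "python-pkg", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-67891", "PkgName": "requests", "Severity": "HIGH",
         "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1"},
    ]},
]})

# Constructed `apt-get -s upgrade` transcripts: the first is the no-op case the reviewer saw,
# the second shows one package the archive would actually replace.
SAMPLE_APT_NOOP = """Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
"""
SAMPLE_APT_ONE_UPGRADE = """Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libcurl4
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libcurl4 [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates [amd64])
Conf libcurl4 (1.0-2 Ubuntu:22.04/jammy-updates [amd64])
"""

SUMMARY_RE = re.compile(r"(\d+) upgraded, (\d+) newly installed, (\d+) to remove and (\d+) not upgraded")
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]+)\] \((\S+)", re.MULTILINE)


def triage(report_json):
    """Bucket each Trivy finding by the only action that could remediate it.

    apt-upgradable : OS package with a FixedVersion; apt-get upgrade *may* fix it, but only
                     if the archive the base image tracks already ships that version.
    os-no-fix      : OS package with no FixedVersion; neither apt nor a base bump helps yet.
    lang-pkg       : pip/npm dependency; apt never touches these, bump the pin instead.
    """
    buckets = defaultdict(list)
    for result in json.loads(report_json).get("Results", []):
        cls = result.get("Class")
        for vuln in result.get("Vulnerabilities") or []:
            entry = (vuln["PkgName"], vuln["VulnerabilityID"], vuln.get("Severity", "UNKNOWN"))
            if cls != "os-pkgs":
                buckets["lang-pkg"].append(entry)
            elif vuln.get("FixedVersion"):
                buckets["apt-upgradable"].append(entry)
            else:
                buckets["os-no-fix"].append(entry)
    return dict(buckets)


def parse_apt_simulation(apt_output):
    """Return the counts from the summary line of `apt-get -s upgrade` plus every package an
    `Inst` line says would be replaced, as package -> (installed, candidate)."""
    match = SUMMARY_RE.search(apt_output)
    if match is None:
        raise ValueError("no apt-get summary line found")
    upgraded, installed, removed, held = (int(n) for n in match.groups())
    changes = {m.group(1): (m.group(2), m.group(3)) for m in INST_RE.finditer(apt_output)}
    return {"upgraded": upgraded, "newly_installed": installed, "removed": removed,
            "not_upgraded": held, "changes": changes}


def upgrade_step_is_noop(apt_output):
    """True when `apt-get upgrade -y` would change nothing in this build (the reviewer's case)."""
    counts = parse_apt_simulation(apt_output)
    return counts["upgraded"] == 0 and counts["newly_installed"] == 0 and counts["removed"] == 0


def what_upgrade_fixes(report_json, apt_output):
    """Cross the Trivy buckets with the apt dry run: a finding is only closed by the new
    RUN line if apt would actually install a new version of that package."""
    buckets = triage(report_json)
    changes = parse_apt_simulation(apt_output)["changes"]
    candidates = buckets.get("apt-upgradable", [])
    return {
        "closed_by_apt_upgrade": [e for e in candidates if e[0] in changes],
        "fix_exists_but_archive_lacks_it": [e for e in candidates if e[0] not in changes],
        "needs_newer_base_or_no_fix": buckets.get("os-no-fix", []),
        "needs_pip_or_npm_bump": buckets.get("lang-pkg", []),
    }


if __name__ == "__main__":
    for name, out in (("no-op build", SAMPLE_APT_NOOP), ("one upgrade", SAMPLE_APT_ONE_UPGRADE)):
        print(name, "-> apt upgrade is a no-op:", upgrade_step_is_noop(out))
        for bucket, entries in what_upgrade_fixes(SAMPLE_TRIVY_REPORT, out).items():
            print(f"  {bucket}: {[f'{pkg} {cve}' for pkg, cve, _ in entries]}")
```

To use it against a real build, capture `docker run --rm ubuntu:22.04 sh -c 'apt-get update -qq && apt-get -s upgrade'` and `trivy image -f json <image>` and pass both outputs to `what_upgrade_fixes`. A finding counts as closed here only because apt would install the package at all; for a strict answer compare the candidate version with `FixedVersion` using `dpkg --compare-versions`, since an archive can ship an intermediate version that still predates the fix.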