Update container image to address vulnerabilities (#1000)

We were previously installing OS-vendored versions of our Python dependencies as that was easiest when on Alpine and dealing with `musl`. We're now on a Debian-base image so `pip` packages will be well-tested, compatible, and more up-to-date than the OS-vendored ones. I also added `g++` and `build-essentials` to the image to support ARM/Apple Silicon builds.
NOAA-GSL · Jul 7, 2023 · 82f23f9 · 82f23f9
2 parents 2177a97 + dbba68d
commit 82f23f9
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -35,10 +35,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     bash \
     ca-certificates \
     python3 \
-    python3-numpy \
     python3-pip \
-    python3-pymysql \
-    && apt-get clean && rm -rf /var/lib/apt/lists/*
+    && apt-get clean && rm -rf /var/lib/apt/lists/* \
+    && python3 -m pip install --upgrade --no-cache-dir pip wheel setuptools \
+    && python3 -m pip install --no-cache-dir \
+      numpy \
+      pymysql
 
 # Set Environment
 ENV APP_FOLDER=/usr/app
@@ -70,9 +72,17 @@ RUN mkdir -p ${SETTINGS_DIR} \
     && chown node:node ${APP_BUNDLE_FOLDER}/bundle/programs/server/fileCache \
     && chmod 644 ${APP_BUNDLE_FOLDER}/bundle/programs/server/fileCache
 
-# Install the Meteor app's NPM dependencies and update the OS in the container
-RUN bash $SCRIPTS_FOLDER/build-meteor-npm-dependencies.sh
-RUN apt-get update && apt-get -y upgrade && apt-get clean && apt-get clean && rm -rf /var/lib/apt/lists/*
+# Install the Meteor app's NPM dependencies
+# g++ & build-essential are needed for Apple Silicon builds
+RUN apt-get update && apt-get install -y --no-install-recommends g++ build-essential \
+    && bash $SCRIPTS_FOLDER/build-meteor-npm-dependencies.sh \
+    && apt-get purge -y g++ build-essential \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Update the OS packages in the container
+RUN apt-get update \
+    && apt-get -y upgrade \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 EXPOSE ${PORT}
 USER node
@@ -89,7 +99,7 @@ LABEL version=${BUILDVER} code.branch=${COMMITBRANCH} code.commit=${COMMITSHA}
 
 
 # Create a stage with the root user for debugging
-# Note - you'll need to override the entrypoint if you want a shell (docker run --entrypoint /bin/bash ...)
+# Note - you'll need to override the entrypoint if you want a shell (docker run -it --entrypoint /bin/bash ...)
 FROM production AS debug
 USER root