[build][FedRAMP]Update docker-base-bullseye to build from python:3.9-slim-bullseye

[baxia-lan]

Why I did it

python3=3.9.2-3 version in bullseye release has CVEs filed:

• CVE-2023-24535 (https://security-tracker.debian.org/tracker/CVE-2023-24535)
  • CVE-2023-27043 (https://security-tracker.debian.org/tracker/CVE-2023-27043)
  • CVE-2023-40217 (https://security-tracker.debian.org/tracker/CVE-2023-40217)
  • CVE-2015-20107 (https://security-tracker.debian.org/tracker/CVE-2015-20107)
  • CVE-2020-10735 (https://security-tracker.debian.org/tracker/CVE-2020-10735)
  • CVE-2020-27619 (https://security-tracker.debian.org/tracker/CVE-2020-27619)
  • CVE-2021-28861 (https://security-tracker.debian.org/tracker/CVE-2021-28861)
  • CVE-2021-29921 (https://security-tracker.debian.org/tracker/CVE-2021-29921)
  • CVE-2021-3426 (https://security-tracker.debian.org/tracker/CVE-2021-3426)
  • CVE-2021-3733 (https://security-tracker.debian.org/tracker/CVE-2021-3733)
  • CVE-2021-3737 (https://security-tracker.debian.org/tracker/CVE-2021-3737)
  • CVE-2021-4189 (https://security-tracker.debian.org/tracker/CVE-2021-4189)
  • CVE-2022-0391 (https://security-tracker.debian.org/tracker/CVE-2022-0391)
  • CVE-2022-37454 (https://security-tracker.debian.org/tracker/CVE-2022-37454)
  • CVE-2022-42919 (https://security-tracker.debian.org/tracker/CVE-2022-42919)
  • CVE-2022-45061 (https://security-tracker.debian.org/tracker/CVE-2022-45061)
  • CVE-2023-24329 (https://security-tracker.debian.org/tracker/CVE-2023-24329)

Using slim version of base image python:3.9-slim-bullseye also helps to reduce overall docker container size.

Work item tracking

How I did it

How to verify it

Start a docker container and run bash commands.

$ python3 --version
Python 3.9.19

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• 202211
• 202305

[k-v1]

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image.
New images include multiple fixes for other system packages like glibc.

[k-v1]

But debian slim image is a good idea.
I don't understand why we don't use them.
Upd: PR #19008 to fix this.

[baxia-lan]

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.

I updated this PR to use python:3.9.18-slim-bullseye. Using slim debian package with pre-installed python package is for FedRAMP compliance. Python3 official release in Debian Registry is 3.9.2-3 and no plan to update. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using 3.9 version here to avoid breaking issues.

[k-v1]

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.

I updated this PR to use python:3.9.18-slim-bullseye. Using slim debian package with pre-installed python package is for FedRAMP compliance. Python3 official release in Debian Registry is 3.9.2-3 and no plan to update. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using 3.9 version here to avoid breaking issues.

Official debian docker images (https://hub.docker.com/_/debian) contain actual versions of base system packages and libs because they are updated on regular base (latest update was May 13, 2024).
Your image python:3.9.18-slim-bullseye is based on bullseye-20240110-slim. So it's still outdated.

If we select your image as a base layer for docker-base-bullseye then we get:

1. New version of python. But it may be incompatible with some python packages from debian repo because they are tested with python 3.9.2.
2. Critical vulnerabilities in system packages like glibc because your docker image includes oudated version of system packages and we don't do apt-get full upgrade or even apt-get upgrade when build docker-base-bullseye.

My assumption is that for SONiC we should use debian official images (better to use slim images to reduce size of SONiC image). Debian maintainers provide most critical fixes for old distro packages including python. All your issues are marked as python3.9 <no-dsa> (Minor issue) by debian maintainers. That's why they are not fixed.

[qiluo-msft]

debian

Is there a solution just patching python in old FROM image?

[baxia-lan]

I feel like adding patches for different vulnerabilities is less maintainable as the vulnerabilities can be found dynamically.
Listed the example commands for how pytion:3.9.19-slim-bullseye image is set up as reference.
https://github.com/docker-library/python/blob/master/3.9/slim-bullseye/Dockerfile

[k-v1]

I think if you need to use python version not available in debian:bullseye repo then you have three solutions:

1. Build it from sources with all required patches and install to docker-base-bullseye container.
2. Install it from some debian repo like we install docker.
3. Upgrade all SONiC docker containers to bookworm and use python 3.11.

[baxia-lan]

1. python:3.9-slim-bullseye Dockerfile is building from python3.9.19 source.
2. python debian does not have newer version after 3.9.2. If adding python3.9 source code as debian dependency, then why not just use option1?
3. This PR is to fix security issues in bullseye. It is still in use until bookworm is fully integrated and bookworm needs time to fully roll out.

[k-v1]

python:3.9-slim-bullseye Dockerfile is building from python3.9.19 source.

If it's updated version based on debian 11.9 you can try to use it.

[baxia-lan]

Could you please LGTM?

[baxia-lan]

@lguohan PTAL at this PR. The python:3.9-slim-bullseye needs to be uploaded to Azure which I don't have permission.

[baxia-lan]

Can we merge this PR?