[build][FedRAMP]Update docker-base-bullseye to build from python:3.9-slim-bullseye #18998

Open. Wants to merge 6 commits into base: master.
2 changes: 1 addition & 1 deletion dockers/docker-base-bullseye/Dockerfile.j2
Expand Up @@ -5,7 +5,7 @@ FROM {{ prefix }}multiarch/debian-debootstrap:armhf-bullseye
{% elif CONFIGURED_ARCH == "arm64" and (MULTIARCH_QEMU_ENVIRON == "y" or CROSS_BUILD_ENVIRON == "y") %}
FROM {{ prefix }}multiarch/debian-debootstrap:arm64-bullseye
{% else %}
FROM {{ prefix }}{{DOCKER_BASE_ARCH}}/debian:bullseye

Collaborator

Is there a solution just patching python in old FROM image?


Contributor Author
@baxia-lan May 20, 2024

I feel like adding patches for different vulnerabilities is less maintainable, as the vulnerabilities can be found dynamically.
Listed the example commands for how the python:3.9.19-slim-bullseye image is set up, as reference:
https://github.com/docker-library/python/blob/master/3.9/slim-bullseye/Dockerfile


Contributor

I think if you need to use a python version that is not available in the debian:bullseye repo, then you have three solutions:

  1. Build it from sources with all required patches and install to docker-base-bullseye container.
  2. Install it from some debian repo like we install docker.
  3. Upgrade all SONiC docker containers to bookworm and use python 3.11.


Contributor Author

  1. The python:3.9-slim-bullseye Dockerfile is building from the python 3.9.19 source.
  2. Debian python does not have a newer version after 3.9.2. If adding the python3.9 source code as a debian dependency, then why not just use option 1?
  3. This PR is to fix security issues in bullseye. It is still in use until bookworm is fully integrated, and bookworm needs time to fully roll out.


Contributor

> The python:3.9-slim-bullseye Dockerfile is building from the python 3.9.19 source.

If it's an updated version based on debian 11.9, you can try to use it.


Contributor Author

Could you please LGTM?

FROM {{ prefix }}{{DOCKER_BASE_ARCH}}/python:3.9.18-slim-bullseye
{% endif %}

# Clean documentation in FROM image
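Review bot: the FROM swap only covers the `{% else %}` branch; the armhf and arm64 branches still start from `multiarch/debian-debootstrap:armhf-bullseye` and `arm64-bullseye`, so those builds keep Debian's Python 3.9.2 and miss the fixes this PR is labelled for. Also, the tag pinned here is `python:3.9.18-slim-bullseye` while the title and the thread refer to `3.9-slim-bullseye` / `3.9.19`; settle on one, and for a FedRAMP build consider pinning the base by digest (`python:3.9.18-slim-bullseye@sha256:<digest>`) so the image cannot change underneath the build.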
@@ -1,3 +1,4 @@
build-essential==12.9
ca-certificates==20210119
curl==7.74.0-1.3+deb11u11
iproute2==5.10.0-4
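Review bot: this hunk pins `build-essential==12.9` for the base image. A full compiler toolchain in a runtime base widens the attack surface (and size) of every SONiC container built on it; if it is only needed to build native extensions against the new Python, install it in a build stage or remove it after use, and state in the PR why it is required at all.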
Expand All @@ -8,6 +9,8 @@ libbpf0==1:0.3-2
libbrotli1==1.0.9-2+b2
libbsd0==0.11.3-1+deb11u1
libc6==2.31-13+deb11u10
libc6==2.31-13+deb11u8
libc6-dev==2.31-13+deb11u8
libcap2==1:2.44-1
libcap2-bin==1:2.44-1
libcurl4==7.74.0-1.3+deb11u11
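Review bot: `libc6` now appears twice with different versions (`libc6==2.31-13+deb11u10` and `libc6==2.31-13+deb11u8`), and `libc6-dev` is pinned to `+deb11u8`. A pin file with two entries for one package is ambiguous, and Debian's `libc6-dev` depends on `libc6` at exactly the same version, so the `+deb11u8` pair cannot be installed alongside `+deb11u10`. Drop the `deb11u8` `libc6` line and pin `libc6-dev==2.31-13+deb11u10` so the glibc security level is not rolled back.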
Expand Down Expand Up @@ -51,6 +54,7 @@ libsqlite3-0==3.34.1-3
libssh2-1==1.9.0-2
libssl-dev==1.1.1n-0+deb11u5+fips
libssl1.1==1.1.1n-0+deb11u5+fips
libtinfo6==6.2+20201114-2+deb11u2
libwrap0==7.6.q-31
libxtables12==1.8.7-1
libzmq5==4.3.4-1+deb11u1
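Review bot: the `+fips` pins for `libssl-dev` and `libssl1.1` are kept, but the interpreter in `python:3.9.18-slim-bullseye` was compiled by the upstream Docker Library image against its own bullseye libssl, not against these packages. Please confirm in the rebuilt image that Python's `ssl` module resolves to the `+fips` `libssl1.1` at runtime (for example `python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'` and `ldd` on the `_ssl` extension), since that is the property the FedRAMP label depends on.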