-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[build][FedRAMP]Update docker-base-bullseye to build from python:3.9-slim-bullseye #18998
base: master
Are you sure you want to change the base?
Conversation
…17-slim-bullseye python3.9 3.9.2-1 version in bullseye release has CVEs filed: CVE-2015-20107 (https://security-tracker.debian.org/tracker/CVE-2015-20107) CVE-2020-10735 (https://security-tracker.debian.org/tracker/CVE-2020-10735) CVE-2020-27619 (https://security-tracker.debian.org/tracker/CVE-2020-27619) CVE-2021-28861 (https://security-tracker.debian.org/tracker/CVE-2021-28861) CVE-2021-29921 (https://security-tracker.debian.org/tracker/CVE-2021-29921) CVE-2021-3426 (https://security-tracker.debian.org/tracker/CVE-2021-3426) CVE-2021-3733 (https://security-tracker.debian.org/tracker/CVE-2021-3733) CVE-2021-3737 (https://security-tracker.debian.org/tracker/CVE-2021-3737) CVE-2021-4189 (https://security-tracker.debian.org/tracker/CVE-2021-4189) CVE-2022-0391 (https://security-tracker.debian.org/tracker/CVE-2022-0391) CVE-2022-37454 (https://security-tracker.debian.org/tracker/CVE-2022-37454) CVE-2022-42919 (https://security-tracker.debian.org/tracker/CVE-2022-42919) CVE-2022-45061 (https://security-tracker.debian.org/tracker/CVE-2022-45061) CVE-2023-24329 (https://security-tracker.debian.org/tracker/CVE-2023-24329)
There is no reason to use this outdated docker image. |
But debian slim image is a good idea. |
I updated this PR to use python:3.9.18-slim-bullseye. Using slim debian package with pre-installed python package is for FedRAMP compliance. Python3 official release in Debian Registry is 3.9.2-3 and no plan to update. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using 3.9 version here to avoid breaking issues. |
Official debian docker images (https://hub.docker.com/_/debian) contain actual versions of base system packages and libs because they are updated on regular base (latest update was May 13, 2024). If we select your image as a base layer for
My assumption is that for SONiC we should use debian official images (better to use slim images to reduce size of SONiC image). Debian maintainers provide most critical fixes for old distro packages including python. All your issues are marked as |
@@ -5,7 +5,7 @@ FROM {{ prefix }}multiarch/debian-debootstrap:armhf-bullseye | |||
{% elif CONFIGURED_ARCH == "arm64" and (MULTIARCH_QEMU_ENVIRON == "y" or CROSS_BUILD_ENVIRON == "y") %} | |||
FROM {{ prefix }}multiarch/debian-debootstrap:arm64-bullseye | |||
{% else %} | |||
FROM {{ prefix }}{{DOCKER_BASE_ARCH}}/debian:bullseye |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like adding patches for different vulnerabilities is less maintainable as the vulnerabilities can be found dynamically.
Listed the example commands for how pytion:3.9.19-slim-bullseye image is set up as reference.
https://github.com/docker-library/python/blob/master/3.9/slim-bullseye/Dockerfile
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if you need to use python version not available in debian:bullseye repo then you have three solutions:
- Build it from sources with all required patches and install to docker-base-bullseye container.
- Install it from some debian repo like we install docker.
- Upgrade all SONiC docker containers to bookworm and use python 3.11.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- python:3.9-slim-bullseye Dockerfile is building from python3.9.19 source.
- python debian does not have newer version after 3.9.2. If adding python3.9 source code as debian dependency, then why not just use option1?
- This PR is to fix security issues in bullseye. It is still in use until bookworm is fully integrated and bookworm needs time to fully roll out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
python:3.9-slim-bullseye Dockerfile is building from python3.9.19 source.
If it's updated version based on debian 11.9 you can try to use it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please LGTM?
@lguohan PTAL at this PR. The |
Can we merge this PR? |
Why I did it
python3=3.9.2-3 version in bullseye release has CVEs filed:
Using slim version of base image python:3.9-slim-bullseye also helps to reduce overall docker container size.
Work item tracking
How I did it
How to verify it
Start a docker container and run bash commands.
Which release branch to backport (provide reason below if selected)