Image updates for CVE

This PS updates image during build process to get rid of the CVEs and bumps up helm vertion to 3.17.3. In order to decrease the image size *-dev libs are installed only when needed to build/install Python packages. Change-Id: I23f56b986875e1dc4c76fd7bc06fd49a30900967
2025-04-24 19:37:08 +00:00
parent 127c995c3c
commit ba7c902af5
6 changed files with 41 additions and 37 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -191,7 +191,7 @@
      cilium_version: "1.16.0"
      flannel_setup: false
      flannel_version: v0.25.4
-      helm_version: "v3.15.4"
+      helm_version: "v3.17.3"
      crictl_version: "v1.30.1"
      zuul_osh_relative_path: ../../openstack/openstack-helm
      zuul_osh_infra_relative_path: ../../openstack/openstack-helm
--- a/images/pegleg/Dockerfile.ubuntu_jammy
+++ b/images/pegleg/Dockerfile.ubuntu_jammy
@@ -6,7 +6,7 @@
 #   You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
 ARG FROM=quay.io/airshipit/ubuntu:jammy
 FROM ${FROM}
-ARG CFSSLURL=https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
+ARG CFSSLURL=

 LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
 LABEL org.opencontainers.image.url='https://airshipit.org'
@@ -15,6 +15,7 @@ LABEL org.opencontainers.image.source='https://opendev.org/airship/pegleg'
 LABEL org.opencontainers.image.vendor='The Airship Authors'
 LABEL org.opencontainers.image.licenses='Apache-2.0'

+ENV DEBIAN_FRONTEND=noninteractive
 ENV LANG=C.UTF-8
 ENV LC_ALL=C.UTF-8
 ARG DECKHAND_VERSION=branch/master
@@ -25,28 +26,17 @@ RUN set -ex \
    && apt update -qq \
    && apt upgrade -y \
    && apt install -y --no-install-recommends \
-         automake \
         ca-certificates \
         curl \
-         build-essential \
         gettext-base \
-         git \
         gpg \
         gpg-agent \
-         libpq-dev \
-         libssl-dev \
-         libtool \
-         make \
         netbase \
         openssh-client \
         python3-dev \
-         python3-pip \
         python3-setuptools \
-         # this will install libyaml 0.2.22 in Jammy
-         libyaml-dev \
         # this will install golang-cfssl 1.2.0 in Jammy
         golang-cfssl \
-    && python3 -m pip install -U pip \
    && apt autoremove -yqq --purge \
    && apt clean \
    && rm -rf \
@@ -56,33 +46,47 @@ RUN set -ex \
         /usr/share/man \
         /var/lib/apt/lists/* \
         /var/log/* \
-         /var/tmp/*
+         /var/tmp/* \
+    && rm -rf /root/.cache/pip

-ENV LD_LIBRARY_PATH=/usr/local/lib

-# ARG LIBYAML_VERSION=0.2.5
-# RUN set -ex \
-#     && git clone https://github.com/yaml/libyaml.git \
-#     && cd libyaml \
-#     && git checkout $LIBYAML_VERSION \
-#     && ./bootstrap \
-#     && ./configure \
-#     && make \
-#     && make install \
-#     && cd .. \
-#     && rm -fr libyaml

 VOLUME /var/pegleg
 WORKDIR /var/pegleg

 COPY requirements-frozen.txt /opt/pegleg/requirements.txt
-RUN pip3 install -r https://opendev.org/airship/deckhand/raw/${DECKHAND_VERSION}/requirements-frozen.txt \
-    && pip3 install -r https://opendev.org/airship/promenade/raw/${PROMENADE_VERSION}/requirements-frozen.txt \
-    && pip3 install -r https://opendev.org/airship/shipyard/raw/${SHIPYARD_VERSION}/src/bin/shipyard_client/requirements-frozen.txt \
-    && pip3 install --no-cache-dir -r /opt/pegleg/requirements.txt
-
-# COPY tools/install-cfssl.sh /opt/pegleg/tools/install-cfssl.sh
-# RUN /opt/pegleg/tools/install-cfssl.sh ${CFSSLURL}
+RUN set -ex \
+        && buildDeps=' \
+        automake \
+        gcc \
+        libffi-dev \
+        libpq-dev \
+        libssl-dev \
+        libtool \
+        libyaml-dev \
+        libvirt-dev \
+        make \
+        python3-pip \
+        pkg-config \
+        ' \
+        && apt-get -qq update \
+        # Keep git separate so it's not removed below
+        && apt-get install -y $buildDeps git --no-install-recommends \
+        && python3 -m pip install -U pip \
+        && pip3 install -r https://opendev.org/airship/deckhand/raw/${DECKHAND_VERSION}/requirements-frozen.txt \
+        && pip3 install -r https://opendev.org/airship/promenade/raw/${PROMENADE_VERSION}/requirements-frozen.txt \
+        && pip3 install -r https://opendev.org/airship/shipyard/raw/${SHIPYARD_VERSION}/src/bin/shipyard_client/requirements-frozen.txt \
+        && pip3 install --no-cache-dir -r /opt/pegleg/requirements.txt \
+        && apt-get purge -y --auto-remove $buildDeps \
+        && apt-get autoremove -yqq --purge \
+        && apt-get clean \
+        && rm -rf \
+            /var/lib/apt/lists/* \
+            /tmp/* \
+            /var/tmp/* \
+            /usr/share/man \
+            /usr/share/doc \
+            /usr/share/doc-base

 COPY . /opt/pegleg
 RUN pip3 install -e /opt/pegleg --use-pep517
--- a/tools/gate/roles/airship-run-script-set/defaults/main.yaml
+++ b/tools/gate/roles/airship-run-script-set/defaults/main.yaml
@@ -19,7 +19,7 @@ osh_params:
  container_distro_version: focal
  # feature_gates:
 site: airskiff
-HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
+HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz
 HTK_COMMIT: cfff60ec10a6c386f38db79bb9f59a552c2b032f
 OSH_INFRA_COMMIT: cfff60ec10a6c386f38db79bb9f59a552c2b032f
 OSH_COMMIT: 2d9457e34ca4200ed631466bd87569b0214c92e7
--- a/tools/gate/roles/airship-run-script-set/tasks/main.yaml
+++ b/tools/gate/roles/airship-run-script-set/tasks/main.yaml
@@ -35,7 +35,7 @@
        FEATURE_GATES: "{{ osh_params.feature_gates | default('') }}"
        RUN_HELM_TESTS: "{{ run_helm_tests | default('yes') }}"
        PL_SITE: "{{ site | default('airskiff') }}"
-        HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz') }}"
+        HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz') }}"
        HTK_COMMIT: "{{ HTK_COMMIT | default('cfff60ec10a6c386f38db79bb9f59a552c2b032f') }}"
        OSH_INFRA_COMMIT: "{{ OSH_INFRA_COMMIT | default('cfff60ec10a6c386f38db79bb9f59a552c2b032f') }}"
        OSH_COMMIT: "{{ OSH_COMMIT | default('2d9457e34ca4200ed631466bd87569b0214c92e7') }}"
--- a/tools/gate/roles/airship-run-script/defaults/main.yaml
+++ b/tools/gate/roles/airship-run-script/defaults/main.yaml
@@ -19,7 +19,7 @@ osh_params:
  container_distro_version: focal
  # feature_gates:
 site: airskiff
-HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
+HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz
 HTK_COMMIT: cfff60ec10a6c386f38db79bb9f59a552c2b032f
 OSH_INFRA_COMMIT: cfff60ec10a6c386f38db79bb9f59a552c2b032f
 OSH_COMMIT: 2d9457e34ca4200ed631466bd87569b0214c92e7
--- a/tools/gate/roles/airship-run-script/tasks/main.yaml
+++ b/tools/gate/roles/airship-run-script/tasks/main.yaml
@@ -32,7 +32,7 @@
    FEATURE_GATES: "{{ osh_params.feature_gates | default('') }}"
    RUN_HELM_TESTS: "{{ run_helm_tests | default('yes') }}"
    PL_SITE: "{{ site | default('airskiff') }}"
-    HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz') }}"
+    HELM_ARTIFACT_URL: "{{ HELM_ARTIFACT_URL | default('https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz') }}"
    HTK_COMMIT: "{{ HTK_COMMIT | default('cfff60ec10a6c386f38db79bb9f59a552c2b032f') }}"
    OSH_INFRA_COMMIT: "{{ OSH_INFRA_COMMIT | default('cfff60ec10a6c386f38db79bb9f59a552c2b032f') }}"
    OSH_COMMIT: "{{ OSH_COMMIT | default('2d9457e34ca4200ed631466bd87569b0214c92e7') }}"