stx-debian: don't install unmanaged DEBs

Don't install packages from debian.org snapshots repository in the base image. Such packages are inherited into every container that inherits from stx-debian, and they trigger CVE scanners. Many derived containers don't need them. Specifically: * Remove "build-essentials" - a meta package with many dependencies (build tools) * Instal "ca-certificates" from the managed repository (ie one created from the download lists in starlingx/tools). TESTS ============================= * Build all packages * Build stx-debian * Build all starlingx and openstack containers This change causes build failures addressed by a separate review linked below. Story: 2011159 Task: 50404 Depends-On: https://review.opendev.org/c/starlingx/utilities/+/922468 Signed-off-by: Davlet Panech <davlet.panech@windriver.com> Change-Id: I9764ca475579d43cb63de6507cb90a9c3d4f698f
2024-06-21 07:25:17 -04:00 · 2024-06-21 07:25:17 -04:00 · 4d24fa8186
commit 4d24fa8186
parent 3f4058b566
1 changed files with 3 additions and 20 deletions
--- a/build-tools/build-docker-images/stx-debian/Dockerfile.stable
+++ b/build-tools/build-docker-images/stx-debian/Dockerfile.stable
@ -6,10 +6,6 @@ FROM debian:${RELEASE}

 ENV DEBIAN_FRONTEND=noninteractive

-# Install latest ca-certificates
-RUN apt-get -y update && \
-    apt-get -y --no-install-recommends --no-install-suggests install ca-certificates
-
 # Disable upstream debian repos
 RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled

@ -62,26 +58,13 @@ RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
 RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
    apt-get -y update && \
    apt-get -y upgrade && \
-    rm -f /etc/apt/sources.list.d/stx.list && \
-    apt-get clean && rm -rf /var/lib/apt/lists/*
-
-#
-# Install packages provided only by debian.
-# FIXME: move these packages + their dependencies to debian download lists in
-# starlingx/tools to avoid referencing the debian repo at all.
-#
-RUN cp -f /etc/apt/sources.list.d/debian.list.disabled /etc/apt/sources.list.d/debian.list && \
-    cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
-    apt-get update -y && \
-    apt-get install -y \
+    apt-get -y install --no-install-recommends --no-install-suggests \
+        ca-certificates \
        libapache2-mod-wsgi-py3 \
        python3-setuptools \
-        build-essential \
        && \
-    rm -f /etc/apt/sources.list.d/debian.list && \
    rm -f /etc/apt/sources.list.d/stx.list && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    apt-get clean && rm -rf /var/lib/apt/lists/*

 #
 # Enable stx repo only. Packages installs below this point will use