From 4d24fa818699732a53b0eb28b1e9cd04b1f33bff Mon Sep 17 00:00:00 2001
From: Davlet Panech
Date: Fri, 21 Jun 2024 07:25:17 -0400
Subject: [PATCH] stx-debian: don't install unmanaged DEBs

Don't install packages from debian.org snapshots repository in the base image. Such packages are inherited into every container that inherits from stx-debian, and they trigger CVE scanners. Many derived containers don't need them.

Specifically:
* Remove "build-essentials" - a meta package with many dependencies (build tools)
* Instal "ca-certificates" from the managed repository (ie one created from the download lists in starlingx/tools).

TESTS
=============================
* Build all packages
* Build stx-debian
* Build all starlingx and openstack containers

This change causes build failures addressed by a separate review linked below.

Story: 2011159
Task: 50404
Depends-On: https://review.opendev.org/c/starlingx/utilities/+/922468

Signed-off-by: Davlet Panech
Change-Id: I9764ca475579d43cb63de6507cb90a9c3d4f698f
---
 .../stx-debian/Dockerfile.stable | 23 +++----------------
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/build-tools/build-docker-images/stx-debian/Dockerfile.stable b/build-tools/build-docker-images/stx-debian/Dockerfile.stable
index f9814e94..d4395637 100644
--- a/build-tools/build-docker-images/stx-debian/Dockerfile.stable
+++ b/build-tools/build-docker-images/stx-debian/Dockerfile.stable
@@ -6,10 +6,6 @@ FROM debian:${RELEASE}
 ENV DEBIAN_FRONTEND=noninteractive
-# Install latest ca-certificates
-RUN apt-get -y update && \
- apt-get -y --no-install-recommends --no-install-suggests install ca-certificates
-
 # Disable upstream debian repos
 RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled
@@ -62,26 +58,13 @@ RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
 RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
 apt-get -y update && \
 apt-get -y upgrade && \
- rm -f /etc/apt/sources.list.d/stx.list && \
- apt-get clean && rm -rf /var/lib/apt/lists/*
-
-#
-# Install packages provided only by debian.
-# FIXME: move these packages + their dependencies to debian download lists in
- # starlingx/tools to avoid referencing the debian repo at all.
- #
-RUN cp -f /etc/apt/sources.list.d/debian.list.disabled /etc/apt/sources.list.d/debian.list && \
- cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
- apt-get update -y && \
- apt-get install -y \
+ apt-get -y install --no-install-recommends --no-install-suggests \
+ ca-certificates \
 libapache2-mod-wsgi-py3 \
 python3-setuptools \
- build-essential \
 && \
- rm -f /etc/apt/sources.list.d/debian.list && \
 rm -f /etc/apt/sources.list.d/stx.list && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/*
+ apt-get clean && rm -rf /var/lib/apt/lists/*

 #
 # Enable stx repo only. Packages installs below this point will use
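Review bot: The `apt-get -y update` at the top of this merged RUN now executes before `ca-certificates` exists in the image, because the earlier install from the upstream repo was dropped in the first hunk and the package is only added by the `apt-get -y install` further down the same step; that only works if the source in `stx.list` does not require TLS trust (an http:// or file:// mirror), which the hunk does not show — were it https, apt would reject the index before the install line is reached. A one-line comment above the RUN would keep someone from later switching the mirror to https without noticing: `# ca-certificates is installed by this step, so stx.list must be reachable without TLS trust (http:// or file://)`. The three package names on the new side are also unpinned (hadolint DL3008); if the managed stx repository is a frozen snapshot that fixes their versions, a short comment saying so would preempt that finding. The `# Enable stx repo only` section the hunk ends on continues past it.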