stx-debian: don't install unmanaged DEBs

Don't install packages from debian.org snapshots repository in the base
image. Such packages are inherited into every container that inherits
from stx-debian, and they trigger CVE scanners. Many derived containers
don't need them.

Specifically:
* Remove "build-essentials" - a meta package with many dependencies
  (build tools)
* Instal "ca-certificates" from the managed repository (ie one created
  from the download lists in starlingx/tools).

TESTS
=============================
* Build all packages
* Build stx-debian
* Build all starlingx and openstack containers

This change causes build failures addressed by a separate review linked
below.

Story: 2011159
Task: 50404

Depends-On: https://review.opendev.org/c/starlingx/utilities/+/922468
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I9764ca475579d43cb63de6507cb90a9c3d4f698f
This commit is contained in:
Davlet Panech 2024-06-21 07:25:17 -04:00
parent 3f4058b566
commit 4d24fa8186

View File

@ -6,10 +6,6 @@ FROM debian:${RELEASE}
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
# Install latest ca-certificates
RUN apt-get -y update && \
apt-get -y --no-install-recommends --no-install-suggests install ca-certificates
# Disable upstream debian repos # Disable upstream debian repos
RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled
@ -62,26 +58,13 @@ RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \ RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
apt-get -y update && \ apt-get -y update && \
apt-get -y upgrade && \ apt-get -y upgrade && \
rm -f /etc/apt/sources.list.d/stx.list && \ apt-get -y install --no-install-recommends --no-install-suggests \
apt-get clean && rm -rf /var/lib/apt/lists/* ca-certificates \
#
# Install packages provided only by debian.
# FIXME: move these packages + their dependencies to debian download lists in
# starlingx/tools to avoid referencing the debian repo at all.
#
RUN cp -f /etc/apt/sources.list.d/debian.list.disabled /etc/apt/sources.list.d/debian.list && \
cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
apt-get update -y && \
apt-get install -y \
libapache2-mod-wsgi-py3 \ libapache2-mod-wsgi-py3 \
python3-setuptools \ python3-setuptools \
build-essential \
&& \ && \
rm -f /etc/apt/sources.list.d/debian.list && \
rm -f /etc/apt/sources.list.d/stx.list && \ rm -f /etc/apt/sources.list.d/stx.list && \
apt-get clean && \ apt-get clean && rm -rf /var/lib/apt/lists/*
rm -rf /var/lib/apt/lists/*
# #
# Enable stx repo only. Packages installs below this point will use # Enable stx repo only. Packages installs below this point will use