Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[build][FedRAMP]Update docker-base-bullseye to build from python:3.9-slim-bullseye #18998

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

baxia-lan
Copy link
Contributor

@baxia-lan baxia-lan commented May 18, 2024

Why I did it

python3=3.9.2-3 version in bullseye release has CVEs filed:

Using slim version of base image python:3.9-slim-bullseye also helps to reduce overall docker container size.

Work item tracking

How I did it

How to verify it

Start a docker container and run bash commands.

$ python3 --version
Python 3.9.19

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305

@k-v1
Copy link
Contributor

k-v1 commented May 18, 2024

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image.
New images include multiple fixes for other system packages like glibc.

@k-v1
Copy link
Contributor

k-v1 commented May 18, 2024

But debian slim image is a good idea.
I don't understand why we don't use them.
Upd: PR #19008 to fix this.

@baxia-lan baxia-lan changed the title [build][FedRAMP]Update docker-base-bullseye to build from python:3.9.17-slim-bullseye [build][FedRAMP]Update docker-base-bullseye to build from python:3.9.18-slim-bullseye May 20, 2024
@baxia-lan
Copy link
Contributor Author

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.

I updated this PR to use python:3.9.18-slim-bullseye. Using slim debian package with pre-installed python package is for FedRAMP compliance. Python3 official release in Debian Registry is 3.9.2-3 and no plan to update. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using 3.9 version here to avoid breaking issues.

@k-v1
Copy link
Contributor

k-v1 commented May 20, 2024

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.

I updated this PR to use python:3.9.18-slim-bullseye. Using slim debian package with pre-installed python package is for FedRAMP compliance. Python3 official release in Debian Registry is 3.9.2-3 and no plan to update. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using 3.9 version here to avoid breaking issues.

Official debian docker images (https://hub.docker.com/_/debian) contain actual versions of base system packages and libs because they are updated on regular base (latest update was May 13, 2024).
Your image python:3.9.18-slim-bullseye is based on bullseye-20240110-slim. So it's still outdated.

If we select your image as a base layer for docker-base-bullseye then we get:

  1. New version of python. But it may be incompatible with some python packages from debian repo because they are tested with python 3.9.2.
  2. Critical vulnerabilities in system packages like glibc because your docker image includes oudated version of system packages and we don't do apt-get full upgrade or even apt-get upgrade when build docker-base-bullseye.

My assumption is that for SONiC we should use debian official images (better to use slim images to reduce size of SONiC image). Debian maintainers provide most critical fixes for old distro packages including python. All your issues are marked as python3.9 <no-dsa> (Minor issue) by debian maintainers. That's why they are not fixed.

@@ -5,7 +5,7 @@ FROM {{ prefix }}multiarch/debian-debootstrap:armhf-bullseye
{% elif CONFIGURED_ARCH == "arm64" and (MULTIARCH_QEMU_ENVIRON == "y" or CROSS_BUILD_ENVIRON == "y") %}
FROM {{ prefix }}multiarch/debian-debootstrap:arm64-bullseye
{% else %}
FROM {{ prefix }}{{DOCKER_BASE_ARCH}}/debian:bullseye
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

debian

Is there a solution just patching python in old FROM image?

Copy link
Contributor Author

@baxia-lan baxia-lan May 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like adding patches for different vulnerabilities is less maintainable as the vulnerabilities can be found dynamically.
Listed the example commands for how pytion:3.9.19-slim-bullseye image is set up as reference.
https://github.com/docker-library/python/blob/master/3.9/slim-bullseye/Dockerfile

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think if you need to use python version not available in debian:bullseye repo then you have three solutions:

  1. Build it from sources with all required patches and install to docker-base-bullseye container.
  2. Install it from some debian repo like we install docker.
  3. Upgrade all SONiC docker containers to bookworm and use python 3.11.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. python:3.9-slim-bullseye Dockerfile is building from python3.9.19 source.
  2. python debian does not have newer version after 3.9.2. If adding python3.9 source code as debian dependency, then why not just use option1?
  3. This PR is to fix security issues in bullseye. It is still in use until bookworm is fully integrated and bookworm needs time to fully roll out.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

python:3.9-slim-bullseye Dockerfile is building from python3.9.19 source.

If it's updated version based on debian 11.9 you can try to use it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please LGTM?

@baxia-lan baxia-lan changed the title [build][FedRAMP]Update docker-base-bullseye to build from python:3.9.18-slim-bullseye [build][FedRAMP]Update docker-base-bullseye to build from python:3.9-slim-bullseye May 21, 2024
@baxia-lan
Copy link
Contributor Author

@lguohan PTAL at this PR. The python:3.9-slim-bullseye needs to be uploaded to Azure which I don't have permission.

@baxia-lan
Copy link
Contributor Author

Can we merge this PR?

@baxia-lan baxia-lan enabled auto-merge (squash) September 12, 2024 05:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants