Davlet Panech ac49affe33 stx-debian: remove python 2.x NSS module
Remove python-nss, which is based on python 2.x and triggers CVE scans.
We don't use python2 in any docker containers any more, so this module,
and python 2.x itself, are not required here.

TESTS
================================
Rebuild all StarlingX and OpenStack containers that inherit from
stx-debian

Story: 2011159
Task: 50404

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Ifc6e6c8778b2f7438ea76adb8c4f6e08a822ce7c
2024-06-26 13:26:48 -04:00

143 lines
5.2 KiB
Docker

# These are overridden by build-stx-debian.sh
ARG DIST=bullseye
ARG RELEASE=11.2
################################################
# ca_certs build stage
################################################
# We need up-to-date SSL certs, otherwise we won't be able to access
# mirror.starlingx.windriver.com; yet the ca-certificates package is
# behind that URL. As a workaround: install ca-certificates from
# upstream debian, then copy the (generated) CA bundle into the
# main build stage.
FROM debian:${DIST} as ca_certs
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update -y && \
    apt-get -y install --no-install-recommends ca-certificates
################################################
# main build stage
################################################
# Start with the old-ish bullseye release (11.2), then upgrade --
# to make sure packages that come pre-installed in the debian:XXX image
# are older than anything in StarlingX.
FROM debian:${RELEASE}
ENV DEBIAN_FRONTEND=noninteractive
# Disable upstream debian repos
RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled
# Install apt repos
COPY apt/debian.sources.list /etc/apt/sources.list.d/debian.list.disabled
COPY apt/stx.sources.list /etc/apt/sources.list.d/stx.list.disabled
COPY apt/stx.preferences /etc/apt/preferences.d/stx
# Install layer-specific binary repositories.
# Note: They are all supposed to be disabled by default, but can be optionally
# enabled if it is necessary to build an image that requires
# dependencies that are in repositories not listed in `stx.sources.list`.
COPY apt/*.layer.sources.list /etc/apt/sources.list.d/
RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
        mv "${layer}" "$(echo "${layer}" | sed s/.layer.sources.list/.list.disabled/)"; \
    done
# repo templates:
# /etc/apt/sources.list.d/
# debian.list.disabled - vanilla debian repos
# stx.list.disabled - starlingx binary & build repos
#
# To enable a repo list:
# cp /etc/apt/sources.list.d/$repo_list.disabled \
# /etc/apt/sources.list.d/$repo_list
#
# To disable a repo list:
# rm -f /etc/apt/sources.list.d/$repo_list
#
# By default only stx.list is enabled, which includes only the packages
# built by stx tools, and the binary packages from the curated binary
# download lists (bullseye-base.lst etc).
#
# Enabling the upstream repos ("debian.list") is dangerous because it
# may conflict with packages in stx.list.
#
#
# FIXME: apt evaluates these files in alphabetical order, so stx.list
# comes after debian.list. When the local binary repo contains
# the same package/version as the debian repo, apt will download
# it from debian, regardless of the priority in /etc/apt/preferences.
# We should rename these files to make stx.list sort before
# debian.list. This would affect Loci scripts in
# loci/docker/stx-scripts/
#
#
# Copy CA certs from the "ca_certs" build stage. The bundle file was generated
# by ca-certificates in that stage, and will be re-generated when we install
# that package again in the main stage below. That version may be *older* than
# the certs that we are copying here. We assume ca-certificates is regularly
# updated in stx-tools' package download lists, or it is built by us, and contains
# all the certs we might need during docker image builds, such as the intermediate
# cert used by mirror.starlingx.windriver.com .
#
RUN mkdir -p /etc/ssl/certs
COPY --from=ca_certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
#
# Upgrade base packages to versions in managed repos
#
RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
    apt-get -y update && \
    apt-get -y upgrade && \
    apt-get -y install --no-install-recommends --no-install-suggests \
        ca-certificates \
        libapache2-mod-wsgi-py3 \
        python3-setuptools \
    && \
    rm -f /etc/apt/sources.list.d/stx.list && \
    apt-get clean && rm -rf /var/lib/apt/lists/*
#
# Enable stx repo only. Package installs below this point will use
# only the managed locally-built & 3rd-party repos.
#
RUN cp /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list
#
# Install required packages
#
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get install -y \
        openssh-client \
        python3 \
        python3-pip \
        python3-wheel \
        # FIXME: uncomment once qemu is ported to debian (starlingx/integ)
        # qemu-utils \
    && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
# FIXME: these packages are not required by most docker images inheriting
# from this image. However these Python modules are not buildable from
# source (ie by pip) on Debian and require patches. Install the patched
# versions as DEB packages to make sure pip dependencies in derived images
# are satisfied.
#
# A better solution would be to omit them here, but install them in each
# project that requires them; or add wheel subpackages to these DEBs.
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get install -y \
        python3-thriftpy \
        python3-nss \
    && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
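The change above exists to keep a Python 2.x package out of the base image so that derived images stop tripping CVE scans on it. The script below is an added example, not StarlingX's own tooling: it audits the `apt-get install` lines of a Dockerfile and reports any package whose name follows Debian's Python 2 naming (`python2`, `python2.7`, `python-*`), so a regression like the one this commit removes is caught in review rather than by the scanner. It handles backslash-continued `RUN` lines and the comment lines Docker strips inside a continuation. The `SAMPLE_DOCKERFILE` is a constructed fragment modelled on the `RUN` blocks above; the prefix rule is a heuristic (it exempts `python-is-python3`) and is marked as such in the code.

```python
"""Audit a Dockerfile for apt-installed Python 2.x packages.

Added example, not part of the stx-debian repo. The Dockerfile text below is
constructed for the demonstration and is not the real stx-debian file.
"""
import re
import sys

# Constructed sample: mimics the continued RUN lines of the stx-debian
# Dockerfile, including a comment line inside the continuation.
SAMPLE_DOCKERFILE = """\
FROM debian:11.2
RUN apt-get update -y && \\
    apt-get -y install --no-install-recommends \\
        openssh-client \\
        python3 \\
        # FIXME: uncomment once qemu is ported
        # qemu-utils \\
        python-nss \\
    && \\
    apt-get clean
RUN apt-get install -y python3-thriftpy python2.7 python3-nss python-is-python3
"""

# "apt-get [flags] install <args up to the next shell operator>"
INSTALL_RE = re.compile(r"apt-get\s+(?:-[-\w=]*\s+)*install\b([^&;|]*)")

# Heuristic (assumption, not an apt rule): Debian names Python 2 packages
# "python2", "python2.N" or "python-<module>"; "python-is-python3" is exempt.
PY2_RE = re.compile(r"^(python2(\.\d+)?($|-)|python-(?!is-python3))")


def logical_lines(text):
    """Join backslash-continued lines into one, dropping comment lines.

    Docker removes whole comment lines even when they sit inside a
    continuation, so the audit must do the same to see the full command.
    """
    out, buf = [], []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        out.append(" ".join(buf))
        buf = []
    if buf:  # trailing continuation without a final line
        out.append(" ".join(buf))
    return out


def apt_packages(text):
    """Return every package name passed to 'apt-get install', in order."""
    pkgs = []
    for line in logical_lines(text):
        for match in INSTALL_RE.finditer(line):
            # Drop option tokens (-y, --no-install-recommends, ...)
            pkgs.extend(t for t in match.group(1).split() if not t.startswith("-"))
    return pkgs


def python2_packages(text):
    """Sorted, de-duplicated list of installed packages that look like Python 2."""
    return sorted({p for p in apt_packages(text) if PY2_RE.match(p)})


def main(argv):
    # With a path argument, audit that file; otherwise run on the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DOCKERFILE
    offenders = python2_packages(text)
    for pkg in offenders:
        print(f"python 2.x package installed via apt-get: {pkg}")
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two findings in the constructed sample (`python-nss` and `python2.7`), or pass a Dockerfile path; a non-zero exit status makes it usable as a CI gate on the image repository.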