starlingx/root
Code Issues Proposed changes
root/build-tools/build-docker-images/stx-debian/Dockerfile.stable
Davlet Panech 4d24fa8186 stx-debian: don't install unmanaged DEBs 
Don't install packages from debian.org snapshots repository in the base
image. Such packages are inherited into every container that inherits
from stx-debian, and they trigger CVE scanners. Many derived containers
don't need them.

Specifically:
* Remove "build-essentials" - a meta package with many dependencies
  (build tools)
* Instal "ca-certificates" from the managed repository (ie one created
  from the download lists in starlingx/tools).

TESTS
=============================
* Build all packages
* Build stx-debian
* Build all starlingx and openstack containers

This change causes build failures addressed by a separate review linked
below.

Story: 2011159
Task: 50404

Depends-On: https://review.opendev.org/c/starlingx/utilities/+/922468
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I9764ca475579d43cb63de6507cb90a9c3d4f698f
2024-06-21 08:22:44 -04:00

108 lines
3.8 KiB
Docker
Raw Blame History

# Start with an the old-ish bullseye release (11.2), then upgrade --
# to make sure packages that come pre-installed in the debian:XXX image
# are older than anything in StarlingX.
ARG RELEASE=11.2
FROM debian:${RELEASE}
ENV DEBIAN_FRONTEND=noninteractive
# Disable upstream debian repos
RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled
# Install apt repos
COPY apt/debian.sources.list /etc/apt/sources.list.d/debian.list.disabled
COPY apt/stx.sources.list /etc/apt/sources.list.d/stx.list.disabled
COPY apt/stx.preferences /etc/apt/preferences.d/stx
# Install layer-specific binary repositories.
# Note: They are all supposed to be disabled by default, but can be optionally
# enabled if it is necessary to build an image that requires
# dependencies that are in repositories not listed in `stx.sources.list`.
COPY apt/*.layer.sources.list /etc/apt/sources.list.d/
RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
mv "${layer}" "$(echo "${layer}" | sed s/.layer.sources.list/.list.disabled/)"; \
done
# repo templates:
# /etc/apt/sources.list.d/
# debian.list.disabled - vanilla debian repos
# stx.list.disabled - starlingx binary & build repos
#
# To enable a repo list:
# cp /etc/apt/sources.list.d/$repo_list.disabled \
# /etc/apt/sources.list.d/$repo_list
#
# To disable a repo list:
# rm -f /etc/apt/sources.list.d/$repo_list
#
# By default only stx.list is enabled, which includes only the packages
# built by stx tools, and the binary packages from the curated binary
# download lists (bullseye-base.lst etc).
#
# Enabling the upstream repos ("debian.list") is dangerous because it
# may conflict with packages in stx.list.
#
#
# FIXME: apt evaluates these files in alphabetical order, so stx.list
# comes after debian.list. When the local binary repo contains
# the same package/version as the debian repo, apt will download
# it from debian, regardless of the priority in /etc/apt/preferences.
# We should rename these files to make stx.list sort before
# debian.list. This would affect Loci scripts in
# loci/docker/stx-scripts/
#
#
# Upgrade base packages to versions in managed repos
#
RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
apt-get -y update && \
apt-get -y upgrade && \
apt-get -y install --no-install-recommends --no-install-suggests \
ca-certificates \
libapache2-mod-wsgi-py3 \
python3-setuptools \
&& \
rm -f /etc/apt/sources.list.d/stx.list && \
apt-get clean && rm -rf /var/lib/apt/lists/*
#
# Enable stx repo only. Packages installs below this point will use
# only the managed locally-built & 3rd-party repos.
#
RUN cp /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list
#
# Install required packages
#
RUN apt-get update -y && \
apt-get upgrade -y && \
apt-get install -y \
openssh-client \
python3 \
python3-pip \
python3-wheel \
# FIXME: uncomment once qemu is ported to debian (starlingx/integ)
# qemu-utils \
&& \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
# FIXME: these packages are not required by most docker images inheriting
# from this image. However these Python modules are not buildable from
# source (ie by pip) on Debian and require patches. Install the patched
# versions as DEB packages to make sure pip dependencies in derived images
# are satisfied.
#
# A better solution would be to omit them here, but install them in each
# project that requires them; or add wheel subpackages to these DEBs.
RUN apt-get update -y && \
apt-get upgrade -y && \
apt-get install -y \
python3-thriftpy \
python3-nss \
python-nss \
&& \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
View Git Blame Copy Permalink