From 3869182911991298d7765132b70491500e7cff76 Mon Sep 17 00:00:00 2001
From: Shane Hutchins <shane.hutchins@hitachids.com>
Date: Wed, 8 Jan 2025 09:33:47 -0500
Subject: [PATCH 1/3] updating docker images to resolve remaining
 vulnerabilities in azure, gc and ibm images

---
 app/Makefile                   |  8 ++++++++
 app/_version.py                |  4 ++--
 build/Dockerfile               |  9 +++------
 build/aws/build-aws/Dockerfile |  1 -
 build/azure/Dockerfile         | 25 ++++++++++++++---------
 build/azure/requirements.in    | 37 ----------------------------------
 build/gc/Dockerfile            | 24 ++++++++++++----------
 build/ibm/Dockerfile           | 35 ++++++++++++--------------------
 requirements.txt               |  2 +-
 9 files changed, 55 insertions(+), 90 deletions(-)
 delete mode 100644 build/azure/requirements.in

diff --git a/app/Makefile b/app/Makefile
index df32c5b4..f27bf2e0 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -42,6 +42,14 @@ build_docker:
 	cd .. && python3.11 setversion.py app
 	cd .. && docker build --network host -t $(IMAGE_NAME):$(TAG) -f app/Dockerfile .
 
+build_all: 
+	cd .. && python3.11 setversion.py app
+	cd .. && docker build --network host -t $(IMAGE_NAME):$(TAG) -f app/Dockerfile .
+	cd .. && docker build --network host -t $(IMAGE_NAME):aws -f build/aws/build-aws/Dockerfile .
+	cd .. && docker build --network host -t $(IMAGE_NAME):azure -f build/azure/Dockerfile .
+	cd .. && docker build --network host -t $(IMAGE_NAME):gc -f build/gc/Dockerfile .
+	cd .. && docker build --network host -t $(IMAGE_NAME):ibm -f build/ibm/Dockerfile .
+
 # run policy-service locally in docker with gcp backend, assumes opa running locally
 run_gcp: gcp_set_token
 	docker run  -it --rm \
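Review bot: The new `build_all: ` header has a trailing space and its first two recipe lines duplicate the `build_docker` recipe instead of depending on it, so the two targets can drift apart. Replace the header and the two duplicated lines with `build_all: build_docker` followed directly by the four cloud-specific `docker build` lines, and add `build_all` to the file's `.PHONY` list if it has one (a stray file named build_all in app/ would otherwise make the target a silent no-op). The rest of build_docker's rule begins above the hunk; `--network host` is copied from it and is worth a one-line comment stating why the image builds need the host network namespace.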
diff --git a/app/_version.py b/app/_version.py
index a809823f..153ee9f8 100644
--- a/app/_version.py
+++ b/app/_version.py
@@ -4,8 +4,8 @@ __milestone__ = "M25"
 __branch__ = "dev"
 __build__ = "0"
 __release__ = "a0.dev0"
-__buildtime__ = 1736189202.348354
+__buildtime__ = 1736346610.167947
 __commitid__ = ""
 __commitmessage__ = """"""
-__committimestamp__ = "2025-01-06T13:46:42.343928"
+__committimestamp__ = "2025-01-08T09:30:10.167717"
 __commitrefslug__ = ""
diff --git a/build/Dockerfile b/build/Dockerfile
index 9c7779cf..c400a6a7 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,17 +1,14 @@
-# This Dockerfile assumes you used "make build" to convert the AdminUI to static files in frontend/adminui/dist/policyservice
 FROM python:3.11.11-slim
 
 # set environment variables
 # PYTHONDONTWRITEBYTECODE - Prevents Python from writing pyc files to disc (equivalent to python -B option)
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # PYTHONUNBUFFERED - Prevents Python from buffering stdout and stderr (equivalent to python -u option)
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 
 WORKDIR /opt
 COPY ./app /opt
+#RUN pip install setuptools==75.7.0 --upgrade
 RUN pip install --no-cache-dir --upgrade -r /opt/requirements.txt
 
-# Admin UI POC
-#COPY ./frontend/adminui/dist/policyservice /opt/assets
-
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--workers", "4, "--port", "8080"]
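Review bot: The unchanged CMD at the end of the hunk is not valid JSON — `"4, "--port"` closes the string after the comma — so the exec form cannot be parsed and the build tool is likely to fall back to shell form, which would not start uvicorn as intended; it should read `CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--workers", "4", "--port", "8080"]`. The added `#RUN pip install setuptools==75.7.0 --upgrade` is commented-out dead code: either apply it as the azure, gc and ibm images do, or drop it. Unlike those three images this one still has no `USER` instruction in the 14 lines shown, so the service runs as root here; the `addgroup`/`adduser`/`USER` lines used in the other Dockerfiles (with the Debian `groupadd`/`useradd` equivalents for a slim base) would close that gap.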
diff --git a/build/aws/build-aws/Dockerfile b/build/aws/build-aws/Dockerfile
index f8dbd757..cf82c581 100644
--- a/build/aws/build-aws/Dockerfile
+++ b/build/aws/build-aws/Dockerfile
@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This Dockerfile assumes you used "make build" to convert the AdminUI to static files in frontend/adminui/dist/policyservice
 FROM public.ecr.aws/docker/library/python:3.11.11-alpine
 
 # set environment variables
diff --git a/build/azure/Dockerfile b/build/azure/Dockerfile
index 6daf1e15..b05df2ed 100644
--- a/build/azure/Dockerfile
+++ b/build/azure/Dockerfile
@@ -1,18 +1,23 @@
-FROM python:3.11.11-slim
+FROM python:3.11.11-alpine
 
 # set environment variables
 # PYTHONDONTWRITEBYTECODE - Prevents Python from writing pyc files to disc (equivalent to python -B option)
-# ENV PYTHONDONTWRITEBYTECODE 1 Writing pyc files improves execution time
+ENV PYTHONDONTWRITEBYTECODE=1
 # PYTHONUNBUFFERED - Prevents Python from buffering stdout and stderr (equivalent to python -u option)
-ENV PYTHONUNBUFFERED 1
-EXPOSE 8080/tcp
+ENV PYTHONUNBUFFERED=1
+
+RUN apk update && apk upgrade
+RUN apk add gcc python3-dev musl-dev linux-headers libffi-dev openssl-dev
 
+EXPOSE 8080/tcp
 WORKDIR /opt
-COPY ./build/azure/requirements.in /opt
-RUN pip install --upgrade pip && pip install pip-tools \
-      && pip install setuptools==75.7.0 --upgrade \
-      && pip-compile requirements.in -o requirements.full -v \
-      && pip install --no-cache-dir --upgrade -r /opt/requirements.full 
 COPY ./app /opt
+RUN pip install --no-cache-dir --upgrade -r /opt/requirements.txt
+RUN pip install setuptools==75.7.0 --upgrade
+
+# Run as user
+RUN addgroup -S nonroot \
+    && adduser -D nonroot -G nonroot
+USER nonroot
 
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080", "--workers", "24", "--lifespan", "on", "--loop", "uvloop"]
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080", "--workers", "4", "--proxy-headers"]
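Review bot: The compiler toolchain installed by the new `apk add gcc python3-dev musl-dev linux-headers libffi-dev openssl-dev` line is never removed, so gcc and the development headers ship in the runtime image; the same pattern is repeated in build/gc/Dockerfile and build/ibm/Dockerfile. Installing them as a virtual group and deleting it in the same RUN layer as the pip install keeps the runtime image to Python plus the installed wheels, and `--no-cache` avoids persisting the apk index; the runtime shared libraries that compiled extensions link against (libffi, openssl) come from the python:alpine base, which a smoke test of the built image should confirm. The new CMD's `--proxy-headers` only trusts X-Forwarded-* from uvicorn's default allow list (loopback) unless `--forwarded-allow-ips` is set too, so behind an ingress the application may still see the proxy's address — worth checking against the deployment.
```dockerfile
COPY ./app /opt
RUN apk add --no-cache --virtual .build-deps \
        gcc python3-dev musl-dev linux-headers libffi-dev openssl-dev \
    && pip install --no-cache-dir --upgrade -r /opt/requirements.txt \
    && pip install --no-cache-dir --upgrade setuptools==75.7.0 \
    && apk del .build-deps
# … unchanged: non-root user, CMD …
```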
diff --git a/build/azure/requirements.in b/build/azure/requirements.in
deleted file mode 100644
index e580f8ff..00000000
--- a/build/azure/requirements.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# jinja2
-
-# Policy alpine dependencies (Generated by py pipreqs app/ --force)
-boto3
-botocore
-cachetools
-elasticsearch_dsl
-fastapi
-kubernetes
-parameterized
-pydantic==2.1.1
-PyJWT
-Requests
-responses
-uvicorn
-starlette
-starlette_context
-uuid7
-python-multipart
-python-dotenv
-conf
-psutil
-ruamel.yaml
-ruamel.yaml.string
-
-# For performance purposes
-uvloop
-
-#azure dependencies
-msal
-azure-identity
-azure-keyvault-secrets
-azure-storage-blob
-
-# osdu dependences
---extra-index-url https://community.opengroup.org/api/v4/projects/148/packages/pypi/simple 
-osdu-api[all]==v0.27.0rc857+059aa618
diff --git a/build/gc/Dockerfile b/build/gc/Dockerfile
index 9c47daa9..b05df2ed 100644
--- a/build/gc/Dockerfile
+++ b/build/gc/Dockerfile
@@ -1,21 +1,23 @@
-# This Dockerfile assumes you used "make build" to convert the AdminUI to static files in frontend/adminui/dist/policyservice
-FROM python:3.11.11-slim
+FROM python:3.11.11-alpine
 
 # set environment variables
 # PYTHONDONTWRITEBYTECODE - Prevents Python from writing pyc files to disc (equivalent to python -B option)
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # PYTHONUNBUFFERED - Prevents Python from buffering stdout and stderr (equivalent to python -u option)
-ENV PYTHONUNBUFFERED 1
-EXPOSE 8080/tcp
+ENV PYTHONUNBUFFERED=1
+
+RUN apk update && apk upgrade
+RUN apk add gcc python3-dev musl-dev linux-headers libffi-dev openssl-dev
 
+EXPOSE 8080/tcp
 WORKDIR /opt
 COPY ./app /opt
 RUN pip install --no-cache-dir --upgrade -r /opt/requirements.txt
+RUN pip install setuptools==75.7.0 --upgrade
 
-# Add a non-root user
-RUN groupadd -g 10001 -r nonroot \
-  && useradd -g 10001 -r -u 10001 nonroot
-# Run as non-root user
-USER 10001:10001
+# Run as user
+RUN addgroup -S nonroot \
+    && adduser -D nonroot -G nonroot
+USER nonroot
 
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--workers", "4", "--port", "8080"]
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080", "--workers", "4", "--proxy-headers"]
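Review bot: The new `adduser -D nonroot -G nonroot` / `USER nonroot` lines drop the fixed numeric UID (10001) that the removed `groupadd`/`useradd`/`USER 10001:10001` lines set; with a named USER, a Kubernetes pod that sets `runAsNonRoot: true` cannot verify from the image that the user is non-root and refuses to start the container unless `runAsUser` is also supplied. Keep the explicit id: `RUN addgroup -S -g 10001 nonroot \`, `    && adduser -D -u 10001 -G nonroot nonroot` and `USER 10001:10001`. The same named-user form is introduced in build/azure/Dockerfile and build/ibm/Dockerfile (the latter previously ran as `USER 1001`).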
diff --git a/build/ibm/Dockerfile b/build/ibm/Dockerfile
index d7a54a9e..b05df2ed 100644
--- a/build/ibm/Dockerfile
+++ b/build/ibm/Dockerfile
@@ -1,32 +1,23 @@
-# This Dockerfile assumes you used "make build" to convert the AdminUI to static files in frontend/adminui/dist/policyservice
-# FROM registry.access.redhat.com/ubi8/python-39:1-168
-FROM registry.access.redhat.com/ubi9/python-311
+FROM python:3.11.11-alpine
 
 # set environment variables
 # PYTHONDONTWRITEBYTECODE - Prevents Python from writing pyc files to disc (equivalent to python -B option)
 ENV PYTHONDONTWRITEBYTECODE=1
 # PYTHONUNBUFFERED - Prevents Python from buffering stdout and stderr (equivalent to python -u option)
 ENV PYTHONUNBUFFERED=1
-USER root
 
-WORKDIR /opt
-
-COPY . /opt
-
-RUN pip install --no-cache-dir --upgrade -r requirements_setversion.txt
-RUN pip install --no-cache-dir --upgrade -r ./app/requirements.txt
-RUN python ./setversion.py app
-
-# RUN pip list
+RUN apk update && apk upgrade
+RUN apk add gcc python3-dev musl-dev linux-headers libffi-dev openssl-dev
 
-# RUN chown -R 1001:0 /opt
-
-# RUN pip show uvicorn
-
-WORKDIR /opt/app
-RUN pwd
+EXPOSE 8080/tcp
+WORKDIR /opt
+COPY ./app /opt
+RUN pip install --no-cache-dir --upgrade -r /opt/requirements.txt
+RUN pip install setuptools==75.7.0 --upgrade
 
-USER 1001
-# RUN python -m uvicorn app.main:app --reload
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]
+# Run as user
+RUN addgroup -S nonroot \
+    && adduser -D nonroot -G nonroot
+USER nonroot
 
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080", "--workers", "4", "--proxy-headers"]
diff --git a/requirements.txt b/requirements.txt
index 7c468fa8..2c097667 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,4 +18,4 @@ google-cloud-storage
 
 # osdu dependences
 --extra-index-url https://community.opengroup.org/api/v4/projects/148/packages/pypi/simple 
-osdu-api[all]==v0.27.1
+osdu-api[all]==v0.28.0.dev904+ab6e3f55
-- 
GitLab


From ae941761c0e833fc54422c3396b12dd412ec4ce8 Mon Sep 17 00:00:00 2001
From: Shane Hutchins <shane.hutchins@hitachids.com>
Date: Wed, 8 Jan 2025 10:11:34 -0500
Subject: [PATCH 2/3] update azure test pipeline to use apline image

---
 devops/azure/override-stages.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devops/azure/override-stages.yml b/devops/azure/override-stages.yml
index f213f432..eb3dee0b 100644
--- a/devops/azure/override-stages.yml
+++ b/devops/azure/override-stages.yml
@@ -96,7 +96,7 @@ azure_test_py:
     name: $CI_REGISTRY_IMAGE/${CI_PROJECT_NAME}-${CI_COMMIT_REF_SLUG}:${CI_COMMIT_SHA}
     entrypoint: [""]
   before_script:
-    - apt-get update && apt-get install -y curl jq
+    - apk update && apk install -y curl jq
     - pip install -q -r ./requirements_dev.txt
     - export BEARER_TOKEN=$(curl -ks -XPOST "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/token" -d "grant_type=client_credentials&client_id=${AZURE_PRINCIPAL_ID}&client_secret=${AZURE_PRINCIPAL_SECRET}&resource=${AZURE_APP_ID}" | jq --raw-output '.access_token')
     - if [ -z $BEARER_TOKEN ]; then echo "[ERROR] Not able to get token (BEARER_TOKEN)"; exit 1; fi
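Review bot: The new `apk update && apk install -y curl jq` line will fail on the alpine image, since apk has no `install` subcommand and no `-y` flag; the working form is `apk add --no-cache curl jq` (the following patch in this series removes the line again, so squashing the two would avoid a broken intermediate commit). On the unchanged token line below, `curl -ks` disables certificate verification while posting `AZURE_PRINCIPAL_SECRET` to the login endpoint, which exposes the credential to anything that can interpose on the connection; `-s` alone is sufficient for a public CA-signed endpoint. Because `jq --raw-output` prints `null` when `.access_token` is absent, the `[ -z $BEARER_TOKEN ]` guard does not catch a failed token response; checking for `null` as well (`if [ -z "$BEARER_TOKEN" ] || [ "$BEARER_TOKEN" = null ]`) makes the job fail where it should.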
-- 
GitLab


From 2cc6357da74e58475bf7b561a8af3192162b0b19 Mon Sep 17 00:00:00 2001
From: Shane Hutchins <shane.hutchins@hitachids.com>
Date: Wed, 8 Jan 2025 10:54:39 -0500
Subject: [PATCH 3/3] updating azure image and integration test

---
 build/azure/Dockerfile           | 1 +
 devops/azure/override-stages.yml | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/azure/Dockerfile b/build/azure/Dockerfile
index b05df2ed..59da3566 100644
--- a/build/azure/Dockerfile
+++ b/build/azure/Dockerfile
@@ -8,6 +8,7 @@ ENV PYTHONUNBUFFERED=1
 
 RUN apk update && apk upgrade
 RUN apk add gcc python3-dev musl-dev linux-headers libffi-dev openssl-dev
+RUN apk add curl jq
 
 EXPOSE 8080/tcp
 WORKDIR /opt
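Review bot: The new `RUN apk add curl jq` line bakes test-pipeline tools into the production azure image (this same patch removes their installation from the CI job's before_script), so every deployed container ships curl and jq although uvicorn needs neither; a general-purpose HTTP client in a runtime image is a routine container-hardening finding. Prefer installing them in the CI job itself (`apk add --no-cache curl jq` in before_script, the working form of what the previous patch attempted) or in a separate test stage built FROM this image, and if they must stay in the image, use `apk add --no-cache curl jq` so the apk index is not persisted.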
diff --git a/devops/azure/override-stages.yml b/devops/azure/override-stages.yml
index eb3dee0b..3f7629cc 100644
--- a/devops/azure/override-stages.yml
+++ b/devops/azure/override-stages.yml
@@ -96,7 +96,6 @@ azure_test_py:
     name: $CI_REGISTRY_IMAGE/${CI_PROJECT_NAME}-${CI_COMMIT_REF_SLUG}:${CI_COMMIT_SHA}
     entrypoint: [""]
   before_script:
-    - apk update && apk install -y curl jq
     - pip install -q -r ./requirements_dev.txt
     - export BEARER_TOKEN=$(curl -ks -XPOST "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/token" -d "grant_type=client_credentials&client_id=${AZURE_PRINCIPAL_ID}&client_secret=${AZURE_PRINCIPAL_SECRET}&resource=${AZURE_APP_ID}" | jq --raw-output '.access_token')
     - if [ -z $BEARER_TOKEN ]; then echo "[ERROR] Not able to get token (BEARER_TOKEN)"; exit 1; fi
-- 
GitLab