Use maintained nodejs18-debian12 base image #834
base: master
Force-pushed from c9d1bc7 to 429f764
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (master vs #834):

             master     #834    +/-
Coverage     55.30%   55.30%
Files           564      564
Lines         14620    14620
Branches       2668     2668
Hits           8085     8085
Misses         6535     6535

View full report in Codecov by Sentry.
@ursucarina / @eapolinario I think you should still accept this patch as your base container image is outdated / has security vulnerabilities. Thanks!

Commit message:

- The nodejs distroless image was last updated 10 months ago and as such there are a number of high severity CVEs present in the last flyteconsole image that shipped v1.10.2
- The existing base image is based on node v18, so for compatibility use the gcr.io/distroless/nodejs18-debian12 image, which is being actively maintained: https://github.com/GoogleContainerTools/distroless/blob/main/nodejs/README.md

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
Force-pushed from 429f764 to 144653f
@ursucarina / @jsonporter can we please rework this change in

I gave it a try and the image doesn't build locally (

That's unusual - we're building flyteconsole from source on top of the updated base image and it's working fine
This is the actual Dockerfile in use:

```dockerfile
# syntax=docker/dockerfile:experimental
# https://github.com/flyteorg/flyteconsole/blob/master/Dockerfile
# NOTE: this is already based on distroless nodejs container
# https://github.com/GoogleContainerTools/distroless/blob/main/nodejs/README.md

# global ARG used in all build stages
ARG BASE_URL=/flows/console

# build stage: full node image with a shell and toolchain; nothing from it ships
FROM node:21.7 as builder
SHELL ["/bin/bash", "-c"]
ARG TARGETARCH
ARG BASE_URL
ARG REPO=flyteorg
ARG VER=v1.15.0
ARG PLACEHOLDER_NPM='"version": "0.0.1"'
ENV npm_config_target_arch "${TARGETARCH}"
ENV npm_config_target_platform linux
ENV npm_config_target_libc glibc

# Domino-specific patches
# NOTE: temporarily requires Domino patch to breadcrumb - https://github.com/flyteorg/flyteconsole/pull/861
COPY patches /patches

WORKDIR /my-project/
RUN git clone --depth 1 --branch "${VER}" "https://github.com/${REPO}/flyteconsole" . && \
    for f in /patches/*.patch; do [ -f "$f" ] || break; patch -p1 < "$f"; done

# update the internal version - see https://github.com/flyteorg/flyteconsole/blob/master/Makefile#L40
RUN grep "${PLACEHOLDER_NPM}" "website/console/package.json" \
    && sed -i "s/${PLACEHOLDER_NPM}/\"version\": \"${VER:1}\"/g" "website/console/package.json"

# install production dependencies
# NOTE: --mount is a RUN flag and must directly follow RUN; written after ':' it is
# passed to ':' as an argument and the cache mount is silently ignored
RUN --mount=type=cache,target=/root/.yarn \
    yarn workspaces focus --production --all

# build console web app
RUN --mount=type=cache,target=/root/.yarn \
    BASE_URL=${BASE_URL} yarn workspace @clients/console run build:prod

# copy console build to /app
RUN mkdir /app \
    && cp -R ./website/console/dist/* /app

# runtime stage: pinned by immutable digest (a tag alone can be re-pointed);
# distroless has no shell or package manager, node is the image entrypoint
FROM gcr.io/distroless/nodejs18-debian12@sha256:3cb543d5a3cec9ec76500f597fb9f71b7f2fc85e2845d6537debd387336f97c1
LABEL org.opencontainers.image.source https://github.com/flyteorg/flyteconsole
COPY --from=builder /app /app
WORKDIR /app
ARG BASE_URL
ENV NODE_ENV=production BASE_URL=$BASE_URL PORT=8080
EXPOSE 8080
# drop root before the server starts
USER 1000
CMD ["server.js"]
```

We have automation that bumps the actual sha of the distroless tag regularly, but you can see we build on top of
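The thread's point is that a base image referenced only by tag is mutable and goes stale, while a digest pin is immutable but must be refreshed by automation. The script below is an added example (not part of the PR or of flyteconsole) that audits the `FROM` lines of a Dockerfile for exactly that: it flags images with no digest (worst when the tag is `latest` or absent), malformed digests, build-ARG references it cannot resolve, and pins that differ from a "currently published" digest table. The sample Dockerfile reuses the two `FROM` lines from the thread plus a constructed extra stage; the `CONSTRUCTED_CURRENT` table and its digest value are made up so the pinned line reads as stale, and the function and class names are this example's own.

```python
"""Audit Dockerfile FROM lines for base-image pinning hygiene (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches "FROM [--platform=...] <ref> [AS <stage>]"
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+[Aa][Ss]\s+(?P<stage>\S+))?\s*$"
)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    severity: str  # "high" | "medium" | "low"
    message: str


def parse_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (name, tag, digest).

    A registry host may carry a port (host:5000/img), so the tag separator
    is the last ':' that appears after the last '/'.
    """
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag: Optional[str] = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def audit_dockerfile(text: str, current_digests: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Return one Finding per FROM line that is unpinned, malformed, unresolvable or stale."""
    findings: List[Finding] = []
    stages = set()
    current_digests = current_digests or {}
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if stage:
            stages.add(stage)
        # "FROM <earlier stage>" and "FROM scratch" pull nothing from a registry
        if ref in stages or ref == "scratch":
            continue
        if "$" in ref:
            findings.append(Finding(line_no, ref, "low",
                                    "base image comes from a build ARG; resolve it before auditing"))
            continue
        name, tag, digest = parse_ref(ref)
        if digest is None:
            severity = "high" if tag in (None, "latest") else "medium"
            findings.append(Finding(line_no, ref, severity,
                                    f"not pinned by digest (tag {tag or 'latest'} is mutable)"))
        elif not DIGEST_RE.match(digest):
            findings.append(Finding(line_no, ref, "high",
                                    "malformed digest; expected sha256:<64 hex chars>"))
        elif name in current_digests and current_digests[name] != digest:
            findings.append(Finding(line_no, ref, "medium",
                                    f"stale digest; current {name} is {current_digests[name]}"))
    return findings


# Constructed sample: the two FROM lines from the Dockerfile in this thread plus an
# extra stage that only reuses the builder (not from the page).
SAMPLE_DOCKERFILE = """\
FROM node:21.7 as builder
RUN echo build
FROM gcr.io/distroless/nodejs18-debian12@sha256:3cb543d5a3cec9ec76500f597fb9f71b7f2fc85e2845d6537debd387336f97c1
COPY --from=builder /app /app
FROM builder AS tests
"""

# Constructed "what the registry serves now" table. The digest is made up so the
# pinned line above reads as stale; real automation would fill this from
# `docker buildx imagetools inspect <image>:<tag>` or the registry API.
CONSTRUCTED_CURRENT = {
    "gcr.io/distroless/nodejs18-debian12": "sha256:" + "ab" * 32,
}


if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE, CONSTRUCTED_CURRENT):
        print(f"line {f.line_no} [{f.severity}] {f.ref}: {f.message}")
```

Run against the sample it reports the builder stage (`node:21.7`, tag only) and the runtime stage (pinned, but not to the digest the constructed table says is current), and skips `FROM builder AS tests`. The builder finding is the lower-risk one here because nothing from that stage ships, which is the point of the multi-stage layout above; the runtime pin is the one the digest-bump automation has to keep current.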
TL;DR
The nodejs distroless image was last updated 10 months ago and as such there are a number of high severity CVEs present in the last flyteconsole image that shipped v1.10.2
The existing base image is based on node v18, so for compatibility use the gcr.io/distroless/nodejs18-debian12 image, which is being actively maintained:
https://github.com/GoogleContainerTools/distroless/blob/main/nodejs/README.md
Complete description
Docker Scout isn't the most thorough scanner -- but a quick compare:

Current image (Docker Scout output was attached as an image and is not included in the page text)

Updated image (Docker Scout output was attached as an image and is not included in the page text)
Follow-up issue
NA