Explicitly upgrade openssl in docker file and enforce new version of cryptography #9697
Changes from 4 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Ensure that the docker container has up to date versions of openssl. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches. |
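Review bot: The `cryptography` requirement this entry announces has no matching change in the hunks shown here, which only touch the Dockerfile's apt package lists. The entry should ship alongside the version constraint it describes, with the minimum version stated, so a reader of the changelog can tell what is actually enforced. Note also that if `cryptography` is installed from a prebuilt wheel it carries its own OpenSSL build, so the apt upgrade of `openssl` would not by itself change what the Python code links against.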
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,17 +20,19 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder | |
|
||
# install the OS build deps | ||
RUN apt-get update && apt-get install -y \ | ||
build-essential \ | ||
libffi-dev \ | ||
libjpeg-dev \ | ||
libpq-dev \ | ||
libssl-dev \ | ||
libwebp-dev \ | ||
libxml++2.6-dev \ | ||
libxslt1-dev \ | ||
rustc \ | ||
zlib1g-dev \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
build-essential \ | ||
libffi-dev \ | ||
libjpeg-dev \ | ||
libpq-dev \ | ||
libssl \ | ||
libssl-dev \ | ||
libwebp-dev \ | ||
libxml++2.6-dev \ | ||
libxslt1-dev \ | ||
openssl \ | ||
is
How do we figure this out?
Given that we don't know if anything depends on
Looks like openssl is already installed in the base image
Yep! Already installed, but not necessarily updated since the base images only get updated ~monthly at best. So good for us to do it here.
||
rustc \ | ||
zlib1g-dev \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
|
||
# Build dependencies that are not available as wheels, to speed up rebuilds | ||
RUN pip install --prefix="/install" --no-warn-script-location \ | ||
|
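Review bot: The new `libssl \` entry in the builder's apt-get list needs checking against the base image's package index, since on Debian-based images the runtime library is normally published under a versioned name and an unresolvable name fails the whole `RUN`. If it does not resolve, drop it and let `libssl-dev` and `openssl` pull in the library as a dependency. Separately, listing `openssl` here only picks up a newer version when this layer is actually rebuilt; a cached layer keeps whatever was installed when it was first built, so release builds that are meant to carry the fix should be run without the layer cache and with a fresh pull of the base image.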
@@ -63,14 +65,17 @@ RUN pip install --prefix="/install" --no-warn-script-location \ | |
FROM docker.io/python:${PYTHON_VERSION}-slim | ||
|
||
RUN apt-get update && apt-get install -y \ | ||
curl \ | ||
gosu \ | ||
libjpeg62-turbo \ | ||
libpq5 \ | ||
libwebp6 \ | ||
xmlsec1 \ | ||
libjemalloc2 \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
curl \ | ||
gosu \ | ||
libjpeg62-turbo \ | ||
libpq5 \ | ||
libwebp6 \ | ||
xmlsec1 \ | ||
libjemalloc2 \ | ||
libssl \ | ||
libssl-dev \ | ||
openssl \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
|
||
COPY --from=builder /install /usr/local | ||
COPY ./docker/start.py /start.py | ||
|
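Review bot: `libssl-dev \` in the runtime stage's list puts development headers into the final image, where nothing is compiled; the builder stage already has it, and the runtime image only needs the shared library and the `openssl` package. Suggest removing `libssl-dev` from this list to keep the shipped image smaller and its package set easier to audit. The unversioned `libssl \` entry raises the same question here as in the builder stage.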
@@ -83,4 +88,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp | |
ENTRYPOINT ["/start.py"] | ||
|
||
HEALTHCHECK --interval=1m --timeout=5s \ | ||
CMD curl -fSs http://localhost:8008/health || exit 1 | ||
CMD curl -fSs http://localhost:8008/health || exit 1 |
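Review bot: The `CMD curl -fSs http://localhost:8008/health || exit 1` line appears to change only in whitespace, which is unrelated to the OpenSSL upgrade this PR is about. Suggest reverting it so the diff stays limited to the package changes, or moving the formatting fix to its own commit.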
possibly the same could be said here.