Docker install gcc-c++-x86_64-linux-gnu - linux

How to install gcc-c++-x86_64-linux-gnu inside a Docker container on CentOS- and RHEL-based images?
I am using a CentOS-based image:
FROM registry.centos.org/dotnet/dotnet-31-runtime-centos7
The YUM command below is not working to install "gcc-c++-x86_64-linux-gnu":
RUN yum install -y centos-release-dotnet centos-release-scl-rh gcc-c++-x86_64-linux-gnu && \
INSTALL_PKGS="rh-nodejs10-npm rh-nodejs10-nodejs-nodemon rh-dotnet31-dotnet-sdk-3.1 rsync" && \
yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum clean all -y && \
# yum cache files may still exist (and quite large in size)
rm -rf /var/cache/yum/*
Any pointers on what is wrong with the above command?

Related

Fixing security vulnerabilities in docker image

I have the following docker file
FROM debian:stable
# Avoid warnings by switching to noninteractive
ENV DEBIAN_FRONTEND=noninteractive
#Versions
ENV HELM_VERSION=v3.10.0
ENV KUBECTL_VERSION=v1.20.9
ENV MAVEN_OPTS="-Djavax.net.ssl.trustStore=/cicd/assets/truststore.jks"
ENV TERRAFORM_VERSION=1.2.0
ENV GOLANG_VERSION=1.19.1
ENV TERRAGRUNT_VERSION=v0.38.7
RUN set -xe \
&& apt-get update -y \
&& apt-get install -y python3-pip
RUN apt-get install zip unzip
#Copy python requirements file
COPY requirements.txt /tmp/pip-tmp/
# Makes the Ansible directories
RUN mkdir /etc/ansible /ansible
RUN mkdir ~/.ssh
# Configure apt and install python packages
RUN apt-get update -y -q \
&& apt-get upgrade -y -q \
&& apt-get install -y wget \
&& apt-get -y install --no-install-recommends apt-utils dialog 2>&1 \
&& apt-get install -y --no-install-recommends apt-utils \
&& apt-get -y install ca-certificates software-properties-common build-essential curl git gettext-base maven sshpass krb5-user \
&& pip --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt \
&& apt-get -y install jq \
&& rm -rf /tmp/pip-tmp
#Install helm
RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz \
&& tar -zxvf helm-${HELM_VERSION}-linux-amd64.tar.gz \
&& mv linux-amd64/helm /usr/local/bin/helm
#Install kubectl
RUN curl --silent https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl \
&& chmod +x /usr/local/bin/kubectl
#Install Docker CLI
RUN curl -sSL https://get.docker.com/ | sh \
&& curl -L "https://github.com/docker/compose/releases/download/2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose \
&& chmod +x /usr/local/bin/docker-compose
#Install AWS CLI
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip awscliv2.zip \
&& ./aws/install
#Copy Assets
#RUN mkdir -p /cicd
#COPY assets /cicd
#Install helm plugins
#RUN helm plugin add https://github.com/databus23/helm-diff
#RUN helm plugin install /cicd/helm-nexus-push
# Downloading gcloud package
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
# Installing the package
RUN mkdir -p /usr/local/gcloud \
&& tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
&& /usr/local/gcloud/google-cloud-sdk/install.sh
# Adding the package path to local
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
RUN cd /tmp && \
wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && \
rm -rf /tmp/*
RUN cd /tmp && \
wget https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz && \
tar -xzf go${GOLANG_VERSION}.linux-amd64.tar.gz -C /usr/local && \
rm -rf /tmp/*
RUN cd /tmp && \
wget https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 && \
mv terragrunt_linux_amd64 /usr/local/bin/terragrunt && \
chmod +x /usr/local/bin/terragrunt && \
rm -rf /tmp/*
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
ENV GOPATH=/usr/local/go
ENV PATH=/usr/local/go/bin:$PATH
ENV CGO_ENABLED=0
RUN go version
RUN terraform --version
RUN terragrunt --version
RUN ansible --version
CMD bash
I build the Docker image and upload it to Google Artifact Registry, but I always come across security vulnerabilities. I have tried to fix them, but unfortunately I'm unable to. Please look at the critical errors and let me know how I can fix this. Any recommendation is appreciated. Thank you.
It looks like the Dockerfile is trying to install a specific version of golang by hand into "/usr/local" rather than using the Debian package manager. According to the info at https://security-tracker.debian.org/tracker/CVE-2021-38297, that bug is fixed in 1.17.3-3 and the Dockerfile is using 1.19.1. So perhaps there is an old golang installation in the base image ... and that is what the scanner is picking up. Check that, and if necessary apt install a newer version.
Likewise, https://security-tracker.debian.org/tracker/CVE-2022-23806 should be fixed by a newer version of golang. See the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2015-20107 could be fixed by upgrading to Python 3.10.6-1 or later.
https://security-tracker.debian.org/tracker/CVE-2019-19814 doesn't appear to have a fix from upstream, so there is nothing you can do about it except not use f2fs.
https://security-tracker.debian.org/tracker/CVE-2022-29599 can be fixed by updating the maven-shared-utils package; see the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2022-1996 has a fix upstream but it is awaiting triage by the Debian team.
In summary, some of the vulnerabilities can be fixed, but for a couple of them no fix is readily available. So:
Apply the fixes that are available.
Then read the CVEs and accompanying explanations and 1) make a judgement whether they represent a risk that you can take, and 2) figure out if you can mitigate the risk; e.g. by locking down access to the running Docker container.
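For the "check that" step in the answer above, this added example (not part of the original answer) lists the golang packages recorded in an image's dpkg database, where a Go toolchain unpacked into /usr/local never appears. The function names and the sample stanzas are constructed for illustration; inside the image, pass /var/lib/dpkg/status as the first argument.

```shell
# list_installed STATUS_FILE PATTERN
# Prints "package<TAB>version<TAB>source" for each fully installed package
# whose binary or source package name matches PATTERN (an awk regex).
list_installed() {
    awk -v pat="$2" '
        BEGIN { RS = ""; FS = "\n"; OFS = "\t" }  # one stanza per record
        {
            pkg = ver = src = status = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "Package: ") == 1) pkg = substr($i, 10)
                else if (index($i, "Version: ") == 1) ver = substr($i, 10)
                else if (index($i, "Status: ") == 1) status = substr($i, 9)
                else if (index($i, "Source: ") == 1) src = substr($i, 9)
            }
            sub(/ \(.*\)$/, "", src)   # "Source: name (version)" -> name
            if (src == "") src = pkg   # no Source field: same as package
            if (status != "install ok installed") next  # removed, config only
            if (pkg ~ pat || src ~ pat) print pkg, ver, src
        }
    ' "$1"
}

# Constructed sample in dpkg status format (not taken from a real image).
write_sample_status() {
    cat > "$1" <<'EOF'
Package: golang-1.15-go
Status: install ok installed
Source: golang-1.15
Version: 1.15.15-1~deb11u4

Package: golang-go
Status: install ok installed
Source: golang-defaults (2:1.15~2)
Version: 2:1.15~2

Package: golang-1.11-go
Status: deinstall ok config-files
Version: 1.11.6-1

Package: curl
Status: install ok installed
Version: 7.74.0-1.3
EOF
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp) && write_sample_status "$sample"
list_installed "$sample" '^golang'; rm -f "$sample"
```

The source package name in the third column is the one to look up on the Debian security tracker pages linked in the answer, since fixed versions are listed per source package.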

Install python 3.5 inside docker with a base image centos7

I am trying to install python 3.5 inside docker with a base image centos7. This is our Dockerfile
FROM base-centos7:0.0.8
# Install basic tools
RUN yum install -y which vim wget git gcc
# Install python 3.5
RUN yum install -y https://repo.ius.io/ius-release-el7.rpm \
&& yum update -y \
&& yum install -y python35u python35u-libs python35u-devel python35u-pip
RUN python3.5 -m pip install --upgrade pip
But during the build, docker build image is failing with the following errors
executor failed running [/bin/sh -c yum install -y https://repo.ius.io/ius-release-el7.rpm
&& yum update -y
&& sudo yum install -y python35u python35u-libs python35u-devel python35u-pip]: exit code: 127.
Can anyone guide me in resolving this issue, and why am I seeing this issue in the very first place?
You can use python image from docker hub
https://hub.docker.com/_/python
Example of dockerfile :
FROM python:3.6
RUN mkdir /code
WORKDIR /code
ADD . /code/
RUN pip install -r requirements.txt
EXPOSE 5000
CMD ["python", "/code/app.py"]
I think it's easy, isn't it?
the centos repo uses:
FROM centos/s2i-base-centos7
EXPOSE 8080
ENV PYTHON_VERSION=3.5 \
PATH=$HOME/.local/bin/:$PATH \
PYTHONUNBUFFERED=1 \
PYTHONIOENCODING=UTF-8 \
LC_ALL=en_US.UTF-8 \
LANG=en_US.UTF-8 \
PIP_NO_CACHE_DIR=off
RUN INSTALL_PKGS="rh-python35 rh-python35-python-devel rh-python35-python-setuptools rh-python35-python-pip nss_wrapper \
httpd24 httpd24-httpd-devel httpd24-mod_ssl httpd24-mod_auth_kerb httpd24-mod_ldap \
httpd24-mod_session atlas-devel gcc-gfortran libffi-devel libtool-ltdl enchant" && \
yum install -y centos-release-scl && \
yum -y --setopt=tsflags=nodocs install --enablerepo=centosplus $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
# Remove centos-logos (httpd dependency) to keep image size smaller.
rpm -e --nodeps centos-logos && \
yum -y clean all --enablerepo='*'
source here
The problem is not difficult; I build the image by changing
FROM base-centos7:0.0.8 ====> FROM centos:7
You can check the CentOS image versions at https://hub.docker.com/_/centos
PS: The container showed: error exited(1); you should focus on the main process.

Optimize docker image build size with curl

I need to install the latest version of curl in Docker.
When using the following, the docker size is ~140MB:
FROM debian:10.7
RUN apt-get update && \
apt-get install --no-install-recommends -y curl wget ca-certificates
This uses curl 7.64.
When using the following:
FROM debian:10.7
RUN apt-get update && \
apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
wget https://curl.se/download/curl-7.73.0.tar.gz && \
tar -xvf curl-7.73.0.tar.gz && cd curl-7.74.0 && \
./configure && make && make install && \
apt-get purge -y --auto-remove build-essential && \
The docker image size is 240MB. I've tried to remove the build essentials, which reduced the size from 440 to 240. Is there a way to remove this additional ~100MB?
In fact, you are close to the solution. The one thing you missed is deleting the curl source package.
So the following should reduce the image size:
FROM debian:10.7
RUN apt-get update && \
apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
wget https://curl.se/download/curl-7.73.0.tar.gz && \
tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
./configure && make && make install && \
apt-get purge -y --auto-remove build-essential && \
cd .. && rm -fr curl-7.73.0.tar.gz curl-7.73.0
Without Curl:
$ docker images abc:1
REPOSITORY TAG IMAGE ID CREATED SIZE
abc 1 d742bfdf5fa6 25 seconds ago 148MB
With curl & source package delete:
$ docker images abc:2
REPOSITORY TAG IMAGE ID CREATED SIZE
abc 2 afe3d404852a 27 minutes ago 151MB
Additionally, if you delete the apt cache with rm -rf /var/lib/apt/lists/* in the Dockerfile, it will be smaller:
$ docker images abc:3
REPOSITORY TAG IMAGE ID CREATED SIZE
abc 3 5530b0e9b44f 2 minutes ago 134MB
Another solution may be to use a multi-stage build: you could use ./configure --prefix=xxx to set a default install location, then stage1 is just used to build curl, while stage2 copies the xxx folder from stage1 to the final image.
You should include rm -rf /var/lib/apt/lists/* in your RUN instruction to remove apt index files, and you might include apt-get clean to remove any other remaining package files.
Apart from that, you could also try using the slim image version, according to Docker Hub debian:10.7-slim is almost half size (~24Mb vs ~48Mb)
Finally, you can execute du -h | sort -h on a container from your generated image to find out where is the remaining space usage.
Using a multi-stage build as suggested by atline:
FROM debian:10.7 AS builder
WORKDIR /app
RUN mkdir /app/usr2
RUN apt-get update && \
apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
wget https://curl.se/download/curl-7.73.0.tar.gz && \
tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
./configure --prefix=/app/usr2 && make install
FROM debian:10.7
RUN apt-get update && \
apt-get install --no-install-recommends -y wget ca-certificates &&\
rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/usr2/. /usr
Final size is 129MB

Azure CLI in a Docker Container

I have an Ubuntu 18.04 Docker image that I need Azure CLI installed in. For a Docker image, it seems the preferred way is to use pip, however, I have other pip Azure libraries needed in the container that overlap with the CLI install and get blown away because Azure CLI requires older versions; then making it so I can't run my python scripts.
I have tried to use the script installer but that hasn't worked and errored out because I believe the install is interactive.
The last option I can find is the manual apt install, though I am not sure this is a correct way nor do I have a good idea of how to replicate that in a Dockerfile.
Is there a preferred/good way of getting Azure CLI in a container not using pip?
FROM ubuntu:18.04
RUN apt-get update && apt-get -y upgrade && \
apt-get -f -y install curl python3-pip python-pip && \
pip3 install --upgrade pip && \
pip2 install --upgrade pip && \
pip3 install azure-storage-blob==12.3.0 && \
pip3 install azure-cli
I have a preference to use the package manager to install dependencies; that's why I would do something like this:
Add base dependencies for the https repository and curl
Add the gpg key and repository for the CLI
Add the CLI
This is the Dockerfile with those steps:
FROM ubuntu:18.04
RUN apt-get update && apt-get -y upgrade && \
apt-get -f -y install curl apt-transport-https lsb-release gnupg python3-pip python-pip && \
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/microsoft.asc.gpg && \
CLI_REPO=$(lsb_release -cs) && \
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ ${CLI_REPO} main" \
> /etc/apt/sources.list.d/azure-cli.list && \
apt-get update && \
apt-get install -y azure-cli && \
rm -rf /var/lib/apt/lists/*
In addition, I clean up the apt cache by removing /var/lib/apt/lists. It reduces the image size, since the apt cache is not stored in a layer.
See: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#option-1-install-with-one-command
RUN curl -LsS https://aka.ms/InstallAzureCLIDeb | bash && rm -rf /var/lib/apt/lists/*

yum in dockerfile - There are no enabled repos

I am having issues installing python3 with yum in a Dockerfile. I looked on the internet and tried a few things, but nothing is working. It's just a small thing, but I am not able to figure it out. When I try to build the Dockerfile below, I get an error at this line:
RUN yum install -y oracle-epel-release-el7
There are no enabled repos.
Run "yum repolist all" to see the repos you have.
You can enable repos with yum-config-manager --enable <repo>
The docker file is below.
FROM openjdk:13-jdk-slim
ARG MAVEN_VERSION=3.6.3
ARG USER_HOME_DIR="/root"
ARG SHA=c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0
ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries
# Install prerequisites
RUN apt-get update && apt-get install -y curl
RUN apt-get update && apt-get install -y yum
RUN mkdir -p /usr/share/maven /usr/share/maven/ref \
&& curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& echo "${SHA} /tmp/apache-maven.tar.gz" | sha512sum -c - \
&& tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1 \
&& rm -f /tmp/apache-maven.tar.gz \
&& ln -s /usr/share/maven/bin/mvn /usr/bin/mvn
ENV MAVEN_HOME /usr/share/maven
ENV MAVEN_CONFIG "$USER_HOME_DIR/.m2"
# Install Python 3.6
RUN yum install -y oracle-epel-release-el7
RUN yum install -y python36
# Install AWS CLI
RUN pip3 install awscli
CMD ["/bin/bash"]
Why mix apt and yum? You're already using apt-get, just use it to install your python too:
apt-get install python3.6
