```dockerfile
FROM php:8.1-apache
RUN apt-get update
...
...
RUN docker-php-ext-install mysqli pdo_mysql && docker-php-ext-enable mysqli pdo_mysql
# --- extensions added to the Dockerfile (the lines highlighted in the original post) ---
RUN docker-php-ext-install exif && docker-php-ext-enable exif
RUN apt-get update && apt-get install -y --no-install-recommends libmagickwand-dev && rm -rf /var/lib/apt/lists/*
# install imagick
# Version is not officially released at https://pecl.php.net/get/imagick but the following works for PHP 8
RUN mkdir -p /usr/src/php/ext/imagick; \
    curl -fsSL https://github.com/Imagick/imagick/archive/06116aa24b76edaf6b1693198f79e6c295eda8a9.tar.gz | tar xvz -C "/usr/src/php/ext/imagick" --strip 1; \
    docker-php-ext-install imagick;
# install some base extensions
RUN apt-get update && apt-get install -y \
    zlib1g-dev \
    libzip-dev
RUN docker-php-ext-install zip
# gd
#RUN docker-php-ext-install gd && docker-php-ext-enable gd
RUN docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \
    && docker-php-ext-install gd
# intl
RUN apt-get -y update \
    && apt-get install -y libicu-dev \
    && docker-php-ext-configure intl \
    && docker-php-ext-install intl
# --- end of added extensions ---
RUN a2enmod rewrite
```
Once the Docker image is built and pushed to ECR, I'm getting 1 critical finding in the Vulnerability part; this happens after adding the modules to the Dockerfile. Can anyone help me reduce the size and tell me which image to use?
I have the following Dockerfile:
```dockerfile
FROM debian:stable
# Avoid warnings by switching to noninteractive
ENV DEBIAN_FRONTEND=noninteractive
#Versions
ENV HELM_VERSION=v3.10.0
ENV KUBECTL_VERSION=v1.20.9
ENV MAVEN_OPTS="-Djavax.net.ssl.trustStore=/cicd/assets/truststore.jks"
ENV TERRAFORM_VERSION=1.2.0
ENV GOLANG_VERSION=1.19.1
ENV TERRAGRUNT_VERSION=v0.38.7
RUN set -xe \
    && apt-get update -y \
    && apt-get install -y python3-pip
RUN apt-get install -y zip unzip
#Copy python requirements file
COPY requirements.txt /tmp/pip-tmp/
# Makes the Ansible directories
RUN mkdir /etc/ansible /ansible
RUN mkdir ~/.ssh
# Configure apt and install python packages
RUN apt-get update -y -q \
    && apt-get upgrade -y -q \
    && apt-get install -y wget \
    && apt-get -y install --no-install-recommends apt-utils dialog 2>&1 \
    && apt-get install -y --no-install-recommends apt-utils \
    && apt-get -y install ca-certificates software-properties-common build-essential curl git gettext-base maven sshpass krb5-user \
    && pip --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt \
    && apt-get -y install jq \
    && rm -rf /tmp/pip-tmp
#Install helm
RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz \
    && tar -zxvf helm-${HELM_VERSION}-linux-amd64.tar.gz \
    && mv linux-amd64/helm /usr/local/bin/helm
#Install kubectl
RUN curl --silent https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl \
    && chmod +x /usr/local/bin/kubectl
#Install Docker CLI (docker/compose release tags carry a leading "v")
RUN curl -sSL https://get.docker.com/ | sh \
    && curl -L "https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose \
    && chmod +x /usr/local/bin/docker-compose
#Install AWS CLI
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
    && unzip awscliv2.zip \
    && ./aws/install
#Copy Assets
#RUN mkdir -p /cicd
#COPY assets /cicd
#Install helm plugins
#RUN helm plugin add https://github.com/databus23/helm-diff
#RUN helm plugin install /cicd/helm-nexus-push
# Downloading gcloud package
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
# Installing the package
RUN mkdir -p /usr/local/gcloud \
    && tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
    && /usr/local/gcloud/google-cloud-sdk/install.sh
# Adding the package path to local
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
RUN cd /tmp && \
    wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
    unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && \
    rm -rf /tmp/*
RUN cd /tmp && \
    wget https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz && \
    tar -xzf go${GOLANG_VERSION}.linux-amd64.tar.gz -C /usr/local && \
    rm -rf /tmp/*
RUN cd /tmp && \
    wget https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 && \
    mv terragrunt_linux_amd64 /usr/local/bin/terragrunt && \
    chmod +x /usr/local/bin/terragrunt && \
    rm -rf /tmp/*
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
ENV GOPATH=/usr/local/go
ENV PATH=/usr/local/go/bin:$PATH
ENV CGO_ENABLED=0
RUN go version
RUN terraform --version
RUN terragrunt --version
RUN ansible --version
CMD bash
```
I build the Docker image and upload it to Google Artifact Registry, but I always come across security vulnerabilities. I have tried to fix them, but unfortunately I'm unable to fix the security vulnerabilities. Please look at the critical errors and let me know how I can fix this. Any recommendation is appreciated. Thank you.
It looks like the Dockerfile is installing a specific version of golang by hand into "/usr/local" rather than using the Debian package manager. According to the info at https://security-tracker.debian.org/tracker/CVE-2021-38297, that bug is fixed in 1.17.3-3 and the Dockerfile is using 1.19.1. So perhaps there is an old golang installation in the base image ... and that is what the scanner is picking up. Check that, and if necessary apt install a newer version.
Likewise, https://security-tracker.debian.org/tracker/CVE-2022-23806 should be fixed by a newer version of golang. See the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2015-20107 could be fixed by upgrading to Python 3.10.6-1 or later.
https://security-tracker.debian.org/tracker/CVE-2019-19814 doesn't appear to have a fix from upstream, so there is nothing you can do about it except not use f2fs.
https://security-tracker.debian.org/tracker/CVE-2022-29599 can be fixed by updating the maven-shared-utils package; see the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2022-1996 has a fix upstream but it is awaiting triage by the Debian team.
In summary, some of the vulnerabilities can be fixed, but for a couple of them no fix is readily available. So:
1. Apply the fixes that are available.
2. Then read the CVEs and accompanying explanations and a) make a judgement whether they represent a risk that you can take, and b) figure out if you can mitigate the risk, e.g. by locking down access to the running Docker container.
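The answer's first suggestion is to check whether a second, older Go toolchain is hiding in the base image. The script below is an added illustration of that check and is not from the answer's author: it walks the filesystem for every `*/bin/go`, prints the version each one reports, whether dpkg owns it, and whether it is below a minimum version. The 1.17.3 threshold comes from the answer above; the search path, output layout and the `--run` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original answer): audit every Go toolchain
# present in an image and flag the ones older than the version the Debian
# tracker lists as fixed. The 1.17.3 threshold is taken from the answer above;
# the search paths and output format are assumptions for illustration.

# version_ge A B: succeed when version A is >= version B (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# parse_go_version "go version go1.19.1 linux/amd64" -> 1.19.1
parse_go_version() {
    printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# classify VERSION MIN: print "ok" when VERSION >= MIN, "VULNERABLE" otherwise.
classify() {
    if version_ge "$1" "$2"; then echo ok; else echo VULNERABLE; fi
}

# audit_go_installs MIN: find every */bin/go binary on the filesystem (a
# hand-extracted tarball in /usr/local and a dpkg-managed toolchain can
# coexist), print its version, owning package (or "unpackaged") and status.
# Returns 1 if any toolchain is below MIN.
audit_go_installs() {
    min="$1"
    rc=0
    for bin in $(find / -type f -name go -path '*/bin/go' 2>/dev/null); do
        ver=$(parse_go_version "$("$bin" version 2>/dev/null)")
        [ -n "$ver" ] || continue
        owner=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1)
        status=$(classify "$ver" "$min")
        printf '%-40s %-10s %-14s %s\n' "$bin" "$ver" "${owner:-unpackaged}" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Run the audit only when invoked as a script with --run, e.g. inside the image:
#   docker run --rm --entrypoint sh my-image /audit-go.sh --run 1.17.3
if [ "${1:-}" = "--run" ]; then
    audit_go_installs "${2:-1.17.3}"
fi
```

A toolchain reported as `unpackaged` is one the scanner may still see even after `apt install` of a newer package, because it was extracted by hand rather than installed through dpkg; that is exactly the situation the answer describes for `/usr/local/go`.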
I am trying to install the python version 3.8.5 on the base nginx image on the Dockerfile and getting the error message. Could you please help me to resolve the issue?
```dockerfile
FROM nginx
RUN apt-get update && \
    apt-get install -y \
        wget \
        make \
        gcc \
        xxd \
        curl \
        libcap2-bin \
        zlib1g-dev \
    && apt-get clean
RUN wget https://www.python.org/ftp/python/3.8.5/Python-3.8.5.tgz \
    && tar -xvf Python-3.8.5.tgz && cd Python-3.8.5 \
    && ./configure --enable-shared \
    && make \
    && make test \
    && make install
```
Output:
```text
FAILED (errors=1, skipped=94)
tests failed again:
test_asyncio test_socket
```
I need to install the latest version of curl in Docker.
When using the following, the Docker image size is ~140MB:
```dockerfile
FROM debian:10.7
RUN apt-get update && \
    apt-get install --no-install-recommends -y curl wget ca-certificates
```
This uses curl 7.64.
When using the following:
```dockerfile
FROM debian:10.7
RUN apt-get update && \
    apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
    wget https://curl.se/download/curl-7.73.0.tar.gz && \
    tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
    ./configure && make && make install && \
    apt-get purge -y --auto-remove build-essential
```
the Docker image size is 240MB. I've tried to remove the build essentials, which reduced the size from 440 to 240. Is there a way to remove this additional ~100MB?
In fact, you are close to the solution. The one thing you missed is deleting the curl source package.
So the next one should make the image smaller:
```dockerfile
FROM debian:10.7
RUN apt-get update && \
    apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
    wget https://curl.se/download/curl-7.73.0.tar.gz && \
    tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
    ./configure && make && make install && \
    apt-get purge -y --auto-remove build-essential && \
    cd .. && rm -fr curl-7.73.0.tar.gz curl-7.73.0
```
Without curl:
```text
$ docker images abc:1
REPOSITORY   TAG   IMAGE ID       CREATED          SIZE
abc          1     d742bfdf5fa6   25 seconds ago   148MB
```
With curl and the source package deleted:
```text
$ docker images abc:2
REPOSITORY   TAG   IMAGE ID       CREATED          SIZE
abc          2     afe3d404852a   27 minutes ago   151MB
```
Additionally, if you delete the apt cache with `rm -rf /var/lib/apt/lists/*` in the Dockerfile, it will be smaller:
```text
$ docker images abc:3
REPOSITORY   TAG   IMAGE ID       CREATED         SIZE
abc          3     5530b0e9b44f   2 minutes ago   134MB
```
Another solution may be to use a multi-stage build: you could use `./configure --prefix=xxx` to set a default install location, then stage 1 is used only to build curl, while stage 2 copies the xxx folder from stage 1 into the final image.
You should include `rm -rf /var/lib/apt/lists/*` in your RUN instruction to remove the apt index files, and might include `apt-get clean` to remove any other remaining package files.
Apart from that, you could also try using the slim image version; according to Docker Hub, debian:10.7-slim is almost half the size (~24MB vs ~48MB).
Finally, you can execute `du -h | sort -h` in a container from your generated image to find out where the remaining space is used.
Using a multi-stage build as suggested by atline:
```dockerfile
FROM debian:10.7 AS builder
WORKDIR /app
RUN mkdir /app/usr2
RUN apt-get update && \
    apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
    wget https://curl.se/download/curl-7.73.0.tar.gz && \
    tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
    ./configure --prefix=/app/usr2 && make install
FROM debian:10.7
RUN apt-get update && \
    apt-get install --no-install-recommends -y wget ca-certificates && \
    rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/usr2/. /usr
```
Final size is 129MB.
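The three answers in this thread each point at one thing a layer leaves behind: the extracted source tree, the apt index, and the build toolchain. As an added example, not written by any of the posters, here is a small shell/awk check that scans a Dockerfile for those patterns (plus an untagged base image, which makes scan results drift between builds). It joins `\` continuation lines so each RUN is examined as one command; the two sample Dockerfiles inside it are constructed for this example, one in the style of the question and one in the style of the accepted fix.

```shell
#!/bin/sh
# Added example (not from any answer in this thread): a Dockerfile hygiene
# check for the bloat and drift patterns discussed above. Both sample
# Dockerfiles below are constructed for this example.

# lint_dockerfile FILE: print "line N: <finding>" per issue; exit 1 if any.
# Continuation lines are joined so each RUN is examined as one logical command.
# Findings inside the builder stage of a multi-stage build are informational,
# since that stage is not shipped.
lint_dockerfile() {
    awk '
    function flag(msg) { findings++; printf "line %d: %s\n", start, msg }
    /\\$/ {                                  # continuation line: buffer it
        if (!start) start = NR
        buf = buf substr($0, 1, length($0) - 1) " "
        next
    }
    {
        if (!start) start = NR
        buf = buf $0
        if (buf ~ /^FROM/ && buf !~ /:[^ ]+/)
            flag("base image has no tag; pin a version so scan results are reproducible")
        if (buf ~ /^RUN/) {
            if (buf ~ /apt-get install/ && buf !~ /apt-get update/)
                flag("apt-get install without apt-get update in the same layer (stale index)")
            if (buf ~ /apt-get install/ && buf !~ /--no-install-recommends/)
                flag("apt-get install without --no-install-recommends")
            if (buf ~ /apt-get install/ && buf !~ /rm -rf \/var\/lib\/apt\/lists/)
                flag("apt index left in the layer; add rm -rf /var/lib/apt/lists/*")
            if (buf ~ /(wget|curl)[^&]*\.(tar\.gz|tgz|tar\.xz|zip)/ && buf !~ / rm /)
                flag("downloaded archive not removed in the same layer")
            if (buf ~ /install[^&]*build-essential/ && buf !~ /purge[^&]*build-essential/)
                flag("build toolchain installed and not purged in this layer; prefer a multi-stage build")
        }
        buf = ""; start = 0
    }
    END { exit findings > 0 ? 1 : 0 }
    ' "$1"
}

# Constructed sample in the style of the question: every layer leaves something behind.
sample_bloated_dockerfile() {
    cat <<'EOF'
FROM debian:10.7
RUN apt-get update && \
    apt-get install --yes --no-install-recommends wget build-essential ca-certificates && \
    wget https://curl.se/download/curl-7.73.0.tar.gz && \
    tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
    ./configure && make && make install
RUN apt-get install -y jq
EOF
}

# Constructed sample in the style of the accepted fix: nothing to report.
sample_lean_dockerfile() {
    cat <<'EOF'
FROM debian:10.7-slim
RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates jq && \
    rm -rf /var/lib/apt/lists/*
EOF
}

# Usage: sh lint.sh Dockerfile      (or "sh lint.sh --demo" to lint the bloated sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_bloated_dockerfile > "$tmp"
    lint_dockerfile "$tmp"; rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    lint_dockerfile "$1"
fi
```

Run against the bloated sample it reports six findings (three for each RUN); against the lean sample it prints nothing and exits 0, which makes it usable as a CI gate in front of the image scanner.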
The following is my code for Docker:
```dockerfile
FROM python:3.6.2-jessie
## Prepare apt-get:
RUN echo "debconf debconf/frontend select Noninteractive" | debconf-set-selections && \
    apt-get update -qy && \
    apt-get upgrade -qy && \
    apt-get clean autoclean && \
    apt-get install wkhtmltopdf -y && \
    apt-get autoremove -y && \
    apt-get install python3-setuptools -qy && \
    apt-get install python3-dev -qy && \
    apt-get install python3-pip -qy && \
    apt-get install build-essential -qy && \
    apt-get -y install openssh-client -qy && \
    apt-get clean
RUN pip3 install --upgrade pip
RUN pip3 install pandas
RUN pip3 install psycopg2==2.7.3.2
RUN pip3 install pdfkit
```
When I run the following command,
```shell
docker run my_image python3 pdfkit.py
```
I get the following error:
```text
OSError: wkhtmltopdf exited with non-zero code -6. error: The switch
--viewport-size, is not support using unpatched qt, and will be ignored.The switch --disable-smart-shrinking, is not support using
unpatched qt, and will be ignored.QXcbConnection: Could not connect to
display
```
Try the following:
```dockerfile
RUN curl -L#o wk.tar.xz https://downloads.wkhtmltopdf.org/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz \
    && tar xf wk.tar.xz \
    && cp wkhtmltox/bin/wkhtmltopdf /usr/bin \
    && cp wkhtmltox/bin/wkhtmltoimage /usr/bin \
    && rm wk.tar.xz \
    && rm -r wkhtmltox
```
rather than installing directly using `apt-get install wkhtmltopdf -y`.
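The answer replaces a distro package with a tarball fetched over HTTPS, which is the same pattern the other Dockerfiles on this page use for helm, terraform, go and curl. The difference from a package is that nothing checks what was downloaded. Below is an added example, not from the answer's author, of gating the extraction on a SHA-256 recorded in the Dockerfile: the URL is the one from the answer, but the checksum in the usage comment is a placeholder that must be replaced with the value published by the project, and `fetch_verified`, `verify_sha256` and `sha256_of` are helper names chosen for this example. In a Dockerfile these functions would live in a script copied into the build or be inlined in a single RUN.

```shell
#!/bin/sh
# Added example (not from the answer above): download a release archive and
# refuse to unpack it unless its SHA-256 matches a value recorded in the
# Dockerfile. The checksum shown in the usage comment is a placeholder.

# sha256_of FILE: print the hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only when the digest matches
# (the expected value may be given in either case).
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_SHA256 OUT: download with curl, verify, and delete
# the file on mismatch so a later build step cannot use it by accident.
fetch_verified() {
    url=$1; expected=$2; out=$3
    curl -fsSL "$url" -o "$out" || return 1
    if verify_sha256 "$out" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $url" >&2
    rm -f "$out"
    return 1
}

# Example invocation (the install from the answer, now gated on the checksum):
#   WK_URL=https://downloads.wkhtmltopdf.org/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
#   WK_SHA256=<PLACEHOLDER: sha256 published with the release>
#   fetch_verified "$WK_URL" "$WK_SHA256" wk.tar.xz \
#     && tar xf wk.tar.xz \
#     && cp wkhtmltox/bin/wkhtmltopdf wkhtmltox/bin/wkhtmltoimage /usr/bin \
#     && rm -r wk.tar.xz wkhtmltox
```

Because `curl -f` fails on an HTTP error and the verifier deletes a mismatched file, a substituted or truncated download stops the build instead of silently producing an image with an unknown binary in `/usr/bin`.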
I need to use a container with nginx and nodejs, so I take the nginx container and install node:
```dockerfile
FROM nginx
ENV DEBIAN_FRONTEND noninteractive
WORKDIR /usr/src/app
VOLUME /usr/src/app
RUN apt-get update && \
    apt-get install -y apt-utils && \
    apt-get install -y --no-install-recommends curl sudo wget nano && \
    curl -sL https://deb.nodesource.com/setup_6.x | bash - && \
    apt-get install -y nodejs git build-essential && \
    whereis npm && \
    npm install grunt grunt-cli bower -g
```
`whereis` returns nothing but `npm:`, and `npm install ...` crashes the build process. So where is my mistake? Is there a bug or anything? BTW, I'm using the latest docker-compose and Docker version 17.03.1-ce, build c6d412e.
Update 1: it is not a dupe of this question; I'm only using one RUN line:
```dockerfile
FROM nginx
RUN \
    echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
    apt-get update && \
    apt-get install -y apt-utils && \
    apt-get upgrade -y && \
    apt-get update --fix-missing && \
    apt-get install -y curl sudo wget nano git build-essential
# Install NodeJS
RUN \
    wget https://deb.nodesource.com/setup_6.x && \
    chmod +x setup_6.x && \
    ./setup_6.x && \
    apt-get install -y nodejs && \
    npm install grunt grunt-cli
```