Develop Reference

Fixing security vulnerabilities in docker image

I have the following docker file
FROM debian:stable
# Avoid warnings by switching to noninteractive
ENV DEBIAN_FRONTEND=noninteractive
#Versions
ENV HELM_VERSION=v3.10.0
ENV KUBECTL_VERSION=v1.20.9
ENV MAVEN_OPTS="-Djavax.net.ssl.trustStore=/cicd/assets/truststore.jks"
ENV TERRAFORM_VERSION=1.2.0
ENV GOLANG_VERSION=1.19.1
ENV TERRAGRUNT_VERSION=v0.38.7
RUN set -xe \
&& apt-get update -y \
&& apt-get install -y python3-pip
RUN apt-get install zip unzip
#Copy python requirements file
COPY requirements.txt /tmp/pip-tmp/
# Makes the Ansible directories
RUN mkdir /etc/ansible /ansible
RUN mkdir ~/.ssh
# Configure apt and install python packages
RUN apt-get update -y -q \
&& apt-get upgrade -y -q \
&& apt-get install -y wget \
&& apt-get -y install --no-install-recommends apt-utils dialog 2>&1 \
&& apt-get install -y --no-install-recommends apt-utils \
&& apt-get -y install ca-certificates software-properties-common build-essential curl git gettext-base maven sshpass krb5-user \
&& pip --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt \
&& apt-get -y install jq \
&& rm -rf /tmp/pip-tmp
#Install helm
RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz \
&& tar -zxvf helm-${HELM_VERSION}-linux-amd64.tar.gz \
&& mv linux-amd64/helm /usr/local/bin/helm
#Install kubectl
RUN curl --silent https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl \
&& chmod +x /usr/local/bin/kubectl
#Install Docker CLI
RUN curl -sSL https://get.docker.com/ | sh \
&& curl -L "https://github.com/docker/compose/releases/download/2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose \
&& chmod +x /usr/local/bin/docker-compose
#Install AWS CLI
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip awscliv2.zip \
&& ./aws/install
#Copy Assets
#RUN mkdir -p /cicd
#COPY assets /cicd
#Install helm plugins
#RUN helm plugin add https://github.com/databus23/helm-diff
#RUN helm plugin install /cicd/helm-nexus-push
# Downloading gcloud package
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
# Installing the package
RUN mkdir -p /usr/local/gcloud \
&& tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
&& /usr/local/gcloud/google-cloud-sdk/install.sh
# Adding the package path to local
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
RUN cd /tmp && \
wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && \
rm -rf /tmp/*
RUN cd /tmp && \
wget https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz && \
tar -xzf go${GOLANG_VERSION}.linux-amd64.tar.gz -C /usr/local && \
rm -rf /tmp/*
RUN cd /tmp && \
wget https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 && \
mv terragrunt_linux_amd64 /usr/local/bin/terragrunt && \
chmod +x /usr/local/bin/terragrunt && \
rm -rf /tmp/*
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
ENV GOPATH=/usr/local/go
ENV PATH=/usr/local/go/bin:$PATH
ENV CGO_ENABLED=0
RUN go version
RUN terraform --version
RUN terragrunt --version
RUN ansible --version
CMD bash
I build the docker image and upload it to google artifact registry, but I always come across security vulnerabilities I have tried to fix it but unfortunately I'm unable to fix the security vulnerabilities. Please look at the critical errors and let me know how I can fix this, Any recommendation is appreciated. Thank You.

It looks like the DockerFile is trying to a specific version of golang by hand into "/usr/local" rather than using the Debian package manager. According to the info at https://security-tracker.debian.org/tracker/CVE-2021-38297, that bug is fixed in 1.17.3-3 and the Dockerfile are using 1.19.1. So perhaps there is an old golang installation in the base image ... and that is what the scanner is picking up. Check that, and if necessary apt install a newer version.
Likewise, https://security-tracker.debian.org/tracker/CVE-2022-23806 should be fixed by a newer version of golang. See the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2015-20107 could be fixed by upgrading to Python 3.10.6-1 or later.
https://security-tracker.debian.org/tracker/CVE-2019-19814 doesn't appear to have a fix from upstream, so there is nothing you can do about it except not use f2fs.
https://security-tracker.debian.org/tracker/CVE-2022-29599 can be fixed by updating the maven-shared-utils package; see the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2022-1996 has a fix upstream but it is awaiting triage by the Debian team.
In summary, some of the vulnerabilities can be fixed, but for a couple of them no fix is readily available. So:
Apply the fixes that are available.
Then read the CVEs and accompanying explanations and 1) make a judgement whether they represent a risk that you can take, and 2) figure out if you can mitigate the risk; e.g. by locking down access to the running Docker container.

Docker image for python3.5 and ubuntu 16.04

I am trying to create a docker image for python 3.5 and Ubuntu 16.04.
I have created the docker file but at the time of requirement installation using pip the package "psycopg2" is giving the error.
psycopg2 needs Postgres installed in.
Dockerfile
FROM ubuntu:16.04
# bring system up-to-date
RUN apt-get update -qq && \
apt-get upgrade -qqy
RUN apt-get update && apt-get install software-properties-common python-software-properties
RUN add-apt-repository ppa:jonathonf/python-3.6
RUN apt-get update
RUN apt-get install -y libpq-dev build-essential python3.6 python3.6-dev python3-pip python3.6-venv
RUN apt-get install -y git
# update pip
RUN python3.6 -m pip install pip --upgrade
RUN python3.6 -m pip install wheel
RUN apt-get install -y wget
RUN apt-get install bzip2
RUN rm -rf /usr/share/fonts/truetype/*
RUN apt-get update && apt-get install -y --force-yes gettext libgettextpo-dev fontconfig
# install phantom js
RUN mkdir -p /usr/share && \
cd /usr/share \
&& wget -O phantomjs.tar.bz2 https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2 && tar xvfj phantomjs.tar.bz2 && mv phantomjs-2.1.1-linux-x86_64 phantomjs && rm -rf phantomjs.tar.bz2
RUN echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" | debconf-set-selections \
&& apt-get update \
&& apt-get install -y ttf-mscorefonts-installer
COPY ./helvetica /usr/share/fonts/truetype/msttcorefonts
RUN fc-cache -f -v
RUN fc-list | grep -i 'helvetica'
# Requirements have to be pulled and installed here, otherwise caching won't work
COPY ./requirements /requirements
RUN pip3 install -r /requirements/local.txt
COPY ./compose/production/django/entrypoint.sh /entrypoint.sh
RUN sed -i 's/\r//' /entrypoint.sh
RUN chmod +x /entrypoint.sh
COPY ./compose/local/django/start.sh /start.sh
RUN sed -i 's/\r//' /start.sh
RUN chmod +x /start.sh
COPY ./compose/local/django/celery/worker/start.sh /start-celeryworker.sh
RUN sed -i 's/\r//' /start-celeryworker.sh
RUN chmod +x /start-celeryworker.sh
COPY ./compose/local/django/celery/beat/start.sh /start-celerybeat.sh
RUN sed -i 's/\r//' /start-celerybeat.sh
RUN chmod +x /start-celerybeat.sh
WORKDIR /app
ENTRYPOINT ["/entrypoint.sh"]
Is there an available docker image for ubuntu 16.04 and python3.5?

Docker Volume overwriting file permissions

I have a Dockerfile where I bring in some files and change permissions.
I also have a docker-compose that creates a volume for nodemon to watch. I believe that these volumes are overwriting the permissions that I set. When I remove the volumes the app works but I don't get the server restarting. When the volumes are there the app crashes due to permissions. I've tried creating the volume first but perhaps I was doing that wrong.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl sudo
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs && \
apt-get install --yes build-essential
RUN apt-get install --yes npm
#VOLUME "/usr/local/app"
# Set up C++ dev env
RUN apt-get update && \
apt-get dist-upgrade -y && \
apt-get install gcc-multilib g++-multilib cmake wget -y && \
apt-get clean autoclean && \
apt-get autoremove -y
#wget -O /tmp/conan.deb -L https://github.com/conan-io/conan/releases/download/0.25.1/conan-ubuntu-64_0_25_1.deb && \
#dpkg -i /tmp/conan.deb
#ADD ./scripts/cmake-build.sh /build.sh
#RUN chmod +x /build.sh
#RUN /build.sh
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs sudo
RUN mkdir -p /usr/local/app
WORKDIR /usr/local/app
COPY package.json /usr/local/app
RUN ["npm", "install"]
RUN npm install --global nodemon
COPY . .
RUN echo "/usr/local/app/dm" > /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/lib/x86_64-linux-gnu" >> /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/local/lib64" >> /etc/ld.so.conf.d/mythrift.conf
RUN ldconfig
EXPOSE 9090
RUN ["chmod", "+x", "dm/dm3"]
RUN ["chmod", "777", "policy"]
RUN ls -al .
RUN npm -v
RUN node -v
notice at the end where i'm changing permissions.
version: '3'
services:
web:
build: .
volumes:
- .:/usr/local/app/
- /usr/app/node_modules
command: nodemon
ports:
- "3000:3000"

When you mount volumes into a docker container, the files inside are on a lower layer so they are hidden.
In your case, /usr/local/app from the Dockerfile is hidden. Its contents are the files from the host machine (the parent directory of docker-compose.yml). You should set the permissions in the host machine.

Dockerfile ubuntu only installs node version 4.2

This dockerfile installs nodejs version 4.2 and I cant understand why. could someone please help me install node 9.2. i've tried taking out the -- no install-recommends command to no avail.
adding more text her because stack would not let me post this even though it is a very simple question that I've looked on the web for quite some time about to no avail.adding more text her because stack would not let me post this even though it is a very simple question that I've looked on the web for quite some time about to no avail.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl sudo
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs && \
apt-get install --yes build-essential
RUN apt-get install --yes npm
#VOLUME "/usr/local/app"
# Set up C++ dev env
RUN apt-get update && \
apt-get dist-upgrade -y && \
apt-get install gcc-multilib g++-multilib cmake wget -y && \
apt-get clean autoclean && \
apt-get autoremove -y
#wget -O /tmp/conan.deb -L https://github.com/conan-io/conan/releases/download/0.25.1/conan-ubuntu-64_0_25_1.deb && \
#dpkg -i /tmp/conan.deb
#ADD ./scripts/cmake-build.sh /build.sh
#RUN chmod +x /build.sh
#RUN /build.sh
RUN mkdir -p /usr/local/app
WORKDIR /usr/local/app
COPY package.json /usr/local/app
RUN ["npm", "install"]
COPY . .
RUN echo "/usr/local/app/dm" > /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/lib/x86_64-linux-gnu" >> /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/local/lib64" >> /etc/ld.so.conf.d/mythrift.conf
RUN ldconfig
RUN chmod +x dm/dm3
RUN ldd dm/dm3
RUN ["chmod", "+x", "dm/dm3"]
RUN ["chmod", "777", "policy"]
RUN ls -al .
RUN ["nodejs", "-v"]
CMD ["nodejs", "-v"]

EDIT
Apparently it's important for the OP to run exactly this version of ubuntu. Here's a sample that builds on top of FROM ubuntu:16.04:
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --reinstall ca-certificates curl build-essential \
&& curl -s https://nodejs.org/dist/v9.9.0/node-v9.9.0-linux-x64.tar.xz \
-o node-v9.9.0-linux-x64.tar.xz && tar xf node-v9.9.0-linux-x64.tar.xz \
&& cd node-v9.9.0-linux-x64 && cp -r bin include lib share /usr/local \
&& rm -rf /node-v9.9.0-linux-x64.tar.xz /node-v9.9.0-linux-x64
CMD ["node", "-v"]
Build
docker build -t testing .
Test
docker run testing
v9.9.0
Note that this only takes care of the node related things and don't take into account all the other dependencies.

The reason you are getting node 4 is because apt-get only installs the default version of a package which will never be the cutting edge latest.
Whilst this issue is present in a Docker container, it is not specific to Docker as it will happen on any Ubuntu installation, both inside or outside of Docker.
To get the latest version you have 2 options.
(1) Install using a PPA:
cd ~
curl -sL https://deb.nodesource.com/setup_9.x -o nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt-get install nodejs
nodejs -v
(2) Install using Node Version Manager (nvm)
The latter is great because it lets you install multiple versions of Node and jump between them very quickly.
Here's a link to an amazing Digital Ocean article on this very topic:
https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-16-04
Here's a link to NVM ... https://github.com/creationix/nvm

Create a nodejs container Docker based on ubuntu

I used the official nodejs image to create a docker container that run a nodejs app.
But now I want to create the same docker but my own base on ubuntu:14.04 but it doesn't work
Dockerfile mynode
FROM ubuntu:14.04
RUN apt-get update -y
RUN apt-get upgrade -y
RUN apt-get install nodejs -y
RUN apt-get install nodejs-legacy -y
RUN apt-get install npm -y
RUN npm install -g nodemon
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY ./prj/package.json /usr/src/app/
RUN npm install
ADD ./prj /usr/src/app
EXPOSE 9977
# Run app using nodemon
CMD ["nodemon", "/usr/src/app/app.js"]
If I change the line from ubuntu:14.04 to node it works well.
But now if I use a docker-compose to build and run the container it doesn't work.
node:
restart: always
build: ./mynodeFolder
ports:
- "9977:9977"
I have the error :
Now if I use the image build with the mynode DockerFile and use docker run -it --rm myNewContainer bash and then start my app using nodemon it works perfectly !
So everything is well installed and packed within the my dockerimage, so why it doesn't work when build with the docker-compose
It works now when i use this DockerFile
# Set the base image to Ubuntu
FROM ubuntu:14.04
#FOR DEBUGGING
RUN apt-get update -y
RUN apt-get upgrade -y
RUN apt-get install nodejs -y
RUN apt-get install nodejs-legacy -y
RUN apt-get install npm -y
# Install nodemon
RUN npm install -g nodemon
# Provides cached layer for node_modules
RUN mkdir -p /usr/src/app
# Define working directory
WORKDIR /usr/src/app
ADD ./prj /usr/src/app
RUN npm install
# Expose port
EXPOSE 9977
# Run app using nodemon
CMD ["nodemon", "/usr/src/app/app.js"]

Here is the Dockerfile for the official node image:
https://github.com/nodejs/docker-node/blob/5d433ece4d221fac7e38efbec25ffea2dea56286/5.2/Dockerfile
RUN set -ex && for key in 9554F04D7259F04124DE6B476D5A82AC7E37093B 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 0034A06D9D9B0064CE8ADF6BF1747F4AD2306D93 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D ; do gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; done
ENV NPM_CONFIG_LOGLEVEL=info
ENV NODE_VERSION=5.2.0
RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.gz" && curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" && gpg --verify SHASUMS256.txt.asc && grep " node-v$NODE_VERSION-linux-x64.tar.gz\$" SHASUMS256.txt.asc | sha256sum -c - && tar -xzf "node-v$NODE_VERSION-linux-x64.tar.gz" -C /usr/local --strip-components=1 && rm "node-v$NODE_VERSION-linux-x64.tar.gz" SHASUMS256.txt.asc
CMD "node"
If you go to http://imagelayers.io, you can see the combined Dockerfile for the image, including the buildpack-deps:jessie base image:
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl wget && rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install -y --no-install-recommends bzr git mercurial openssh-client subversion procps && rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install -y --no-install-recommends autoconf automake bzip2 file g++ gcc imagemagick libbz2-dev libc6-dev libcurl4-openssl-dev libevent-dev libffi-dev libgeoip-dev libglib2.0-dev libjpeg-dev liblzma-dev libmagickcore-dev libmagickwand-dev libmysqlclient-dev libncurses-dev libpng-dev libpq-dev libreadline-dev libsqlite3-dev libssl-dev libtool libwebp-dev libxml2-dev libxslt-dev libyaml-dev make patch xz-utils zlib1g-dev && rm -rf /var/lib/apt/lists/*
RUN set -ex && for key in 9554F04D7259F04124DE6B476D5A82AC7E37093B 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 0034A06D9D9B0064CE8ADF6BF1747F4AD2306D93 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D ; do gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; done
ENV NPM_CONFIG_LOGLEVEL=info
ENV NODE_VERSION=5.2.0
RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.gz" && curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" && gpg --verify SHASUMS256.txt.asc && grep " node-v$NODE_VERSION-linux-x64.tar.gz\$" SHASUMS256.txt.asc | sha256sum -c - && tar -xzf "node-v$NODE_VERSION-linux-x64.tar.gz" -C /usr/local --strip-components=1 && rm "node-v$NODE_VERSION-linux-x64.tar.gz" SHASUMS256.txt.asc
CMD "node"