From 3b0adf2cc5770a6a3114e4ab51764d114e32977d Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Tue, 21 Nov 2023 02:00:08 +0000
Subject: [PATCH 1/2] Update to latest ubuntu image in dockerfile to avoid lots of vulnerabilities
---
 Dockerfile | 25 ++++++++++++++++---------
 Makefile | 3 ++-
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 17c7a1ac..8ffa3d80 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,23 +1,30 @@
-FROM ubuntu:focal
+FROM ubuntu:mantic-20231011
 WORKDIR /app
 COPY . /app
 # installing all system dependencies, yq, ruby-build and rbenv
 RUN apt-get update && \
- apt-get install --yes --no-install-recommends uuid-runtime curl ca-certificates git make build-essential libssl-dev libreadline-dev zlib1g-dev && \
- rm -rf /var/lib/apt/lists/* && \
- curl -L https://github.com/mikefarah/yq/releases/download/v4.24.2/yq_linux_amd64.tar.gz | tar -xzvf - && mv yq_linux_amd64 /usr/bin/yq && \
- git clone https://github.com/rbenv/rbenv.git ~/.rbenv && \
- curl -L https://github.com/sstephenson/ruby-build/archive/v20220324.tar.gz | tar -zxvf - -C /tmp/ && \
- cd /tmp/ruby-build-* && ./install.sh
+ apt-get install --yes --no-install-recommends \
+ uuid-runtime curl ca-certificates git make build-essential \
+ libssl-dev libreadline-dev zlib1g-dev && \
+ rm -rf /var/lib/apt/lists/*
+RUN curl -L https://github.com/mikefarah/yq/releases/download/v4.24.2/yq_linux_amd64.tar.gz | tar -xzvf - && \
+ mv yq_linux_amd64 /usr/bin/yq
+RUN git clone https://github.com/rbenv/rbenv.git ~/.rbenv && \
+ curl -L https://github.com/sstephenson/ruby-build/archive/v20231114.tar.gz | tar -zxvf - -C /tmp/ && \
+ cd /tmp/ruby-build-* && \
+ ./install.sh
 # set the env
 ENV PATH /root/.rbenv/bin:/root/.rbenv/shims:$PATH
 RUN echo 'eval "$(rbenv init -)"' >> .bashrc
-RUN echo 'eval "$(rbenv init -)"' >> /etc/profile.d/rbenv.sh # or /etc/profile
+RUN echo 'eval "$(rbenv init -)"' >> /etc/profile.d/rbenv.sh
 # run the make file to install the app
-RUN make install
+# override CFLAGS because -w (warning suppression) screws up ruby-build in newer versions
+# when compiling ruby 2.6.x, *but* we need newer ruby-build to compile older openssl
+# on newer Ubuntu releases
+RUN make install RUBY_CFLAGS=''
 CMD ["/bin/bash", "script/run_in_docker.sh"]
diff --git a/Makefile b/Makefile
index 65aa34fc..623b1ed7 100644
--- a/Makefile
+++ b/Makefile
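Review bot: The new `RUN curl -L … | tar` steps for yq and ruby-build, and the `git clone` of rbenv, still install whatever the remote serves with no checksum, no `curl -f` (an HTTP error page is piped straight into tar), and under the default `/bin/sh -c` only tar's exit status decides whether the step fails; the same applies unchanged to the v4.40.2 bump in PATCH 2/2. The rewrite below downloads each archive to a file, verifies a sha256 taken from the upstream release page (placeholders to be filled in), pins the rbenv clone to a tag, and removes the extracted ruby-build tree in the same layer instead of leaving it in `/tmp` of the image. The `# override CFLAGS` comment says this image compiles ruby 2.6.x; if `.ruby-version` (not in the hunk) still selects that series, it reached end-of-life in 2022 and receives no security fixes, so the base-image bump does not clear the interpreter's own CVEs. `ubuntu:mantic-20231011` is an interim release with nine months of updates, so the vulnerability picture this commit fixes reverts once it is EOL; an LTS tag such as `ubuntu:jammy-<date>` pinned by digest holds up longer. The final image also has no `USER`, so the app runs as root with rbenv installed under `/root`.
```dockerfile
# … unchanged: FROM, WORKDIR, COPY, apt-get layer …
RUN curl -fsSL -o /tmp/yq.tar.gz https://github.com/mikefarah/yq/releases/download/v4.24.2/yq_linux_amd64.tar.gz && \
    echo "<SHA256_OF_YQ_ARCHIVE_FROM_UPSTREAM_RELEASE_PAGE>  /tmp/yq.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/yq.tar.gz -C /tmp yq_linux_amd64 && \
    mv /tmp/yq_linux_amd64 /usr/bin/yq && \
    rm -f /tmp/yq.tar.gz
RUN git clone --depth 1 --branch <RBENV_RELEASE_TAG> https://github.com/rbenv/rbenv.git ~/.rbenv && \
    curl -fsSL -o /tmp/ruby-build.tar.gz https://github.com/sstephenson/ruby-build/archive/v20231114.tar.gz && \
    echo "<SHA256_OF_RUBY_BUILD_ARCHIVE_FROM_UPSTREAM_RELEASE_PAGE>  /tmp/ruby-build.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/ruby-build.tar.gz -C /tmp/ && \
    cd /tmp/ruby-build-* && ./install.sh && \
    rm -rf /tmp/ruby-build-* /tmp/ruby-build.tar.gz
# … unchanged: ENV PATH, rbenv init lines, make install, CMD …
```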
@@ -1,4 +1,5 @@
 YQ ?= "yq"
+RUBY_CFLAGS ?= -w
 .phony: test ftest lint autocorrect update_config autocorrect-unsafe install build-docker run-docker exec_app tag exec_cli
 .phony: build_utility build_service release_utility_dev release_service_dev release_utility release_service build_utility_gem build_service_gem
@@ -67,7 +68,7 @@ push_gem:
 bundle _$(shell cat .bundler-version)_ exec gem push .gems/*
 install:
- RUBY_CFLAGS="-w" rbenv install -s
+ RUBY_CFLAGS="$(RUBY_CFLAGS)" rbenv install -s
 - gem install bundler -v $(shell cat .bundler-version) && rbenv rehash
 bundle _$(shell cat .bundler-version)_ install --jobs 1
From e36c1eac4087520b44b1604d1963802425a1e89c Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Wed, 22 Nov 2023 01:18:08 +0000
Subject: [PATCH 2/2] Use the latest yq in docker image
---
 Dockerfile | 2 +-
 Gemfile.lock | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 8ffa3d80..7dc69d22 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ RUN apt-get update && \
 uuid-runtime curl ca-certificates git make build-essential \
 libssl-dev libreadline-dev zlib1g-dev && \
 rm -rf /var/lib/apt/lists/*
-RUN curl -L https://github.com/mikefarah/yq/releases/download/v4.24.2/yq_linux_amd64.tar.gz | tar -xzvf - && \
+RUN curl -L https://github.com/mikefarah/yq/releases/download/v4.40.2/yq_linux_amd64.tar.gz | tar -xzvf - && \
 mv yq_linux_amd64 /usr/bin/yq
 RUN git clone https://github.com/rbenv/rbenv.git ~/.rbenv && \
 curl -L https://github.com/sstephenson/ruby-build/archive/v20231114.tar.gz | tar -zxvf - -C /tmp/ && \
diff --git a/Gemfile.lock b/Gemfile.lock
index 62d5c72a..7fbc9ba4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -204,6 +204,7 @@ PLATFORMS
 universal-java-11
 x86-mingw32
 x86_64-darwin-20
+ x86_64-linux
 DEPENDENCIES
 activesupport (~> 6.1.7.3)
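Review bot: `RUBY_CFLAGS ?= -w` in the first hunk carries no comment saying why `-w` is the default or when to override it; that reasoning currently lives only in the Dockerfile comment. Suggest placing `# CFLAGS passed to rbenv install; newer ruby-build fails with -w when building ruby 2.6.x, so the Dockerfile overrides with RUBY_CFLAGS=''` directly above the assignment. A command-line `make install RUBY_CFLAGS=''` correctly overrides a `?=` default, so the mechanism itself is sound; note that `-w` also hides every compiler warning from the Ruby build, which is worth knowing when a build fails. The `install` recipe may continue past the end of the second hunk.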