security: pin base images to python:3.12.13, remove apt/apk upgrade

Per Docker best practices, security patching should come from rebuilding
with updated base image tags, not from apt-get upgrade inside the
Dockerfile. Pinning to a specific patch version ensures reproducible
builds. Bump the version and rebuild to pick up new patches.
This commit is contained in:
Timothy Jaeryang Baek 2026-03-13 16:32:06 -05:00
parent 9941db7d4a
commit ae89d2ed11
4 changed files with 8 additions and 10 deletions

View file

@ -1,4 +1,6 @@
FROM python:3.12
# Pin to a specific patch version for reproducible builds.
# To pick up security patches, bump this version and rebuild.
FROM python:3.12.13
RUN apt-get update && apt-get install -y --no-install-recommends \
# Core utilities
@ -37,8 +39,6 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
# Docker CLI + Compose + Buildx (mount socket at runtime for access)
RUN curl -fsSL https://get.docker.com | sh
# Pull in all available security patches for installed packages.
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
WORKDIR /app

View file

@ -29,7 +29,7 @@
# Compiles Python dependencies in an isolated prefix. Alpine needs
# musl-dev and gcc for most C extensions.
# --------------------------------------------------------------------------
FROM python:3.12-alpine AS builder
FROM python:3.12.13-alpine AS builder
WORKDIR /src
@ -55,7 +55,7 @@ RUN pip install --no-cache-dir --prefix=/install .
# Stage 2: Runtime
# Tiny Alpine runtime. No compilers, no build tools, no sudo.
# --------------------------------------------------------------------------
FROM python:3.12-alpine
FROM python:3.12.13-alpine
# ── Runtime system packages ────────────────────────────────────────────────
#
@ -94,8 +94,6 @@ COPY --from=builder /install /usr/local
WORKDIR /app
COPY . .
# Upgrade base packages to pull in security fixes (e.g. zlib CVE-2026-22184).
RUN apk upgrade --no-cache
# Install the app itself (fast — all deps are already present) and grant
# the Python binary cap_setgid so multi-user mode can call setgid().

View file

@ -25,7 +25,7 @@
# Compiles Python dependencies in an isolated prefix so we can copy only
# the final result into the slim runtime image — no compilers shipped.
# --------------------------------------------------------------------------
FROM python:3.12-slim AS builder
FROM python:3.12.13-slim AS builder
WORKDIR /src
@ -51,7 +51,7 @@ RUN pip install --no-cache-dir --prefix=/install .
# Stage 2: Runtime
# The actual image that ships. No compilers, no build tools, no sudo.
# --------------------------------------------------------------------------
FROM python:3.12-slim
FROM python:3.12.13-slim
# ── Runtime system packages ────────────────────────────────────────────────
#

View file

@ -29,7 +29,7 @@ That's it — you're up and running at `http://localhost:8000`.
| | `latest` | `slim` | `alpine` |
|---|---|---|---|
| **Best for** | AI agent sandboxes | Production / hardened | Edge / CI / minimal footprint |
| **Size** | ~2 GB | ~500 MB | ~300 MB |
| **Size** | ~4 GB | ~430 MB | ~230 MB |
| **Bundled tooling** | Node.js, gcc, ffmpeg, LaTeX, Docker CLI, data science libs | git, curl, jq | git, curl, jq |
| **Install packages at runtime** | ✔ (has `sudo`) | ✘ | ✘ |
| **Multi-user / egress firewall** | ✔ | ✔ | ✔ |