mirror of
https://github.com/open-webui/open-terminal.git
synced 2026-07-09 16:09:14 +00:00
security: pin base images to python:3.12.13, remove apt/apk upgrade
Per Docker best practices, security patching should come from rebuilding with updated base image tags, not from apt-get upgrade inside the Dockerfile. Pinning to a specific patch version ensures reproducible builds. Bump the version and rebuild to pick up new patches.
This commit is contained in:
parent
9941db7d4a
commit
ae89d2ed11
4 changed files with 8 additions and 10 deletions
|
|
@ -1,4 +1,6 @@
|
|||
FROM python:3.12
|
||||
# Pin to a specific patch version for reproducible builds.
|
||||
# To pick up security patches, bump this version and rebuild.
|
||||
FROM python:3.12.13
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
# Core utilities
|
||||
|
|
@ -37,8 +39,6 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
|
|||
# Docker CLI + Compose + Buildx (mount socket at runtime for access)
|
||||
RUN curl -fsSL https://get.docker.com | sh
|
||||
|
||||
# Pull in all available security patches for installed packages.
|
||||
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@
|
|||
# Compiles Python dependencies in an isolated prefix. Alpine needs
|
||||
# musl-dev and gcc for most C extensions.
|
||||
# --------------------------------------------------------------------------
|
||||
FROM python:3.12-alpine AS builder
|
||||
FROM python:3.12.13-alpine AS builder
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
|
|
@ -55,7 +55,7 @@ RUN pip install --no-cache-dir --prefix=/install .
|
|||
# Stage 2: Runtime
|
||||
# Tiny Alpine runtime. No compilers, no build tools, no sudo.
|
||||
# --------------------------------------------------------------------------
|
||||
FROM python:3.12-alpine
|
||||
FROM python:3.12.13-alpine
|
||||
|
||||
# ── Runtime system packages ────────────────────────────────────────────────
|
||||
#
|
||||
|
|
@ -94,8 +94,6 @@ COPY --from=builder /install /usr/local
|
|||
WORKDIR /app
|
||||
COPY . .
|
||||
|
||||
# Upgrade base packages to pull in security fixes (e.g. zlib CVE-2026-22184).
|
||||
RUN apk upgrade --no-cache
|
||||
|
||||
# Install the app itself (fast — all deps are already present) and grant
|
||||
# the Python binary cap_setgid so multi-user mode can call setgid().
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
# Compiles Python dependencies in an isolated prefix so we can copy only
|
||||
# the final result into the slim runtime image — no compilers shipped.
|
||||
# --------------------------------------------------------------------------
|
||||
FROM python:3.12-slim AS builder
|
||||
FROM python:3.12.13-slim AS builder
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
|
|
@ -51,7 +51,7 @@ RUN pip install --no-cache-dir --prefix=/install .
|
|||
# Stage 2: Runtime
|
||||
# The actual image that ships. No compilers, no build tools, no sudo.
|
||||
# --------------------------------------------------------------------------
|
||||
FROM python:3.12-slim
|
||||
FROM python:3.12.13-slim
|
||||
|
||||
# ── Runtime system packages ────────────────────────────────────────────────
|
||||
#
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ That's it — you're up and running at `http://localhost:8000`.
|
|||
| | `latest` | `slim` | `alpine` |
|
||||
|---|---|---|---|
|
||||
| **Best for** | AI agent sandboxes | Production / hardened | Edge / CI / minimal footprint |
|
||||
| **Size** | ~2 GB | ~500 MB | ~300 MB |
|
||||
| **Size** | ~4 GB | ~430 MB | ~230 MB |
|
||||
| **Bundled tooling** | Node.js, gcc, ffmpeg, LaTeX, Docker CLI, data science libs | git, curl, jq | git, curl, jq |
|
||||
| **Install packages at runtime** | ✔ (has `sudo`) | ✘ | ✘ |
|
||||
| **Multi-user / egress firewall** | ✔ | ✔ | ✔ |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue