Upgrade debian base image to improve security vulnerabilities

.github/workflows/ci.yml

@@ -47,18 +47,26 @@ jobs:
       contents: read
     needs: [prepare-matrix]
     strategy:
-      max-parallel: 5
+      max-parallel: 10
       matrix:
         integration: ${{fromJson(needs.prepare-matrix.outputs.matrix)}}
+        platform:
+          - linux/amd64
+          - linux/arm64
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+        with:
+          platforms: ${{ matrix.platform }}
+
       - name: Prepare Docker images tags
         id: prepare_tags
         run: |
@@ -74,6 +82,7 @@ jobs:
 
           dockerfile_path=integrations/_infra/Dockerfile
           if test -e $folder/../Dockerfile; then
+            echo "Choosing a custom Dockerfile for ${{ matrix.integration }}"
             dockerfile_path=$folder/../Dockerfile
           fi
           echo "dockerfile_path=$dockerfile_path" >> $GITHUB_OUTPUT
@@ -92,16 +101,31 @@ jobs:
             echo "is_dev_version=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: Get used docker base image
+        id: get-docker-image
+        run: |
+          echo "base_image=$(cat ${{ steps.prepare_tags.outputs.dockerfile_path }} | head -n 1 | awk -F '=' '{print $2}' )" >> $GITHUB_OUTPUT
+
+      - name: Cache Docker images
+        uses: ScribeMD/[email protected]
+        with:
+          key: docker-${{ matrix.integration }}-${{ steps.get-docker-image.outputs.base_image }}-${{ matrix.platform }}
+
       - name: Build
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ${{ steps.prepare_tags.outputs.dockerfile_path }}
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
           push: false
+          load: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
           tags: ${{ steps.prepare_tags.outputs.tags }}
           build-args: |
             BUILD_CONTEXT=${{ steps.prepare_tags.outputs.context_dir }}
             INTEGRATION_VERSION=${{ steps.prepare_tags.outputs.version }}
+
+      - name: Verify Built Image
+        run: |
+          docker run --platform ${{ matrix.platform }} --rm --entrypoint bash ${{ steps.prepare_tags.outputs.tags }} -c 'ocean version'

CHANGELOG.md

@@ -7,6 +7,13 @@ this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 <!-- towncrier release notes start -->
 
+## 0.12.3 (2024-10-09)
+
+### Improvements
+
+- Updated docker base image to improve security vulnerabilities
+
+
 ## 0.12.2 (2024-10-06)
 
 ### Improvements

integrations/_infra/Dockerfile

@@ -0,0 +1 @@
+./Dockerfile.Deb

integrations/_infra/Dockerfile.Deb

@@ -0,0 +1,67 @@
+ARG BASE_PYTHON_IMAGE=debian:trixie-slim
+
+FROM ${BASE_PYTHON_IMAGE} AS base
+
+ARG BUILD_CONTEXT
+ARG BUILDPLATFORM
+
+ENV LIBRDKAFKA_VERSION=1.9.2 \
+    PYTHONUNBUFFERED=1 \
+    POETRY_VIRTUALENVS_IN_PROJECT=1 \
+    PIP_ROOT_USER_ACTION=ignore
+
+RUN apt-get update \
+    && apt-get install -y \
+        wget \
+        g++ \
+        libssl-dev \
+        autoconf \
+        automake \
+        libtool \
+        curl \
+        librdkafka-dev \
+        python3 \
+        python3-pip \
+        python3-poetry \
+    && apt-get clean
+
+WORKDIR /app
+
+COPY ./${BUILD_CONTEXT}/pyproject.toml ./${BUILD_CONTEXT}/poetry.lock /app/
+
+RUN poetry install --without dev --no-root --no-interaction --no-ansi --no-cache
+
+FROM ${BASE_PYTHON_IMAGE} AS prod
+
+ARG INTEGRATION_VERSION
+ARG BUILD_CONTEXT
+
+ENV LIBRDKAFKA_VERSION=1.9.2
+
+LABEL INTEGRATION_VERSION=${INTEGRATION_VERSION}
+# Used to ensure that new integrations will be public, see https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility
+LABEL org.opencontainers.image.source=https://github.com/port-labs/ocean
+
+ENV PIP_ROOT_USER_ACTION=ignore
+
+RUN apt-get update \
+    && apt-get install -y librdkafka-dev python3 \
+    && apt-get clean
+
+WORKDIR /app
+
+# Copy the application code
+COPY ./${BUILD_CONTEXT} /app
+
+# Copy dependencies from the build stage
+COPY --from=base /app/.venv /app/.venv
+
+COPY ./integrations/_infra/init.sh /app/init.sh
+
+# Ensure that ocean is available for all in path
+RUN chmod a+x /app/.venv/bin/ocean
+
+RUN chmod a+x /app/init.sh
+RUN ln -s /app/.venv/bin/ocean /usr/bin/ocean
+# Run the application
+CMD ["bash", "/app/init.sh"]

integrations/_infra/Dockerfile.alpine

@@ -0,0 +1,108 @@
+ARG BASE_PYTHON_IMAGE=alpine:3.20.1
+
+FROM ${BASE_PYTHON_IMAGE} AS base
+
+ARG BUILD_CONTEXT
+ARG BUILDPLATFORM
+
+ENV LIBRDKAFKA_VERSION=1.9.2 \
+    PYTHONUNBUFFERED=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=on \
+    POETRY_NO_INTERACTION=1 \
+    PIP_NO_CACHE_DIR=on \
+    PIP_DEFAULT_TIMEOUT=100 \
+    GRPC_PYTHON_DISABLE_LIBC_COMPATIBILITY=1 \
+    PYTHONDONTWRITEBYTECODE=1
+
+# Install system dependencies and libraries
+RUN \
+    apk add --no-cache \
+        gcc \
+        g++ \
+        musl-dev \
+        build-base \
+        bash \
+        oniguruma-dev \
+        make \
+        autoconf \
+        automake \
+        libtool \
+        curl \
+        openssl-dev \
+        cargo \
+        pkgconfig \
+        linux-headers \
+        libstdc++ \
+        libffi-dev \
+        py3-grpcio \
+        py3-protobuf \
+        python3-dev \
+        # librdkafka-dev \
+    # Install community librdkafka-dev since the default in alpine is older
+    && echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories \
+    && echo "@edgecommunity http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+    && apk add --no-cache \
+        alpine-sdk \
+        "librdkafka@edgecommunity>=${LIBRDKAFKA_VERSION}" \
+        "librdkafka-dev@edgecommunity>=${LIBRDKAFKA_VERSION}" \
+    && curl -sSL https://install.python-poetry.org | python3 - \
+    && apk upgrade gcc linux-headers libstdc++ gcc g++ --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ \
+    && ln -s /root/.local/bin/poetry /usr/bin/poetry \
+    && poetry config virtualenvs.in-project true
+
+WORKDIR /app
+
+COPY ./${BUILD_CONTEXT}/pyproject.toml ./${BUILD_CONTEXT}/poetry.lock /app/
+
+COPY ./integrations/_infra/grpcio.sh /app/grpcio.sh
+
+RUN chmod a+x /app/grpcio.sh && /app/grpcio.sh "${BUILDPLATFORM}"
+
+RUN export GRPC_PYTHON_DISABLE_LIBC_COMPATIBILITY=1 \
+    && poetry install --without dev --no-root --no-interaction --no-ansi --no-cache
+
+FROM ${BASE_PYTHON_IMAGE} AS prod
+
+ARG INTEGRATION_VERSION
+ARG BUILD_CONTEXT
+
+ENV LIBRDKAFKA_VERSION=1.9.2
+
+LABEL INTEGRATION_VERSION=${INTEGRATION_VERSION}
+# Used to ensure that new integrations will be public, see https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility
+LABEL org.opencontainers.image.source=https://github.com/port-labs/ocean
+
+# Install only runtime dependencies
+RUN \
+    apk add --no-cache \
+        bash \
+        oniguruma-dev \
+        python3 \
+    # Install community librdkafka-dev since the default in alpine is older
+    && echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories \
+    && echo "@edgecommunity http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+    && apk update \
+    && apk add --no-cache \
+        alpine-sdk \
+        "librdkafka@edgecommunity>=${LIBRDKAFKA_VERSION}" \
+        "librdkafka-dev@edgecommunity>=${LIBRDKAFKA_VERSION}" \
+    # Fix security issues
+    && apk upgrade busybox libcrypto3 libssl3 --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/
+
+WORKDIR /app
+
+# Copy the application code
+COPY ./${BUILD_CONTEXT} /app
+
+# Copy dependencies from the build stage
+COPY --from=base /app/.venv /app/.venv
+
+COPY ./integrations/_infra/init.sh /app/init.sh
+
+# Ensure that ocean is available for all in path
+RUN chmod a+x /app/.venv/bin/ocean
+
+RUN chmod a+x /app/init.sh
+RUN ln -s /app/.venv/bin/ocean /usr/bin/ocean
+# Run the application
+CMD ["bash", "/app/init.sh"]

integrations/_infra/Makefile

@@ -49,8 +49,8 @@ install/local-core: install
 	$(ACTIVATE) && pip install -e ../../
 
 install/prod:
-	$(call install_poetry) && \
 	poetry install --without dev --no-root --no-interaction --no-ansi --no-cache
+	$(call install_poetry) && \
 
 lint:
 	$(ACTIVATE) && \

integrations/_infra/grpcio.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+PLATFORM=${1}
+
+if [[ ! $(grep -q 'grpcio' ./poetry.lock) ]]; then
+    echo 'grpcio not present, skipping explicit build'
+else
+    echo 'found grpcio, checking platform'
+fi
+
+if [[ "${PLATFORM}" == "linux/arm64" ]]; then
+    echo "On arm, need to explicitly install grpcio"
+    poetry env use "$(which python)"
+    echo "${VIRTUAL_ENV}"
+    poetry run pip install --upgrade pip
+    GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1 GRPC_PYTHON_BUILD_SYSTEM_ZLIB=1 GRPC_PYTHON_DISABLE_LIBC_COMPATIBILITY=1 poetry run pip install 'grpcio==1.66.2'
+else
+    echo "Not on arm, no need to explicitly install grpcio"
+fi

integrations/_infra/init.sh

@@ -1,4 +1,5 @@
 if test -e /usr/local/share/ca-certificates/cert.crt; then
   update-ca-certificates
 fi
+
 ocean sail

integrations/jenkins/examples/blueprints.json

@@ -57,4 +57,4 @@
             }
         }
     }
-]
+]

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "port-ocean"
-version = "0.12.2"
+version = "0.12.3"
 description = "Port Ocean is a CLI tool for managing your Port projects."
 readme = "README.md"
 homepage = "https://app.getport.io"