chore: Remove build-essential by default in the Docker image (#27813)

This removes ~70 medium/low severity CVEs reported on our Docker image,
by removing `build-essential` from being installed by default in the
Docker image.

We only need it when compiling Redis, which is needed on _some_ ARM
systems that are configured with a page size greater than 4096. For
example, CentOS 8.
Shrikant Sharat Kandula 2023-10-05 10:26:39 +05:30 committed by GitHub
parent 3be086710e
commit 63322193d2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 10 deletions


@ -33,7 +33,7 @@ RUN curl --silent --show-error --location https://www.mongodb.org/static/pgp/ser
&& echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list \ && echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list \
&& curl --silent --show-error --location https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \ && curl --silent --show-error --location https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
&& apt update \ && apt update \
&& apt-get install --no-install-recommends --yes mongodb-org nodejs redis build-essential postgresql-13 \ && apt-get install --no-install-recommends --yes mongodb-org nodejs redis postgresql-13 \
&& apt-get clean \ && apt-get clean \
# This is to get semver 7.5.2, for a CVE fix, might be able to remove it with later versions on NodeJS. # This is to get semver 7.5.2, for a CVE fix, might be able to remove it with later versions on NodeJS.
&& npm install -g npm@9.7.2 && npm install -g npm@9.7.2
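Review bot: The install line no longer carries the compiler toolchain, and nothing at this site tells a maintainer where it went or why it must stay out. I would add a comment above the `apt-get install` line, for example `# build-essential is deliberately absent: check_redis_compatible_page_size installs it on demand when Redis has to be compiled.` That also records that hosts with a page size above 4096 now need package-mirror and download access at container start, which offline deployments should know about. The `RUN` statement begins outside this hunk.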


@ -315,21 +315,28 @@ configure_supervisord() {
} }
# This is a workaround to get Redis working on diffent memory pagesize # This is a workaround to get Redis working on different memory pagesize
# https://github.com/appsmithorg/appsmith/issues/11773 # https://github.com/appsmithorg/appsmith/issues/11773
check_redis_compatible_page_size() { check_redis_compatible_page_size() {
local page_size local page_size
page_size="$(getconf PAGE_SIZE)" page_size="$(getconf PAGE_SIZE)"
if [[ $page_size -gt 4096 ]]; then if [[ $page_size -gt 4096 ]]; then
curl \
--silent \
--user "$APPSMITH_SEGMENT_CE_KEY:" \
--header 'Content-Type: application/json' \
--data '{ "userId": "'"$HOSTNAME"'", "event":"RedisCompile" }' \
https://api.segment.io/v1/track \
|| true
echo "Compile Redis stable with page size of $page_size" echo "Compile Redis stable with page size of $page_size"
echo "Downloading Redis source..." apt-get update
curl https://download.redis.io/redis-stable.tar.gz -L | tar xvz apt-get install --yes build-essential
cd redis-stable/ curl --location https://download.redis.io/redis-stable.tar.gz | tar -xz -C /tmp
echo "Compiling Redis from source..." pushd /tmp/redis-stable
make && make install make
echo "Cleaning up Redis source..." make install
cd .. popd
rm -rf redis-stable/ rm -rf /tmp/redis-stable
else else
echo "Redis is compatible with page size of $page_size" echo "Redis is compatible with page size of $page_size"
fi fi
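Review bot: The compile branch fetches `redis-stable.tar.gz`, a moving target, and pipes it straight into `tar` and then `make install`, so nothing pins or verifies what gets built and installed at container start, and a failed or truncated download only surfaces when `pushd` or `make` fails. I would download a pinned release to a file, compare its SHA-256 with a digest baked into the image, and only then extract; `REDIS_VERSION` and `REDIS_SHA256` below are placeholders, and whether `return 1` is the right failure mode depends on the caller, which is outside this hunk. `build-essential` also stays installed after the build, so hosts that take this path keep the packages the commit set out to remove; purging it after `make install` would preserve the reduction. The telemetry `curl` has no time limit, so adding `--max-time` would keep blocked egress from delaying startup. The function's closing brace lies outside the hunk.

```shell
    # … unchanged: telemetry call and "Compile Redis stable" message …
    apt-get update
    apt-get install --yes build-essential
    # REDIS_VERSION / REDIS_SHA256 are placeholders: pin both when the image is built.
    local tarball="/tmp/redis-${REDIS_VERSION}.tar.gz"
    curl --fail --silent --show-error --location --output "$tarball" \
      "https://download.redis.io/releases/redis-${REDIS_VERSION}.tar.gz" || return 1
    # Refuse to build anything whose digest does not match the pinned value.
    echo "${REDIS_SHA256}  ${tarball}" | sha256sum --check --status || return 1
    tar -xz -C /tmp -f "$tarball"
    pushd "/tmp/redis-${REDIS_VERSION}" || return 1
    # … unchanged: make, make install, popd …
    rm -rf "$tarball" "/tmp/redis-${REDIS_VERSION}"
    # Drop the toolchain again so the running container keeps the reduced package set.
    apt-get purge --yes --auto-remove build-essential
    # … unchanged: else branch …
```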