feat: (IAC-1476) DAC - Security scan 2024.06 #558

Merged
merged 1 commit into from
Jun 20, 2024
8 changes: 4 additions & 4 deletions Dockerfile
Expand Up @@ -17,9 +17,9 @@ RUN curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$kubect

# Installation
FROM baseline
ARG helm_version=3.14.2
ARG aws_cli_version=2.15.22
ARG gcp_cli_version=472.0.0-0
ARG helm_version=3.15.2
ARG aws_cli_version=2.16.5
ARG gcp_cli_version=479.0.0-0

# Add extra packages
RUN apt-get update && apt-get install --no-install-recommends -y gzip wget git jq ssh sshpass skopeo rsync \
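Review bot: the helm (3.14.2 to 3.15.2), aws-cli (2.15.22 to 2.16.5) and gcloud (472.0.0-0 to 479.0.0-0) bumps carry no rationale in the hunk or the commit title beyond "Security scan 2024.06"; record, in the commit message or a short comment next to the ARG lines, which scan finding each bump closes, so a later reader can distinguish a vulnerability fix from a routine refresh and can verify that the pinned version is the one the scanner reports as fixed.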
Expand Down Expand Up @@ -54,7 +54,7 @@ RUN pip install -r ./requirements.txt \
&& pip cache purge \
&& chmod -R g=u /etc/passwd /etc/group /viya4-deployment/ \
&& chmod 755 /viya4-deployment/docker-entrypoint.sh \
&& git config --system --add safe.directory /viya4-deployment
&& git config --system --add safe.directory /viya4-deployment ||:
Contributor


Was the addition of ||: needed? Shouldn't we stop the Docker build if this command fails rather than ignoring the error?

Member Author

@dhoucgitter dhoucgitter Jun 18, 2024


@jarpat, it is a change that I often make to allow building the docker image if the folder docker build is run from is not a first-class repository folder, i.e. a work-tree folder. If that is the case, the git config --system command will fail and the docker image will fail to create; however, since this line was added as a workaround to fix a git cli vulnerability in an earlier git version, it may be OK to completely remove this line now. I will do a quick search and post back, interested in your thoughts on doing that and what risk we might incur, if any. I have run the resulting viya4-deployment container with that change in the past with no obvious ill effect.

Contributor


I think that change is fine now that I'm aware of the reasoning behind it.


ENV PLAYBOOK=playbook.yaml
ENV VIYA4_DEPLOYMENT_TOOLING=docker
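Review bot: the ||: appended to the git config line masks every non-zero exit of that command, not only the work-tree case raised in the discussion, so an image in which safe.directory was never written still builds successfully and the problem surfaces only later, inside the container, as git refusing to operate on the repository because of "dubious ownership". safe.directory is git's ownership check rather than a patch to git itself, so if the setting is no longer needed the cleaner change is to delete the line together with a Dockerfile comment saying why; if it is kept, keep the failure visible instead of ignoring it, for example by guarding the command explicitly for the case the discussion describes rather than discarding all exit codes with ||:.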
4 changes: 3 additions & 1 deletion requirements.txt
@@ -1,6 +1,8 @@
ansible==9.2.0 # 9.1.0 # 8.6.0 # 2.10.7
ansible==9.6.0 # 9.2.0 # 9.1.0 # 8.6.0 # 2.10.7
openshift==0.13.2 # 0.13.1 # 0.12.0
kubernetes==27.2.0 # 26.1.0 # 12.0.1
dnspython==2.6.1 # 2.3.0 # 2.1.0
docker==7.1.0 # 7.0.0 # 5.0.3
urllib3==1.26.18
wheel>=0.38.1
setuptools>=65.5.1
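Review bot: wheel>=0.38.1 and setuptools>=65.5.1 are open lower bounds while every other entry in this file is pinned exactly, so two builds of the image can resolve different versions and a clean scan of one build says nothing about the next; pin both to the exact versions the scanned image contained (e.g. wheel==<scanned version>, a placeholder for the value from the build log) and carry the previous version in a trailing comment, as the other lines already do.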
2 changes: 1 addition & 1 deletion requirements.yaml
@@ -1,7 +1,7 @@
---
collections:
- name: ansible.utils
version: 3.1.0 # 2.3.0
version: 4.1.0 # 3.1.0 # 2.3.0
- name: community.docker
version: 3.10.3 # 3.8.0 # 2.7.8
- name: kubernetes.core
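Review bot: ansible.utils crosses a major version (3.1.0 to 4.1.0), which under the collection's semantic versioning may drop or rename filters and modules, yet the hunk gives no sign the playbooks that use it were exercised against 4.1.0; run the affected playbooks against the new collection and note the result in the PR description so the bump is documented as behaviour-neutral rather than assumed to be.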