
Upgrade Docker base image Ubuntu 22 -> Ubuntu 24 #2252

Open

wants to merge 4 commits into base: trunk

Conversation

@StegSchreck commented May 6, 2024

User description

Description

Upgrade from Ubuntu 22 LTS to Ubuntu 24 LTS
See #2251

Motivation and Context

Newer base OS comes with security patches and newer software, e.g. Python 3.12 instead of 3.10

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have read the contributing document.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

PR Type

Enhancement


Description

  • Upgraded the Docker base image in Base/Dockerfile from Ubuntu 22 (jammy) to Ubuntu 24 (noble).
  • Updated APT sources in both Base/Dockerfile and Video/Dockerfile to use the new Ubuntu 24 (noble) repositories.

Changes walkthrough 📝

Relevant files (Enhancement):

Base/Dockerfile: Upgrade Docker Base Image and APT Sources to Ubuntu 24 (+4/-4)

  • Updated base image from Ubuntu 22 (jammy) to Ubuntu 24 (noble)
  • Updated APT sources to point to the new Ubuntu 24 repositories

Video/Dockerfile: Update APT Sources to Ubuntu 24 in Video Dockerfile (+3/-3)

  • Updated APT sources to point to the new Ubuntu 24 (noble) repositories

    💡 PR-Agent usage:
    Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

    @CLAassistant commented May 6, 2024

    CLA assistant check
    All committers have signed the CLA.

    PR Description updated to latest commit (5227639)

    PR Review 🔍

    ⏱️ Estimated effort to review [1-5]

    2, because the changes are straightforward, involving only updates to the base image and APT sources in Dockerfiles. The modifications are limited to version strings and do not involve complex logic or algorithms.

    🧪 Relevant tests

    No

    ⚡ Possible issues

    Compatibility Issues: Upgrading the base image and APT sources might introduce compatibility issues with existing software or dependencies that are not yet fully supported or tested with Ubuntu 24. It's crucial to ensure that all components work as expected in the new environment.

    🔒 Security concerns

    No

    PR Code Suggestions ✨

    Category: Enhancement

    Suggestion: Add source package repositories to the Dockerfile.

    Consider adding the deb-src lines for source packages in the Dockerfile. This will allow
    you to fetch source packages using apt-get source, which can be useful for debugging or
    custom builds.

    Base/Dockerfile [40-42]

     echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \
    +&& echo "deb-src http://archive.ubuntu.com/ubuntu noble main universe\n" >> /etc/apt/sources.list \
     && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
    -&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ;
    +&& echo "deb-src http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
    +&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list \
    +&& echo "deb-src http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ;
     
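Review bot: the added deb-src lines bring nothing to a runtime image and should be left out: nothing in this hunk (or in the rest of the suggestion) runs apt-get source, yet every deb-src entry adds another Sources index that apt-get update has to download on each build, slowing builds and widening the set of mirrors the image trusts for no benefit. If source packages are ever needed for debugging, enable them in a throwaway container rather than baking them into the image. Unrelated to the suggestion itself, the `echo "...\n"` form only works because Ubuntu's /bin/sh is dash, whose echo expands \n; printf '%s\n' would be the portable spelling.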
    Enhance Dockerfile compatibility with multiple architectures.

    To ensure that the Docker image can be built on architectures other than amd64, consider
    adding similar conditional statements for other architectures or a default configuration
    that applies to all architectures.

    Video/Dockerfile [18-20]

    -RUN  echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \
    -&& echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
    -&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list
    +RUN  if [ "${TARGETARCH}" = "amd64" ]; then \
    +        echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \
    +        && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
    +        && echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \
    +     else \
    +        echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \
    +        && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
    +        && echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \
    +     fi
     
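Review bot: the if and else branches in this hunk write exactly the same three lines, so the conditional is a no-op and does not add any multi-architecture support. Ubuntu serves arm64 and the other non-x86 architectures from http://ports.ubuntu.com/ubuntu-ports rather than archive.ubuntu.com and security.ubuntu.com, so a real non-amd64 branch would need that mirror in its deb lines, and ${TARGETARCH} only gets a value if the Dockerfile declares `ARG TARGETARCH` before this RUN. Since the author has said the Video/Dockerfile change is being reverted (the image is reused from another project), the right outcome is to drop this suggestion rather than fix it.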

    @amardeep2006 (Contributor)

    I feel it’s too early to start using Ubuntu 24.04.
    In my opinion we should let the new version settle down, as there are typically teething issues in the first year of a new release.

    @diemol (Member) commented May 6, 2024

    Several failures in the build. What is your motivation to move to Ubuntu 24, @StegSchreck? @amardeep2006 makes a good point.

    @VietND96 (Member) commented May 7, 2024

    I guess the failure will be solved when he reverts the changes in Video/Dockerfile, since this image is reused from another project, and they did not move to 24.04.
    I think we can follow some popular open-source projects; once they drop the change, we also release.

    @StegSchreck (Author)

    The failures are all caused by the configuration of Video/Dockerfile, because it is trying to install things via pip that are independently installed via the OS package manager. I thought this image was based on the Base/Dockerfile though, so I aligned it with the same changes. The overall dependencies between all the docker images in this repo might have confused me. I will revert this change.

    Regarding the motivation: this docker image is two years behind now. I want to use modern Python 3.12 in my code, which is using the standalone-firefox as base. Ubuntu 22 only comes with Python 3.10. I have considered other ways of achieving the same effect, but updating the base image is the straight-forward way. Additionally, all users would profit from more up-to-date software, including security fixes on top of the new features I mentioned before.

    @diemol (Member) commented May 7, 2024

    I was surprised to find out that 24.04 was released one month ago.

    A wide range of users uses these images, and I do not feel comfortable forcing them now to use the new Ubuntu version.

    I prefer to wait and then migrate.

    @VietND96 (Member)

    @StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

    @StegSchreck (Author)

    @StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

    Done.

    @VietND96 (Member)

    @StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

    Done.

    It looks like your commit is without an email, or the email in the commit author doesn't match the CLA input. Can you take some time to check?

    @StegSchreck (Author)

    @StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

    Done.

    It looks like your commit is without an email, or the email in the commit author doesn't match the CLA input. Can you take some time to check?

    I have re-signed the CLA with my second e-mail address.

    @skycanine commented May 29, 2024

    @diemol and @team Ubuntu 22 has some high-level CVEs (security vulnerabilities). We will very soon be blocked by our organization, United Health Group, from using this selenium helm chart if it does not extend the Ubuntu 24 image.

    @amardeep2006 (Contributor)

    @diemol and @team Ubuntu 22 has some high-level CVEs (security vulnerabilities). We will very soon be blocked by our organization, United Health Group, from using this selenium helm chart if it does not extend the Ubuntu 24 image.

    @skycanine Can you please share the scan report and the docker image tags that were scanned.
    Ubuntu 22 LTS is supported till 01 Apr 2027, so it should get all the security updates. I do not think Canonical will selectively send updates to Ubuntu 24 and miss out on 22.

    The trick is to keep updating the base image, which this project does with the help of the Renovate bot. The Dockerfile also has apt-get update and apt-get upgrade commands to auto-patch the vulnerable packages.

    Older images built some time back may have the vulnerable packages, but the newer builds should automatically be patched.
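The comment above rests on the claim that a freshly built image has already pulled everything from the security pocket. One way to check that before trusting or disputing a scan result, as an added example that is not part of the PR or the project's code: run a simulated upgrade inside the image and list what apt would still fetch from a *-security pocket. The function names (`pending_security_upgrades`, `count_pending`) and the `SAMPLE` output are constructed for this example; the line format is that of `apt-get -s upgrade`.

```shell
#!/bin/sh
# Added example (not from the PR or the project): list package upgrades that
# apt would still pull from a *-security pocket inside a built image.
# Intended use inside a running container of the image under test:
#   apt-get update -qq && apt-get -s upgrade | pending_security_upgrades
# Here a constructed sample of `apt-get -s upgrade` output stands in for that.

# Reads simulated-upgrade lines on stdin and prints one line per package that
# would be upgraded from a security pocket: "<pkg> <installed> -> <candidate>".
pending_security_upgrades() {
    # Real lines look like:
    # Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
    # Only "Inst" lines describe an upgrade; "Conf" lines repeat them for configuration.
    awk '
        $1 == "Inst" && $0 ~ /\/[a-z]+-security/ {
            pkg = $2
            installed = $3; gsub(/[][]/, "", installed)   # strip [ ]
            candidate = $4; gsub(/^\(/, "", candidate)    # strip leading (
            print pkg, installed, "->", candidate
        }'
}

# Constructed sample (version strings are made up): two security updates,
# one ordinary update from jammy-updates, and a Conf line that must be ignored.
SAMPLE='Reading package lists...
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Inst curl [7.81.0-1ubuntu1.14] (7.81.0-1ubuntu1.16 Ubuntu:22.04/jammy-updates [amd64])
Inst libapparmor1 [3.0.4-2ubuntu2.2] (3.0.4-2ubuntu2.3 Ubuntu:22.04/jammy-security [amd64])
Conf libssl3 (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])'

# Number of pending security upgrades in the sample. A non-zero result means the
# image was built before those patches were published (or without apt-get upgrade),
# which is exactly the "older image" case the comment describes.
count_pending() {
    printf '%s\n' "$SAMPLE" | pending_security_upgrades | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | pending_security_upgrades
echo "pending security upgrades: $(count_pending)"
```

A finding that is not in this list (such as a CVE tied to a file installed outside apt) will not be fixed by a rebuild, which is the distinction the later noVNC comment draws.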

    @skycanine

    @amardeep2006
    image

    @skycanine

    @amardeep2006 Second page:
    image

    @skycanine commented May 30, 2024

    "Ubuntu 22 LTS is supported till 01 Apr 2027 so it should get all the security updates." - I think I may have checked on this myself and found there was no fix when I last checked.

    The vulnerability still exists in "docker.repo1.uhc.com/selenium/node-chrome:4.21.0-20240522"; the screenshot above shows a slightly older image.

    image


    @VietND96 (Member)

    Looks like CVE-2016-1585 didn't come from the base OS 22.04 image, since it is not present in the list https://hub.docker.com/layers/library/ubuntu/jammy/images/sha256-2af372c1e2645779643284c7dc38775e3dbbc417b2d784a27c5a9eb784014fb8?context=explore
    When looking into the layers, it appears in the noVNC install step, so I think we should wait for the dependency to have a fix for it.

    @amardeep2006 (Contributor)

    I looked at https://bugs.launchpad.net/apparmor/+bug/1597017
    and it seems some backport is in (slow) progress for Jammy.
