From 87dbc02d435aaab777c8b8f9ae7296dc5ca2530e Mon Sep 17 00:00:00 2001
From: Ben Fichter
Date: Wed, 26 Mar 2025 08:34:05 -0400
Subject: [PATCH 1/2] Revert "Distroless fix (#6)"
This reverts commit 9592d713cea079db9bbd23f235c366b50890a56a.
---
 build/Dockerfile.distroless | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/build/Dockerfile.distroless b/build/Dockerfile.distroless
index 96aee1076..b947d6135 100644
--- a/build/Dockerfile.distroless
+++ b/build/Dockerfile.distroless
@@ -173,15 +173,10 @@ RUN \
 # https://github.com/arachnys/athenapdf/commit/ba25a8d80a25d08d58865519c4cd8756dc9a336d.
 COPY build/fonts.conf /etc/fonts/conf.d/100-gotenberg.conf
-# ----------------------------------------------
-# Python copy stage
-# ----------------------------------------------
-FROM public.ecr.aws/j9h1x6x3/distroless-python:latest AS python-source
-
 # ----------------------------------------------
 # Final stage
 # ----------------------------------------------
-FROM gcr.io/distroless/cc-debian12:latest AS base
+FROM public.ecr.aws/j9h1x6x3/distroless-python:latest AS base
 # Set platform-specific CHIPSET_ARCH
 FROM base AS base-amd64
@@ -195,11 +190,6 @@ ARG CHIPSET_ARCH=aarch64-linux-gnu
 ARG TARGETARCH
 FROM base-${TARGETARCH}
-# Required for unoconverter
-COPY --from=python-source /usr/local/bin/python /usr/bin/python
-COPY --from=python-source /usr/local/bin/python /usr/bin/python3
-COPY --from=python-source /usr/local/bin/python /usr/bin/python3.11
-
 ENV PYTHONPATH="/usr/local/lib/python3.11/dist-packages:"
 # LibreOffice dependencies
From 1b57f559bddc2ac70721303b79bfec47b124de85 Mon Sep 17 00:00:00 2001
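Review bot: The new final-stage base `FROM public.ecr.aws/j9h1x6x3/distroless-python:latest AS base` is pulled by a mutable tag from a public ECR alias rather than a verified publisher, so the interpreter and libc the service runs on can change between two builds of the same commit with nothing in this file to show it, and a scan result on one build says nothing about the next. Pin it by digest, `FROM public.ecr.aws/j9h1x6x3/distroless-python:latest@sha256:<digest> AS base`, and bump the digest deliberately when you want new content. This base is replaced again by patch 2/2 of this series, so whichever `FROM` ends up final should carry the pin.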
From: Ben Fichter
Date: Wed, 26 Mar 2025 08:34:11 -0400
Subject: [PATCH 2/2] Revert "Use python distroless instead of copying python into google distroless, as 2F scanning does not like that for some reason (#5)"
This reverts commit df7d12b811afb10d0d5f9a78cb1bff55966764ee.
---
 build/Dockerfile.distroless | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/build/Dockerfile.distroless b/build/Dockerfile.distroless
index b947d6135..ea6ea7049 100644
--- a/build/Dockerfile.distroless
+++ b/build/Dockerfile.distroless
@@ -1,3 +1,11 @@
+# This is our strategy for getting a clean (from CVE perspective) base image for python-based services.
+# This mostly takes from https://github.com/alexdmoss/distroless-python
+# We need to build our own to be able to get new debian versions with fixes.
+
+# Google periodically updates distroless images but just uses latest
+# CVEs will typically get fixed in versions (e.g deb12u7) and we'll need to rebuild this to incorporate them.
+ARG GOOGLE_DISTROLESS_BASE_IMAGE=gcr.io/distroless/cc-debian12:latest
+
 # ARG instructions do not create additional layers. Instead, next layers will
 # concatenate them. Also, we have to repeat ARG instructions in each build
 # stage that uses them.
@@ -176,7 +184,7 @@ COPY build/fonts.conf /etc/fonts/conf.d/100-gotenberg.conf
 # ----------------------------------------------
 # Final stage
 # ----------------------------------------------
-FROM public.ecr.aws/j9h1x6x3/distroless-python:latest AS base
+FROM ${GOOGLE_DISTROLESS_BASE_IMAGE} AS base
 # Set platform-specific CHIPSET_ARCH
 FROM base AS base-amd64
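Review bot: `ARG GOOGLE_DISTROLESS_BASE_IMAGE=gcr.io/distroless/cc-debian12:latest` contradicts the comment directly above it: the comment says fixes land in specific Debian revisions and the image must be rebuilt to pick them up, yet a `:latest` default means the base moves underneath every build on its own, so builds are not reproducible and a clean scan of one build proves nothing about the next. Pin the default by digest, `ARG GOOGLE_DISTROLESS_BASE_IMAGE=gcr.io/distroless/cc-debian12:latest@sha256:<digest>`, and bump it on purpose (CI can still override it with `--build-arg`), which also makes "rebuild to incorporate deb12uN" an explicit, reviewable change instead of a side effect of cache expiry. If the final stage does not set `USER` later in the file (that part is outside the hunk), the `gcr.io/distroless/cc-debian12:nonroot` variant is the cheaper way to get a non-root service.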
@@ -190,6 +198,11 @@ ARG CHIPSET_ARCH=aarch64-linux-gnu
 ARG TARGETARCH
 FROM base-${TARGETARCH}
+# Required for unoconverter
+COPY --from=gotenberg-binary-stage /usr/bin/python /usr/bin/python
+COPY --from=gotenberg-binary-stage /usr/lib/python3 /usr/lib/python3
+COPY --from=gotenberg-binary-stage /usr/lib/python3.11 /usr/lib/python3.11
+
 ENV PYTHONPATH="/usr/local/lib/python3.11/dist-packages:"
 # LibreOffice dependencies
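Review bot: The three `COPY --from=gotenberg-binary-stage` lines install a Debian-packaged interpreter without its dpkg record, so the "clean from CVE perspective" result the file header aims for is a scanner blind spot rather than a clean image: distroless tracks installed packages under `/var/lib/dpkg/status.d/`, nothing here writes a `python3.11` (or `libpython3.11-stdlib`) entry there, and future Python CVEs will simply not appear in scans of this image. Either write the matching package records into `/var/lib/dpkg/status.d/` from the builder's dpkg database (the builder stage is outside this hunk, so the exact package names cannot be confirmed here) or attach an SBOM at build time, and state the gap in the comment: `# Required for unoconverter. NOTE: copied from the build stage without a dpkg record, so image scanners will not report CVEs in it unless status.d entries are added.`. Also only `/usr/bin/python` is copied, not `/usr/bin/python3`/`python3.11`, and the extension modules under `/usr/lib/python3.11/lib-dynload` need shared libraries (zlib, expat, libffi, OpenSSL, sqlite) that `cc-debian12` does not ship, so unless the "LibreOffice dependencies" section after the hunk supplies them, a `python -c 'import ssl, zlib, sqlite3'` smoke test in the build would catch the break before deployment. The pre-existing `ENV PYTHONPATH="...:"` line keeps a trailing `:`, which yields an empty entry that CPython resolves to the process working directory; dropping the trailing colon avoids importing modules from wherever the service happens to run.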