fix security issue: "Arguments in long RUN instructions should be sor…

…ted" (#4402)

Signed-off-by: jiuyu <guotongyu.gty@alibaba-inc.com>
Co-authored-by: jiuyu <guotongyu.gty@alibaba-inc.com>

addons/dynamic-mount/base/Dockerfile

@@ -1,6 +1,7 @@
 FROM debian:bullseye@sha256:a165446a88794db4fec31e35e9441433f9552ae048fb1ed26df352d2b537cb96 as builder
 
-RUN apt update && apt install -y build-essential libfuse3-dev pkg-config git python3-pip
+RUN apt update && \
+    apt install -y build-essential git libfuse3-dev pkg-config python3-pip
 
 RUN pip install meson ninja
 
@@ -12,7 +13,10 @@ RUN cd libfuse/example && gcc -Wall passthrough.c `pkg-config fuse3 --cflags --l
 
 FROM debian:bullseye-slim@sha256:a165446a88794db4fec31e35e9441433f9552ae048fb1ed26df352d2b537cb96
 
-RUN apt update && apt install -y python3 fuse tini supervisor inotify-tools jq && rm -rf /var/cache/apt/* && ln -s /usr/bin/python3 /usr/local/bin/python
+RUN apt update && \
+    apt install -y fuse inotify-tools jq python3 supervisor tini && \
+    rm -rf /var/cache/apt/* && \
+    ln -s /usr/bin/python3 /usr/local/bin/python
 COPY inotify-fluid-config.ini /tmp/inotify-fluid-config.ini
 RUN cat /tmp/inotify-fluid-config.ini >> /etc/supervisor/supervisord.conf && rm /tmp/inotify-fluid-config.ini
 

addons/dynamic-mount/juicefs/docker/Dockerfile.juicefs

@@ -7,19 +7,31 @@ ARG TARGETARCH
 ENV JUICEFS_CLI=/usr/bin/juicefs
 ENV JFS_MOUNT_PATH=/usr/local/juicefs/mount/jfsmount
 
-RUN apt update && apt install -y software-properties-common wget gnupg gnupg2 && bash -c "if [[ '${TARGETARCH}' == amd64 ]]; then wget -O - https://download.gluster.org/pub/gluster/glusterfs/10/rsa.pub | apt-key add - && \
+RUN apt update && \
+    apt install -y gnupg gnupg2 software-properties-common wget && \
+    bash -c "if [[ '${TARGETARCH}' == amd64 ]]; then wget -O - https://download.gluster.org/pub/gluster/glusterfs/10/rsa.pub | apt-key add - && \
     echo deb [arch=${TARGETARCH}] https://download.gluster.org/pub/gluster/glusterfs/10/LATEST/Debian/buster/${TARGETARCH}/apt buster main > /etc/apt/sources.list.d/gluster.list && \
     apt-get update && apt-get install -y uuid-dev libglusterfs-dev glusterfs-common; fi"
 
-RUN apt-get update && apt-get install -y librados2 curl fuse procps iputils-ping strace iproute2 net-tools tcpdump lsof librados-dev libcephfs-dev librbd-dev && \
-    rm -rf /var/cache/apt/* && \
-    bash -c "curl -o ${JUICEFS_CLI} https://juicefs.com/static/juicefs.4.9 && \
-    chmod a+x ${JUICEFS_CLI} && mkdir -p /usr/local/juicefs/mount && curl -o ${JFS_MOUNT_PATH} https://juicefs.com/static/Linux/mount.4.9 && chmod a+x ${JFS_MOUNT_PATH};" && \
+RUN apt-get update && \
+    apt-get install -y curl fuse iproute2 iputils-ping librados2 librados-dev librbd-dev libcephfs-dev lsof net-tools procps strace tcpdump && \
+    rm -rf /var/cache/apt/*
+
+RUN bash -c "curl -o ${JUICEFS_CLI} https://juicefs.com/static/juicefs.4.9 && \
+    chmod a+x ${JUICEFS_CLI} && \
+    mkdir -p /usr/local/juicefs/mount && \
+    curl -o ${JFS_MOUNT_PATH} https://juicefs.com/static/Linux/mount.4.9 && \
+    chmod a+x ${JFS_MOUNT_PATH};" && \
     chmod +x ${JUICEFS_CLI} && \
-    mkdir -p /root/.juicefs && \
-    ln -s /usr/local/bin/python /usr/bin/python && \
-    mkdir /root/.acl && cp /etc/passwd /root/.acl/passwd && cp /etc/group /root/.acl/group && \
-    ln -sf /root/.acl/passwd /etc/passwd && ln -sf /root/.acl/group  /etc/group
+    mkdir -p /root/.juicefs
+
+RUN ln -s /usr/local/bin/python /usr/bin/python
+
+RUN mkdir /root/.acl && \
+    cp /etc/passwd /root/.acl/passwd && \
+    cp /etc/group /root/.acl/group && \
+    ln -sf /root/.acl/passwd /etc/passwd && \
+    ln -sf /root/.acl/group /etc/group
 
 RUN /usr/bin/juicefs version
 

addons/dynamic-mount/ossfs/docker/Dockerfile

@@ -2,7 +2,8 @@
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160 AS builder
 ENV OSSFS_VERSION 1.91.1
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/' /etc/apk/repositories
-RUN apk --update add fuse alpine-sdk automake autoconf libxml2-dev fuse-dev curl-dev pkgconf
+RUN apk update && \
+    apk add alpine-sdk automake autoconf curl-dev fuse fuse-dev libxml2-dev pkgconf
 RUN wget -qO- https://github.com/aliyun/ossfs/archive/v$OSSFS_VERSION.tar.gz |tar xz
 RUN cd ossfs-1.91.1 \
   && ./autogen.sh \
@@ -12,8 +13,9 @@ RUN cd ossfs-1.91.1 \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/' /etc/apk/repositories && \
-    apk --update add bash coreutils curl fuse inotify-tools libgcc libstdc++ libxml2 openssl python3 tini && \
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/' /etc/apk/repositories
+RUN apk update && \
+    apk add bash curl coreutils fuse inotify-tools libgcc libstdc++ libxml2 openssl python3 tini && \
     rm -rf /var/cache/apk/*
 ENV OSSFS_VERSION v1.91.1
 COPY --from=builder /usr/bin/ossfs /usr/bin/ossfs

addons/nfs/dev-guide/nfs-zh_CN.md

@@ -73,7 +73,7 @@ sleep inf
 # Build environment
 FROM ubuntu:jammy as BUILD
 RUN apt update && \
-    apt install --yes libfuse-dev libnfs13 libnfs-dev libtool m4 automake libnfs-dev xsltproc make libtool
+    apt install --yes automake libfuse-dev libnfs-dev libnfs-dev libnfs13 libtool libtool m4 make xsltproc
 
 
 COPY ./fuse-nfs-master /src
@@ -85,7 +85,7 @@ RUN ./setup.sh && \
 # Production image
 FROM ubuntu:jammy
 RUN apt update && \
-    apt install --yes libnfs13 libfuse2 fuse python3 bash && \
+    apt install --yes bash fuse libfuse2 libnfs13 python3 && \
     apt clean autoclean && \
     apt autoremove --yes && \
     rm -rf /var/lib/{apt,dpkg,cache,log}/

addons/nfs/dev-guide/nfs.md

@@ -76,7 +76,7 @@ Package parameter resolution scripts, mount scripts, and related libraries into
 # Build environment
 FROM ubuntu:jammy as BUILD
 RUN apt update && \
-    apt install --yes libfuse-dev libnfs13 libnfs-dev libtool m4 automake libnfs-dev xsltproc make libtool
+    apt install --yes automake libfuse-dev libnfs-dev libnfs-dev libnfs13 libtool libtool m4 make xsltproc
 
 
 COPY ./fuse-nfs-master /src
@@ -88,7 +88,7 @@ RUN ./setup.sh && \
 # Production image
 FROM ubuntu:jammy
 RUN apt update && \
-    apt install --yes libnfs13 libfuse2 fuse python3 bash && \
+    apt install --yes bash fuse libfuse2 libnfs13 python3 && \
     apt clean autoclean && \
     apt autoremove --yes && \
     rm -rf /var/lib/{apt,dpkg,cache,log}/

addons/nfs/docker/Dockerfile

@@ -1,7 +1,7 @@
 # Build environment
 FROM ubuntu:jammy as BUILD
 RUN apt update && \
-    apt install --yes libfuse-dev libnfs13 libnfs-dev libtool m4 automake libnfs-dev xsltproc make libtool
+    apt install --yes automake libfuse-dev libnfs-dev libnfs-dev libnfs13 libtool libtool m4 make xsltproc
 
 
 COPY ./fuse-nfs-master /src
@@ -13,7 +13,7 @@ RUN ./setup.sh && \
 # Production image
 FROM ubuntu:jammy
 RUN apt update && \
-    apt install --yes libnfs13 libfuse2 fuse python3 bash && \
+    apt install --yes bash fuse libfuse2 libnfs13 python3 && \
     apt clean autoclean && \
     apt autoremove --yes && \
     rm -rf /var/lib/{apt,dpkg,cache,log}/

docker/Dockerfile.alluxioruntime

@@ -10,7 +10,7 @@ RUN make alluxioruntime-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.application

@@ -13,7 +13,7 @@ RUN make application-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.crds

@@ -4,7 +4,7 @@ FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5
 COPY ./charts/fluid/fluid/crds /fluid/crds
 COPY ./tools/crd-upgrade/upgrade-crds.sh /fluid/upgrade-crds.sh
 
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.csi

@@ -20,7 +20,7 @@ RUN make csi-build && \
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.dataset

@@ -13,7 +13,7 @@ RUN make dataset-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.efcruntime

@@ -13,7 +13,7 @@ RUN make efcruntime-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.goosefsruntime

@@ -13,7 +13,7 @@ RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.2
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.jindoruntime

@@ -10,7 +10,7 @@ RUN make jindoruntime-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.juicefsruntime

@@ -13,7 +13,7 @@ RUN make juicefsruntime-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.thinruntime

@@ -13,7 +13,7 @@ RUN make thinruntime-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.vineyardruntime

@@ -10,7 +10,7 @@ RUN make vineyardruntime-controller-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
  	rm -rf /var/cache/apk/* && \
  	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
  	echo "Asia/Shanghai" >  /etc/timezone

docker/Dockerfile.webhook

@@ -13,7 +13,7 @@ RUN make webhook-build && \
 
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim &&  \
 	rm -rf /var/cache/apk/* && \
 	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 	echo "Asia/Shanghai" >  /etc/timezone