From fdc1508198a9b4257989eb872c8bfd88f8b1d55e Mon Sep 17 00:00:00 2001
From: Syspretor <32930733+Syspretor@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:18:25 +0800
Subject: [PATCH] fix security issue: "Arguments in long RUN instructions should be sorted" (#4402)
Signed-off-by: jiuyu
Co-authored-by: jiuyu
---
 addons/dynamic-mount/base/Dockerfile | 8 +++--
 .../juicefs/docker/Dockerfile.juicefs | 30 +++++++++++++------
 addons/dynamic-mount/ossfs/docker/Dockerfile | 8 +++--
 addons/nfs/dev-guide/nfs-zh_CN.md | 4 +-
 addons/nfs/dev-guide/nfs.md | 4 +-
 addons/nfs/docker/Dockerfile | 4 +-
 docker/Dockerfile.alluxioruntime | 2 +-
 docker/Dockerfile.application | 2 +-
 docker/Dockerfile.crds | 2 +-
 docker/Dockerfile.csi | 2 +-
 docker/Dockerfile.dataset | 2 +-
 docker/Dockerfile.efcruntime | 2 +-
 docker/Dockerfile.goosefsruntime | 2 +-
 docker/Dockerfile.jindoruntime | 2 +-
 docker/Dockerfile.juicefsruntime | 2 +-
 docker/Dockerfile.thinruntime | 2 +-
 docker/Dockerfile.vineyardruntime | 2 +-
 docker/Dockerfile.webhook | 2 +-
 18 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/addons/dynamic-mount/base/Dockerfile b/addons/dynamic-mount/base/Dockerfile
index 49be4cdd10d..fd94bc0c6e2 100644
--- a/addons/dynamic-mount/base/Dockerfile
+++ b/addons/dynamic-mount/base/Dockerfile
@@ -1,6 +1,7 @@
 FROM debian:bullseye@sha256:a165446a88794db4fec31e35e9441433f9552ae048fb1ed26df352d2b537cb96 as builder
-RUN apt update && apt install -y build-essential libfuse3-dev pkg-config git python3-pip
+RUN apt update && \
+ apt install -y build-essential git libfuse3-dev pkg-config python3-pip
 RUN pip install meson ninja
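Review bot: The reflowed `RUN` on the new side still drives `apt` rather than `apt-get`; `apt` warns that it has no stable CLI interface and is meant for interactive use, and the install also pulls in recommended packages the build never asked for. Since the commit is already rewriting this instruction, the two new lines could become `RUN apt-get update && \` and `    apt-get install -y --no-install-recommends build-essential git libfuse3-dev pkg-config python3-pip`. The same `apt update`/`apt install` pair is rewritten in the next hunk of this file and in the first `RUN` of Dockerfile.juicefs, and would take the same change. The unpinned `pip install meson ninja` directly below is unchanged context, so the build stage's toolchain version still floats from build to build.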
@@ -12,7 +13,10 @@ RUN cd libfuse/example && gcc -Wall passthrough.c `pkg-config fuse3 --cflags --l
 FROM debian:bullseye-slim@sha256:a165446a88794db4fec31e35e9441433f9552ae048fb1ed26df352d2b537cb96
-RUN apt update && apt install -y python3 fuse tini supervisor inotify-tools jq && rm -rf /var/cache/apt/* && ln -s /usr/bin/python3 /usr/local/bin/python
+RUN apt update && \
+ apt install -y fuse inotify-tools jq python3 supervisor tini && \
+ rm -rf /var/cache/apt/* && \
+ ln -s /usr/bin/python3 /usr/local/bin/python
 COPY inotify-fluid-config.ini /tmp/inotify-fluid-config.ini
 RUN cat /tmp/inotify-fluid-config.ini >> /etc/supervisor/supervisord.conf && rm /tmp/inotify-fluid-config.ini
diff --git a/addons/dynamic-mount/juicefs/docker/Dockerfile.juicefs b/addons/dynamic-mount/juicefs/docker/Dockerfile.juicefs
index b822756fd98..48a77895c2c 100644
--- a/addons/dynamic-mount/juicefs/docker/Dockerfile.juicefs
+++ b/addons/dynamic-mount/juicefs/docker/Dockerfile.juicefs
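Review bot: The cleanup line `+ rm -rf /var/cache/apt/* && \` in the rewritten runtime-stage `RUN` does not remove the package index that `apt update` writes under `/var/lib/apt/lists/`, so that index is committed into the final layer of this image; the usual form is `rm -rf /var/lib/apt/lists/*` in the same instruction. The second `RUN` of Dockerfile.juicefs in the next file uses the same `/var/cache/apt/*` target and has the same gap. Adding `--no-install-recommends` to this `apt install` would also keep `supervisor` and `python3` from dragging optional packages into the runtime image.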
@@ -7,19 +7,31 @@ ARG TARGETARCH
 ENV JUICEFS_CLI=/usr/bin/juicefs
 ENV JFS_MOUNT_PATH=/usr/local/juicefs/mount/jfsmount
-RUN apt update && apt install -y software-properties-common wget gnupg gnupg2 && bash -c "if [[ '${TARGETARCH}' == amd64 ]]; then wget -O - https://download.gluster.org/pub/gluster/glusterfs/10/rsa.pub | apt-key add - && \
+RUN apt update && \
+ apt install -y gnupg gnupg2 software-properties-common wget && \
+ bash -c "if [[ '${TARGETARCH}' == amd64 ]]; then wget -O - https://download.gluster.org/pub/gluster/glusterfs/10/rsa.pub | apt-key add - && \
 echo deb [arch=${TARGETARCH}] https://download.gluster.org/pub/gluster/glusterfs/10/LATEST/Debian/buster/${TARGETARCH}/apt buster main > /etc/apt/sources.list.d/gluster.list && \
 apt-get update && apt-get install -y uuid-dev libglusterfs-dev glusterfs-common; fi"
-RUN apt-get update && apt-get install -y librados2 curl fuse procps iputils-ping strace iproute2 net-tools tcpdump lsof librados-dev libcephfs-dev librbd-dev && \
- rm -rf /var/cache/apt/* && \
- bash -c "curl -o ${JUICEFS_CLI} https://juicefs.com/static/juicefs.4.9 && \
- chmod a+x ${JUICEFS_CLI} && mkdir -p /usr/local/juicefs/mount && curl -o ${JFS_MOUNT_PATH} https://juicefs.com/static/Linux/mount.4.9 && chmod a+x ${JFS_MOUNT_PATH};" && \
+RUN apt-get update && \
+ apt-get install -y curl fuse iproute2 iputils-ping librados2 librados-dev librbd-dev libcephfs-dev lsof net-tools procps strace tcpdump && \
+ rm -rf /var/cache/apt/*
+
+RUN bash -c "curl -o ${JUICEFS_CLI} https://juicefs.com/static/juicefs.4.9 && \
+ chmod a+x ${JUICEFS_CLI} && \
+ mkdir -p /usr/local/juicefs/mount && \
+ curl -o ${JFS_MOUNT_PATH} https://juicefs.com/static/Linux/mount.4.9 && \
+ chmod a+x ${JFS_MOUNT_PATH};" && \
 chmod +x ${JUICEFS_CLI} && \
- mkdir -p /root/.juicefs && \
- ln -s /usr/local/bin/python /usr/bin/python && \
- mkdir /root/.acl && cp /etc/passwd /root/.acl/passwd && cp /etc/group /root/.acl/group && \
- ln -sf /root/.acl/passwd /etc/passwd && ln -sf /root/.acl/group /etc/group
+ mkdir -p /root/.juicefs
+
+RUN ln -s /usr/local/bin/python /usr/bin/python
+
+RUN mkdir /root/.acl && \
+ cp /etc/passwd /root/.acl/passwd && \
+ cp /etc/group /root/.acl/group && \
+ ln -sf /root/.acl/passwd /etc/passwd && \
+ ln -sf /root/.acl/group /etc/group
 RUN /usr/bin/juicefs version
diff --git a/addons/dynamic-mount/ossfs/docker/Dockerfile b/addons/dynamic-mount/ossfs/docker/Dockerfile
index 32ca1cfb28d..5f494d28239 100644
--- a/addons/dynamic-mount/ossfs/docker/Dockerfile
+++ b/addons/dynamic-mount/ossfs/docker/Dockerfile
@@ -2,7 +2,8 @@ FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160 AS builder
 ENV OSSFS_VERSION 1.91.1
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/' /etc/apk/repositories
-RUN apk --update add fuse alpine-sdk automake autoconf libxml2-dev fuse-dev curl-dev pkgconf
+RUN apk update && \
+ apk add alpine-sdk automake autoconf curl-dev fuse fuse-dev libxml2-dev pkgconf
 RUN wget -qO- https://github.com/aliyun/ossfs/archive/v$OSSFS_VERSION.tar.gz |tar xz
 RUN cd ossfs-1.91.1 \
 && ./autogen.sh \
@@ -12,8 +13,9 @@ RUN cd ossfs-1.91.1 \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/' /etc/apk/repositories && \
- apk --update add bash coreutils curl fuse inotify-tools libgcc libstdc++ libxml2 openssl python3 tini && \
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/' /etc/apk/repositories
+RUN apk update && \
+ apk add bash curl coreutils fuse inotify-tools libgcc libstdc++ libxml2 openssl python3 tini && \
 rm -rf /var/cache/apk/*
 ENV OSSFS_VERSION v1.91.1
 COPY --from=builder /usr/bin/ossfs /usr/bin/ossfs
diff --git a/addons/nfs/dev-guide/nfs-zh_CN.md b/addons/nfs/dev-guide/nfs-zh_CN.md
index e0c66bab57b..c68f24194fa 100644
--- a/addons/nfs/dev-guide/nfs-zh_CN.md
+++ b/addons/nfs/dev-guide/nfs-zh_CN.md
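Review bot: The `curl -o ${JUICEFS_CLI} https://juicefs.com/static/juicefs.4.9` and `curl -o ${JFS_MOUNT_PATH} https://juicefs.com/static/Linux/mount.4.9` lines that the commit moves into the new standalone `RUN bash -c` fetch executables with neither `-f` nor a checksum, so an HTTP error body would be written to disk, made executable by the following `chmod a+x`, and noticed at best by the later `RUN /usr/bin/juicefs version`, while any change to the upstream file silently changes what ships in the image. Use `curl -fsSL -o ${JUICEFS_CLI} ...` for both downloads and verify each against a pinned digest before the chmod, e.g. `echo "<expected-sha256>  ${JUICEFS_CLI}" | sha256sum -c -` (placeholder digest). The `wget -O - ... | apt-key add -` in the first rewritten `RUN` has the same unverified-fetch shape, runs without `pipefail` so a failed download is masked, and `apt-key` is deprecated in current Debian/Ubuntu releases; a keyring file under `/etc/apt/trusted.gpg.d/` plus `signed-by=` in the gluster sources entry is the replacement. Separately, the new `apt-get install` list is not actually sorted (`libcephfs-dev` belongs before `librados2`), and its `rm -rf /var/cache/apt/*` leaves `/var/lib/apt/lists/*` in the layer.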
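Review bot: The new `apk add` argument list in the builder stage is not sorted — `automake autoconf` should read `autoconf automake` — which is the one thing this commit sets out to fix, and the second hunk of this file repeats the slip with `curl coreutils` (should be `coreutils curl`). Splitting `apk --update add` into `apk update && apk add` also leaves the fetched package index under `/var/cache/apk` in the builder layer; `apk add --no-cache <packages>` fetches, installs and leaves nothing behind in one step, and in the final stage it would make the trailing `rm -rf /var/cache/apk/*` unnecessary. Package versions remain unpinned in both lists, so even with the digest-pinned base the installed set can drift between builds.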
@@ -73,7 +73,7 @@ sleep inf
 # Build environment
 FROM ubuntu:jammy as BUILD
 RUN apt update && \
- apt install --yes libfuse-dev libnfs13 libnfs-dev libtool m4 automake libnfs-dev xsltproc make libtool
+ apt install --yes automake libfuse-dev libnfs-dev libnfs-dev libnfs13 libtool libtool m4 make xsltproc
 COPY ./fuse-nfs-master /src
@@ -85,7 +85,7 @@ RUN ./setup.sh && \
 # Production image
 FROM ubuntu:jammy
 RUN apt update && \
- apt install --yes libnfs13 libfuse2 fuse python3 bash && \
+ apt install --yes bash fuse libfuse2 libnfs13 python3 && \
 apt clean autoclean && \
 apt autoremove --yes && \
 rm -rf /var/lib/{apt,dpkg,cache,log}/
diff --git a/addons/nfs/dev-guide/nfs.md b/addons/nfs/dev-guide/nfs.md
index 9dcb006054b..28c1f096af2 100644
--- a/addons/nfs/dev-guide/nfs.md
+++ b/addons/nfs/dev-guide/nfs.md
@@ -76,7 +76,7 @@ Package parameter resolution scripts, mount scripts, and related libraries into
 # Build environment
 FROM ubuntu:jammy as BUILD
 RUN apt update && \
- apt install --yes libfuse-dev libnfs13 libnfs-dev libtool m4 automake libnfs-dev xsltproc make libtool
+ apt install --yes automake libfuse-dev libnfs-dev libnfs-dev libnfs13 libtool libtool m4 make xsltproc
 COPY ./fuse-nfs-master /src
@@ -88,7 +88,7 @@ RUN ./setup.sh && \
 # Production image
 FROM ubuntu:jammy
 RUN apt update && \
- apt install --yes libnfs13 libfuse2 fuse python3 bash && \
+ apt install --yes bash fuse libfuse2 libnfs13 python3 && \
 apt clean autoclean && \
 apt autoremove --yes && \
 rm -rf /var/lib/{apt,dpkg,cache,log}/
diff --git a/addons/nfs/docker/Dockerfile b/addons/nfs/docker/Dockerfile
index d27a756f051..6a0d701980c 100644
--- a/addons/nfs/docker/Dockerfile
+++ b/addons/nfs/docker/Dockerfile
@@ -1,7 +1,7 @@
 # Build environment
 FROM ubuntu:jammy as BUILD
 RUN apt update && \
- apt install --yes libfuse-dev libnfs13 libnfs-dev libtool m4 automake libnfs-dev xsltproc make libtool
+ apt install --yes automake libfuse-dev libnfs-dev libnfs-dev libnfs13 libtool libtool m4 make xsltproc
 COPY ./fuse-nfs-master /src
@@ -13,7 +13,7 @@ RUN ./setup.sh && \
 # Production image
 FROM ubuntu:jammy
 RUN apt update && \
- apt install --yes libnfs13 libfuse2 fuse python3 bash && \
+ apt install --yes bash fuse libfuse2 libnfs13 python3 && \
 apt clean autoclean && \
 apt autoremove --yes && \
 rm -rf /var/lib/{apt,dpkg,cache,log}/
diff --git a/docker/Dockerfile.alluxioruntime b/docker/Dockerfile.alluxioruntime
index 4b2f9efc2d3..7c623782216 100644
--- a/docker/Dockerfile.alluxioruntime
+++ b/docker/Dockerfile.alluxioruntime
@@ -10,7 +10,7 @@ RUN make alluxioruntime-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.application b/docker/Dockerfile.application
index 745d7d1509e..a59e2cc1289 100644
--- a/docker/Dockerfile.application
+++ b/docker/Dockerfile.application
@@ -13,7 +13,7 @@ RUN make application-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.crds b/docker/Dockerfile.crds
index b6a4e32783f..fc966784fe0 100644
--- a/docker/Dockerfile.crds
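Review bot: The sorted package list on the new side of the build-stage hunk carries two duplicates that the sort made adjacent, `libnfs-dev libnfs-dev` and `libtool libtool`; apt tolerates repeated names, but the line now reads as a copy-paste error and should be `apt install --yes automake libfuse-dev libnfs-dev libnfs13 libtool m4 make xsltproc`. The same duplicated list is pasted into addons/nfs/dev-guide/nfs.md and nfs-zh_CN.md in this commit, so those snippets need the same dedup to stay in sync with this Dockerfile.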
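Review bot: In the production-image hunk the unchanged cleanup line `rm -rf /var/lib/{apt,dpkg,cache,log}/` under the rewritten `apt install` runs through the default `/bin/sh -c`, which on ubuntu:jammy is dash and does no brace expansion, so it removes a literal non-existent path and cleans nothing — unless a `SHELL` directive outside the hunk changes the shell, in which case the expansion would delete `/var/lib/dpkg` and break the package database in the final image. Replace it with `rm -rf /var/lib/apt/lists/*` in the same `RUN`. No `USER` is visible in this hunk; the rest of the production stage is outside it, so whether the mount image ends up running as root is decided there.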
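Review bot: The reordered `apk add --update bash curl iproute2 libc6-compat tzdata vim` in Dockerfile.alluxioruntime keeps `vim` in the final controller image, a debugging tool that only adds binaries and CVE surface to a production image; drop it, reconsider `curl` and `iproute2` unless something at runtime uses them, and write the step as `apk add --no-cache ...`, which makes the following `rm -rf /var/cache/apk/*` unnecessary. The packages are also unpinned, so the digest-pinned base does not by itself make the image reproducible. No `USER` directive is visible in the hunk; the end of the stage is outside it. The identical `RUN` is rewritten in Dockerfile.application, .crds, .csi, .dataset, .efcruntime, .goosefsruntime, .jindoruntime, .juicefsruntime, .thinruntime, .vineyardruntime and .webhook, and each of those needs the same change.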
+++ b/docker/Dockerfile.crds
@@ -4,7 +4,7 @@ FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5
 COPY ./charts/fluid/fluid/crds /fluid/crds
 COPY ./tools/crd-upgrade/upgrade-crds.sh /fluid/upgrade-crds.sh
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.csi b/docker/Dockerfile.csi
index b53cc605655..776f06b40d3 100644
--- a/docker/Dockerfile.csi
+++ b/docker/Dockerfile.csi
@@ -20,7 +20,7 @@ RUN make csi-build && \
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.dataset b/docker/Dockerfile.dataset
index 338715e4bb7..012d6d41152 100644
--- a/docker/Dockerfile.dataset
+++ b/docker/Dockerfile.dataset
@@ -13,7 +13,7 @@ RUN make dataset-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.efcruntime b/docker/Dockerfile.efcruntime
index 2618ce71d24..38c6e79d426 100644
--- a/docker/Dockerfile.efcruntime
+++ b/docker/Dockerfile.efcruntime
@@ -13,7 +13,7 @@ RUN make efcruntime-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.goosefsruntime b/docker/Dockerfile.goosefsruntime
index 0079a4cee71..51c62cb15ef 100644
--- a/docker/Dockerfile.goosefsruntime
+++ b/docker/Dockerfile.goosefsruntime
@@ -13,7 +13,7 @@ RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.2
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.jindoruntime b/docker/Dockerfile.jindoruntime
index dea9245609a..a9fbaad18ed 100644
--- a/docker/Dockerfile.jindoruntime
+++ b/docker/Dockerfile.jindoruntime
@@ -10,7 +10,7 @@ RUN make jindoruntime-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.juicefsruntime b/docker/Dockerfile.juicefsruntime
index b7ee101898e..b2bdf41602f 100644
--- a/docker/Dockerfile.juicefsruntime
+++ b/docker/Dockerfile.juicefsruntime
@@ -13,7 +13,7 @@ RUN make juicefsruntime-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.thinruntime b/docker/Dockerfile.thinruntime
index af3219d4a0e..8e768c3a736 100644
--- a/docker/Dockerfile.thinruntime
+++ b/docker/Dockerfile.thinruntime
@@ -13,7 +13,7 @@ RUN make thinruntime-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.vineyardruntime b/docker/Dockerfile.vineyardruntime
index e259bcee30e..b8f0ba3485a 100644
--- a/docker/Dockerfile.vineyardruntime
+++ b/docker/Dockerfile.vineyardruntime
@@ -10,7 +10,7 @@ RUN make vineyardruntime-controller-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone
diff --git a/docker/Dockerfile.webhook b/docker/Dockerfile.webhook
index 5dad4940eab..9d8e4045267 100644
--- a/docker/Dockerfile.webhook
+++ b/docker/Dockerfile.webhook
@@ -13,7 +13,7 @@ RUN make webhook-build && \
 # alpine:3.18
 FROM alpine@sha256:11e21d7b981a59554b3f822c49f6e9f57b6068bb74f49c4cd5cc4c663c7e5160
-RUN apk add --update curl tzdata iproute2 bash libc6-compat vim && \
+RUN apk add --update bash curl iproute2 libc6-compat tzdata vim && \
 rm -rf /var/cache/apk/* && \
 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone