OpenHands

feature - Build alternate ubuntu images

Open raymyers opened this issue 8 months ago • 1 comments

  • [ ] This change is worth documenting at https://docs.all-hands.dev/
  • [X] Include this change in the Release Notes. If checked, you must provide an end-user friendly description for your change below

End-user friendly description of the problem this fixes or functionality that this introduces.

Add a new docker image option based on Ubuntu


Give a summary of what the PR does, explaining any non-trivial design decisions.

We are trying to reduce the vulnerabilities found in image scans using SCA tools like trivy. Unfortunately, the current Debian Stable (Bookworm), which our nikolaik base image uses, has vulnerabilities with no patches available showing up.

This PR introduces Ubuntu 24.04 to address this but retains the existing nikolaik build as the default.

For reference, here is the nikolaik dockerfile template: https://github.com/nikolaik/docker-python-nodejs/blob/main/templates/debian.Dockerfile

Other changes

Removing the apt-get upgrade (which is done by upstream images regularly)

Adding another cache dir to the CI config.

Removing several extensions dirs from the openvscode-server install because they show up as false positives (extension version is confused for npm package of the same name). These are handlebars, pug, json, diff, grunt, ini, npm.

Docker template logic

Since the Ubuntu base image does not have python and node installed by default, there are commands added to install them. Right now these activate when base_image contains "ubuntu", but perhaps people might try to configure a custom image with that in the name. Should we introduce another flag to toggle this? I'm not sure what the interface should be, maybe this is ok for now.


Link of any specific issues this addresses.


To run this PR locally, use the following command:

docker run -it --rm   -p 3000:3000   -v /var/run/docker.sock:/var/run/docker.sock   --add-host host.docker.internal:host-gateway   -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:78509e5-ubuntu   --name openhands-app-78509e5   docker.all-hands.dev/all-hands-ai/openhands:78509e5

raymyers avatar Apr 03 '25 17:04 raymyers
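The "Docker template logic" question above, as an added example that is not part of the PR or of OpenHands: it compares the substring rule the description mentions with one possible stricter rule that parses the image reference and accepts only Docker Hub's official `ubuntu` repository. The function names and the sample image references are hypothetical and constructed for illustration.

```python
# Added illustration; function names are hypothetical, not OpenHands code.

def contains_ubuntu(base_image: str) -> bool:
    """The substring rule described in the PR text."""
    return "ubuntu" in base_image

def split_reference(ref: str) -> tuple[str, str, str]:
    """Split a Docker image reference into (registry, repository, tag)."""
    ref = ref.split("@", 1)[0]  # drop any @sha256:... digest
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host
    # (has '.' or ':' or is 'localhost'); otherwise it is a namespace.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "", ref
    repo, sep, tag = path.rpartition(":")
    if not sep:  # no tag given
        repo, tag = path, "latest"
    return registry, repo, tag

def is_official_ubuntu(base_image: str) -> bool:
    """Stricter rule (an assumption): only Docker Hub's official ubuntu repo."""
    registry, repo, _ = split_reference(base_image.strip())
    return registry in ("", "docker.io") and repo in ("ubuntu", "library/ubuntu")

# Constructed sample references, not taken from the PR.
SAMPLES = [
    "ubuntu:24.04",
    "docker.io/library/ubuntu:24.04",
    "nikolaik/python-nodejs:latest",
    "registry.example.com/team/ubuntu-based-app:1.2",  # "ubuntu" in repo name
    "ubuntu.example.com/tools/alpine:3",               # "ubuntu" in registry host
    "localhost:5000/ubuntu",                           # private mirror
]

def disagreements(images: list[str]) -> list[str]:
    """References where the two rules give different answers."""
    return [i for i in images if contains_ubuntu(i) != is_official_ubuntu(i)]

if __name__ == "__main__":
    for image in SAMPLES:
        print(f"{image:50} substring={contains_ubuntu(image)!s:5} "
              f"strict={is_official_ubuntu(image)}")
```

The strict rule deliberately rejects private mirrors and derived images, which is the case an explicit flag would cover.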

I'll have to troubleshoot the runtime test failures, looks like

raymyers avatar Apr 03 '25 23:04 raymyers

How does the ubuntu image compare in size with the nikolaik one?

@tofarr It does slightly better, probably because Bookworm's stock image starts out larger than Ubuntu's, but most of the space we add ourselves.

runtime:78509e5-nikolaik - 10.5 gb
runtime:78509e5-ubuntu - 9.86 gb

tofarr avatar Apr 04 '25 14:04 tofarr