docker-selenium
Upgrade Docker base image Ubuntu 22 -> Ubuntu 24
User description
Description
Upgrade from Ubuntu 22 LTS to Ubuntu 24 LTS. See #2251
Motivation and Context
A newer base OS comes with security patches and newer software, e.g. Python 3.12 instead of 3.10.
Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
Checklist
- [x] I have read the contributing document.
- [ ] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] I have added tests to cover my changes.
- [x] All new and existing tests passed.
PR Type
Enhancement
Description
- Upgraded the Docker base image in `Base/Dockerfile` from Ubuntu 22 (jammy) to Ubuntu 24 (noble).
- Updated APT sources in both `Base/Dockerfile` and `Video/Dockerfile` to use the new Ubuntu 24 (noble) repositories.
PR Description updated to latest commit (https://github.com/SeleniumHQ/docker-selenium/commit/5227639293c21b7ad86e44fd48465da4df0528ae)
PR Review 🔍
- ⏱️ Estimated effort to review [1-5]: 2, because the changes are straightforward, involving only updates to the base image and APT sources in Dockerfiles. The modifications are limited to version strings and do not involve complex logic or algorithms.
- 🧪 Relevant tests: No
- ⚡ Possible issues: Compatibility Issues: Upgrading the base image and APT sources might introduce compatibility issues with existing software or dependencies that are not yet fully supported or tested with Ubuntu 24. It's crucial to ensure that all components work as expected in the new environment.
- 🔒 Security concerns: No
PR Code Suggestions ✨
Category: Enhancement
- ✅ Add source package repositories to the Dockerfile.
  Suggestion Impact: The suggestion to enhance Dockerfile compatibility with multiple architectures was implemented. The condition to check the architecture using `dpkg --print-architecture` was added.
  Consider adding the
- ✅ Enhance Dockerfile compatibility with multiple architectures.
  Suggestion Impact: The commit added a conditional statement to check the architecture using `dpkg --print-architecture` and applied different configurations based on the architecture, which aligns with the suggestion to enhance compatibility with multiple architectures.
  To ensure that the Docker image can be built on architectures other than amd64, consider
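As an added example (not code from the docker-selenium repository), the following POSIX shell functions emit the deb822 `ubuntu.sources` stanza that Ubuntu 24.04 (noble) uses, choosing the archive or ports mirror from `dpkg --print-architecture` as the suggestion above describes, and always including the `-security` pocket so the image keeps receiving the fixes discussed later in this thread. The mirror URLs and keyring path are the stock Ubuntu defaults, assumed here.

```shell
#!/bin/sh
# Added example, not from the docker-selenium repo. Generates the deb822
# APT sources body for a given Ubuntu codename and dpkg architecture.
# Assumed: stock Ubuntu mirrors and the stock archive keyring path.

# amd64 and i386 are served by archive.ubuntu.com / security.ubuntu.com;
# every other architecture (arm64, armhf, ppc64el, s390x, riscv64) is
# served from ports.ubuntu.com for both regular and security pockets.
apt_mirror() {
  case "$1" in
    amd64|i386) echo "http://archive.ubuntu.com/ubuntu/" ;;
    *)          echo "http://ports.ubuntu.com/ubuntu-ports/" ;;
  esac
}

apt_security_mirror() {
  case "$1" in
    amd64|i386) echo "http://security.ubuntu.com/ubuntu/" ;;
    *)          echo "http://ports.ubuntu.com/ubuntu-ports/" ;;
  esac
}

# gen_apt_sources <codename> [<arch>]
# arch defaults to the build host's, as a Dockerfile RUN step would.
gen_apt_sources() {
  codename="$1"
  arch="${2:-$(dpkg --print-architecture 2>/dev/null || echo amd64)}"
  keyring="/usr/share/keyrings/ubuntu-archive-keyring.gpg"
  cat <<EOF
Types: deb
URIs: $(apt_mirror "$arch")
Suites: ${codename} ${codename}-updates ${codename}-backports
Components: main universe restricted multiverse
Signed-By: ${keyring}

Types: deb
URIs: $(apt_security_mirror "$arch")
Suites: ${codename}-security
Components: main universe restricted multiverse
Signed-By: ${keyring}
EOF
}

# Guard for a build step: without the security pocket the image silently
# stops receiving patched packages on apt-get upgrade.
has_security_pocket() {
  gen_apt_sources "$1" "$2" | grep -q "^Suites: $1-security\$"
}
```

In a Dockerfile this would be `RUN gen_apt_sources noble > /etc/apt/sources.list.d/ubuntu.sources` followed by `apt-get update`.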
I feel it’s too early to start using Ubuntu 24.04. In my opinion we should let the new version settle down, as there are typically teething issues in the first year of a new release.
Several failures in the build. What is your motivation to move to Ubuntu 24, @StegSchreck? @amardeep2006 makes a good point.
I guess the failure will be solved when he reverts the changes in `Video/Dockerfile`, since this image is reused from another project, and they did not move to 24.04.
I think we can follow some popular open-source projects; once they drop the change, we also release.
The failures are all caused by the configuration of `Video/Dockerfile`, because it is trying to install things via pip that are independently installed via the OS package manager. I thought this image was based on `Base/Dockerfile` though, therefore I aligned it with the same changes. The overall dependencies between all the docker images in this repo might have confused me. I will revert this change.
Regarding the motivation: this docker image is two years behind now. I want to use modern Python 3.12 in my code, which is using standalone-firefox as base. Ubuntu 22 only comes with Python 3.10. I have considered other ways of achieving the same effect, but updating the base image is the straightforward way. Additionally, all users would profit from more up-to-date software, including security fixes on top of the new features I mentioned before.
I was surprised to find out that 24.04 was released one month ago.
A wide range of users uses these images, and I do not feel comfortable forcing them now to use the new Ubuntu version.
I prefer to wait and then migrate.
@StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item
Done.
It looks like your commit without email or the email in the commit author doesn't match with CLA input. Can you take some time to check?
I have re-signed the CLA with my second e-mail address.
@diemol and @team Ubuntu 22 has some high-level CVEs (security vulnerabilities). We will very soon be blocked by our organization, United Health Group, from using this selenium helm chart if it does not extend the Ubuntu 24 image.
@skycanine Can you please share the scan report and the docker image tags that were scanned? Ubuntu 22 LTS is supported till 01 Apr 2027, so it should get all the security updates. I do not think Canonical will selectively send updates to Ubuntu 24 and miss out on 22.
The trick is to keep updating the base image, which this project does with the help of the Renovate bot. The Dockerfile also has `apt-get update` and `apt-get upgrade` commands to auto-patch the vulnerable packages.
Older images built some time back may have the vulnerable packages, but the newer builds should automatically be patched.
@amardeep2006
@amardeep2006 Second page:
"Ubuntu 22 LTS is supported till 01 Apr 2027 so it should get all the security updates." - I think I may have checked on this myself and found there was no fix when I last checked.
The vulnerability still exists in "docker.repo1.uhc.com/selenium/node-chrome:4.21.0-20240522"; the screen shot above shows a slightly older image.
https://ubuntu.com/security/CVE-2016-1585
Looks like CVE-2016-1585 didn't come from the base OS 22.04 image, since it is not present in the list https://hub.docker.com/layers/library/ubuntu/jammy/images/sha256-2af372c1e2645779643284c7dc38775e3dbbc417b2d784a27c5a9eb784014fb8?context=explore When looking into the layers, it appears in the "install noVNC" step, so I think we should wait until the dependency has a fix for it.
I looked at https://bugs.launchpad.net/apparmor/+bug/1597017 and it seems some backport is in (slow) progress for Jammy.
I intend to configure the next release to publish both Jammy and Noble. For the main tags convention, it will use Noble, and Jammy will be tagged as `jammy-latest`. What do you think of this approach?