
[build][FedRAMP]Update docker-base-bullseye to build from python:3.9-slim-bullseye

Open baxia-lan opened this issue 1 year ago • 6 comments

Why I did it

python3=3.9.2-3 version in bullseye release has CVEs filed:

  • CVE-2023-24535 (https://security-tracker.debian.org/tracker/CVE-2023-24535)
  • CVE-2023-27043 (https://security-tracker.debian.org/tracker/CVE-2023-27043)
  • CVE-2023-40217 (https://security-tracker.debian.org/tracker/CVE-2023-40217)
  • CVE-2015-20107 (https://security-tracker.debian.org/tracker/CVE-2015-20107)
  • CVE-2020-10735 (https://security-tracker.debian.org/tracker/CVE-2020-10735)
  • CVE-2020-27619 (https://security-tracker.debian.org/tracker/CVE-2020-27619)
  • CVE-2021-28861 (https://security-tracker.debian.org/tracker/CVE-2021-28861)
  • CVE-2021-29921 (https://security-tracker.debian.org/tracker/CVE-2021-29921)
  • CVE-2021-3426 (https://security-tracker.debian.org/tracker/CVE-2021-3426)
  • CVE-2021-3733 (https://security-tracker.debian.org/tracker/CVE-2021-3733)
  • CVE-2021-3737 (https://security-tracker.debian.org/tracker/CVE-2021-3737)
  • CVE-2021-4189 (https://security-tracker.debian.org/tracker/CVE-2021-4189)
  • CVE-2022-0391 (https://security-tracker.debian.org/tracker/CVE-2022-0391)
  • CVE-2022-37454 (https://security-tracker.debian.org/tracker/CVE-2022-37454)
  • CVE-2022-42919 (https://security-tracker.debian.org/tracker/CVE-2022-42919)
  • CVE-2022-45061 (https://security-tracker.debian.org/tracker/CVE-2022-45061)
  • CVE-2023-24329 (https://security-tracker.debian.org/tracker/CVE-2023-24329)

Using slim version of base image python:3.9-slim-bullseye also helps to reduce overall docker container size.

Work item tracking

How I did it

How to verify it

Start a docker container and run bash commands.

$ python3 --version
Python 3.9.19

Which release branch to backport (provide reason below if selected)

  • [ ] 201811
  • [ ] 201911
  • [ ] 202006
  • [ ] 202012
  • [ ] 202106
  • [ ] 202111
  • [ ] 202205
  • [ ] 202211
  • [ ] 202305

baxia-lan avatar May 18 '24 18:05 baxia-lan

python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB

There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.

k-v1 avatar May 18 '24 19:05 k-v1

But debian slim image is a good idea. I don't understand why we don't use them. Upd: PR #19008 to fix this.

k-v1 avatar May 18 '24 22:05 k-v1

> python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB
>
> There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.

I updated this PR to use python:3.9.18-slim-bullseye. Using the slim debian package with a pre-installed python package is for FedRAMP compliance. The Python3 official release in the Debian Registry is 3.9.2-3 and there is no plan to update it. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using the 3.9 version here to avoid breaking issues.

baxia-lan avatar May 20 '24 17:05 baxia-lan

> > python 3.9.17-slim-bullseye 6b9a3e5fd109 10 months ago 124MB
> >
> > There is no reason to use this outdated docker image. New images include multiple fixes for other system packages like glibc.
>
> I updated this PR to use python:3.9.18-slim-bullseye. Using the slim debian package with a pre-installed python package is for FedRAMP compliance. The Python3 official release in the Debian Registry is 3.9.2-3 and there is no plan to update it. It does not include security patches included in later patches. 3.11 is not officially supported in bullseye, so using the 3.9 version here to avoid breaking issues.

Official debian docker images (https://hub.docker.com/_/debian) contain actual versions of base system packages and libs because they are updated on a regular basis (latest update was May 13, 2024). Your image python:3.9.18-slim-bullseye is based on bullseye-20240110-slim. So it's still outdated.

If we select your image as a base layer for docker-base-bullseye then we get:

  1. New version of python. But it may be incompatible with some python packages from the debian repo because they are tested with python 3.9.2.
  2. Critical vulnerabilities in system packages like glibc because your docker image includes outdated versions of system packages and we don't do apt-get full-upgrade or even apt-get upgrade when building docker-base-bullseye.

My assumption is that for SONiC we should use debian official images (better to use slim images to reduce size of SONiC image). Debian maintainers provide most critical fixes for old distro packages including python. All your issues are marked as python3.9 <no-dsa> (Minor issue) by debian maintainers. That's why they are not fixed.

k-v1 avatar May 20 '24 18:05 k-v1
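The concern raised above, that a base image pinned to an old bullseye snapshot carries stale system packages unless the build runs apt-get upgrade, can be checked directly. The following is an added example written for this thread, not code from sonic-buildimage or from either commenter: a POSIX sh helper that counts pending upgrades in `apt-get -s upgrade` output and how many of them come from the security suite. The apt output embedded below is constructed for illustration (package names and versions are not measured from any real image), and the `docker run` invocation in the comment is hypothetical usage.

```shell
#!/bin/sh
# Added example (not from the sonic-buildimage project): detect security updates
# that a Debian-based image has not picked up because its base snapshot is old
# and the image build never ran `apt-get upgrade`.

# Reads `apt-get -s upgrade` output on stdin and prints "<total> <security>":
# total pending package installs, and how many of those come from a
# "*-security" suite (i.e. fixes the image is missing).
count_pending_upgrades() {
    awk '
        /^Inst / { total++; if ($0 ~ /-security/) sec++ }
        END { printf "%d %d\n", total + 0, sec + 0 }
    '
}

# Constructed sample of what a stale bullseye snapshot might report.
# Versions are illustrative, not taken from any actual container.
SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
Inst libc6 [2.31-13+deb11u5] (2.31-13+deb11u10 Debian-Security:11/stable-security [amd64])
Inst libssl1.1 [1.1.1n-0+deb11u4] (1.1.1w-0+deb11u1 Debian-Security:11/stable-security [amd64])
Inst tzdata [2023c-0+deb11u1] (2024a-0+deb11u1 Debian:11.9/stable [all])
Conf libc6 (2.31-13+deb11u10 Debian-Security:11/stable-security [amd64])'

# Runs the counter over the constructed sample; expected result: "3 2".
pending_in_sample() {
    printf '%s\n' "$SAMPLE_APT_SIM" | count_pending_upgrades
}

# Real check (hypothetical usage, needs network access to the Debian mirrors):
#   docker run --rm python:3.9-slim-bullseye sh -c \
#       'apt-get update -qq && apt-get -s upgrade' | count_pending_upgrades
# A non-zero second number means the base layer ships known-fixed packages.
# The mitigation in a Dockerfile is to upgrade during the build:
#   RUN apt-get update && apt-get -y upgrade && rm -rf /var/lib/apt/lists/*

pending_in_sample
```

The counter only reads apt's simulation output, so it is safe to run against any image without modifying it; the `-security` match relies on the suite name Debian uses for its security archive (`stable-security` on bullseye), which is why the constructed sample yields two security-sourced upgrades out of three pending.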

@lguohan PTAL at this PR. The python:3.9-slim-bullseye needs to be uploaded to Azure which I don't have permission.

baxia-lan avatar Jun 04 '24 23:06 baxia-lan

Can we merge this PR?

baxia-lan avatar Jul 12 '24 16:07 baxia-lan

/azp run Azure.sonic-buildimage

mssonicbld avatar Mar 11 '25 02:03 mssonicbld

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Mar 11 '25 02:03 azure-pipelines[bot]