
apt-get upgrade in generated Dockerfile #227

Open
eric-hemasystems opened this issue Feb 9, 2023 · 0 comments


eric-hemasystems commented Feb 9, 2023

It looks like the base container runs apt-get upgrade but the generated Dockerfile does not.

A recent OpenSSL advisory had me checking if GAE has us safe. When I ran `apt-get update -y && apt-get upgrade -y` on a freshly deployed app I see there are a lot of packages out-of-date:

```
The following packages will be upgraded:
  apt apt-utils base-files binutils binutils-common binutils-x86-64-linux-gnu
  ca-certificates cmake cmake-data curl distro-info-data gir1.2-gdkpixbuf-2.0
  gir1.2-harfbuzz-0.0 gir1.2-poppler-0.18 git git-man gpgv libapt-pkg6.0
  libasn1-8-heimdal libbinutils libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4
  libcurl4-openssl-dev libexpat1 libexpat1-dev libfreetype-dev libfreetype6
  libfreetype6-dev libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-bin
  libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgmp-dev libgmp10
  libgmpxx4ldbl libgnutls30 libgssapi-krb5-2 libgssapi3-heimdal
  libharfbuzz-dev libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz0b
  libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal
  libhx509-5-heimdal libjbig-dev libjbig0 libjpeg-turbo8 libjpeg-turbo8-dev
  libk5crypto3 libkrb5-26-heimdal libkrb5-3 libkrb5support0 libmysqlclient-dev
  libmysqlclient21 libnss3 libpam-modules libpam-modules-bin libpam-runtime
  libpam0g libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre2-dev
  libpcre2-posix2 libperl5.30 libpixman-1-0 libpixman-1-dev libpoppler-dev
  libpoppler-glib-dev libpoppler-glib8 libpoppler97 libpq-dev libpq5
  libpython3.8 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib
  libroken18-heimdal libsqlite3-0 libsqlite3-dev libssl-dev libssl1.1
  libtiff-dev libtiff5 libtiffxx5 libudev1 libwind0-heimdal libxml2
  libxml2-dev libxml2-utils libxslt1-dev libxslt1.1 linux-libc-dev login
  openssl passwd perl perl-base perl-modules-5.30 python3.8 python3.8-dev
  python3.8-minimal tzdata zlib1g zlib1g-dev
109 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 58.8 MB of archives.
After this operation, 227 kB of additional disk space will be used.
```

This is reinforced by the fact that GCP lists the GAE-built apps as having many CVEs according to the container registry:

[image: container registry vulnerability listing for the GAE-built image]

In theory we could direct the generated Dockerfile to use our own base container which we update more often. But that seems like a lot of effort given that the point of GAE is to remove that sort of maintenance.

If the augmented-base container ran `apt-get upgrade -y` then every time the app is built and deployed it would get all the latest security updates automatically. Is there a way to make this happen?
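For reference, the kind of change the issue asks for, shown as an added example rather than code from this issue or from the project that generates the Dockerfile. The base image name and the build stage layout are placeholders; the point is the single `RUN` layer that refreshes the package index, applies pending security updates, and cleans up, so the upgrade is re-evaluated on every build instead of being frozen at the base image's build time:

```dockerfile
# Placeholder base image: in practice this is whatever the generator emits.
FROM example.invalid/gae-augmented-base:latest

# Do update and upgrade in ONE layer. If they were separate RUN steps, the
# cached "apt-get update" layer could be reused with a stale package index,
# and the upgrade would silently install nothing new.
# DEBIAN_FRONTEND=noninteractive keeps tzdata and friends from prompting.
# Removing /var/lib/apt/lists keeps the index out of the final image; it is
# not needed at runtime and only adds size.
RUN DEBIAN_FRONTEND=noninteractive apt-get update -y \
    && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Optional build-time check: fail the build if any upgrade is still pending
# after the step above (for example because of a held package), so an image
# with known outdated packages is never pushed. The index is re-fetched just
# for the simulation and discarded again.
RUN apt-get update -y \
    && if apt-get -s upgrade | grep -q '^Inst '; then \
         echo "ERROR: packages still pending upgrade" >&2; exit 1; \
       fi \
    && rm -rf /var/lib/apt/lists/*

# The rest of the generated Dockerfile (application copy, entrypoint) follows.
```

The layer-caching caveat is the one practitioners most often miss: an `apt-get upgrade` placed in its own `RUN` after a cached `apt-get update` reuses the old index and reports "0 upgraded", which looks like the image is current when it is not. The check step is assumption-driven (it relies on `apt-get -s upgrade` printing an `Inst` line per pending package, which is its documented simulation output) and can be dropped if build time matters more than the guarantee.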
