This is an automated email from the ASF dual-hosted git repository. ephraimanierobi pushed a commit to branch v2-8-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit cb34e9169147979f76aa25dbbda0f68ed6c2f05a Author: Jarek Potiuk <[email protected]> AuthorDate: Fri Feb 23 10:42:50 2024 +0100 Install latest docker CLI instead of specific one (#37651) This decreses reproducibility a bit, but it also helps to improve security, in case some older version of docker CLI bring security vulnerabilities. (cherry picked from commit 2294a2f5ff8cba9fa653fcdc65f350b4dedcbf9c)
---
 Dockerfile | 25 +++++++++++++------------
 Dockerfile.ci | 25 +++++++++++++------------
 scripts/docker/install_os_dependencies.sh | 25 +++++++++++++------------
 3 files changed, 39 insertions(+), 36 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a6b0d16d53..1ada5269c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -76,8 +76,6 @@ COPY <<"EOF" /install_os_dependencies.sh
 #!/usr/bin/env bash
 set -euo pipefail
 
-DOCKER_CLI_VERSION=24.0.6
-
 if [[ "$#" != 1 ]]; then
 echo "ERROR! There should be 'runtime' or 'dev' parameter passed as argument.".
 exit 1
@@ -130,20 +128,23 @@ lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc
 }
 
 function install_docker_cli() {
- local platform
- if [[ $(uname -m) == "arm64" || $(uname -m) == "aarch64" ]]; then
- platform="aarch64"
- else
- platform="x86_64"
- fi
- curl --silent \
- "https://download.docker.com/linux/static/stable/${platform}/docker-${DOCKER_CLI_VERSION}.tgz" \
- | tar -C /usr/bin --strip-components=1 -xvzf - docker/docker
+ apt-get update
+ apt-get install ca-certificates curl
+ install -m 0755 -d /etc/apt/keyrings
+ curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+ chmod a+r /etc/apt/keyrings/docker.asc
+ # shellcheck disable=SC1091
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+ tee /etc/apt/sources.list.d/docker.list > /dev/null
+ apt-get update
+ apt-get install -y --no-install-recommends docker-ce-cli
 }
 
 function install_debian_dev_dependencies() {
 apt-get update
- apt-get install --no-install-recommends -yqq apt-utils >/dev/null 2>&1
+ apt-get install -yqq --no-install-recommends apt-utils >/dev/null 2>&1
 apt-get install -y --no-install-recommends curl gnupg2 lsb-release
 # shellcheck disable=SC2086
 export ${ADDITIONAL_DEV_APT_ENV?}
diff --git a/Dockerfile.ci b/Dockerfile.ci
index bc4533c38f..b63fd0896b 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -36,8 +36,6 @@ COPY <<"EOF" /install_os_dependencies.sh
 #!/usr/bin/env bash
 set -euo pipefail
 
-DOCKER_CLI_VERSION=24.0.6
-
 if [[ "$#" != 1 ]]; then
 echo "ERROR! There should be 'runtime' or 'dev' parameter passed as argument.".
 exit 1
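Review bot: The signing key that `install_docker_cli` writes to `/etc/apt/keyrings/docker.asc` is fetched from the same host as the repository it authenticates and is trusted as-is, so its authenticity rests only on the TLS connection to download.docker.com. Consider comparing it with a fingerprint kept in this repo before `docker.list` is written, e.g. `gpg --show-keys --with-colons /etc/apt/keyrings/docker.asc | grep -q '^fpr:.*:<EXPECTED_DOCKER_KEY_FINGERPRINT>:$' || exit 1` (placeholder value; whether gpg is already installed when this function runs is not visible in the hunk). Separately, `apt-get install ca-certificates curl` has no `-y`, so it can abort in a non-interactive build if apt asks for confirmation; `apt-get install -y --no-install-recommends ca-certificates curl` would match the other calls. With the version no longer pinned, a `docker --version` after the install would record in the build log which CLI each image received. The same points apply to the identical hunks in Dockerfile.ci and scripts/docker/install_os_dependencies.sh.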
@@ -90,20 +88,23 @@ lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc
 }
 
 function install_docker_cli() {
- local platform
- if [[ $(uname -m) == "arm64" || $(uname -m) == "aarch64" ]]; then
- platform="aarch64"
- else
- platform="x86_64"
- fi
- curl --silent \
- "https://download.docker.com/linux/static/stable/${platform}/docker-${DOCKER_CLI_VERSION}.tgz" \
- | tar -C /usr/bin --strip-components=1 -xvzf - docker/docker
+ apt-get update
+ apt-get install ca-certificates curl
+ install -m 0755 -d /etc/apt/keyrings
+ curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+ chmod a+r /etc/apt/keyrings/docker.asc
+ # shellcheck disable=SC1091
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+ tee /etc/apt/sources.list.d/docker.list > /dev/null
+ apt-get update
+ apt-get install -y --no-install-recommends docker-ce-cli
 }
 
 function install_debian_dev_dependencies() {
 apt-get update
- apt-get install --no-install-recommends -yqq apt-utils >/dev/null 2>&1
+ apt-get install -yqq --no-install-recommends apt-utils >/dev/null 2>&1
 apt-get install -y --no-install-recommends curl gnupg2 lsb-release
 # shellcheck disable=SC2086
 export ${ADDITIONAL_DEV_APT_ENV?}
diff --git a/scripts/docker/install_os_dependencies.sh b/scripts/docker/install_os_dependencies.sh
index 5d53867643..f848846cb6 100644
--- a/scripts/docker/install_os_dependencies.sh
+++ b/scripts/docker/install_os_dependencies.sh
@@ -18,8 +18,6 @@
 # shellcheck shell=bash
 set -euo pipefail
 
-DOCKER_CLI_VERSION=24.0.6
-
 if [[ "$#" != 1 ]]; then
 echo "ERROR! There should be 'runtime' or 'dev' parameter passed as argument.".
 exit 1
@@ -72,20 +70,23 @@ lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc
 }
 
 function install_docker_cli() {
- local platform
- if [[ $(uname -m) == "arm64" || $(uname -m) == "aarch64" ]]; then
- platform="aarch64"
- else
- platform="x86_64"
- fi
- curl --silent \
- "https://download.docker.com/linux/static/stable/${platform}/docker-${DOCKER_CLI_VERSION}.tgz" \
- | tar -C /usr/bin --strip-components=1 -xvzf - docker/docker
+ apt-get update
+ apt-get install ca-certificates curl
+ install -m 0755 -d /etc/apt/keyrings
+ curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+ chmod a+r /etc/apt/keyrings/docker.asc
+ # shellcheck disable=SC1091
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+ tee /etc/apt/sources.list.d/docker.list > /dev/null
+ apt-get update
+ apt-get install -y --no-install-recommends docker-ce-cli
 }
 
 function install_debian_dev_dependencies() {
 apt-get update
- apt-get install --no-install-recommends -yqq apt-utils >/dev/null 2>&1
+ apt-get install -yqq --no-install-recommends apt-utils >/dev/null 2>&1
 apt-get install -y --no-install-recommends curl gnupg2 lsb-release
 # shellcheck disable=SC2086
 export ${ADDITIONAL_DEV_APT_ENV?}
