From b2d5f46299b4742e8744400a0359ff0a5e2ed523 Mon Sep 17 00:00:00 2001
From: Adrian Frischkorn <5385601+afrischk@users.noreply.github.com>
Date: Thu, 10 Jul 2025 13:08:37 +0200
Subject: [PATCH 1/3] Deps: Bump golang package to 1.23 to mitigate security holes

---
 Dockerfile | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4de3264..3b6369f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,22 +15,25 @@ ENV POSTGRES_OLD_VERSION=${POSTGRES_OLD_VERSION}
 
 # Enable and install old version of PostgreSQL.
 RUN sed -i "s/\$/ ${POSTGRES_OLD_VERSION}/" /etc/apt/sources.list.d/pgdg.list
+RUN echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list
 RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         postgresql-${POSTGRES_OLD_VERSION} \
+        golang-1.23/bookworm-backports \
     ; \
     rm -rf /var/lib/apt/lists/*
+
 
 # The old binaries will be in /usr/lib/postgresql/16/bin
-ENV PGBINOLD /usr/lib/postgresql/${POSTGRES_OLD_VERSION}/bin
-ENV PGBINNEW /usr/lib/postgresql/${POSTGRES_VERSION}/bin
+ENV PGBINOLD=/usr/lib/postgresql/${POSTGRES_OLD_VERSION}/bin
+ENV PGBINNEW=/usr/lib/postgresql/${POSTGRES_VERSION}/bin
 
 # we are usually using /var/lib/postgresql/data as the data directory
 # so this is why we are using it for the 'old' version instead of the
 # path that is customized for the version.
-ENV PGDATAOLD /var/lib/postgresql/data
-ENV PGDATANEW /var/lib/postgresql/${POSTGRES_VERSION}/data
+ENV PGDATAOLD=/var/lib/postgresql/data
+ENV PGDATANEW=/var/lib/postgresql/${POSTGRES_VERSION}/data
 
 COPY bin/upgradeversion.sh /usr/local/bin/upgradeversion
 
From 51e81fcc49789a6bbab5a51ec0feab2d312e591b Mon Sep 17 00:00:00 2001
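Review bot: The `golang-1.23/bookworm-backports` package added to the install list in this hunk lands in the final database image, since the Dockerfile has a single stage at this point, so the runtime now carries a full Go compiler toolchain it never executes; hadolint DL3008 would also flag it as unpinned. If the motivation is a prebuilt Go binary in the base image being flagged for an old Go standard library, installing the toolchain package does not rebuild that binary, so such a finding would remain — worth confirming against the scanner report before keeping this. If the package is genuinely needed, pin it (`golang-1.23=<VERSION_PLACEHOLDER>`), install it in a separate build stage whose artifacts are copied into the runtime stage, and put the backports entry in its own file under `/etc/apt/sources.list.d/` instead of appending to `/etc/apt/sources.list`.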
From: Adrian Frischkorn <5385601+afrischk@users.noreply.github.com>
Date: Mon, 14 Jul 2025 12:01:56 +0200
Subject: [PATCH 2/3] WIP: Use build stages and exchanged gosu for su-exec

---
 Dockerfile | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3b6369f..fc19e16 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@
 # The image is modified to include an older version of PostgreSQL, which
 # allows us to upgrade the database from the old version to the new one.
 ARG POSTGRES_VERSION=17
-FROM postgres:${POSTGRES_VERSION}
+FROM postgres:${POSTGRES_VERSION} AS base
 
 # we need to redeclare the ARG here, otherwise it will not
 # be available in the section below the FROM statement.
@@ -13,6 +13,19 @@ ARG POSTGRES_OLD_VERSION=16
 ENV POSTGRES_VERSION=${POSTGRES_VERSION}
 ENV POSTGRES_OLD_VERSION=${POSTGRES_OLD_VERSION}
 
+# The old binaries will be in /usr/lib/postgresql/16/bin
+ENV PGBINOLD=/usr/lib/postgresql/${POSTGRES_OLD_VERSION}/bin
+ENV PGBINNEW=/usr/lib/postgresql/${POSTGRES_VERSION}/bin
+
+# we are usually using /var/lib/postgresql/data as the data directory
+# so this is why we are using it for the 'old' version instead of the
+# path that is customized for the version.
+ENV PGDATAOLD=/var/lib/postgresql/data
+ENV PGDATANEW=/var/lib/postgresql/${POSTGRES_VERSION}/data
+
+COPY bin/upgradeversion.sh /usr/local/bin/upgradeversion
+
+FROM base AS install
 # Enable and install old version of PostgreSQL.
 RUN sed -i "s/\$/ ${POSTGRES_OLD_VERSION}/" /etc/apt/sources.list.d/pgdg.list
 RUN echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list
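Review bot: The relocated comment `# The old binaries will be in /usr/lib/postgresql/16/bin` hard-codes 16 while the `ENV PGBINOLD` line directly under it derives the path from `${POSTGRES_OLD_VERSION}`, so it goes stale as soon as the ARG default changes; reword it to `# The old binaries will be in /usr/lib/postgresql/${POSTGRES_OLD_VERSION}/bin`. A short comment above `FROM base AS install` stating what each stage holds (`base` only env and the upgrade script, `install` the extra PostgreSQL major version) would make the stage graph readable without the commit message. `COPY bin/upgradeversion.sh /usr/local/bin/upgradeversion` relies on the source file's mode bits for the executable flag; if that is the intent, `COPY --chmod=755 bin/upgradeversion.sh /usr/local/bin/upgradeversion` makes it explicit, matching the `--chmod` already used for the su-exec copy later in this series.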
@@ -20,22 +33,26 @@ RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         postgresql-${POSTGRES_OLD_VERSION} \
-        golang-1.23/bookworm-backports \
     ; \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/*;
+FROM install AS no-gosu
 
 
-# The old binaries will be in /usr/lib/postgresql/16/bin
-ENV PGBINOLD=/usr/lib/postgresql/${POSTGRES_OLD_VERSION}/bin
-ENV PGBINNEW=/usr/lib/postgresql/${POSTGRES_VERSION}/bin
+RUN set -eux; \
+    rm -rf /usr/local/bin/gosu;
 
-# we are usually using /var/lib/postgresql/data as the data directory
-# so this is why we are using it for the 'old' version instead of the
-# path that is customized for the version.
-ENV PGDATAOLD=/var/lib/postgresql/data
-ENV PGDATANEW=/var/lib/postgresql/${POSTGRES_VERSION}/data
+FROM postgres:${POSTGRES_VERSION} AS su-exec
 
-COPY bin/upgradeversion.sh /usr/local/bin/upgradeversion
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends gcc libc-dev curl ca-certificates; \
+    rm -rf /var/lib/apt/lists/*; \
+    curl -o /usr/local/bin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/master/su-exec.c; \
+    gcc -Wall /usr/local/bin/su-exec.c -o /usr/local/bin/su-exec;
+
+FROM no-gosu AS runtime
+
+COPY --from=su-exec --chown=root:root --chmod=755 /usr/local/bin/su-exec /usr/local/bin/gosu
 
 # We decided to use our own UID range.
 # INFO: https://github.com/greenbone/automatix/blob/main/README.md
From 2f2b62790e672374326119777229b172f8aeae04 Mon Sep 17 00:00:00 2001
From: Adrian Frischkorn <5385601+afrischk@users.noreply.github.com>
Date: Mon, 14 Jul 2025 14:37:50 +0200
Subject: [PATCH 3/3] WIP: Remove backports

---
 Dockerfile | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index fc19e16..4cb9249 100644
--- a/Dockerfile
+++ b/Dockerfile
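Review bot: The `curl -o ... https://raw.githubusercontent.com/ncopa/su-exec/master/su-exec.c` step in the `su-exec` stage compiles whatever `master` serves at build time, with no pinned revision and no checksum, so the binary that replaces gosu at `/usr/local/bin/gosu` is neither reproducible nor verifiable after the fact. Pin the download to a release tag or commit and verify it before compiling, e.g. `curl -fsSL -o /tmp/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/<PINNED_TAG_OR_COMMIT>/su-exec.c; \`, `echo "<SHA256_OF_PINNED_FILE>  /tmp/su-exec.c" | sha256sum -c -; \`, `gcc -Wall /tmp/su-exec.c -o /usr/local/bin/su-exec;` (the `-f` also makes curl fail on an HTTP error instead of writing the error page into the .c file, which `set -eux` would otherwise not catch). The `no-gosu` stage's `rm -rf /usr/local/bin/gosu` is redundant because the later `COPY --from=su-exec` to the same path overwrites it, and as a separate layer it does not remove the original binary's bytes from the base image layers anyway. A one-line comment at the `COPY --from=su-exec` line saying why su-exec is installed under the name `gosu` (presumably so the upstream entrypoint's `gosu` invocations keep working — confirm) would spare the next reader the commit archaeology.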
@@ -27,8 +27,7 @@ COPY bin/upgradeversion.sh /usr/local/bin/upgradeversion
 
 FROM base AS install
 # Enable and install old version of PostgreSQL.
-RUN sed -i "s/\$/ ${POSTGRES_OLD_VERSION}/" /etc/apt/sources.list.d/pgdg.list
-RUN echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list
+RUN sed -i "s/\$/ ${POSTGRES_OLD_VERSION}/" /etc/apt/sources.list.d/pgdg.list;
 RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
@@ -37,12 +36,10 @@ RUN set -eux; \
     rm -rf /var/lib/apt/lists/*;
 FROM install AS no-gosu
-
 
 RUN set -eux; \
     rm -rf /usr/local/bin/gosu;
 
 FROM postgres:${POSTGRES_VERSION} AS su-exec
-
 RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends gcc libc-dev curl ca-certificates; \
@@ -51,9 +48,7 @@ RUN set -eux; \
     gcc -Wall /usr/local/bin/su-exec.c -o /usr/local/bin/su-exec;
 
 FROM no-gosu AS runtime
-
 COPY --from=su-exec --chown=root:root --chmod=755 /usr/local/bin/su-exec /usr/local/bin/gosu
-
 # We decided to use our own UID range.
 # INFO: https://github.com/greenbone/automatix/blob/main/README.md
 # Change to user root user to run the commands.
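Review bot: The replacement line `RUN sed -i "s/\$/ ${POSTGRES_OLD_VERSION}/" /etc/apt/sources.list.d/pgdg.list;` carries a trailing `;` that only makes sense inside a `set -eux; \` command chain; as a single-command RUN it is a leftover, and the line should read `RUN sed -i "s/\$/ ${POSTGRES_OLD_VERSION}/" /etc/apt/sources.list.d/pgdg.list`. With the backports source and the golang package both gone after this patch, the series' first subject ("Bump golang package to 1.23 to mitigate security holes") no longer describes the resulting Dockerfile, whose actual change is replacing gosu with a locally built su-exec. The `sed` appends the old major version to every line of pgdg.list, which presumably assumes the file holds a single component line ending in the version list — a comment stating that assumption next to the RUN would help whoever next touches the apt setup.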