2 changes: 1 addition & 1 deletion assets/elasticsearch/Dockerfile
@@ -1,4 +1,4 @@
FROM ghcr.io/y-scope/clp/clp-core-dependencies-x86-ubuntu-jammy:main
from ubuntu:jammy

RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
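Review bot: the replacement line is written `from ubuntu:jammy` in lower case while this file's own `RUN` and every other Dockerfile in the change keep the instruction keywords upper case; Docker accepts either, but the mixed case reads as a slip and should be `FROM ubuntu:jammy`. Dropping the CLP dependency image for a bare `ubuntu:jammy` tag also means the build now follows a moving tag; if the benchmark needs reproducible images, pin the digest (`FROM ubuntu:jammy@sha256:<digest>`, digest to be filled in) or record in the PR why the dedicated image is no longer the right base.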
4 changes: 2 additions & 2 deletions assets/gzip/Dockerfile
@@ -2,11 +2,11 @@
# dependencies

# If there is any dedicated image available, you should build the benchmarking image on top of that
FROM ghcr.io/y-scope/clp/clp-core-dependencies-x86-ubuntu-jammy:main
FROM ubuntu:jammy

# Install necessary packages
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --allow-downgrades \
tmux \
vim \
gzip
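Review bot: `--allow-downgrades` does nothing in this `RUN` as written, because none of `tmux`, `vim` or `gzip` is requested at an explicit version (`pkg=version`) and a fresh `ubuntu:jammy` base carries no apt pinning that would make a lower version the candidate; the flag only matters when apt would otherwise refuse to replace an installed package with an older one. Either drop it, or add the version specs it is meant to permit together with a comment saying which package must be held back and why, so a reader does not have to guess whether a deliberate downgrade to an older build is intended.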
💡 Verification agent

🧩 Analysis chain

--allow-downgrades warrants justification & pinning
Allowing downgrades can silently pull older vulnerable packages. Pin explicit versions or document the requirement; otherwise drop the flag.

Additionally, apply the usual --no-install-recommends and cache clean-up:

-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --allow-downgrades \
-    tmux \
-    vim \
-    gzip
+RUN set -eux; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        gzip=1.10-4ubuntu4 \
+        vim-tiny=2:8.* \
+        tmux=3.2a-4; \
+    rm -rf /var/lib/apt/lists/*

🏁 Script executed:

#!/bin/bash
# Display the beginning of the Dockerfile to review base image and context
sed -n '1,50p' assets/gzip/Dockerfile

Length of output: 426


Review Dockerfile: remove or justify --allow-downgrades & improve apt-install hygiene

The --allow-downgrades flag should either be documented (why a downgrade is needed and what version is targeted) or removed to avoid silently installing older, potentially vulnerable packages. Additionally, to minimise image size and surface area:

  • Drop --allow-downgrades unless there’s a compelling, documented reason.
  • Add --no-install-recommends to avoid installing unnecessary packages.
  • Cleanup Apt cache after installation with rm -rf /var/lib/apt/lists/*.
  • (Optional) Pin package versions for reproducibility, e.g. gzip=1.10-4ubuntu4, tmux=3.2a-4, vim-tiny=2:8.*.

Suggested diff:

-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --allow-downgrades \
-    tmux \
-    vim \
-    gzip
+RUN set -eux; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        gzip \
+        vim-tiny \
+        tmux; \
+    rm -rf /var/lib/apt/lists/*
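Review bot: the suggested hunk swaps `vim` for `vim-tiny` in the package list, which changes what ends up in the image rather than improving apt hygiene; if `vim` was chosen on purpose for the benchmarking container, keep `vim` and apply only `--no-install-recommends` and the `rm -rf /var/lib/apt/lists/*` cleanup. Note also that the earlier variant of this suggestion pinned versions (`gzip=1.10-4ubuntu4`, `tmux=3.2a-4`, `vim-tiny=2:8.*`) while this one does not, so the "pin package versions for reproducibility" bullet above is not actually realised by this diff.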
🧰 Tools
🪛 Checkov (3.2.334)

[LOW] 1-12: Ensure that HEALTHCHECK instructions have been added to container images

(CKV_DOCKER_2)


[LOW] 1-12: Ensure that a user for the container has been created

(CKV_DOCKER_3)

🤖 Prompt for AI Agents
In assets/gzip/Dockerfile around lines 9 to 12, remove the --allow-downgrades
flag unless there is a documented reason for downgrading packages. Add the
--no-install-recommends flag to the apt-get install command to avoid installing
unnecessary packages. After installation, add a command to clean up the apt
cache by removing /var/lib/apt/lists/* to reduce image size. Optionally, pin
package versions explicitly for reproducibility by specifying versions for gzip,
tmux, and vim packages.

2 changes: 1 addition & 1 deletion assets/overhead_test/Dockerfile
@@ -2,7 +2,7 @@
# dependencies

# If there is any dedicated image available, you should build the benchmarking image on top of that
FROM ghcr.io/y-scope/clp/clp-core-dependencies-x86-ubuntu-jammy:main
FROM ubuntu:jammy

# Install necessary packages
RUN apt-get update \
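Review bot: the comment two lines above the `FROM` still tells the reader to build the benchmarking image on top of a dedicated image when one is available, but this change removes exactly that dedicated image (`clp-core-dependencies-x86-ubuntu-jammy:main`) in favour of plain `ubuntu:jammy`. Either update the comment to match, or state in the PR description why the CLP dependency image is no longer the right base for the overhead test.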
2 changes: 1 addition & 1 deletion assets/template/Dockerfile
@@ -2,7 +2,7 @@
# dependencies

# If there is any dedicated image available, you should build the benchmarking image on top of that
FROM ghcr.io/y-scope/clp/clp-core-dependencies-x86-ubuntu-jammy:main
FROM ubuntu:jammy

# Install necessary packages
RUN apt-get update \
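Review bot: this is the fourth Dockerfile in the change that edits the same `FROM` line by hand, and the copies have already drifted (`from` in `assets/elasticsearch/Dockerfile`, `FROM` elsewhere). If these images are meant to stay in lock-step, a single build argument (`ARG BASE_IMAGE=ubuntu:jammy` followed by `FROM ${BASE_IMAGE}`) would let the benchmarks switch base image in one place the next time the dependency image comes back or a digest pin is added.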