Description
Describe the bug
Hi Team,
We’ve observed that our ACR Docker images are under compliance review and need to be cleaned and rebuilt. Previously, we were using the base image mcr.microsoft.com/cbl-mariner/base/python:3.9, but we’ve now noted that this image will reach End of Life (EOL) on July 31, 2025.
As part of the remediation, I’ve updated the base image to mcr.microsoft.com/azurelinux/base/python:3.12. However, after rebuilding, vulnerabilities are still being reported.
Please refer to the latest Docker image with tag "vfix".
Ref: Vulnerability Management
Exploring Security for Kubernetes Connect Service
https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/base/python/about
Related command
We are building Docker images with an ADO pipeline.
Sample docker file
```dockerfile
FROM mcr.microsoft.com/azurelinux/base/python:3.12
RUN tdnf makecache && tdnf update -y && tdnf install -y tar ca-certificates jq
RUN tdnf install azure-cli -y
# kubectl is fetched unpinned ("latest"): its version, and any CVEs a scanner
# attributes to it, change from build to build and are not recorded anywhere
RUN /usr/bin/curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/latest.txt)/bin/linux/amd64/kubectl \
    && chmod +x ./kubectl \
    && mv ./kubectl /usr/local/bin/kubectl
COPY ./arc_agent_cleanup/requirements.txt ./
# The PAT comes from a BuildKit secret mount, but pip.conf embeds it in the index URL.
# Removing pip.conf in the same RUN keeps the token out of the committed layer;
# note that "cat pip.conf" still prints it into the pipeline log.
RUN --mount=type=secret,id=ado_pat,target=/run/secrets/ado_pat \
    token=$(cat /run/secrets/ado_pat) && \
    index_url="https://ArcValidationPackages:$token@pkgs.dev.azure.com/ArcValidationProgram/ArcValidationProgram/_packaging/ArcValidationPackages/pypi/simple/" && \
    mkdir -p ~/.config/pip && \
    echo "[global]" > ~/.config/pip/pip.conf && \
    echo "index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "extra-index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "trusted-host = pkgs.dev.azure.com" >> ~/.config/pip/pip.conf && \
    cat ~/.config/pip/pip.conf && \
    pip install --upgrade -r requirements.txt && \
    rm -f ~/.config/pip/pip.conf
# Manually download and install Helm
RUN curl -sSL https://get.helm.sh/helm-v3.17.4-linux-amd64.tar.gz -o helm.tar.gz && \
    tar -xzf helm.tar.gz && \
    mv linux-amd64/helm /usr/local/bin/helm && \
    rm -rf linux-amd64 helm.tar.gz
# Verify Helm installation
RUN helm version
# This second install runs the upstream installer script from the master branch and
# overwrites the pinned v3.17.4 binary above with whatever it fetches at build time
RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash \
    && helm version
ARG SONOBUOY_VERSION
RUN curl -L https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_amd64.tar.gz --output /bin/sonobuoy.tar.gz
RUN ["tar", "-xzf", "/bin/sonobuoy.tar.gz", "-C", "/bin/"]
COPY ./arc_agent_cleanup/arc_agent_cleanup.sh /
COPY ./arc_agent_cleanup/cleanup.py /
COPY ./common/results_utility.py /
COPY ./common/constants.py /
COPY ./common/kubernetes_namespace_utility.py /
COPY ./common/helm_utility.py /
COPY ./common/kubernetes_pod_utility.py /
COPY ./common/connected_cluster_utility.py /
COPY ./common/arm_rest_utility.py /
COPY ./common/setup_failure_handler.py /
RUN ["chmod", "+x", "/arc_agent_cleanup.sh"]
ENTRYPOINT ["./arc_agent_cleanup.sh"]
```
```dockerfile
FROM mcr.microsoft.com/azurelinux/base/python:3.12
RUN tdnf makecache && tdnf update -y && tdnf install -y tar && tdnf install -y gawk && tdnf install -y util-linux
RUN tdnf install gnupg ca-certificates curl wget jq -y
RUN tdnf install azure-cli -y
# kubectl is fetched unpinned ("latest"): its version, and any CVEs a scanner
# attributes to it, change from build to build and are not recorded anywhere
RUN /usr/bin/curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/latest.txt)/bin/linux/amd64/kubectl \
    && chmod +x ./kubectl \
    && mv ./kubectl /usr/local/bin/kubectl
COPY ./ds_connect_core/requirements.txt ./
# pip.conf embeds the PAT in the index URL. It is removed in the same RUN so the token
# never lands in a committed layer; a separate "RUN rm" later in the file only hides it
# from the final filesystem, not from the layer history. "cat pip.conf" still prints
# the token into the pipeline log.
RUN --mount=type=secret,id=ado_pat,target=/run/secrets/ado_pat \
    token=$(cat /run/secrets/ado_pat) && \
    index_url="https://ArcValidationPackages:$token@pkgs.dev.azure.com/ArcValidationProgram/ArcValidationProgram/_packaging/ArcValidationPackages/pypi/simple/" && \
    mkdir -p ~/.config/pip && \
    echo "[global]" > ~/.config/pip/pip.conf && \
    echo "index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "extra-index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "trusted-host = pkgs.dev.azure.com" >> ~/.config/pip/pip.conf && \
    cat ~/.config/pip/pip.conf && \
    pip install --upgrade -r requirements.txt && \
    rm -f ~/.config/pip/pip.conf
#RUN az upgrade --yes
RUN az extension add --upgrade --name connectedk8s --yes --debug
RUN az extension add --upgrade --name k8s-configuration --yes --debug
RUN az extension add --upgrade --name k8s-extension --yes --debug
RUN az extension add --upgrade --name customlocation --yes --debug
RUN az extension add --upgrade --name arcdata --yes --debug
RUN tdnf update -y
ARG SONOBUOY_VERSION
RUN curl -L https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_amd64.tar.gz --output /bin/sonobuoy.tar.gz
RUN ["tar", "-xzf", "/bin/sonobuoy.tar.gz", "-C", "/bin/"]
COPY ["./ds_connect_core/arc_ds_connect_conformance.sh", "./ds_connect_core/ds_pre_cleanup.sh", "./ds_connect_core/ds_setup_failure_handler.py", "./"]
COPY ["./ds_connect_core/pytest.ini", "./ds_connect_core/conftest.py", "./common", "/conformancetests/"]
COPY ["./ds_connect_core/pytest.ini", "./ds_connect_core/conftest.py", "./common", "/conformancetests-indirect/"]
# DS direct tests
COPY ["./ds_connect_core/ds_connect_constants.py", "./ds_connect_core/test_check_namespace_existence.py", "./ds_connect_core/test_check_pod_existence.py", "./ds_connect_core/test_check_pv_existence.py", "./ds_connect_core/test_ds_direct_cleanup.py", "./ds_connect_core/test_check_kubernetes_extension_arm.py", "/ds_connect_core/test_check_datacontroller_arm.py", "./ds_connect_core/test_check_customlocation_arm.py", "./ds_connect_core/test_check_connected_cluster_arm.py", "./ds_connect_core/test_check_azure_arc_namespace_existence.py", "./ds_connect_core/test_data_controller_ready.py", "./ds_connect_core/test_create_sql_mi.py", "/conformancetests/"]
# To do: add the tests below once PostgreSQL is ready from az cli
#COPY ./ds_connect_core/test_create_postgressql.py /conformancetests/
#COPY ./ds_connect_core/test_scale_out_postgressql.py /conformancetests/
# DS indirect tests
COPY ["./ds_core/test_check_namespace_existence.py", "./ds_core/test_check_pod_existence.py", "./ds_core/test_check_pv_existence.py", "./ds_core/test_create_sql_mi.py", "./ds_core/test_data_controller_ready.py", "./ds_core/test_create_postgressql.py", "./ds_core/test_scale_out_postgressql.py", "./ds_core/test_ds_indirect_cleanup.py", "/conformancetests-indirect/"]
RUN ["chmod", "+x", "ds_pre_cleanup.sh"]
RUN ["chmod", "+x", "arc_ds_connect_conformance.sh"]
RUN sed -i -e 's/\r$//' arc_ds_connect_conformance.sh
RUN sed -i -e 's/\r$//' ds_pre_cleanup.sh
ENTRYPOINT ["/arc_ds_connect_conformance.sh"]
```
Errors
Vulnerability flags from Service 360.
Issue script & Debug output
Please find the attached document for the issue and observations.
Expected behavior
Vulnerability free.
Environment Summary
root [ / ]# az -v
azure-cli 2.75.0
core 2.75.0
telemetry 1.1.0
Extensions:
arcdata 1.5.24
Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0
Python location '/usr/bin/python3.12'
Config directory '/root/.azure'
Extensions directory '/root/.azure/cliextensions'
Python (Linux) 3.12.9 (main, Jun 12 2025, 19:38:44) [GCC 13.2.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
Please guide and suggest us.
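An added example, not code from this issue or from the azure-cli project: after a base-image swap, the first question is where the remaining findings come from, since the Dockerfiles above add three distinct sources on top of the Azure Linux RPMs (pip packages from requirements.txt, the azure-cli Python dependencies, and Go binaries such as kubectl, helm and sonobuoy downloaded at build time). The script below reads a scanner report in the JSON layout Trivy produces (Results[].Class, Type and Vulnerabilities[]) and groups findings by that origin, so a base-image update can be checked separately from a requirements pin or a binary re-download. The issue does not say which scanner feeds Service 360, so the Trivy layout is an assumption; the embedded report is constructed, and its vulnerability IDs are placeholders.

```python
"""Attribute findings in a Trivy-style JSON image scan to their origin in the build.

Assumption: the report follows Trivy's JSON layout (Results[].Class / Type /
Vulnerabilities[]). The report below is CONSTRUCTED for this example; the
vulnerability IDs are placeholders, not real CVEs.
"""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample: an Azure Linux base with no OS-package findings left, two
# findings in pip-installed packages and one in a downloaded Go binary.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.azurecr.io/arc-conformance:vfix",
    "Results": [
        {"Target": "example.azurecr.io/arc-conformance:vfix (azurelinux 3.0)",
         "Class": "os-pkgs", "Type": "azurelinux",
         "Vulnerabilities": []},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "some-pip-dep",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "other-pip-dep",
              "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "MEDIUM"},
         ]},
        {"Target": "usr/local/bin/kubectl", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "stdlib",
              "InstalledVersion": "v1.21.0", "FixedVersion": "v1.21.5", "Severity": "HIGH"},
         ]},
    ],
})


def classify_source(result: dict) -> str:
    """Map one scan result to the Dockerfile step that introduced its packages."""
    cls = result.get("Class", "")
    typ = result.get("Type", "")
    if cls == "os-pkgs":
        return "base-image OS package"      # fixed only by a newer base tag or tdnf update
    if typ == "python-pkg":
        return "pip package"                # fixed by pinning/upgrading in requirements.txt
    if typ == "gobinary":
        return "downloaded binary"          # fixed by fetching a newer kubectl/helm/sonobuoy
    return f"other ({cls}/{typ})"


def load_findings(report_text: str) -> List[dict]:
    """Flatten the nested report into one record per finding, tagged with its origin."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        source = classify_source(result)
        # Trivy emits null (not []) when a target has no findings, hence "or []"
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "source": source,
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per origin; an origin with zero findings is simply absent."""
    return dict(Counter(f["source"] for f in findings))


def fixable(findings: List[dict]) -> List[dict]:
    """Findings the scanner knows a fixed version for; the rest need a waiver or a
    different upstream, not a rebuild."""
    return [f for f in findings if f["fixed"]]


def render(findings: List[dict]) -> str:
    """Human-readable triage table, one line per finding."""
    lines = [f"{src}: {n} finding(s)" for src, n in sorted(summarize(findings).items())]
    for f in findings:
        fix = f["fixed"] or "no fix available"
        lines.append(f"  [{f['severity']}] {f['id']} {f['pkg']} {f['installed']} "
                     f"-> {fix} ({f['source']}, {f['target']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(load_findings(SAMPLE_REPORT)))
```

On a real image the report would come from a command such as `trivy image --format json <image>` and be passed to `load_findings`; any finding that lands under "base-image OS package" is the only kind the base-tag change can address, while "pip package" and "downloaded binary" findings persist across base updates until requirements.txt is re-pinned or the unpinned kubectl/helm downloads are replaced with fixed versions.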