Revert "Use python distroless instead of copying python into google distroless, as 2F scanning does not like that for some reason (#5)"

bfichter · bfichter · commit 1b57f559bddc · 2025-03-26T08:34:11.000-04:00
This reverts commit df7d12b.
diff --git a/build/Dockerfile.distroless b/build/Dockerfile.distroless
@@ -1,3 +1,11 @@
+# This is our strategy for getting a clean (from CVE perspective) base image for python-based services.
+# This mostly takes from https://github.com/alexdmoss/distroless-python
+# We need to build our own to be able to get new debian versions with fixes.
+
+# Google periodically updates distroless images but just uses latest
+# CVEs will typically get fixed in versions (e.g deb12u7) and we'll need to rebuild this to incorporate them.
+ARG GOOGLE_DISTROLESS_BASE_IMAGE=gcr.io/distroless/cc-debian12:latest
+
 # ARG instructions do not create additional layers. Instead, next layers will
 # concatenate them. Also, we have to repeat ARG instructions in each build
 # stage that uses them.
@@ -176,7 +184,7 @@ COPY build/fonts.conf /etc/fonts/conf.d/100-gotenberg.conf
 # ----------------------------------------------
 # Final stage
 # ----------------------------------------------
-FROM public.ecr.aws/j9h1x6x3/distroless-python:latest AS base
+FROM ${GOOGLE_DISTROLESS_BASE_IMAGE} AS base
 
 # Set platform-specific CHIPSET_ARCH
 FROM base AS base-amd64
@@ -190,6 +198,11 @@ ARG CHIPSET_ARCH=aarch64-linux-gnu
 ARG TARGETARCH
 FROM base-${TARGETARCH}
 
+# Required for unoconverter
+COPY --from=gotenberg-binary-stage /usr/bin/python /usr/bin/python
+COPY --from=gotenberg-binary-stage /usr/lib/python3 /usr/lib/python3
+COPY --from=gotenberg-binary-stage /usr/lib/python3.11 /usr/lib/python3.11
+
 ENV PYTHONPATH="/usr/local/lib/python3.11/dist-packages:"
 
 # LibreOffice dependencies
