RED-181280 - support multiarch #27
Conversation
![jit-ci[bot]](https://avatars.githubusercontent.com/in/142441?s=60&v=4){kind=small}
There was a problem hiding this comment.
❌ Jit has detected 2 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
Repository Risks:
- Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
- Internally Accessible: Accessible only within the internal network, reducing exposure to external threats but still requiring proper controls.
- High Severity Findings: Indicates that the resource has high severity security findings that need attention.
Repository Context:
graph LR
GitHub$Repository_U23_RedisLabs/redis_U2D_webcli["GitHub Repository<br/>RedisLabs/redis-webcli"]:::GitHub$Repository
Team_U23_dev_U2D_team["Team<br/>dev-team"]:::Team
Team_U23_SecurityManagers["Team<br/>SecurityManagers"]:::Team
Team_U23_PCF$Devs["Team<br/>PCF Devs"]:::Team
Team_U23_k8s_U2D_operator_U2D_pr_U2D_reviewers["Team<br/>k8s-operator-pr-reviewers"]:::Team
DBIntegration_U23_redis["DBIntegration<br/>redis"]:::DBIntegration
Team_U23_dev_U2D_team -- "Owns" --> GitHub$Repository_U23_RedisLabs/redis_U2D_webcli
Team_U23_SecurityManagers -- "Owns" --> GitHub$Repository_U23_RedisLabs/redis_U2D_webcli
Team_U23_PCF$Devs -- "Owns" --> GitHub$Repository_U23_RedisLabs/redis_U2D_webcli
Team_U23_k8s_U2D_operator_U2D_pr_U2D_reviewers -- "Owns" --> GitHub$Repository_U23_RedisLabs/redis_U2D_webcli
GitHub$Repository_U23_RedisLabs/redis_U2D_webcli -- "Is accessible to" --> DBIntegration_U23_redis
| @@ -1,13 +1,21 @@ | |||
| FROM python:3.8 | |||
| FROM python:3.11-bookworm | |||
There was a problem hiding this comment.
Security control: Docker Scan
Image User Should Not Be 'Root'
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
- First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this:
docker run <image> whoami. If it returnsroot, then you should consider using a non-root user, by following one of the next steps:- If a non-root user already exists in your container, consider using it.
- If not, you can create a new user by adding a
USERcommand to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>.
| FROM python:3.11-bookworm | |
| FROM python:3.11-bookworm | |
| RUN addgroup --system <group> | |
| RUN adduser --system <user> --ingroup <group> | |
| USER <user>:<group> | |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Image user should not be 'root'" in Dockerfile; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
Dockerfile
Outdated
| echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/redis.list && \ | ||
| apt-get update && \ | ||
| apt-get install -y memtier-benchmark && \ | ||
| rm -rf /var/lib/apt/lists/* |
There was a problem hiding this comment.
Security control: Docker Scan
'Apt-Get' Missing '--No-Install-Recommends'
'apt-get' install should use '--no-install-recommends' to minimize image size.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "'apt-get' missing '--no-install-recommends'" in Dockerfile; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
Dockerfile
Outdated
| echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/redis.list && \ | ||
| apt-get update && \ | ||
| apt-get install -y memtier-benchmark=2.1.1-1rl1~bookworm1 && \ | ||
| rm -rf /var/lib/apt/lists/* |
There was a problem hiding this comment.
Security control: Docker Scan
'Apt-Get' Missing '--No-Install-Recommends'
'apt-get' install should use '--no-install-recommends' to minimize image size.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "'apt-get' missing '--no-install-recommends'" in Dockerfile; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
There was a problem hiding this comment.
right, fixed as suggested
thanks
Makefile
Outdated
| # Docker image configuration | ||
| # For testing, use: make docker-push-test TAG=arm-support-v1 | ||
| # For production, use: make docker-push IMAGE_NAME=redislabs/redis-webcli TAG=v1.2.3 | ||
| IMAGE_NAME ?= almoggueta247/test-call-home |
Makefile
Outdated
|
|
||
| # Build and push multi-platform image to test registry | ||
| docker-push-test: | ||
| docker buildx build --platform linux/amd64,linux/arm64 -t almoggueta247/test-call-home:$(TAG) --push . |
Dockerfile
Outdated
| "https://github.com/RedisLabs/memtier_benchmark/releases/download/2.1.1/memtier-benchmark_2.1.1.bookworm_${TARGETARCH}.deb" && \ | ||
| apt-get install -y /tmp/memtier-benchmark.deb && \ | ||
| rm /tmp/memtier-benchmark.deb && \ | ||
| rm -rf /var/lib/apt/lists/* |
There was a problem hiding this comment.
Security control: Docker Scan
'Apt-Get' Missing '--No-Install-Recommends'
'apt-get' install should use '--no-install-recommends' to minimize image size.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "'apt-get' missing '--no-install-recommends'" in Dockerfile; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
Dockerfile
Outdated
| RUN apt-get update && \ | ||
| apt-get install -y --no-install-recommends curl && \ | ||
| curl -fsSL -o /tmp/memtier-benchmark.deb \ | ||
| "https://github.com/RedisLabs/memtier_benchmark/releases/download/2.1.1/memtier-benchmark_2.1.1.bookworm_${TARGETARCH}.deb" && \ |
There was a problem hiding this comment.
Maybe we can use a build arg instead of hardcoded version?
Like - ARG MEMTIER_VERSION=2.1.1
There was a problem hiding this comment.
Also maybe its worth to add after installing memtier_benchmark, verification that it works.
RUN memtier_benchmark --version
Dockerfile
Outdated
| # Downloads the appropriate .deb file based on target architecture | ||
| # Note: Version 2.1.1 is not available in the Redis APT repository, only on GitHub releases | ||
| RUN apt-get update && \ | ||
| apt-get install -y --no-install-recommends curl && \ |
There was a problem hiding this comment.
curl is installed but remains in the final image. Consider adding apt-get purge -y curl && apt-get autoremove -y after the download to reduce image size, or keep it intentionally if useful for debugging.
There was a problem hiding this comment.
it adds 7MB - not sure its worth to remove - your call
** to build it we need to run:
make docker-push IMAGE_NAME=redislabs/redis-webcli TAG=<tag-number>