base: update to Amazon Linux 2023 and bash 5.2.15

Upgrade the base image from Amazon Linux 2 to Amazon Linux 2023 for improved security, performance, and long-term support. This change also updates bash from 5.1.16 to 5.2.15.

Signed-off-by: Maher Homsi <[email protected]>

Author: maherthomsi

Dockerfile

@@ -1,19 +1,19 @@
 ################################################################################
 # Base image for all builds
 
-FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder-base
-RUN yum group install -y "Development Tools"
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder-base
+RUN dnf group install -y "Development Tools"
 RUN useradd builder
 
 
 ################################################################################
 # Statically linked, more recent version of bash
 
 FROM builder-base AS builder-static
-RUN yum install -y glibc-static
+RUN dnf install -y glibc-static
 
 ARG musl_version=1.2.5
-ARG bash_version=5.1.16
+ARG bash_version=5.2.15
 
 WORKDIR /opt/build
 COPY ./sdk-fetch ./
@@ -47,51 +47,18 @@ RUN CC=""/usr/local/musl/bin/musl-gcc CFLAGS="-Os -DHAVE_DLOPEN=0" \
         --enable-static-link \
         --without-bash-malloc \
     || { cat config.log; exit 1; }
-RUN make -j`nproc`
+RUN make lib/sh/libsh.a && \
+    cd ./lib/sh && ar d libsh.a strtoimax.o && ranlib libsh.a && \
+    cd ../.. && make -j`nproc`
 RUN cp bash /opt/bash
 RUN mkdir -p /usr/share/licenses/bash && \
     cp -p COPYING /usr/share/licenses/bash
 
 
-################################################################################
-# Rebuild of Amazon Linux 2's systemd v219 with downstream patches
-
-FROM builder-base AS builder-systemd
-RUN yum install -y yum-utils rpm-build
-RUN yum-builddep -y systemd
-
-USER builder
-WORKDIR /home/builder
-RUN yumdownloader --source systemd
-RUN rpm -Uv systemd-219-*.src.rpm
-
-WORKDIR /home/builder/rpmbuild/SOURCES
-COPY systemd-patches/*.patch ./
-
-WORKDIR /home/builder/rpmbuild/SPECS
-# Recreate the spec file from three parts: everything up until the last upstream
-# patch, downstream patches, everything else.
-RUN last_patch=$(awk '/^Patch[0-9]+/ { line = NR } END { print line }' systemd.spec); \
-    head -n${last_patch} systemd.spec >systemd.mod.spec; \
-    { \
-        echo ;\
-        echo '# Bottlerocket Patches'; \
-        echo 'Patch9500: 9500-cgroup-util-extract-cgroup-hierarchy-base-path-into-.patch'; \
-        echo 'Patch9501: 9501-cgroup-util-accept-cgroup-hierarchy-base-as-option.patch'; \
-        echo 'Patch9502: 9502-core-move-initialization-of-.slice-and-init.scope-in.patch'; \
-        echo 'Patch9503: 9503-core-drop-.slice-from-shipped-units.patch'; \
-        echo 'Patch9504: 9504-core-skip-restart-when-a-JOB_STOP-job-is-pending.patch'; \
-        echo ; \
-    } >>systemd.mod.spec; \
-    tail -n+$((last_patch + 1)) systemd.spec >>systemd.mod.spec; \
-    mv systemd.mod.spec systemd.spec
-RUN rpmbuild --bb systemd.spec
-
-
 ################################################################################
 # Actual admin container image
 
-FROM public.ecr.aws/amazonlinux/amazonlinux:2
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023
 
 ARG IMAGE_VERSION
 # Make the container image version a mandatory build argument
@@ -103,10 +70,8 @@ LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
 # dependency is best satisfied by the downstream build. Reinstalling it later
 # would result in also carrying around the original systemd in the final image
 # where it would remain forever hidden and unused in a lower layer.
-RUN --mount=type=bind,from=builder-systemd,source=/home/builder/rpmbuild/RPMS,target=/tmp/systemd-rpms \
-    yum update -y \
-    && yum install -y \
-        /tmp/systemd-rpms/*/systemd-{219,libs}*.rpm \
+RUN dnf update -y \
+    && dnf install -y \
         ec2-instance-connect \
         jq \
         openssh-server \
@@ -115,7 +80,7 @@ RUN --mount=type=bind,from=builder-systemd,source=/home/builder/rpmbuild/RPMS,ta
         shadow-utils \
         sudo \
         util-linux \
-    && yum clean all
+    && dnf clean all
 
 # Delete SELinux config file to prevent relabeling with contexts provided by the container's image
 RUN rm -rf /etc/selinux/config
@@ -144,4 +109,4 @@ RUN groupadd -g 274 api
 RUN ln -sf /usr/bin/true /usr/bin/logger
 
 CMD ["/usr/sbin/start_admin.sh"]
-ENTRYPOINT ["/bin/bash", "-c"]
+ENTRYPOINT ["/bin/bash", "-c"]

hashes/bash

@@ -1,2 +1,2 @@
-# https://ftp.gnu.org/gnu/bash/bash-5.1.16.tar.gz
-SHA512 (bash-5.1.16.tar.gz) = a32a343b6dde9a18eb6217602655f72c4098b0d90f04cf4e686fb21b81fc4ef26ade30f7226929fbb7c207cde34617dbad2c44f6103161d1141122bb31dc6c80
+# https://ftp.gnu.org/gnu/bash/bash-5.2.15.tar.gz
+SHA512 (bash-5.2.15.tar.gz) = 08a67f6da4af7a75ff2b2d5a9eb8fc46d8c6e9ae80ccaf73b51736d6609916861b1f3fced938ce3ea16d014edb324e1a3d8e03f4917f68dc56ffb665316f26c7