chore(images): use bash as default and enable some safety options

ekoops · irozzo-1A · poiana · commit 03a57b6ce002 · 2025-12-16T21:28:00.000+01:00
In order to be sure that shell instructions in RUN steps run as
intended, replace the default shell at build time with bash, enabling
some safety options (`-euo pipefail`). At the moment, this is done
only on rootfs images and builders.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
Co-Authored-By: irozzo-1A &lt;iacopo@sysdig.com&gt;
diff --git a/images/aarch64/amazonlinux2/5.4/Dockerfile b/images/aarch64/amazonlinux2/5.4/Dockerfile
@@ -3,6 +3,9 @@ FROM amazonlinux:2
 ARG VERSION=5.4.247-162.350
 ARG URL='http://amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-5.4/latest/aarch64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		chrony \
diff --git a/images/aarch64/amazonlinux2022/5.15/Dockerfile b/images/aarch64/amazonlinux2022/5.15/Dockerfile
@@ -3,6 +3,8 @@ FROM amazonlinux:2022
 ARG VERSION=5.15.73-45.135
 ARG URL='https://al2022-repos-us-east-1-9761ab97.s3.dualstack.us-east-1.amazonaws.com/core/mirrors/latest/aarch64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
diff --git a/images/aarch64/archlinux/4.14/Dockerfile b/images/aarch64/archlinux/4.14/Dockerfile
@@ -3,6 +3,9 @@ FROM lopsided/archlinux:latest
 ARG VERSION=4.14.15-1
 ARG URL='http://tardis.tiny-vps.com/aarm/packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN pacman -Syyu --noconfirm && \
@@ -32,4 +35,4 @@ RUN pacman -Syyu --noconfirm && \
 	pacman -U --noconfirm ./headers.tar.xz && \
 	rm -v ./headers.tar.xz && \
 	ln -s /usr/lib/systemd/systemd /sbin/init && \
-	yes | pacman -Scc || exit 0
+	pacman -Scc --noconfirm || exit 0
diff --git a/images/aarch64/fedora/6.2/Dockerfile b/images/aarch64/fedora/6.2/Dockerfile
@@ -5,6 +5,9 @@ ARG HVERSION=6.2.6-300
 ARG ARCHITECTURE=aarch64
 ARG URL='https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/38/Everything/aarch64/os/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
 		clang \
diff --git a/images/aarch64/oraclelinux/4.14/Dockerfile b/images/aarch64/oraclelinux/4.14/Dockerfile
@@ -3,6 +3,9 @@ FROM oraclelinux:7
 ARG VERSION=4.14.35-2047.527.2
 ARG URL='https://yum.oracle.com/repo/OracleLinux/OL7/latest/aarch64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 COPY /dev.repo /etc/yum.repos.d/
 
 RUN yum groupinstall -y 'Development Tools' && \
diff --git a/images/aarch64/oraclelinux/5.15/Dockerfile b/images/aarch64/oraclelinux/5.15/Dockerfile
@@ -4,6 +4,9 @@ ARG VERSION=5.15.0-8.91.4.1
 ARG URL='https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/aarch64'
 ARG ARCHITECTURE='aarch64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/aarch64/ubuntu/6.5/Dockerfile b/images/aarch64/ubuntu/6.5/Dockerfile
@@ -3,6 +3,9 @@ FROM ubuntu:22.04
 ARG VERSION=6.5.0-1024-aws
 ARG URL='https://ports.ubuntu.com/ubuntu-ports/pool/main/l/linux-aws-6.5/'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN apt-get update && apt-get install -y \
diff --git a/images/builder/Dockerfile b/images/builder/Dockerfile
@@ -3,6 +3,9 @@ FROM centos:7
 # TARGETARCH is automatically set by BuildKit (arm64 or amd64)
 ARG TARGETARCH
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 COPY /dhclient.service /usr/lib/systemd/system/
 
 # Fix broken mirrors - centos:7 eol
diff --git a/images/modernprobe-builder/Dockerfile b/images/modernprobe-builder/Dockerfile
@@ -1,5 +1,8 @@
 FROM fedora:latest
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 COPY /dhclient.service /usr/lib/systemd/system/
 
 RUN dnf install -y \
diff --git a/images/x86_64/amazonlinux2/4.19/Dockerfile b/images/x86_64/amazonlinux2/4.19/Dockerfile
@@ -3,6 +3,9 @@ FROM amazonlinux:2
 ARG VERSION=4.19.84-33.70
 ARG URL='http://amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-ng/latest/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/x86_64/amazonlinux2/5.10/Dockerfile b/images/x86_64/amazonlinux2/5.10/Dockerfile
@@ -3,6 +3,9 @@ FROM amazonlinux:2
 ARG VERSION=5.10.184-175.749
 ARG URL='http://amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-5.10/latest/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/x86_64/amazonlinux2/5.15/Dockerfile b/images/x86_64/amazonlinux2/5.15/Dockerfile
@@ -3,6 +3,9 @@ FROM amazonlinux:2
 ARG VERSION=5.15.117-73.143
 ARG URL='http://amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-5.15/latest/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/x86_64/amazonlinux2/5.4/Dockerfile b/images/x86_64/amazonlinux2/5.4/Dockerfile
@@ -3,6 +3,9 @@ FROM amazonlinux:2
 ARG VERSION=5.4.247-162.350
 ARG URL='http://amazonlinux.us-east-1.amazonaws.com/2/extras/kernel-5.4/latest/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/x86_64/amazonlinux2022/5.15/Dockerfile b/images/x86_64/amazonlinux2022/5.15/Dockerfile
@@ -3,6 +3,8 @@ FROM amazonlinux:2022
 ARG VERSION=5.15.73-45
 ARG URL='https://al2022-repos-us-east-1-9761ab97.s3.dualstack.us-east-1.amazonaws.com/core/mirrors/latest/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
diff --git a/images/x86_64/amazonlinux2023/6.1/Dockerfile b/images/x86_64/amazonlinux2023/6.1/Dockerfile
@@ -3,6 +3,8 @@ FROM amazonlinux:2023
 ARG VERSION=6.1.34-58
 ARG URL='https://cdn.amazonlinux.com/al2023/core/mirrors/latest/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
diff --git a/images/x86_64/archlinux/5.18/Dockerfile b/images/x86_64/archlinux/5.18/Dockerfile
@@ -1,5 +1,8 @@
 FROM archlinux/archlinux:base-20220807.0.72894
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN printf 'SigLevel = Never\nServer=https://archive.archlinux.org/repos/2022/08/04/$repo/os/$arch' > /etc/pacman.d/mirrorlist && \
@@ -17,7 +20,7 @@ pacman -Syyu --noconfirm && \
 		python \
 		rsync \
 		wget && \
-	yes | pacman -Scc && \
+	pacman -Scc --noconfirm && \
 	ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime && \
 	echo 'LANG=en_US.UTF-8' > /etc/locale.gen && \
 	locale-gen && \
diff --git a/images/x86_64/archlinux/6.0/Dockerfile b/images/x86_64/archlinux/6.0/Dockerfile
@@ -1,5 +1,8 @@
 FROM archlinux/archlinux:base-20221211.0.109768
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN printf 'SigLevel = Never\nServer=https://archive.archlinux.org/repos/2022/12/11/$repo/os/$arch' > /etc/pacman.d/mirrorlist && \
@@ -17,7 +20,7 @@ pacman -Syyu --noconfirm && \
 		python \
 		rsync \
 		wget && \
-	yes | pacman -Scc && \
+	pacman -Scc --noconfirm && \
 	ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime && \
 	echo 'LANG=en_US.UTF-8' > /etc/locale.gen && \
 	locale-gen && \
diff --git a/images/x86_64/archlinux/6.7/Dockerfile b/images/x86_64/archlinux/6.7/Dockerfile
@@ -1,5 +1,8 @@
 FROM archlinux/archlinux:base-20240124.0.209208
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN printf 'SigLevel = Never\nServer=https://archive.archlinux.org/repos/2024/01/24/$repo/os/$arch' > /etc/pacman.d/mirrorlist && \
@@ -17,7 +20,7 @@ pacman -Syyu --noconfirm && \
 		python \
 		rsync \
 		wget && \
-	yes | pacman -Scc && \
+	pacman -Scc --noconfirm && \
 	ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime && \
 	echo 'LANG=en_US.UTF-8' > /etc/locale.gen && \
 	locale-gen && \
diff --git a/images/x86_64/centos/3.10/Dockerfile b/images/x86_64/centos/3.10/Dockerfile
@@ -3,6 +3,9 @@ FROM centos:centos7.9.2009
 ARG VERSION=3.10.0-1160
 ARG BASEOS_URL='https://vault.centos.org/centos/7.9.2009/os/x86_64/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 # Fix broken mirrors.
 RUN sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
     sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo; \
diff --git a/images/x86_64/centos/4.18/Dockerfile b/images/x86_64/centos/4.18/Dockerfile
@@ -3,6 +3,9 @@ FROM quay.io/centos/centos:stream8
 ARG VERSION=4.18.0-552
 ARG BASEOS_URL='https://vault.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 # Fix broken mirrors.
 RUN sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
     sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo; \
diff --git a/images/x86_64/centos/5.14/Dockerfile b/images/x86_64/centos/5.14/Dockerfile
@@ -3,6 +3,9 @@ FROM quay.io/centos/centos:stream9
 ARG VERSION=5.14.0-648
 ARG APPSTR_URL='http://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y --allowerasing \
 		clang \
diff --git a/images/x86_64/fedora/5.17/Dockerfile b/images/x86_64/fedora/5.17/Dockerfile
@@ -4,6 +4,9 @@ ARG VERSION=5.17.5-300
 ARG HVERSION=5.17.0-300
 ARG URL='https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/36/Everything/x86_64/os/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
 		clang \
diff --git a/images/x86_64/fedora/5.8/Dockerfile b/images/x86_64/fedora/5.8/Dockerfile
@@ -4,6 +4,9 @@ ARG VERSION=5.8.15-301
 ARG HVERSION=5.8.11-300
 ARG URL='https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/33/Everything/x86_64/os/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
 		clang \
diff --git a/images/x86_64/fedora/6.2/Dockerfile b/images/x86_64/fedora/6.2/Dockerfile
@@ -4,6 +4,9 @@ ARG VERSION=6.2.9-300
 ARG HVERSION=6.2.6-300
 ARG URL='https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/38/Everything/x86_64/os/Packages'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN dnf groupinstall -y 'Development Tools' && \
 	dnf install -y \
 		clang \
diff --git a/images/x86_64/oraclelinux/3.10/Dockerfile b/images/x86_64/oraclelinux/3.10/Dockerfile
@@ -3,6 +3,9 @@ FROM oraclelinux:7
 ARG VERSION=3.10.0-1160.92.1.0.2
 ARG URL='https://yum.oracle.com/repo/OracleLinux/OL7/MODRHCK/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 COPY /dev.repo /etc/yum.repos.d/
 
 RUN yum install -y \
diff --git a/images/x86_64/oraclelinux/4.14/Dockerfile b/images/x86_64/oraclelinux/4.14/Dockerfile
@@ -3,6 +3,9 @@ FROM oraclelinux:7
 ARG VERSION=4.14.35-2047.526.2
 ARG URL='https://yum.oracle.com/repo/OracleLinux/OL7/UEKR5/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 COPY /dev.repo /etc/yum.repos.d/
 
 RUN yum groupinstall -y 'Development Tools' && \
diff --git a/images/x86_64/oraclelinux/5.15/Dockerfile b/images/x86_64/oraclelinux/5.15/Dockerfile
@@ -3,6 +3,9 @@ FROM oraclelinux:9
 ARG VERSION=5.15.0-8.91.4.1
 ARG URL='https://yum.oracle.com/repo/OracleLinux/OL9/UEKR7/x86_64'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/x86_64/oraclelinux/5.4/Dockerfile b/images/x86_64/oraclelinux/5.4/Dockerfile
@@ -3,6 +3,9 @@ FROM oraclelinux:8
 ARG VERSION=5.4.17-2136.320.7.1
 ARG URL='https://yum.oracle.com/repo/OracleLinux/OL8/UEKR6/x86_64/'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN yum install -y \
 		binutils-devel \
 		clang \
diff --git a/images/x86_64/ubuntu/4.15/Dockerfile b/images/x86_64/ubuntu/4.15/Dockerfile
@@ -3,6 +3,9 @@ FROM ubuntu:18.04
 ARG VERSION=4.15.0-1118-aws
 ARG URL='https://archive.ubuntu.com/ubuntu/pool/main/l/linux-aws/'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN apt-get update && apt-get install -y \
diff --git a/images/x86_64/ubuntu/5.8/Dockerfile b/images/x86_64/ubuntu/5.8/Dockerfile
@@ -2,6 +2,9 @@ FROM ubuntu:20.04
 
 ARG VERSION=5.8.0-1041-aws
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
diff --git a/images/x86_64/ubuntu/6.2/Dockerfile b/images/x86_64/ubuntu/6.2/Dockerfile
@@ -3,6 +3,9 @@ FROM ubuntu:22.04
 ARG VERSION=6.2.0-1018-aws
 ARG URL='https://archive.ubuntu.com/ubuntu/pool/main/l/linux-aws-6.2/'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN apt-get update && apt-get install -y \
diff --git a/images/x86_64/ubuntu/6.5/Dockerfile b/images/x86_64/ubuntu/6.5/Dockerfile
@@ -3,6 +3,9 @@ FROM ubuntu:22.04
 ARG VERSION=6.5.0-1024-aws
 ARG URL='https://archive.ubuntu.com/ubuntu/pool/main/l/linux-aws-6.5/'
 
+# Use bash for all RUN steps with some safety options enabled.
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 WORKDIR /home/ubuntu
 
 RUN apt-get update && apt-get install -y \
