fix: CVE-2024-38428 remove wget to close vuln, reduce image size

Zhupku · k8s-infra-cherrypick-robot · commit 0b20bacd3feb · 2024-09-03T13:13:12.000Z
diff --git a/pkg/blobplugin/Dockerfile b/pkg/blobplugin/Dockerfile
@@ -12,13 +12,47 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM registry.k8s.io/build-image/debian-base:bookworm-v1.0.3
-
 ARG ARCH=amd64
+
+FROM registry.k8s.io/build-image/debian-base:bookworm-v1.0.3 AS base
+
+FROM base AS builder
+
+ARG ARCH
+
+RUN apt update \
+    && apt install -y curl
+
+# install aznfs
+ARG aznfsVer=2.0.7
+ARG anzfsArch=x86_64
+RUN if [ "$ARCH" = "arm64" ]; then \
+      anzfsArch="arm64"; \
+    fi
+RUN curl -Ls https://github.com/Azure/AZNFS-mount/releases/download/${aznfsVer}/aznfs-${aznfsVer}-1.${anzfsArch}.tar.gz | tar xvzf - -C / --keep-directory-symlink
+
+# install azcopy
+RUN curl -Ls https://azcopyvnext.azureedge.net/releases/release-10.26.0-20240731/azcopy_linux_${ARCH}_10.26.0.tar.gz \
+        | tar xvzf - --strip-components=1 -C /usr/local/bin/ --wildcards "*/azcopy"
+
+# download blobfuse deb
+RUN mkdir /blobfuse-proxy/
+RUN curl -Lso /blobfuse-proxy/packages-microsoft-prod-18.04.deb https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
+RUN curl -Lso /blobfuse-proxy/packages-microsoft-prod-22.04.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb
+FROM base
+
+ARG ARCH
 ARG binary=./_output/${ARCH}/blobplugin
 COPY ${binary} /blobplugin
 
-RUN mkdir /blobfuse-proxy/
+COPY --from=builder --chown=root:root /opt/microsoft/aznfs /opt/microsoft/aznfs
+COPY --from=builder --chown=root:root /sbin/mount.aznfs /sbin/mount.aznfs
+COPY --from=builder --chown=root:root /usr/sbin/aznfswatchdog /usr/sbin/aznfswatchdog
+COPY --from=builder --chown=root:root /usr/local/bin/azcopy /usr/local/bin/azcopy
+COPY --from=builder --chown=root:root /blobfuse-proxy /blobfuse-proxy
+
+# packages that are only needed by aznfs: procps conntrack iptables bind9-host iproute2 bash netcat sysvinit-utils.
+RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates uuid-dev util-linux mount udev e2fsprogs nfs-common netbase procps conntrack iptables bind9-host iproute2 bash netcat-traditional sysvinit-utils kmod
 
 COPY ./pkg/blobfuse-proxy/init.sh /blobfuse-proxy/
 COPY ./pkg/blobfuse-proxy/install-proxy.sh /blobfuse-proxy/
@@ -27,37 +61,18 @@ COPY ./pkg/blobfuse-proxy/blobfuse-proxy.service /blobfuse-proxy/
 COPY ./_output/${ARCH}/blobfuse-proxy /blobfuse-proxy/
 
 RUN chmod +x /blobfuse-proxy/init.sh && \
- chmod +x /blobfuse-proxy/install-proxy-rhcos.sh && \
- chmod +x /blobfuse-proxy/install-proxy.sh && \
- chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
- chmod +x /blobfuse-proxy/blobfuse-proxy
-
-# packages that are only needed by aznfs: procps conntrack iptables bind9-host iproute2 bash netcat sysvinit-utils.
-RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates uuid-dev util-linux mount udev wget e2fsprogs nfs-common netbase procps conntrack iptables bind9-host iproute2 bash netcat-traditional sysvinit-utils kmod
+  chmod +x /blobfuse-proxy/install-proxy-rhcos.sh && \
+  chmod +x /blobfuse-proxy/install-proxy.sh && \
+  chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
+  chmod +x /blobfuse-proxy/blobfuse-proxy
 
-# install aznfs
-ARG aznfsVer=2.0.7
 RUN if [ "$ARCH" = "amd64" ] ; then \
-  wget -O aznfs.tar.gz https://github.com/Azure/AZNFS-mount/releases/download/${aznfsVer}/aznfs-${aznfsVer}-1.x86_64.tar.gz; \
-else \
-  wget -O aznfs.tar.gz https://github.com/Azure/AZNFS-mount/releases/download/${aznfsVer}/aznfs-${aznfsVer}-1.arm64.tar.gz;fi
-RUN tar xvzf aznfs.tar.gz -C / --keep-directory-symlink && rm aznfs.tar.gz
+    clean-install libcurl4-gnutls-dev \
+    && dpkg -i /blobfuse-proxy/packages-microsoft-prod-18.04.deb \
+    && rm /blobfuse-proxy/packages-microsoft-prod-18.04.deb \
+    && apt update \
+    && apt install -y blobfuse blobfuse2 fuse; fi
 
-# install azcopy
-ARG azcopyURL=https://azcopyvnext.azureedge.net/releases/release-10.26.0-20240731/azcopy_linux_amd64_10.26.0.tar.gz
-RUN if [ "$ARCH" == "arm64" ] ; then \
-  azcopyURL=https://azcopyvnext.azureedge.net/releases/release-10.26.0-20240731/azcopy_linux_arm64_10.26.0.tar.gz; fi
-RUN wget -O azcopy.tar.gz ${azcopyURL} && \
-  tar xvzf azcopy.tar.gz -C . && rm azcopy.tar.gz && \
-  mv ./azcopy_linux_$ARCH_*/azcopy /usr/local/bin/azcopy && \
-  rm -rf ./azcopy_linux_$ARCH_*
-RUN chmod +x /usr/local/bin/azcopy
-
-RUN if [ "$ARCH" = "amd64" ] ; then \
-  clean-install libcurl4-gnutls-dev && \
-  wget -O /blobfuse-proxy/packages-microsoft-prod-22.04.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb && \
-  wget -O /blobfuse-proxy/packages-microsoft-prod-18.04.deb https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb && \
-  dpkg -i /blobfuse-proxy/packages-microsoft-prod-18.04.deb && apt update && apt install blobfuse blobfuse2 fuse -y && apt remove wget -y; fi
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"
 
