
Commit d83c7af

authored
Add workaround for using latest UBI 8 for NAP (#3647)
1 parent 5e3fed0 commit d83c7af


1 file changed

+5
-4
lines changed


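--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -142,15 +142,15 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && microdnf clean all
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS #############################################
-FROM redhat/ubi8:8.6 as ubi-plus-nap
+FROM redhat/ubi8 as ubi-plus-nap
 ARG NGINX_PLUS_VERSION
 ARG NAP_MODULES
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
 source /tmp/rhel_license \
-## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI versions newer than 8.6
+## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions
 dnf --nodocs install -y shadow-utils ca-certificates \
 && groupadd --system --gid 101 nginx \
 && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -159,6 +159,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \
 && dnf --nodocs install -y nginx-plus nginx-plus-module-njs \
 ## end of duplicated code
+&& sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \
 && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \
 && subscription-manager attach \
 && dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \
@@ -173,8 +174,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/app-protect-dos-8.repo; \
 dnf --nodocs install -y app-protect-dos; \
 fi \
-# fix for CVEs
-&& dnf --nodocs upgrade -y libcom_err libxml2 krb5-libs dbus expat systemd libtasn1 sqlite-libs libksba platform-python platform-python-setuptools python3-setuptools-wheel tar curl \
+# temp fix for CVE-2023-23916
+&& dnf --nodocs upgrade -y curl \
 && rm /etc/yum.repos.d/app-protect*.repo \
 && subscription-manager unregister \
 && dnf clean all && rm -rf /var/cache/dnf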
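Review bot: `FROM redhat/ubi8 as ubi-plus-nap` (new line 145) carries neither a tag nor a digest, so the stage builds on whatever `latest` resolves to and two builds of the same commit can produce different images. The workarounds in the same RUN depend on that floating content: the `sed` added at new line 162 exits 0 even when `def in_container():` is no longer present in rhsm/config.py, a hard failure of it appears to be absorbed by the `|| true` on the following line, and the narrowed `dnf --nodocs upgrade -y curl` assumes the base already ships the fixes that the removed package list used to pull in. I would pin the base by digest, e.g. `FROM redhat/ubi8@sha256:<digest-placeholder> as ubi-plus-nap`, and let an automated update bump it, so each UBI refresh arrives as a reviewable change. The sed also deserves a comment saying why rhsm is patched (presumably so `subscription-manager register` works during the build), and in the visible lines config.py is not restored after `subscription-manager unregister`, so the modified file appears to ship in the image. The RUN instruction continues between the hunks, so parts of it are not visible here.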
