Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build: Install wget in development docker image #33288

Merged
merged 1 commit into from
Sep 19, 2023

Conversation

timmc-edx
Copy link
Contributor

It's needed by make common_constraints.txt. We're starting to see
failures running this command in lms-shell in devstack. This has probably
been going on the entire time, but the error suppression was only removed
recently in #33271.

The new RUN instruction for installing wget is added to the development
layer only, partly to limit image sizes and partly to make life harder for
any attacker who manages to gain code execution in production.

I've moved USER app from the end of the base layer to the start of the
production layer, since the only other layer (in this file) that builds
on base is development, which more or less immediately switches back
to root. (The intervening COPY instruction is not affected by the current
user.)

Ticket: #33287

It's needed by `make common_constraints.txt`. We're starting to see
failures running this command in lms-shell in devstack. This has probably
been going on the entire time, but the error suppression was only removed
recently in <#33271>.

The new RUN instruction for installing wget is added to the development
layer only, partly to limit image sizes and partly to make life harder for
any attacker who manages to gain code execution in production.

I've moved `USER app` from the end of the `base` layer to the start of the
`production` layer, since the only other layer (in this file) that builds
on `base` is `development`, which more or less immediately switches back
to root. (The intervening COPY instruction is not affected by the current
user.)

Ticket: #33287
@timmc-edx
Copy link
Contributor Author

I've tested that make compile-requirements was failing in make lms-shell before this change, and that after I built a new image and used its hash in the devstack docker-compose.yml, the command is now working.

@timmc-edx timmc-edx merged commit 6714062 into master Sep 19, 2023
@timmc-edx timmc-edx deleted the timmc/wget-for-devstack branch September 19, 2023 20:39
@edx-pipeline-bot
Copy link
Contributor

2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.

@edx-pipeline-bot
Copy link
Contributor

2U Release Notice: This PR has been deployed to the edX production environment.

@edx-pipeline-bot
Copy link
Contributor

2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.

@edx-pipeline-bot
Copy link
Contributor

2U Release Notice: This PR has been deployed to the edX production environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants