Use DDEV method for SQLite to avoid side effects of debian testing #14

Merged
merged 1 commit into from
Jan 2, 2025
Merged
23 changes: 13 additions & 10 deletions src/Dockerfile
@@ -6,21 +6,22 @@ FROM docksal/cli:${CLI_VERSION}
# See https://github.com/hadolint/hadolint/wiki/DL4006
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

ARG TARGETARCH
ARG HELM_VERSION=v2.17.0
# Args defined before the FROM directive are not available in the build stage,
# so cannot test CLI_VERSION directly here.
ARG INSTALL_SQLITE=false

# Install kubectl and helm client
RUN curl -o /usr/local/bin/kubectl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/$(dpkg --print-architecture)/kubectl" && \
RUN curl -o /usr/local/bin/kubectl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl" && \
chmod +x /usr/local/bin/kubectl && \
curl -o ./install_helm.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get && \
chmod +x ./install_helm.sh && \
./install_helm.sh -v ${HELM_VERSION} && \
helm init --client-only

# Also install helm3 as `helm3`
RUN curl -s https://get.helm.sh/helm-v3.6.2-linux-"$(dpkg --print-architecture)".tar.gz | sudo tar -C /tmp --no-same-owner -xvzf - linux-"$(dpkg --print-architecture)"/helm --strip-components 1 && \
RUN curl -s https://get.helm.sh/helm-v3.6.2-linux-${TARGETARCH}.tar.gz | sudo tar -C /tmp --no-same-owner -xvzf - linux-${TARGETARCH}/helm --strip-components 1 && \
mv /tmp/helm /bin/helm3
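Review bot: `${TARGETARCH}` in the new kubectl and helm3 RUN lines is only populated automatically by BuildKit; under the legacy `docker build` it expands to an empty string, so the kubectl URL becomes `.../bin/linux//kubectl` and the helm3 tarball `helm-v3.6.2-linux-.tar.gz`. Because both `curl` calls use `-s` but not `-f`, the HTTP error body is then written to `/usr/local/bin/kubectl` and marked executable, so the build succeeds with a non-working kubectl (the helm3 line only fails because `tar` rejects the non-gzip input). Suggest guarding the arg (`RUN test -n "${TARGETARCH}"` right after `ARG TARGETARCH`, or a documented default such as `ARG TARGETARCH=amd64`) and using `curl -fsSL` on every download; the replaced `dpkg --print-architecture` was at least always defined. Separately, kubectl is resolved from `stable.txt` at build time and the helm 2 installer is fetched from `master` of kubernetes/helm and executed, so the image is not reproducible from its build args; pinning both (as `HELM_VERSION` already does for helm 2) and verifying the helm3 tarball against the published `.sha256sum` would close that. The `sudo` on the helm3 line is flagged by Hadolint DL3004; if the base image switches to a non-root `USER`, `USER root` before the RUN (and back afterwards) is the idiomatic replacement.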
Comment on lines +24 to 25
⚠️ Potential issue

Remove sudo usage in helm3 installation

Using sudo in Dockerfile RUN commands can lead to unpredictable behavior. Consider modifying the command to avoid sudo:

-RUN curl -s https://get.helm.sh/helm-v3.6.2-linux-${TARGETARCH}.tar.gz | sudo tar -C /tmp --no-same-owner -xvzf - linux-${TARGETARCH}/helm --strip-components 1 && \
+RUN curl -s https://get.helm.sh/helm-v3.6.2-linux-${TARGETARCH}.tar.gz | tar -C /tmp --no-same-owner -xvzf - linux-${TARGETARCH}/helm --strip-components 1 && \
     mv /tmp/helm /bin/helm3
🧰 Tools
🪛 Hadolint (2.12.0)

[error] 24-24: Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root

(DL3004)


💡 Codebase verification

🛠️ Refactor suggestion

Checksum verification is recommended and available for helm binary

Based on the verification results:

  • Helm provides SHA256 checksums for both amd64 and arm64 architectures (HTTP 200 responses)
  • YQ has a general checksums file available in the release assets
  • For SQLite packages from Debian, checksums are typically included in the .dsc file and can be verified using apt's built-in mechanisms

To implement checksum verification:

  • For helm: Download and verify the SHA256 checksum before installing:
# -f fails on HTTP errors instead of saving the error page; the tarball keeps the
# name listed inside the .sha256sum file, which is the file `sha256sum -c` looks for.
RUN curl -fsSLO "https://get.helm.sh/helm-v3.6.2-linux-${TARGETARCH}.tar.gz.sha256sum" && \
    curl -fsSLO "https://get.helm.sh/helm-v3.6.2-linux-${TARGETARCH}.tar.gz" && \
    sha256sum -c "helm-v3.6.2-linux-${TARGETARCH}.tar.gz.sha256sum" && \
    tar -C /tmp --no-same-owner -xvzf "helm-v3.6.2-linux-${TARGETARCH}.tar.gz" linux-${TARGETARCH}/helm --strip-components 1 && \
    mv /tmp/helm /bin/helm3 && \
    rm -f "helm-v3.6.2-linux-${TARGETARCH}.tar.gz" "helm-v3.6.2-linux-${TARGETARCH}.tar.gz.sha256sum"
  • For yq: Download and verify against the checksums file
  • For SQLite: Use apt's built-in verification mechanisms when installing the package
🔗 Analysis chain

Consider adding checksum verification for binary downloads

For security, consider adding checksum verification for helm3, yq, and SQLite package downloads. This helps ensure the integrity of downloaded binaries.

Also applies to: 43-44, 54-55


Let me try a different approach to verify the checksums availability.


Let me try one more verification for yq checksums with a different pattern.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if checksums are available for the downloaded binaries
echo "Checking helm3 checksums..."
curl -sI "https://get.helm.sh/helm-v3.6.2-linux-${TARGETARCH}.tar.gz.sha256sum"

echo "Checking yq checksums..."
curl -sI "https://github.com/mikefarah/yq/releases/download/v4.21.1/yq_linux_${TARGETARCH}.tar.gz.sha256"

echo "Checking SQLite package checksums..."
curl -sI "https://snapshot.debian.org/archive/debian/20240203T152533Z/pool/main/s/sqlite3/sqlite3_3.45.1-1_${TARGETARCH}.deb.sha256"

Length of output: 2015


Script:

#!/bin/bash
# Check if checksums are available for the downloaded binaries with correct architecture patterns
echo "Checking helm3 checksums..."
curl -sI "https://get.helm.sh/helm-v3.6.2-linux-amd64.tar.gz.sha256sum"
curl -sI "https://get.helm.sh/helm-v3.6.2-linux-arm64.tar.gz.sha256sum"

echo -e "\nChecking yq checksums..."
curl -sI "https://github.com/mikefarah/yq/releases/download/v4.21.1/yq_linux_amd64.tar.gz.sha256"
curl -sI "https://github.com/mikefarah/yq/releases/download/v4.21.1/yq_linux_arm64.tar.gz.sha256"

echo -e "\nChecking SQLite package checksums..."
curl -sI "https://snapshot.debian.org/archive/debian/20240203T152533Z/pool/main/s/sqlite3/sqlite3_3.45.1-1_amd64.deb.sha256"
curl -sI "https://snapshot.debian.org/archive/debian/20240203T152533Z/pool/main/s/sqlite3/sqlite3_3.45.1-1_arm64.deb.sha256"

Length of output: 4344


Script:

#!/bin/bash
# Check if checksums are available for yq with different patterns
echo "Checking yq checksums..."
curl -sI "https://github.com/mikefarah/yq/releases/download/v4.21.1/checksums"
curl -sI "https://github.com/mikefarah/yq/releases/download/v4.21.1/checksums.txt"

# Also check if SQLite has checksums in a different format
echo -e "\nChecking SQLite checksums..."
curl -sI "https://snapshot.debian.org/archive/debian/20240203T152533Z/pool/main/s/sqlite3/sqlite3_3.45.1-1.dsc"

Length of output: 6122


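An added example, not code from this PR or from the docksal project, showing the checksum step the comment above recommends in a form that can be exercised offline: a `verify_sha256` function compares an artifact against a GNU `<sha256>  <filename>` checksum file (the format Helm publishes as `<tarball>.sha256sum`) and rejects both a tampered file and a constructed error-page body of the kind `curl -s` without `-f` saves when the URL 404s. The sample tarball, its checksum file and the error body are constructed in a temp directory; `fetch_verified` is an assumed wrapper (not run here) showing how the same check sits in front of `tar` in a Dockerfile `RUN`. One detail matters when wiring this into `sha256sum -c`: that flag ignores stdin and checks the file named inside the checksum file, so the artifact must be saved under that exact name; the function below compares digests directly to avoid the constraint. The same check applies to the snapshot.debian.org .debs in the SQLite hunk further down, using the SHA256 from that snapshot's Packages index.

```sh
#!/bin/sh
# Added example (not from the PR or the docksal/service-cli project): verify a
# downloaded artifact against a "<sha256>  <filename>" checksum file before it
# is extracted or installed. Everything below runs offline on constructed data.
set -eu

# digest <file>: hex SHA-256 of a file (coreutils sha256sum, or shasum fallback).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 <artifact> <checksum file>
# Returns 0 only when the checksum file names this artifact (by basename) and
# the digests match. Unlike `sha256sum -c`, which ignores stdin and looks up
# the listed filename on disk, this works wherever the artifact was saved.
verify_sha256() {
  artifact="$1"; sumfile="$2"
  expected="$(awk 'NR==1 {print $1}' "$sumfile")"
  listed="$(awk 'NR==1 {print $2}' "$sumfile")"
  if [ "$(basename "$artifact")" != "$listed" ]; then
    echo "checksum file is for '$listed', not '$(basename "$artifact")'" >&2
    return 1
  fi
  actual="$(digest "$artifact")"
  if [ "$actual" != "$expected" ]; then
    echo "SHA-256 mismatch for $artifact: got $actual, expected $expected" >&2
    return 1
  fi
  return 0
}

# fetch_verified <base url> <filename> <dest dir>: assumed wrapper showing how
# the check slots into a Dockerfile RUN. -f makes curl fail on HTTP errors
# instead of saving the error page, so an empty TARGETARCH fails the build
# loudly. Not executed in this offline example.
fetch_verified() {
  curl -fsSL -o "$3/$2" "$1/$2"
  curl -fsSL -o "$3/$2.sha256sum" "$1/$2.sha256sum"
  verify_sha256 "$3/$2" "$3/$2.sha256sum"
}

# --- constructed sample data (stand-ins, not real Helm release files) ---
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NAME="helm-v3.6.2-linux-amd64.tar.gz"

GOOD="$WORK/$NAME"
printf 'constructed stand-in for the helm tarball\n' > "$GOOD"
SUMFILE="$GOOD.sha256sum"
# What the publisher's side would produce: "<sha256>  <filename>".
printf '%s  %s\n' "$(digest "$GOOD")" "$NAME" > "$SUMFILE"

mkdir -p "$WORK/tampered" "$WORK/notfound"
TAMPERED="$WORK/tampered/$NAME"
printf 'constructed stand-in for the helm tarball, modified\n' > "$TAMPERED"
NOTFOUND="$WORK/notfound/$NAME"
# Constructed error page, the kind of body curl -s (without -f) saves on a 404.
printf '<html><body>404 Not Found</body></html>\n' > "$NOTFOUND"

# check <artifact> <checksum file>: print a verdict instead of aborting under set -e.
check() {
  if verify_sha256 "$1" "$2" 2>/dev/null; then
    echo "OK       $1"
  else
    echo "REJECTED $1"
  fi
}
check "$GOOD" "$SUMFILE"
check "$TAMPERED" "$SUMFILE"
check "$NOTFOUND" "$SUMFILE"
```

In a Dockerfile the equivalent is `fetch_verified https://get.helm.sh helm-v3.6.2-linux-${TARGETARCH}.tar.gz /tmp && tar ...`, with the verify step placed before anything is extracted, so a mismatch fails the layer rather than leaving a half-installed binary.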
# Install Kustomize
@@ -39,19 +40,21 @@ RUN curl https://awscli.amazonaws.com/awscli-exe-linux-"$(uname -m)".zip -o "aws

# Install yq
# https://mikefarah.gitbook.io/yq/#wget
RUN wget https://github.com/mikefarah/yq/releases/download/v4.21.1/yq_linux_"$(dpkg --print-architecture)".tar.gz -O - |\
tar xz && mv yq_linux_"$(dpkg --print-architecture)" /usr/bin/yq
RUN wget https://github.com/mikefarah/yq/releases/download/v4.21.1/yq_linux_${TARGETARCH}.tar.gz -O - |\
tar xz && mv yq_linux_${TARGETARCH} /usr/bin/yq

# Upgrade SQLite 3.x if specified in the build args.
# @see https://www.drupal.org/project/drupal/issues/3346338
# @see https://github.com/ddev/ddev/blob/a82397976cb06a440b23a81a474ceda13a428ae1/containers/ddev-webserver/Dockerfile#L124
# @see https://github.com/docksal/service-cli/pull/327/files
# Need to get sqlite3 from the Debian testing repository as the default version is too old.
# Using the DDEV method since it doesn't have the side effects of the Docksal method.
ARG SQLITE_VERSION="3.45.1"
RUN if [ "$INSTALL_SQLITE" = "true" ]; then \
set -xe; \
echo "deb https://deb.debian.org/debian testing main" | tee /etc/apt/sources.list.d/testing.list; \
apt-get update >/dev/null; \
apt-get install -y -t testing sqlite3; \
apt-get clean; rm -rf /var/lib/apt/lists/*; \
mkdir -p /tmp/sqlite3; \
wget -O /tmp/sqlite3/sqlite3.deb https://snapshot.debian.org/archive/debian/20240203T152533Z/pool/main/s/sqlite3/sqlite3_${SQLITE_VERSION}-1_${TARGETARCH}.deb; \
wget -O /tmp/sqlite3/libsqlite3.deb https://snapshot.debian.org/archive/debian/20240203T152533Z/pool/main/s/sqlite3/libsqlite3-0_${SQLITE_VERSION}-1_${TARGETARCH}.deb; \
apt-get install -y /tmp/sqlite3/*.deb; \
rm -rf /tmp/sqlite3; \
fi

# Install expect, vim
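Review bot: the two `.deb` files pulled from snapshot.debian.org are installed with no integrity check, and `apt-get install -y /tmp/sqlite3/*.deb` does not verify local files against signed archive metadata, so this change trades the apt signature verification the removed `apt-get install -y -t testing sqlite3` line had for a bare HTTPS download. Suggest pinning the expected SHA256 of both files (listed in the `Packages` index of that snapshot) and checking before install, e.g. `echo "<sha256>  /tmp/sqlite3/sqlite3.deb" | sha256sum -c -`, so a mismatch fails the layer. Two smaller points: `SQLITE_VERSION` is a build arg while the snapshot timestamp `20240203T152533Z` is fixed in both URLs, so overriding the version alone yields a 404 (wget then fails the build under `set -xe`, which is the right outcome, but the coupling deserves a comment next to the ARG); and `apt-get update` is no longer run before the install, so dependency resolution can only use packages already present in the image, which is fine for the `sqlite3`/`libsqlite3-0` pair downloaded together here but worth a note for anyone adding a third package.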