Eng 487 change ruby base images from debian to alpine #364
Conversation
Dockerfile
Outdated
| RUN apt update -y \ | ||
| && apt -y install nano \ | ||
| && cp /usr/bin/nano /usr/local/bin/ | ||
| FROM ruby:3.3.5-alpine as rubybuilder |
There was a problem hiding this comment.
Is the switch to -alpine intentional here?
alpine linux is a lightweight linux distribution designed for running in containers. It uses a different 'libc' than debian (which is what the -slim) version uses.
There may be compatibility issues arising from pulling in from a different linux distribution.
It would probably be safest stick with the -slim variant for any additional builder layers that are pulled in
There was a problem hiding this comment.
We're looking at a switch to alpine as the ruby:3.3.5 and ruby:3.3.5-slim images are based on debian stable, which appears to have a critical CVE associated with it. It looks like Hauwa has been able to get the app running correctly with alpine and the gcompat library, which handles the glibc/musl conversion.
I think this is a really good change if it works as it gives us a much smaller image and a more up-to-date set of packages, with a smaller attack surface and therefore fewer vulnerabilities.
|
|
||
| group :test do | ||
| gem 'rack_session_access', '~> 0.2.0' | ||
| end | ||
|
|
||
| gem "listen", "~> 3.9", :group => :development | ||
| gem "listen", "~> 3.9" |
There was a problem hiding this comment.
Why did we need to do this? Looks like the listen gem is only used in the development environment.
There was a problem hiding this comment.
when we specify it with :group => :development in the Gemfile, our Docker build fails with the error:
"listen is not part of the bundle. Add it to your Gemfile."
There was a problem hiding this comment.
hmm, I think this is the wrong solution. I added a comment on the Jira ticket about this
removing the "group" constrain on the "listen" gem will mean that it gets included even when the app runs in "production" mode, when it is not needed.
There are already other steps in the dockerfile (the bundle config and rake assets:precompile) which work towards making this dockerfile a "production mode only" docker file, which I think is the right thing to do.
What we should do instead is specify RAILS_ENV as production in the final CMD line in the docker file
a nice way of doing that would be to add an ENV statement which defaults RAILS_ENV to production
Reason for Change The main driver for this change is to address the critical vulnerability CVE-2023-45853 in MiniZip (part of zlib) that was present in the Debian-based images. This vulnerability, which could lead to integer overflow and heap-based buffer overflow, was not resolved in the Debian images we were using. Alpine Linux has resolved this vulnerability in their zlib packages, along with several other CVEs. Changing this image to alpine eliminates the CVE-2023-45853 and reduces the overall image size. Updated Dockerfile to use Alpine-based images
Testing
Next Steps
|
* Explicit error message if env file is not set * doesn't load fake data unless running in development *errors out if unable to get csv file from s3
config/initializers/cost_centers.rb
Outdated
| if Rails.env.development? | ||
| return File.read(File.join(Rails.root, 'config', 'cost_centre_fixture.csv')) | ||
| # dont load the cost centers from s3 if were not running the server or we're not in RAILS_ENV != production | ||
| if Rails.env.development? or !defined?(Rails::Server) |
There was a problem hiding this comment.
seems reasonable .. I would maybe double down on making the logic explicit by extracting !defined?(Rails::Server) into a named method eg.
def running_inside_a_rake_task?
@defined(Rails::Server)
end
...
def get_cost_centre_data()
...
if Rails.env.development? or running_inside_a_rake_task?
...
end
...
* initializers are always run after version 4 of rails. In this instance the initializer was being run by rake during the docker build process. However, the necessary env vars are not present at build time so this step was failing. Line 36 stops this.
No description provided.