Explicitly upgrade openssl in docker file and enforce new version of cryptography (#9697)
parent
e2904f720d
commit
12d6184713
|
@ -0,0 +1 @@
|
||||||
|
Ensure that the docker container has up to date versions of openssl.
|
|
@ -0,0 +1 @@
|
||||||
|
Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
|
|
@ -20,17 +20,18 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder
|
||||||
|
|
||||||
# install the OS build deps
|
# install the OS build deps
|
||||||
RUN apt-get update && apt-get install -y \
|
RUN apt-get update && apt-get install -y \
|
||||||
build-essential \
|
build-essential \
|
||||||
libffi-dev \
|
libffi-dev \
|
||||||
libjpeg-dev \
|
libjpeg-dev \
|
||||||
libpq-dev \
|
libpq-dev \
|
||||||
libssl-dev \
|
libssl-dev \
|
||||||
libwebp-dev \
|
libwebp-dev \
|
||||||
libxml++2.6-dev \
|
libxml++2.6-dev \
|
||||||
libxslt1-dev \
|
libxslt1-dev \
|
||||||
rustc \
|
openssl \
|
||||||
zlib1g-dev \
|
rustc \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
zlib1g-dev \
|
||||||
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Build dependencies that are not available as wheels, to speed up rebuilds
|
# Build dependencies that are not available as wheels, to speed up rebuilds
|
||||||
RUN pip install --prefix="/install" --no-warn-script-location \
|
RUN pip install --prefix="/install" --no-warn-script-location \
|
||||||
|
@ -63,14 +64,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \
|
||||||
FROM docker.io/python:${PYTHON_VERSION}-slim
|
FROM docker.io/python:${PYTHON_VERSION}-slim
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y \
|
RUN apt-get update && apt-get install -y \
|
||||||
curl \
|
curl \
|
||||||
gosu \
|
gosu \
|
||||||
libjpeg62-turbo \
|
libjpeg62-turbo \
|
||||||
libpq5 \
|
libpq5 \
|
||||||
libwebp6 \
|
libwebp6 \
|
||||||
xmlsec1 \
|
xmlsec1 \
|
||||||
libjemalloc2 \
|
libjemalloc2 \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
libssl-dev \
|
||||||
|
openssl \
|
||||||
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
COPY --from=builder /install /usr/local
|
COPY --from=builder /install /usr/local
|
||||||
COPY ./docker/start.py /start.py
|
COPY ./docker/start.py /start.py
|
||||||
|
@ -83,4 +86,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
|
||||||
ENTRYPOINT ["/start.py"]
|
ENTRYPOINT ["/start.py"]
|
||||||
|
|
||||||
HEALTHCHECK --interval=1m --timeout=5s \
|
HEALTHCHECK --interval=1m --timeout=5s \
|
||||||
CMD curl -fSs http://localhost:8008/health || exit 1
|
CMD curl -fSs http://localhost:8008/health || exit 1
|
||||||
|
|
|
@ -82,6 +82,9 @@ REQUIREMENTS = [
|
||||||
"Jinja2>=2.9",
|
"Jinja2>=2.9",
|
||||||
"bleach>=1.4.3",
|
"bleach>=1.4.3",
|
||||||
"typing-extensions>=3.7.4",
|
"typing-extensions>=3.7.4",
|
||||||
|
# We enforce that we have a `cryptography` version that bundles an `openssl`
|
||||||
|
# with the latest security patches.
|
||||||
|
"cryptography>=3.4.7;python_version>='3.6'",
|
||||||
]
|
]
|
||||||
|
|
||||||
CONDITIONAL_REQUIREMENTS = {
|
CONDITIONAL_REQUIREMENTS = {
|
||||||
|
|
Loading…
Reference in New Issue