use py3.9, resolve CVEs

splunk · Jun 12, 2024 · c2560fa · c2560fa
1 parent 27201c1
commit c2560fa
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 8 deletions.
diff --git a/base/redhat-8/Dockerfile b/base/redhat-8/Dockerfile
@@ -28,7 +28,7 @@ LABEL name="splunk" \
 ARG BUSYBOX_URL
 
 ENV BUSYBOX_URL=${BUSYBOX_URL} \
-    PYTHON_VERSION=3.8.19 \
+    PYTHON_VERSION=3.9.19 \
     PYTHON_GPG_KEY_ID=E3FF2839C048B25C084DEBE9B26995E310250568
 
 COPY install.sh /install.sh

diff --git a/base/redhat-8/install.sh b/base/redhat-8/install.sh
@@ -17,7 +17,8 @@ set -e
 
 # Generate UTF-8 char map and locale
 # Reinstalling local English def for now, removed in minimal image: https://bugzilla.redhat.com/show_bug.cgi?id=1665251
-microdnf -y --nodocs install glibc-langpack-en
+# Comment below install until glibc update is available in minimal image: https://access.redhat.com/errata/RHSA-2024:2722
+#microdnf -y --nodocs install glibc-langpack-en
 
 # Currently there is no access to the UTF-8 char map. The following command is commented out until
 # the base container can generate the locale.
@@ -74,9 +75,12 @@ ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip
 
 # Install splunk-ansible dependencies
 cd /
-/usr/bin/python3.8 -m pip install --upgrade pip
+/usr/bin/python3.9 -m pip install --upgrade pip
 pip -q --no-cache-dir install --upgrade "requests_unixsocket<2.29" "requests<2.29" six wheel Mako "urllib3<2.0.0" certifi jmespath future avro cryptography lxml protobuf setuptools ansible
 
+# Avoid vulnerability on old pip version
+/usr/libexec/platform-python -m pip install --upgrade pip
+
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;

diff --git a/py23-image/redhat-8/Dockerfile b/py23-image/redhat-8/Dockerfile
@@ -3,11 +3,12 @@ FROM ${SPLUNK_PRODUCT}-redhat-8:latest
 USER root
 
 RUN microdnf -y --nodocs update \
-    && microdnf -y --nodocs install python2-pip python2-devel \
+    && microdnf -y --nodocs install python2 \
+    && pip2 install --upgrade pip \
     && pip2 --no-cache-dir install requests pyyaml jmespath \
-    && ln -sf /usr/bin/python3.8 /usr/bin/python3 \
-    && ln -sf /usr/bin/pip3.8 /usr/bin/pip3 \
-    && ln -sf /usr/bin/python3.8 /usr/bin/python \
-    && ln -sf /usr/bin/pip3.8 /usr/bin/pip \
+    && ln -sf /usr/bin/python3.9 /usr/bin/python3 \
+    && ln -sf /usr/bin/pip3.9 /usr/bin/pip3 \
+    && ln -sf /usr/bin/python3.9 /usr/bin/python \
+    && ln -sf /usr/bin/pip3.9 /usr/bin/pip \
     && pip3 install --upgrade requests==2.25.1 pyyaml==5.4.1 jmespath==0.10.0 \
     && sed -i '/^\[defaults\]/a\interpreter_python = /usr/bin/python3' /opt/ansible/ansible.cfg