Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: use --mode flag for RUN mounts #2

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
- [Security] Add upstream security fix as patch in Open edX image (by @dawoudsheraz)
39 changes: 22 additions & 17 deletions tutor/templates/build/openedx/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ FROM docker.io/ubuntu:20.04 AS minimal
LABEL maintainer="Overhang.io <[email protected]>"

ENV DEBIAN_FRONTEND=noninteractive
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
--mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
apt update && \
apt install -y build-essential curl git language-pack-en
ENV LC_ALL=en_US.UTF-8
Expand All @@ -14,8 +14,8 @@ ENV LC_ALL=en_US.UTF-8
###### Install python with pyenv in /opt/pyenv and create virtualenv in /openedx/venv
FROM minimal AS python
# https://github.com/pyenv/pyenv/wiki/Common-build-problems#prerequisites
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
--mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
apt update && \
apt install -y libssl-dev zlib1g-dev libbz2-dev \
libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev \
Expand Down Expand Up @@ -53,6 +53,11 @@ RUN git config --global user.email "[email protected]" \
# Patches in nightly node
{%- else %}
# Patches in non-nightly mode
# Security patch around content library permissions
# https://discuss.openedx.org/t/security-upcoming-security-release-for-edx-platform-2024-07-25/13473
# https://github.com/openedx/edx-platform/pull/35180
RUN curl -fsSL https://github.com/openedx/edx-platform/commit/3160ff68ca4a4516375af3307fe84f22cd5e5b36.patch | git am

{%- endif %}

{# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/<GITSHA1>.patch | git am #}
Expand All @@ -75,13 +80,13 @@ ENV PATH=/openedx/venv/bin:${PATH}
ENV VIRTUAL_ENV=/openedx/venv/
ENV XDG_CACHE_HOME=/openedx/.cache

RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
--mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
apt update \
&& apt install -y software-properties-common libmysqlclient-dev libxmlsec1-dev libgeos-dev

# Install the right version of pip/setuptools
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
pip install \
# https://pypi.org/project/setuptools/
# https://pypi.org/project/pip/
Expand All @@ -90,11 +95,11 @@ RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \

# Install base requirements
RUN --mount=type=bind,from=edx-platform,source=/requirements/edx/base.txt,target=/openedx/edx-platform/requirements/edx/base.txt \
--mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
--mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
pip install -r /openedx/edx-platform/requirements/edx/base.txt

# Install extra requirements
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
pip install \
# Use redis as a django cache https://pypi.org/project/django-redis/
django-redis==5.4.0 \
Expand All @@ -107,7 +112,7 @@ RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
RUN pip install "openedx-scorm-xblock>=18.0.0,<19.0.0"

{% for extra_requirements in OPENEDX_EXTRA_PIP_REQUIREMENTS %}
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
pip install '{{ extra_requirements }}'
{% endfor %}

Expand All @@ -126,15 +131,15 @@ WORKDIR /openedx/edx-platform
RUN --mount=type=bind,from=edx-platform,source=/package.json,target=/openedx/edx-platform/package.json \
--mount=type=bind,from=edx-platform,source=/package-lock.json,target=/openedx/edx-platform/package-lock.json \
--mount=type=bind,from=edx-platform,source=/scripts/copy-node-modules.sh,target=/openedx/edx-platform/scripts/copy-node-modules.sh \
--mount=type=cache,target=/root/.npm,sharing=shared \
--mount=type=cache,mode=0755,target=/root/.npm,sharing=shared \
npm clean-install --no-audit --registry=$NPM_REGISTRY

###### Production image with system and python requirements
FROM minimal AS production

# Install system requirements
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
--mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
apt update \
&& apt install -y gettext gfortran graphviz graphviz-dev libffi-dev libfreetype6-dev libgeos-dev libjpeg8-dev liblapack-dev libmysqlclient-dev libpng-dev libsqlite3-dev libxmlsec1-dev lynx mysql-client ntp pkg-config rdfind

Expand Down Expand Up @@ -252,18 +257,18 @@ FROM production AS development

# Install useful system requirements (as root)
USER root
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
--mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
apt update && \
apt install -y vim iputils-ping dnsutils telnet
USER app

# Install dev python requirements
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
pip install -r requirements/edx/development.txt
# https://pypi.org/project/ipdb/
# https://pypi.org/project/ipython (>=Python 3.10 started with 8.20)
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
pip install ipdb==0.13.13 ipython==8.24.0

{# Re-install mounted requirements, otherwise they will be superseded by upstream reqs #}
Expand Down