From 3a4ee455f9350f78a5efcf1ea60f7e94c5dee060 Mon Sep 17 00:00:00 2001
From: Roger Carhuatocto
Date: Fri, 7 Feb 2025 12:22:17 +0100
Subject: [PATCH] fix(ci): adds trivy-ignore-file to ignore HEALTHCHECK and solves non-root issue
---
 docker/Dockerfile.concrete-compiler-env | 12 ++++++++----
 docker/Dockerfile.concrete-python | 7 ++++++-
 docker/Dockerfile.cuda-118-env | 6 ++++++
 docker/Dockerfile.cuda-123-env | 6 ++++++
 docker/Dockerfile.hpx-env | 9 +++++++--
 5 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/docker/Dockerfile.concrete-compiler-env b/docker/Dockerfile.concrete-compiler-env
index 77a0ce86b7..f6a3386105 100644
--- a/docker/Dockerfile.concrete-compiler-env
+++ b/docker/Dockerfile.concrete-compiler-env
@@ -1,11 +1,9 @@
 FROM quay.io/pypa/manylinux_2_28_x86_64:2024-02-08-a1b4ddc
 # epel-release is for install ccache
-RUN dnf clean all
-RUN dnf install -y epel-release && dnf clean all
-RUN dnf update -y
+RUN dnf clean all && dnf install -y epel-release && dnf clean all
 # hadolint ignore=DL3041
-RUN dnf install -y ninja-build hwloc-devel ccache ncurses-devel openssh-clients graphviz graphviz-devel && dnf clean all
+RUN dnf update -y && dnf install -y ninja-build hwloc-devel ccache ncurses-devel openssh-clients graphviz graphviz-devel && dnf clean all
 RUN mkdir -p ~/.ssh/ && ssh-keyscan -t ecdsa github.com >> ~/.ssh/known_hosts
 # Setup gcc-11 (required for cuda11.8)
 RUN dnf install -y gcc-toolset-11 && dnf clean all
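Review bot: The merged line now opens with `dnf clean all` before anything has been installed in that layer, which does nothing; `RUN dnf install -y epel-release && dnf clean all` keeps the behaviour and reads cleaner. The ninja/hwloc/ccache line still installs unpinned packages and now also carries `dnf update -y`, a blanket upgrade that ties the image to the repository state at build time rather than to the pinned manylinux tag, so rebuilds are not reproducible. Separately, the subject says a trivy-ignore-file is added, but the diffstat lists only the five Dockerfiles, so the HEALTHCHECK suppression does not appear to be part of this patch.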
@@ -20,6 +18,12 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH=/root/.cargo/bin:$PATH
 RUN rustup install nightly-2024-09-30
+# Add a non-root user and group
+RUN groupadd -g 10001 grp02 && \
+ useradd -u 10000 -g grp02 usr01 && \
+ mkdir -p /home/usr01 && chown -R usr01:grp02 /home/usr01 /boost_1_71_0 /workdir /build
+# Switch to the non-root user
+USER usr01:grp02
 # Install boost
 ADD https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.gz /boost_1_71_0.tar.gz
 RUN tar -xzvf /boost_1_71_0.tar.gz
diff --git a/docker/Dockerfile.concrete-python b/docker/Dockerfile.concrete-python
index fb89b41a39..a8fa13ca92 100644
--- a/docker/Dockerfile.concrete-python
+++ b/docker/Dockerfile.concrete-python
@@ -7,5 +7,10 @@ ARG version
 RUN apt-get update && apt-get install --no-install-recommends -y binutils graphviz \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
-
+# Add a non-root user and group
+RUN groupadd -g 10001 grp02 && \
+ useradd -u 10000 -g grp02 usr01 && \
+ mkdir -p /home/usr01 && chown -R usr01:grp02 /home/usr01
+# Switch to the non-root user
+USER usr01:grp02
 RUN pip install --no-cache-dir --extra-index-url https://download.pytorch.org/whl/cpu --extra-index-url https://pypi.zama.ai/cpu/ concrete-python==${version}
diff --git a/docker/Dockerfile.cuda-118-env b/docker/Dockerfile.cuda-118-env
index ab0232ba57..3ad741088b 100644
--- a/docker/Dockerfile.cuda-118-env
+++ b/docker/Dockerfile.cuda-118-env
@@ -10,6 +10,12 @@ RUN dnf update -y \
 && dnf -y module install nvidia-driver:latest-dkms \
 && dnf -y install cuda \
 && dnf clean all
+# Add a non-root user and group
+RUN groupadd -g 10001 grp02 && \
+ useradd -u 10000 -g grp02 usr01 && \
+ chown -R usr01:grp02 /usr/local/cuda-11.8
+# Switch to the non-root user
+USER usr01:grp02
 FROM scratch
 COPY --from=build /usr/local/cuda-11.8/ /usr/local/cuda-11.8/
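Review bot: The switch to `USER usr01:grp02` happens while `PATH` still points at `/root/.cargo/bin` and rustup/cargo were installed as root under `/root`, which is normally not readable by other users, so every later step that needs the Rust toolchain will run as usr01 without access to it; the same applies to the root-only `~/.ssh/known_hosts` written earlier in the file. The chown in the new RUN also targets `/boost_1_71_0`, `/workdir` and `/build` before this hunk's `tar -xzvf` has created the boost tree, and the other two are not created in the lines shown, so `chown -R` exits non-zero and breaks the build unless those paths already exist from lines 12-19, which are outside the hunk; Dockerfile.hpx-env has the same pre-creation chown of `/boost_1_71_0` and `/hpx`. The ADD that follows writes the archive as root, so the extraction now runs as an unprivileged user into a root-owned location. The smaller fix is to keep the user creation here but move `USER usr01:grp02` to the end of the file, after boost and any other root-requiring installs, and drop the not-yet-existing paths from the chown.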
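Review bot: `USER usr01:grp02` is now placed before `RUN pip install ... concrete-python==${version}`, so pip runs as an unprivileged user that cannot write the system site-packages; recent pip falls back to a user-site install under `/home/usr01/.local` (older versions fail outright), which changes where the package lands and leaves `~/.local/bin` off `PATH`. If the image is meant to provide concrete-python system-wide, move the `USER` line after the pip step; if a user-site install is intended, pass `--user` explicitly and add `ENV PATH=/home/usr01/.local/bin:$PATH` so the result does not depend on pip's fallback. The base image is outside the hunk, so this assumes the root-owned site-packages of the official python images.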
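Review bot: The new `USER usr01:grp02` is set in the `build` stage and is immediately followed by `FROM scratch`, and a USER directive does not carry over into a later stage, so the final image still runs as root and the non-root finding this commit aims to fix is not addressed here; Dockerfile.cuda-123-env has the identical change. Because the final stage is `scratch` there is no `/etc/passwd` to resolve `usr01`, so the final stage needs the numeric form, e.g. `USER 10000:10001` placed after the `COPY --from=build`. The `chown -R` over the whole CUDA tree in the build stage is then unnecessary; if the copied files must be owned by the non-root user, `COPY --from=build --chown=10000:10001 /usr/local/cuda-11.8/ /usr/local/cuda-11.8/` does it in the final stage without rewriting the build layer.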
diff --git a/docker/Dockerfile.cuda-123-env b/docker/Dockerfile.cuda-123-env
index 5de78e4188..ef65720154 100644
--- a/docker/Dockerfile.cuda-123-env
+++ b/docker/Dockerfile.cuda-123-env
@@ -10,6 +10,12 @@ RUN dnf update -y \
 && dnf -y module install nvidia-driver:latest-dkms \
 && dnf -y install cuda \
 && dnf clean all
+# Add a non-root user and group
+RUN groupadd -g 10001 grp02 && \
+ useradd -u 10000 -g grp02 usr01 && \
+ chown -R usr01:grp02 /usr/local/cuda-12.3
+# Switch to the non-root user
+USER usr01:grp02
 FROM scratch
 COPY --from=build /usr/local/cuda-12.3/ /usr/local/cuda-12.3/
diff --git a/docker/Dockerfile.hpx-env b/docker/Dockerfile.hpx-env
index 0b480dd0fe..693efc6cfe 100644
--- a/docker/Dockerfile.hpx-env
+++ b/docker/Dockerfile.hpx-env
@@ -1,11 +1,16 @@
 FROM quay.io/pypa/manylinux_2_28_x86_64:2024-02-08-a1b4ddc as build
-RUN dnf update -y
-RUN dnf install -y ninja-build hwloc-devel && dnf clean all
+RUN dnf update -y && dnf install -y ninja-build hwloc-devel && dnf clean all
 # Setup gcc 11 (to be compatible with concrete-compiler image)
 RUN dnf install -y gcc-toolset-11 && dnf clean all
 ENV CC_COMPILER=/opt/rh/gcc-toolset-11/root/usr/bin/gcc
 ENV CXX_COMPILER=/opt/rh/gcc-toolset-11/root/usr/bin/c++
+# Add a non-root user and group
+RUN groupadd -g 10001 grp02 && \
+ useradd -u 10000 -g grp02 usr01 && \
+ chown -R usr01:grp02 /boost_1_71_0 /hpx
+# Switch to the non-root user
+USER usr01:grp02
 # Install boost
 ADD https://boostorg.jfrog.io/artifactory/main/release/1.71.0/source/boost_1_71_0.tar.gz /boost_1_71_0.tar.gz
 RUN tar -xzvf /boost_1_71_0.tar.gz
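Review bot: `USER usr01:grp02` is placed inside the stage named `build` (the `FROM ... as build` line) before boost is extracted, so the `tar -xzvf` at the end of the hunk and whatever builds HPX afterwards now run unprivileged, which typically breaks installs into root-owned prefixes, and any later stage that copies from `build` does not inherit the USER anyway. The stage's remaining steps are outside the hunk, so this is partly inferred, but the safer placement is a single `USER` line at the end of the final stage, after all install steps. The chown of `/boost_1_71_0` and `/hpx` before those directories exist is the same problem noted on Dockerfile.concrete-compiler-env; as written `chown -R` exits non-zero and fails the build unless `/hpx` is created in lines not shown.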