SYS-622 alpine:20 image updates (#160)

* SYS-622 alpine:20 image updates
instantlinux · Jul 2, 2024 · c5789d4 · c5789d4
1 parent 8868eff
commit c5789d4
Show file tree

Hide file tree

Showing 35 changed files with 83 additions and 74 deletions.
diff --git a/.image-gitlab-ci.yml b/.image-gitlab-ci.yml
@@ -4,6 +4,7 @@ variables:
   IMAGE: {{ IMAGE }}
   PLATFORMS: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
   REGISTRY: $REGISTRY_URI/$CI_PROJECT_PATH
+  TRIVY_VERSION: 0.53.0
 
 stages:
   - Static Code Analysis
@@ -38,7 +39,7 @@ test:
 security_scan_trivy:
   services: [ "docker:dind" ]
   image:
-    name: aquasec/trivy:latest
+    name: aquasec/trivy:$TRIVY_VERSION
     entrypoint: [""]
   stage: Security Scan
   variables:
@@ -52,17 +53,12 @@ security_scan_trivy:
     TRIVY_VULN_TYPE: os,library
   script:
   - export TAG=bld_$CI_PIPELINE_IID_${CI_COMMIT_SHORT_SHA}
-  - trivy image --clear-cache
+  - trivy clean --all
   - trivy image --download-db-only --no-progress
   - trivy image "${REGISTRY}/${IMAGE}:${TAG}" --severity LOW,MEDIUM
       --exit-code 0 --format table --output medium-vulns.txt
   - cat medium-vulns.txt
   - echo CVE-2023-2253 > .trivyignore
-  - echo TODO remove these exceptions when alpine:3.20 arrives
-  - echo CVE-2024-2398 >> .trivyignore
-  - echo CVE-2024-24806 >> .trivyignore
-  - echo CVE-2024-25062 >> .trivyignore
-  - echo CVE-2024-28085 >> .trivyignore
   - trivy image "${REGISTRY}/${IMAGE}:${TAG}" || echo Vulnerabilities Found
   cache:
     paths: [ .trivycache ]

diff --git a/ansible/roles/docker_node/tasks/repos.yml b/ansible/roles/docker_node/tasks/repos.yml
@@ -5,6 +5,14 @@
     filename: ubuntu
   with_items: "{{ ubuntu_repos }}"
 
+
+# TODO remove this at next k8s and ubuntu update (24.04)
+- name: Remove stale k8s repo
+  apt_repository:
+    filename: k8s
+    repo: "{{ k8s.apt_repo.repo }}"
+    state: absent
+
 - name: Docker repo key
   get_url:
     url: "{{ docker.apt_repo.url }}"

diff --git a/ansible/roles/kubernetes/tasks/main.yml b/ansible/roles/kubernetes/tasks/main.yml
@@ -8,6 +8,8 @@
   apt_repository:
     filename: k8s
     repo: "{{ k8s.apt_repo.repo }}"
+    # TODO restore this at next k8s and ubuntu update (24.04)
+    state: absent
 
 - name: Install system packages
   apt:

diff --git a/images/data-sync/Dockerfile b/images/data-sync/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -16,9 +16,9 @@ ENV PEERNAME= \
     SSHKEY1=data-sync-sshkey1 \
     SSHKEY2=data-sync-sshkey2
 
-ARG UNISON_VERSION=2.53.3
-ARG OCAML_VERSION=4.14.1-r3
-ARG UNISON_SHA=aaea04fc5bc76dcfe8627683c9659ee4c194d4f992cc8aaa15bbb2820fc8de46
+ARG UNISON_VERSION=2.53.5
+ARG OCAML_VERSION=4.14.2-r1
+ARG UNISON_SHA=330418ad130d93d0e13da7e7e30f9b829bd7c0e859355114bd4644c35fe08d23
 ARG RRSYNC_SHA=b745a37909fc10087cc9c901ad7dfda8ad8b6b493097b156b68ba33db4a5a52f
 
 COPY src/ /root/src/
@@ -34,8 +34,6 @@ RUN apk add --update openssh-client openssh-server perl rsync && \
       https://github.com/bcpierce00/unison/archive/v$UNISON_VERSION.tar.gz && \
     echo "$UNISON_SHA  unison.tar.gz" | sha256sum -c && \
     tar zxf unison.tar.gz --strip-components=1 && \
-    sed -i -e 's/GLIBC_SUPPORT_INOTIFY 0/GLIBC_SUPPORT_INOTIFY 1/' \
-      src/fsmonitor/linux/inotify_stubs.c && \
     make && cp src/unison src/unison-fsmonitor /usr/bin && \
     cd .. && apk del .fetch-deps && \
     rm -fr /build /var/log/* /var/cache/apk/* && \

diff --git a/images/data-sync/helm/Chart.yaml b/images/data-sync/helm/Chart.yaml
@@ -5,8 +5,8 @@ home: https://github.com/instantlinux/docker-tools
 sources:
 - https://github.com/instantlinux/docker-tools
 type: application
-version: 0.1.12
-appVersion: "2.53.3-4.14.1-r3"
+version: 0.1.13
+appVersion: "2.53.5-4.14.2-r1"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/git-dump/Dockerfile b/images/git-dump/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -20,7 +20,7 @@ ENV API_TOKEN_SECRET= \
     USERNAME=git-dump \
     TZ=UTC
 
-ARG GIT_VERSION=2.43.4-r0
+ARG GIT_VERSION=2.45.2-r0
 ARG GROUP=care
 ARG GID=505
 ARG UID=212

diff --git a/images/git-dump/helm/Chart.yaml b/images/git-dump/helm/Chart.yaml
@@ -5,8 +5,8 @@ home: https://github.com/instantlinux/docker-tools
 sources:
 - https://github.com/instantlinux/docker-tools
 type: application
-version: 0.1.13
-appVersion: "2.43.4-r0"
+version: 0.1.14
+appVersion: "2.45.2-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/git-pull/Dockerfile b/images/git-pull/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun <[email protected]>
 ARG BUILD_DATE
 ARG VCS_REF
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG GIT_VERSION=2.43.4-r0
+ARG GIT_VERSION=2.45.2-r0
 ENV DEST=. \
     GIT_COMMIT=master \
     GIT_HOST=github.com \

diff --git a/images/git-pull/helm/Chart.yaml b/images/git-pull/helm/Chart.yaml
@@ -5,8 +5,8 @@ home: https://github.com/instantlinux/docker-tools
 sources:
 - https://github.com/instantlinux/docker-tools
 type: application
-version: 0.1.11
-appVersion: "2.43.4-r0"
+version: 0.1.12
+appVersion: "2.45.2-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/mt-daapd/Dockerfile b/images/mt-daapd/Dockerfile
@@ -1,3 +1,7 @@
+# TODO: this dockerfile is obsoleted by the code maintainer and will
+# require install-from-source because debian repo no longer includes
+# either forked-daapd or owntone.
+#  https://owntone.github.io/owntone-server/installation/
 FROM debian:buster-slim
 MAINTAINER Rich Braun <[email protected]>
 ARG BUILD_DATE

diff --git a/images/mysqldump/Dockerfile b/images/mysqldump/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -18,7 +18,7 @@ ENV HOUR=3 MINUTE=30 \
     TZ=UTC
 ARG UID=210
 ARG BACKUP_GID=34
-ARG CLIENT_VERSION=10.11.6-r0
+ARG CLIENT_VERSION=10.11.8-r0
 
 RUN RMGROUP=$(grep :$BACKUP_GID: /etc/group | cut -d: -f 1) && \
     [ -z "$RMGROUP" ] || delgroup $RMGROUP && \

diff --git a/images/mysqldump/helm/Chart.yaml b/images/mysqldump/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/mariadb/server/tree/10.5/client
 type: application
-version: 0.1.9
-appVersion: "10.11.6-r0"
+version: 0.1.10
+appVersion: "10.11.8-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/mythtv-backend/helm/Chart.yaml b/images/mythtv-backend/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/mythtv/mythtv
 type: application
-version: 0.1.9
-appVersion: "33.1-fixes.202309262218.26e76a3949"
+version: 0.1.10
+appVersion: "33.1-fixes.202405301110.512d723c83"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/nagios/Dockerfile b/images/nagios/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG NAGIOS_VERSION=4.5.1-r0
+ARG NAGIOS_VERSION=4.5.2-r0
 ARG NAGIOS_GID=1000
 ARG NAGIOS_UID=999
 ARG PLUGINS_VERSION=2.4.5-r1
@@ -25,7 +25,7 @@ ENV AUTHORIZED_USERS=nagiosadmin \
     PERF_ENABLE=yes \
     TZ=UTC
 
-RUN deluser xfs && addgroup -g $NAGIOS_GID nagios && \
+RUN addgroup -g $NAGIOS_GID nagios && \
     adduser -g www-data -u $WWW_UID -DSH -h /var/www www-data && \
     adduser -G nagios -g "Nagios Server" -DSH -h /var/nagios -u $NAGIOS_UID \
       nagios && \
@@ -36,7 +36,7 @@ RUN deluser xfs && addgroup -g $NAGIOS_GID nagios && \
       nagios-plugins-mysql=$PLUGINS_VERSION \
       nrpe-plugin bash curl fcgiwrap file mariadb-client nginx openssl \
       perl-crypt-x509 perl-libwww perl-text-glob perl-timedate \
-      php81 php81-fpm py3-pip py3-pymysql python3 ssmtp tzdata && \
+      php82 php82-fpm py3-pip py3-pymysql python3 ssmtp tzdata && \
     addgroup nginx nagios && \
     chmod u+s /usr/lib/nagios/plugins/check_ping && \
     sed -i -e s/use_syslog=.*/use_syslog=0/ \
@@ -51,6 +51,6 @@ EXPOSE 80
 VOLUME /etc/nagios /opt/nagios/plugins /var/nagios
 
 COPY nginx.conf /etc/nginx/http.d/nagios.conf
-COPY php-fpm-www.conf /etc/php81/php-fpm.d/www.conf
+COPY php-fpm-www.conf /etc/php82/php-fpm.d/www.conf
 COPY entrypoint.sh mail.sh /usr/local/bin/
 ENTRYPOINT /usr/local/bin/entrypoint.sh
diff --git a/images/nagios/entrypoint.sh b/images/nagios/entrypoint.sh
@@ -94,7 +94,7 @@ for item in backup hosts services; do
 done
 start-stop-daemon -u nginx -b --exec /usr/bin/fcgiwrap -- \
   -s unix:/run/fcgiwrap/fcgiwrap.sock
-/usr/sbin/php-fpm81
+/usr/sbin/php-fpm82
 /usr/sbin/nginx
 touch /var/nagios/nagios.log && tail -1 -f /var/nagios/nagios.log &
 find /var/nagios -not -user nagios -exec chown nagios.nagios {} \;

diff --git a/images/nut-upsd/Dockerfile b/images/nut-upsd/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF

diff --git a/images/openldap/Dockerfile b/images/openldap/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG OPENLDAP_VERSION=2.6.6-r1
+ARG OPENLDAP_VERSION=2.6.7-r0
 ENV SLAPD_DN_ATTR=uid \
     SLAPD_FQDN=example.com \
     SLAPD_LOG_LEVEL=Config,Stats \

diff --git a/images/openldap/helm/Chart.yaml b/images/openldap/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://git.openldap.org/openldap/openldap
 type: application
-version: 0.1.5
-appVersion: "2.6.6-r1"
+version: 0.1.6
+appVersion: "2.6.7-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/postfix-python/Dockerfile b/images/postfix-python/Dockerfile
@@ -1,4 +1,4 @@
-ARG POSTFIX_VERSION=3.8.6-r0
+ARG POSTFIX_VERSION=3.9.0-r1
 
 FROM instantlinux/postfix:$POSTFIX_VERSION
 MAINTAINER Rich Braun "[email protected]"
@@ -21,7 +21,7 @@ ENV BLACKLIST_USER_SECRET=mysql-blacklist-user \
     SPAMC_HOST=spamassassin
 ARG GETPIP_SHA=311afebb7cdd310eb3a3a6bb6fffef53d84493db98c7cebf4008a18d3418c8be
 ARG GETPIP_URI=https://bootstrap.pypa.io/pip/3.5/get-pip.py
-ARG PYTHON_PIP_VERSION=23.3.2
+ARG PYTHON_PIP_VERSION=24.1.1
 
 COPY requirements.txt /root/
 COPY src/ /usr/local/bin/

diff --git a/images/postfix-python/helm/Chart.yaml b/images/postfix-python/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/vdukhovni/postfix
 type: application
-version: 0.1.13
-appVersion: "3.8.6-r0"
+version: 0.1.14
+appVersion: "3.9.0-r1"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/postfix/Dockerfile b/images/postfix/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -7,7 +7,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.name=postfix \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
-ARG POSTFIX_VERSION=3.8.6-r0
+ARG POSTFIX_VERSION=3.9.0-r1
 ENV SASL_PASSWD_SECRET=postfix-sasl-passwd \
     TZ=UTC
 

diff --git a/images/proftpd/Dockerfile b/images/proftpd/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG PROFTPD_VERSION=1.3.8b-r1
+ARG PROFTPD_VERSION=1.3.8b-r2
 
 ENV ALLOW_OVERWRITE=on \
     ANONYMOUS_DISABLE=off \

diff --git a/images/proftpd/helm/Chart.yaml b/images/proftpd/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/proftpd/proftpd
 type: application
-version: 0.1.8
-appVersion: "1.3.8b-r1"
+version: 0.1.9
+appVersion: "1.3.8b-r2"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/rsyslogd/Dockerfile b/images/rsyslogd/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG RSYSLOG_VERSION=8.2310.0-r0
+ARG RSYSLOG_VERSION=8.2404.0-r0
 ENV TZ=UTC
 RUN apk add --update gzip logrotate rsyslog=$RSYSLOG_VERSION \
       rsyslog-mysql=$RSYSLOG_VERSION tar xz && \

diff --git a/images/rsyslogd/helm/Chart.yaml b/images/rsyslogd/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/rsyslog/rsyslog
 type: application
-version: 0.1.10
-appVersion: "8.2310.0-r0"
+version: 0.1.11
+appVersion: "8.2404.0-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/samba-dc/Dockerfile b/images/samba-dc/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.20
 MAINTAINER Rich Braun "[email protected]"
 ARG BUILD_DATE
 ARG VCS_REF
@@ -24,7 +24,7 @@ ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
     WINBIND_USE_DEFAULT_DOMAIN=yes \
     WORKGROUP=AD
 
-ARG SAMBA_VERSION=4.18.9-r0
+ARG SAMBA_VERSION=4.19.6-r0
 
 COPY *.conf.j2 /root/
 COPY entrypoint.sh /usr/local/bin/

diff --git a/images/samba-dc/helm/Chart.yaml b/images/samba-dc/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - ttps://gitlab.com/samba-team/samba
 type: application
-version: 0.1.12
-appVersion: "4.18.9-r0"
+version: 0.1.13
+appVersion: "4.19.6-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8