Update Docker images to Alpine3.20 (#1044)

* initial commit * upgrade setuptools to counter CVE-2024-6345
ministryofjustice · Nov 14, 2024 · d853091 · d853091
1 parent 08e689b
commit d853091
Showing 1 changed file with 24 additions and 14 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,24 @@
-FROM node:23-bullseye AS node_builder
+ARG ecr_path=public.ecr.aws/docker/library/
+ARG alpine_version=alpine3.20
+ARG python_version=python:3.11
+ARG node_version=node:23
+
+# The node builder image, used to build the virtual environment
+FROM ${ecr_path}${node_version}-${alpine_version} AS node_builder
+
+# Install dependencies for npm install command
+RUN apk add --no-cache bash
 
 WORKDIR /app
 COPY . .
 
 RUN npm install --omit=dev
 
 # The builder image, used to build the virtual environment
-FROM python:3.11-buster AS builder
+FROM ${ecr_path}${python_version}-${alpine_version} AS python_builder
+
+# Install dependencies for compiling .po files
+RUN apk add --no-cache bash make gettext gcc musl-dev libffi-dev
 
 WORKDIR /app
 COPY --from=node_builder /app .
@@ -16,17 +28,13 @@ ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 
 # Install poetry via pip
-RUN pip install poetry==1.7.1
+RUN pip install poetry==1.8.4
 
 ENV POETRY_NO_INTERACTION=1 \
   POETRY_VIRTUALENVS_IN_PROJECT=1 \
   POETRY_VIRTUALENVS_CREATE=1 \
   POETRY_CACHE_DIR=/tmp/poetry_cache
 
-# Update and install dependencies for compiling .po files
-RUN apt-get update && \
-  apt-get install --no-install-recommends -y make gettext
-
 COPY pyproject.toml poetry.lock Makefile ./
 COPY lib ./lib
 COPY locale ./
@@ -35,11 +43,13 @@ RUN poetry install --without dev --no-root && rm -rf $POETRY_CACHE_DIR
 RUN make compilemessages
 
 # The runtime image, used to just run the code provided its virtual environment
-FROM python:3.11-slim-buster AS runtime
+FROM ${ecr_path}${python_version}-${alpine_version} AS runtime
+
+# Workaround for CVE-2024-6345 upgrade the installed version of setuptools to the latest version
+RUN pip install -U setuptools
 
-# Update and Install Netcat
-RUN apt-get update && \
-  apt-get install --no-install-recommends -y netcat
+# Install dependencies for the runtime image
+RUN apk add --no-cache bash make netcat-openbsd
 
 WORKDIR /app
 
@@ -48,9 +58,9 @@ ENV VIRTUAL_ENV=/app/.venv \
 
 # copy project and dependencies
 COPY . .
-COPY --from=builder /app/static ./static
-COPY --from=builder /app/locale ./locale
-COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
+COPY --from=python_builder /app/static ./static
+COPY --from=python_builder /app/locale ./locale
+COPY --from=python_builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 
 RUN chmod +x ./scripts/app-entrypoint.sh