Lint docker files

- be more explicit about versions of anything we depend on - avoid unneeded Docker layers - slight trimming of installed packages
zeek · Feb 1, 2025 · 35b78b6 · 35b78b6
1 parent 83afcaa
commit 35b78b6
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 27 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -19,3 +19,8 @@ repos:
   rev: v1.29.5
   hooks:
     - id: typos
+
+- repo: https://github.com/hadolint/hadolint
+  rev: v2.12.0
+  hooks:
+    - id: hadolint
diff --git a/docker/Dockerfile.mariadb b/docker/Dockerfile.mariadb
@@ -1,4 +1,4 @@
-FROM mariadb
+FROM mariadb:11.6.2
 
 COPY bropkg/config/schema/sessions.sql /bro-sessions.sql
 COPY secrets/database.sql /docker-entrypoint-initdb.d/bro-database.sql
diff --git a/docker/Dockerfile.nginx b/docker/Dockerfile.nginx
@@ -1,9 +1,13 @@
 FROM nginx:1.27.3
 
-RUN apt update -y
-RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    certbot \
-    cron \
-    python3-certbot-nginx
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+ && apt-get install -y --no-install-recommends \
+    certbot=2.1.0-4 \
+    cron=3.0pl1-162 \
+    python3-certbot-nginx=2.1.0-2 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 
 COPY docker/nginx-default.conf /etc/nginx/conf.d/default.conf
diff --git a/docker/Dockerfile.php b/docker/Dockerfile.php
@@ -1,40 +1,48 @@
 FROM php:7.1.33-fpm AS base
 WORKDIR /var/www/html
 
-RUN apt update -y
-RUN DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
-    cron \
-    git \
-    libicu-dev \
-    libzip-dev \
-    procps \
-    python3-pip \
-    python3-setuptools \
-    unzip \
-    vim
-RUN apt purge -y --auto-remove
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN docker-php-ext-install \
+RUN apt-get update -y \
+ && apt-get install --no-install-recommends -y \
+    cron=3.0pl1-134+deb10u1 \
+    git=1:2.20.1-2+deb10u9 \
+    libicu-dev=63.1-6+deb10u3 \
+    libzip-dev=1.5.1-4 \
+    procps=2:3.3.15-2 \
+    python3-pip=18.1-5 \
+    python3-setuptools=40.8.0-1 \
+    unzip=6.0-23+deb10u3 \
+ # TODO(timw): Unclear what the next line should remove, it does
+ # not seem to clear caches which needs to be done manually.
+ && apt-get purge -y --auto-remove \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+# TODO(timw): Can we be explicit about versions here?
+ && docker-php-ext-install \
     intl \
     mysqli \
     pdo \
     pdo_mysql \
-    zip
-
+    zip \
 # Install an initial version of zkg. This gets updated by cron
 # every night before updating the packages list.
-RUN pip3 install GitPython semantic-version zkg
+ && pip3 install --no-cache-dir GitPython==3.1.44 semantic-version==2.10.0 zkg==3.0.1
 
 # We could use the composer image directly here but using the php
 # one guarantees we have the same version of php installed. Instead
 # we pull the composer script from one of their images into this one.
 FROM php:7.1.33-fpm AS build
 WORKDIR /var/www/html
 
-RUN apt update -y
-RUN DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
-    libicu-dev \
-    libzip-dev
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+ && apt-get install --no-install-recommends -y \
+    libicu-dev=63.1-6+deb10u3 \
+    libzip-dev=1.5.1-4 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 
 RUN docker-php-ext-install \
     intl \
@@ -59,7 +67,7 @@
 # it's stored in /usr/local/bin/bro-package-ci. We explicitly pin to version 0.4.0
 # which is the version the existing live site is using. The version on 'master' has
 # some problems with the dns_resolution check over-matching.
-RUN python3 -m pip install 'bro-package-ci@git+https://github.com/zeek/zeek-package-ci@1117e24fd80f03167ca36749bf5a246a02d86178'
+RUN python3 -m pip install --no-cache-dir 'bro-package-ci@git+https://github.com/zeek/zeek-package-ci@1117e24fd80f03167ca36749bf5a246a02d86178'
 
 COPY --chmod=755 cronjob/bro-pkg-web-updater.php /usr/local/sbin
 COPY --chmod=755 cronjob/bro-pkg-web-cron.sh /etc/cron.daily