diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7a682d0..2c818e4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,3 +19,8 @@ repos:
 rev: v1.29.5
 hooks:
 - id: typos
+
+- repo: https://github.com/hadolint/hadolint
+ rev: v2.12.0
+ hooks:
+ - id: hadolint
diff --git a/docker/Dockerfile.mariadb b/docker/Dockerfile.mariadb
index 29fc69b..b44f864 100644
--- a/docker/Dockerfile.mariadb
+++ b/docker/Dockerfile.mariadb
@@ -1,4 +1,4 @@
-FROM mariadb
+FROM mariadb:11.6.2
 COPY bropkg/config/schema/sessions.sql /bro-sessions.sql
 COPY secrets/database.sql /docker-entrypoint-initdb.d/bro-database.sql
diff --git a/docker/Dockerfile.nginx b/docker/Dockerfile.nginx
index afb0255..2054f89 100644
--- a/docker/Dockerfile.nginx
+++ b/docker/Dockerfile.nginx
@@ -1,9 +1,13 @@
 FROM nginx:1.27.3
-RUN apt update -y
-RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
- certbot \
- cron \
- python3-certbot-nginx
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+ && apt-get install -y --no-install-recommends \
+ certbot=2.1.0-4 \
+ cron=3.0pl1-162 \
+ python3-certbot-nginx=2.1.0-2 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 COPY docker/nginx-default.conf /etc/nginx/conf.d/default.conf
diff --git a/docker/Dockerfile.php b/docker/Dockerfile.php
index 68d3698..2ec339e 100644
--- a/docker/Dockerfile.php
+++ b/docker/Dockerfile.php
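Review bot: The `hadolint` hook id added here expects a hadolint binary on the contributor's PATH (upstream declares it `language: system`, as far as I recall), so on a machine without it the hook fails with an executable-not-found error rather than linting. If contributors should not have to install it themselves, `- id: hadolint-docker` runs the same linter from the upstream container image; otherwise a comment next to the entry, e.g. `# requires a local hadolint install (https://github.com/hadolint/hadolint)`, would save the next person a confused run. The non-standard file names `docker/Dockerfile.<name>` should still be picked up by the hook's `types: [dockerfile]` filter, but it is worth confirming with `pre-commit run hadolint --all-files` that all three are actually linted.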
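Review bot: `ENV DEBIAN_FRONTEND=noninteractive` on the new side of the Dockerfile.nginx hunk persists into the running container's environment, although it is only needed for the `apt-get install` below it; the old line set it inline for that one command. `ARG DEBIAN_FRONTEND=noninteractive` has the same effect on the `RUN` steps of the stage without leaking into runtime, so I would replace the line with `ARG DEBIAN_FRONTEND=noninteractive`. Dockerfile.php makes the same change in both of its stages (the two hunks in the next file) and should get the same treatment. Pinning to exact Debian revisions such as `certbot=2.1.0-4` is what hadolint asks for, but the Debian mirrors keep only the current revision of a package per suite, so once a security update supersedes one of these the `apt-get install` will fail until the pin is bumped; a short comment above the package list saying that the pins track the base image's Debian release and need bumping together would help whoever hits that first.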
@@ -1,29 +1,33 @@
 FROM php:7.1.33-fpm AS base
 WORKDIR /var/www/html
-RUN apt update -y
-RUN DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
- cron \
- git \
- libicu-dev \
- libzip-dev \
- procps \
- python3-pip \
- python3-setuptools \
- unzip \
- vim
-RUN apt purge -y --auto-remove
+ENV DEBIAN_FRONTEND=noninteractive
-RUN docker-php-ext-install \
+RUN apt-get update -y \
+ && apt-get install --no-install-recommends -y \
+ cron=3.0pl1-134+deb10u1 \
+ git=1:2.20.1-2+deb10u9 \
+ libicu-dev=63.1-6+deb10u3 \
+ libzip-dev=1.5.1-4 \
+ procps=2:3.3.15-2 \
+ python3-pip=18.1-5 \
+ python3-setuptools=40.8.0-1 \
+ unzip=6.0-23+deb10u3 \
+ # TODO(timw): Unclear what the next line should remove, it does
+ # not seem to clear caches which needs to be done manually.
+ && apt-get purge -y --auto-remove \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+# TODO(timw): Can we be explicit about versions here?
+ && docker-php-ext-install \
 intl \
 mysqli \
 pdo \
 pdo_mysql \
- zip
-
+ zip \
 # Install an initial version of zkg. This gets updated by cron
 # every night before updating the packages list.
-RUN pip3 install GitPython semantic-version zkg
+ && pip3 install --no-cache-dir GitPython==3.1.44 semantic-version==2.10.0 zkg==3.0.1
 # We could use the composer image directly here but using the php
 # one guarantees we have the same version of php installed. Instead
@@ -31,10 +35,14 @@ FROM php:7.1.33-fpm AS build
 WORKDIR /var/www/html
-RUN apt update -y
-RUN DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
- libicu-dev \
- libzip-dev
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+ && apt-get install --no-install-recommends -y \
+ libicu-dev=63.1-6+deb10u3 \
+ libzip-dev=1.5.1-4 \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 RUN docker-php-ext-install \
 intl \
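Review bot: The single `RUN` the base-stage hunk now builds chains the apt install, `docker-php-ext-install` and the `pip3 install` of zkg into one layer, so bumping any zkg pin rebuilds the PHP extensions and the whole apt layer as well, and the `apt-get purge -y --auto-remove` in the middle has no package arguments, which (as the TODO above it already suspects) makes it a no-op straight after an install. I would end the apt command at `&& rm -rf /var/lib/apt/lists/*`, drop the purge line with its TODO, and keep `RUN docker-php-ext-install \` and `RUN pip3 install --no-cache-dir GitPython==3.1.44 semantic-version==2.10.0 zkg==3.0.1` as separate instructions as they were before. If the consolidation was done to satisfy hadolint's DL3059 (consecutive `RUN`s), that rule is info-level and can be listed under `ignored:` in a `.hadolint.yaml`. On the `# TODO(timw): Can we be explicit about versions here?` line: `docker-php-ext-install` compiles the extensions shipped with the base image's PHP source, so their version is fixed by the `php:7.1.33-fpm` tag — if that is confirmed, the TODO can become a comment saying so.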
@@ -59,7 +67,7 @@
 # it's stored in /usr/local/bin/bro-package-ci. We explicitly pin to version 0.4.0
 # which is the version the existing live site is using. The version on 'master' has
 # some problems with the dns_resolution check over-matching.
-RUN python3 -m pip install 'bro-package-ci@git+https://github.com/zeek/zeek-package-ci@1117e24fd80f03167ca36749bf5a246a02d86178'
+RUN python3 -m pip install --no-cache-dir 'bro-package-ci@git+https://github.com/zeek/zeek-package-ci@1117e24fd80f03167ca36749bf5a246a02d86178'
 COPY --chmod=755 cronjob/bro-pkg-web-updater.php /usr/local/sbin
 COPY --chmod=755 cronjob/bro-pkg-web-cron.sh /etc/cron.daily