GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0

How to update snapshots manually for not maintained images #1686

Open borja-rivera opened 1 month ago

borja-rivera commented 1 month ago

Hello,

Since the repository maintainers will no longer be generating debian11 images, I need to continue generating them on my own. For this, I understand that when a new vulnerability is released in one of the packages that have the distroless images, I have to update the snapshots in /distroless/private/deb/bullseye.yaml, as well as update the bullseye.lock.json file with the new versions.

However, this can be too tedious a job and I was wondering if there is an easier way to do this process. Does anyone know how to do it?

Thanks!

borja-rivera commented 1 month ago

I'm trying to execute the script ./knife lock to auto-update lock files, but it seems like I cannot execute the command bazel run "@bookworm//:lock".

Here's the error:

ERROR: An error occurred during the fetch of repository 'bookworm_resolution':
   Traceback (most recent call last):
        File "/private/var/tmp/_bazel_XXXX/20797725df6c8828995322f6a5d00f5e/external/rules_distroless/apt/private/resolve.bzl", line 47, column 31, in _deb_resolve_impl
                manifest = _parse_manifest(rctx)
        File "/private/var/tmp/_bazel_XXXX/20797725df6c8828995322f6a5d00f5e/external/rules_distroless/apt/private/resolve.bzl", line 36, column 22, in _parse_manifest
                str(rctx.path(host_yq)),
Error in path: Unable to load package for **@yq_darwin_arm64//:yq**: The repository '@yq_darwin_arm64' could not be resolved: Repository '@yq_darwin_arm64' is not defined
ERROR: /Users/XXXX/distroless/WORKSPACE:103:20: fetching deb_resolve rule //external:bookworm_resolution: Traceback (most recent call last):
        File "/private/var/tmp/_bazel_XXXX/20797725df6c8828995322f6a5d00f5e/external/rules_distroless/apt/private/resolve.bzl", line 47, column 31, in _deb_resolve_impl
                manifest = _parse_manifest(rctx)
        File "/private/var/tmp/_bazel_XXXX/20797725df6c8828995322f6a5d00f5e/external/rules_distroless/apt/private/resolve.bzl", line 36, column 22, in _parse_manifest
                str(rctx.path(host_yq)),
Error in path: Unable to load package for @yq_darwin_arm64//:yq: The repository '@yq_darwin_arm64' could not be resolved: Repository '@yq_darwin_arm64' is not defined
ERROR: /private/var/tmp/_bazel_XXXX/20797725df6c8828995322f6a5d00f5e/external/bookworm/BUILD.bazel:2:6: @bookworm//:lock depends on @bookworm_resolution//:lock in repository @bookworm_resolution which failed to fetch. no such package '@bookworm_resolution//': Unable to load package for @yq_darwin_arm64//:yq: The repository '@yq_darwin_arm64' could not be resolved: Repository '@yq_darwin_arm64' is not defined
ERROR: Analysis of target '@bookworm//:lock' failed; build aborted: Analysis failed

Has anyone run into trouble with this?

loosebazooka commented 1 month ago

This repository is not particularly meant to be extended. If you want to build images, you should use rules_distroless and rules_oci to build the specific images you want.

Given that Debian has mostly EOL'd debian11 (https://www.debian.org/News/2024/20240814), it might make sense to look into moving to debian12.