osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

In case you want to build against Debian Bullseye (11) #583

Open isuftin opened 3 years ago

isuftin commented 3 years ago

We were finding a ton of CVE vulnerabilities using this Docker image because it's based on Buster.

Internally we've recreated this image based on Bullseye.

Here's what we do; the main difference being that I was not able to use the base image and this image as source images, because they delete content needed in downstream builds, so we are grabbing the release archive source code to get that content and move it to the right place. But this is just an example of how things work using Bullseye. Take from it what you will. Close this as you feel.

FROM debian:11-slim

ARG OPENLDAP_PACKAGE_VERSION=2.4.57
ARG LDAP_OPENLDAP_GID
ARG LDAP_OPENLDAP_UID
ARG PQCHECKER_VERSION=2.0.0
ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN apt-get update && apt-get install --no-install-recommends -y \
    ca-certificates=20210119* \
    tzdata=2021a* \
    locales=2.31* \
    curl=7.68* \
    && mkdir -p /container/file /tmp/downloads/unpack \
    && curl -L --output /tmp/downloads/baseimage_code.tar.gz https://github.com/osixia/docker-light-baseimage/archive/refs/tags/v1.3.3.tar.gz \
    && tar xzf /tmp/downloads/baseimage_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack \
    && mv /tmp/downloads/unpack/image/* /container \
    && chmod +x /container/build.sh && /container/build.sh \
    && rm -rf /tmp/downloads /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/log/*log /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old

ENV LANG="en_US.UTF-8" \
    LANGUAGE="en_US:en" \
    LC_ALL="en_US.UTF-8"

# Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
# If explicit uid or gid is given, use it.
RUN mkdir -p /container/service /container/environment/99-default /tmp/downloads/unpack \
    && curl -L --output /tmp/downloads/openldap_code.tar.gz https://github.com/osixia/docker-openldap/archive/refs/tags/v1.5.0.tar.gz \
    && tar xzf /tmp/downloads/openldap_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack \
    && if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -g 911 -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
    && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -l -u 911 -r -g openldap openldap; else useradd -l -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi \
    && echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker \
    && apt-get -y update \
    && /container/tool/add-service-available :ssl-tools \
    && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ldap-utils=${OPENLDAP_PACKAGE_VERSION}\* \
        libldap-common=${OPENLDAP_PACKAGE_VERSION}\* \
        libsasl2-modules=2.1.27* \
        libsasl2-modules-db=2.1.27* \
        libsasl2-modules-gssapi-mit=2.1.27* \
        libsasl2-modules-ldap=2.1.27* \
        libsasl2-modules-otp=2.1.27* \
        libsasl2-modules-sql=2.1.27* \
        openssl=1.1.1* \
        slapd=${OPENLDAP_PACKAGE_VERSION}\* \
        slapd-contrib=${OPENLDAP_PACKAGE_VERSION}\* \
        krb5-kdc-ldap=1.18.3* \
    && curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \
    && echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \
    && dpkg -i pqchecker.deb \
    && rm pqchecker.deb \
    && update-ca-certificates \
    && mv /tmp/downloads/unpack/image/service/* /container/service \
    && /container/tool/install-service \
    && mv /tmp/downloads/unpack/image/environment/* /container/environment/99-default \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /tmp/downloads

EXPOSE 389 636
ENTRYPOINT ["/container/tool/run"]
strouja commented 7 months ago

Thanks. I kept on getting this error (I also got this error with the Debian 10 Dockerfile as well):

ERROR: failed to solve: process "/bin/bash -o pipefail -c apt-get update && apt-get install --no-install-recommends -y     ca-certificates     tzdata=2021a*     locales=2.31*     curl=7.68*     && mkdir -p /container/file /tmp/downloads/unpack     && curl -L --output /tmp/downloads/baseimage_code.tar.gz https://github.com/osixia/docker-light-baseimage/archive/refs/tags/v1.3.3.tar.gz     && tar xzf /tmp/downloads/baseimage_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack     && mv /tmp/downloads/unpack/image/* /container     && chmod +x /container/build.sh && /container/build.sh     && rm -rf /tmp/downloads /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/log/*log /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old" did not complete successfully: exit code: 100

I fixed it by removing the versions from these lines:

    ca-certificates=20210119* \
    tzdata=2021a* \
    locales=2.31* \
    curl=7.68* \

So now make build worked for me, with my Dockerfile being this:

FROM debian:11-slim

ARG OPENLDAP_PACKAGE_VERSION=2.4.57
ARG LDAP_OPENLDAP_GID
ARG LDAP_OPENLDAP_UID
ARG PQCHECKER_VERSION=2.0.0
ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN apt-get update && apt-get install --no-install-recommends -y \
    ca-certificates \
    tzdata \
    locales \
    curl \
    && mkdir -p /container/file /tmp/downloads/unpack \
    && curl -L --output /tmp/downloads/baseimage_code.tar.gz https://github.com/osixia/docker-light-baseimage/archive/refs/tags/v1.3.3.tar.gz \
    && tar xzf /tmp/downloads/baseimage_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack \
    && mv /tmp/downloads/unpack/image/* /container \
    && chmod +x /container/build.sh && /container/build.sh \
    && rm -rf /tmp/downloads /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/log/*log /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old

ENV LANG="en_US.UTF-8" \
    LANGUAGE="en_US:en" \
    LC_ALL="en_US.UTF-8"

# Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
# If explicit uid or gid is given, use it.
RUN mkdir -p /container/service /container/environment/99-default /tmp/downloads/unpack \
    && curl -L --output /tmp/downloads/openldap_code.tar.gz https://github.com/osixia/docker-openldap/archive/refs/tags/v1.5.0.tar.gz \
    && tar xzf /tmp/downloads/openldap_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack \
    && if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -g 911 -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
    && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -l -u 911 -r -g openldap openldap; else useradd -l -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi \
    && echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker \
    && apt-get -y update \
    && /container/tool/add-service-available :ssl-tools \
    && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ldap-utils=${OPENLDAP_PACKAGE_VERSION}\* \
        libldap-common=${OPENLDAP_PACKAGE_VERSION}\* \
        libsasl2-modules=2.1.27* \
        libsasl2-modules-db=2.1.27* \
        libsasl2-modules-gssapi-mit=2.1.27* \
        libsasl2-modules-ldap=2.1.27* \
        libsasl2-modules-otp=2.1.27* \
        libsasl2-modules-sql=2.1.27* \
        openssl=1.1.1* \
        slapd=${OPENLDAP_PACKAGE_VERSION}\* \
        slapd-contrib=${OPENLDAP_PACKAGE_VERSION}\* \
        krb5-kdc-ldap=1.18.3* \
    && curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \
    && echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \
    && dpkg -i pqchecker.deb \
    && rm pqchecker.deb \
    && update-ca-certificates \
    && mv /tmp/downloads/unpack/image/service/* /container/service \
    && /container/tool/install-service \
    && mv /tmp/downloads/unpack/image/environment/* /container/environment/99-default \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /tmp/downloads

EXPOSE 389 636
ENTRYPOINT ["/container/tool/run"]
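The "exit code: 100" above is apt failing because a pin such as curl=7.68* names a version that the Bullseye mirror no longer carries (the pins were copied from the Buster image). Removing every pin makes the build succeed, but it also means each rebuild installs whatever the mirror serves that day. As an added example (not code from the issue or from the osixia project), the script below checks each pin against madison-style output before the build so that only the stale pin has to be changed. MADISON_SAMPLE is a constructed stand-in for `apt-cache madison` output and its version strings are illustrative; DOCKERFILE_PINS repeats the pins from the first comment's Dockerfile plus the slapd pin.

```shell
#!/bin/sh
# Added example, not from the issue or the osixia project: check apt version
# pins of the form pkg=prefix* against the versions a mirror actually carries,
# so a stale pin (the apt "exit code: 100" failure) is found before the
# docker build and only that pin is corrected, instead of dropping all pins.
#
# MADISON_SAMPLE is a constructed stand-in for `apt-cache madison <pkg...>`
# output on a bullseye image; the version strings are illustrative only.
MADISON_SAMPLE='ca-certificates | 20210119 | http://deb.debian.org/debian bullseye/main amd64 Packages
tzdata | 2021a-1 | http://deb.debian.org/debian bullseye/main amd64 Packages
locales | 2.31-13+deb11u5 | http://deb.debian.org/debian bullseye/main amd64 Packages
curl | 7.74.0-1.3+deb11u7 | http://deb.debian.org/debian bullseye/main amd64 Packages
slapd | 2.4.57+dfsg-3+deb11u1 | http://deb.debian.org/debian bullseye/main amd64 Packages'

# The pins from the first-comment Dockerfile (buster-era versions) plus slapd.
DOCKERFILE_PINS='ca-certificates=20210119* tzdata=2021a* locales=2.31* curl=7.68* slapd=2.4.57*'

# pin_matches PIN MADISON_TEXT
# Returns 0 if any version listed for the pinned package matches the glob,
# 1 otherwise. The loop runs in an explicit subshell so that `exit` only
# leaves the subshell and never the calling script.
pin_matches() {
    pkg=${1%%=*}
    glob=${1#*=}
    printf '%s\n' "$2" | (
        while IFS='|' read -r name ver rest; do
            name=$(printf '%s' "$name" | tr -d ' ')
            ver=$(printf '%s' "$ver" | tr -d ' ')
            [ "$name" = "$pkg" ] || continue
            # Shell pattern match: the trailing * in the pin is a wildcard,
            # the same way the Dockerfile relies on apt treating "pkg=2.31*".
            case $ver in
                $glob) exit 0 ;;
            esac
        done
        exit 1
    )
}

# check_pins PINS MADISON_TEXT
# Prints every pin that no listed version satisfies, one per line.
check_pins() {
    for pin in $1; do
        pin_matches "$pin" "$2" || printf '%s\n' "$pin"
    done
    return 0
}

# Inside a debian:11-slim container the same check runs on live data, e.g.:
#   check_pins "$DOCKERFILE_PINS" "$(apt-cache madison ca-certificates tzdata locales curl slapd)"
# Against the constructed sample only the stale buster pin is reported.
check_pins "$DOCKERFILE_PINS" "$MADISON_SAMPLE"
```

Run against the sample, the script reports curl=7.68* as the only pin that cannot be satisfied, which is the pin to update to the Bullseye version rather than a reason to drop every pin. The same check applies to the slapd, ldap-utils and libsasl2 pins in the second RUN step, whose apt failure looks identical.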
strouja commented 7 months ago

I did more testing, and this Dockerfile is better in my opinion as it takes out more package versions, so use this instead:

# use debian 11 slim as the base operating system
FROM debian:11-slim

ARG OPENLDAP_PACKAGE_VERSION=2.4.57
ARG LDAP_OPENLDAP_GID
ARG LDAP_OPENLDAP_UID
ARG PQCHECKER_VERSION=2.0.0
ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN apt-get update && apt-get install --no-install-recommends -y \
    ca-certificates \
    tzdata \
    locales \
    curl \
    && mkdir -p /container/file /tmp/downloads/unpack \
    && curl -L --output /tmp/downloads/baseimage_code.tar.gz https://github.com/osixia/docker-light-baseimage/archive/refs/tags/v1.3.3.tar.gz \
    && tar xzf /tmp/downloads/baseimage_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack \
    && mv /tmp/downloads/unpack/image/* /container \
    && chmod +x /container/build.sh && /container/build.sh \
    && rm -rf /tmp/downloads /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/log/*log /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old

ENV LANG="en_US.UTF-8" \
    LANGUAGE="en_US:en" \
    LC_ALL="en_US.UTF-8"

# Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
# If explicit uid or gid is given, use it.
RUN mkdir -p /container/service /container/environment/99-default /tmp/downloads/unpack \
    && curl -L --output /tmp/downloads/openldap_code.tar.gz https://github.com/osixia/docker-openldap/archive/refs/tags/v1.5.0.tar.gz \
    && tar xzf /tmp/downloads/openldap_code.tar.gz --strip-components 1 --directory /tmp/downloads/unpack \
    && if [ -z "${LDAP_OPENLDAP_GID}" ]; then groupadd -g 911 -r openldap; else groupadd -r -g ${LDAP_OPENLDAP_GID} openldap; fi \
    && if [ -z "${LDAP_OPENLDAP_UID}" ]; then useradd -l -u 911 -r -g openldap openldap; else useradd -l -r -g openldap -u ${LDAP_OPENLDAP_UID} openldap; fi \
    && echo "path-include /usr/share/doc/krb5*" >> /etc/dpkg/dpkg.cfg.d/docker \
    && apt-get -y update \
    && /container/tool/add-service-available :ssl-tools \
    && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ldap-utils=${OPENLDAP_PACKAGE_VERSION}\* \
        libldap-common=${OPENLDAP_PACKAGE_VERSION}\* \
        libsasl2-modules \
        libsasl2-modules-db \
        libsasl2-modules-gssapi-mit \
        libsasl2-modules-ldap \
        libsasl2-modules-otp \
        libsasl2-modules-sql \
        openssl \
        slapd=${OPENLDAP_PACKAGE_VERSION}\* \
        slapd-contrib=${OPENLDAP_PACKAGE_VERSION}\* \
        krb5-kdc-ldap \
    && curl -o pqchecker.deb -SL http://www.meddeb.net/pub/pqchecker/deb/8/pqchecker_${PQCHECKER_VERSION}_amd64.deb \
    && echo "${PQCHECKER_MD5} *pqchecker.deb" | md5sum -c - \
    && dpkg -i pqchecker.deb \
    && rm pqchecker.deb \
    && update-ca-certificates \
    && mv /tmp/downloads/unpack/image/service/* /container/service \
    && /container/tool/install-service \
    && mv /tmp/downloads/unpack/image/environment/* /container/environment/99-default \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /tmp/downloads

EXPOSE 389 636
ENTRYPOINT ["/container/tool/run"]