znc / znc-docker

https://hub.docker.com/_/znc/

security: libUV security issue per docker hub? #34

Open xgpt opened 6 months ago

xgpt commented 6 months ago

See link: https://hub.docker.com/layers/library/znc/latest/images/sha256-9ee87dce4120706eb1da4bbde51224efd1780117177e2e28ab5c72fc32669001?context=repo&tab=vulnerabilities

Looks like libuv needs to be updated from 1.47 to 1.48

DarthGandalf commented 6 months ago

@tianon Hi, any idea how to fix this? The alpine version is already correct in the image

psychon commented 6 months ago

Out of curiosity: Does anyone know why libuv is being installed? The command for that layer is apk add --no-cache build-base cmake icu-dev openssl-dev perl python3. I have neither Docker nor alpine around, so I can only check my local Debian testing. There, libuv is a dependency of CMake. That's only a build dependency and not actually used at run time, which sounds a lot like the libuv bug is a non-issue.

@DarthGandalf Random guess would be to rebuild the image. Somehow remove the relevant base image and cause a rebuild of everything. How are the images built currently? Do you do that locally or is there some automation that I am missing?

DarthGandalf commented 6 months ago

Do you do that locally or is there some automation that I am missing?

https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions. The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc

psychon commented 6 months ago

https://hub.docker.com/r/zncbouncer/znc-git is built and pushed to docker hub by github actions.

That one seems to be rebuilt on each run. Looking at the output of a random recent execution of that:

[...]
#9 [4/7] RUN apk add --no-cache         argon2-libs         boost         build-base         ca-certificates         cmake         cyrus-sasl         gettext         icu-dev         icu-data-full         openssl-dev         perl         python3         su-exec         tini         tzdata
#9 1.152 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
#9 1.557 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
#9 1.808 (1/102) Installing argon2-libs (20190702-r5)
#9 1.835 (2/102) Installing libgcc (13.2.1_git20231014-r0)
#9 1.840 (3/102) Installing libstdc++ (13.2.1_git20231014-r0)
[...]

So, this rebuilds the image on every run. But libuv does not appear in the build output, so... it was never installed? Dunno.

The official image (https://hub.docker.com/_/znc) though is done somehow through https://github.com/docker-library/official-images/blob/master/library/znc

The readme of that file says about "what are official images":

Actively rebuild for updates and security fixes

So, this one will just fix itself, I guess? There is a link in the text, but that doesn't explain things for me and I can't find out what they actually mean. It only says:

Tags in the library file are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built). Only what is in the library file will be rebuilt when a base has updates.

So... they will fix this on the next alpine release?
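The question raised in the comment above is whether the flagged libuv is actually present in the built image and at which version. The following shell snippet is an added example, not code from the znc-docker project or from any participant in this thread: it pulls a package's version out of `apk add` build-log lines of the form shown earlier in the thread and compares it against a version you name as fixed. The log lines embedded in it are constructed for illustration (the real build output above does not list libuv at all), and the fixed version `1.48.0-r0` is an assumption standing in for whatever the scanner considers patched.

```shell
#!/bin/sh
# Added example (not the project's code). Checks an apk build log for a
# package and reports whether the installed version is below a fixed one.

# Constructed sample of "(n/N) Installing pkg (version)" lines, as printed
# by `apk add`; libuv is included here only to exercise the check.
SAMPLE_LOG='(1/102) Installing argon2-libs (20190702-r5)
(2/102) Installing libgcc (13.2.1_git20231014-r0)
(3/102) Installing libuv (1.47.0-r0)
(4/102) Installing cmake (3.27.8-r0)'

# apk_installed_version LOG PKG
# Prints the version apk installed for PKG, or nothing if PKG is absent.
apk_installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        $2 == "Installing" && $3 == pkg {
            v = $4; sub(/^\(/, "", v); sub(/\)$/, "", v); print v
        }'
}

# version_lt A B  ->  true when A sorts strictly before B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_pkg LOG PKG FIXED_VERSION  ->  absent | vulnerable (...) | fixed (...)
check_pkg() {
    v=$(apk_installed_version "$1" "$2")
    if [ -z "$v" ]; then
        echo absent
    elif version_lt "$v" "$3"; then
        echo "vulnerable ($v < $3)"
    else
        echo "fixed ($v)"
    fi
}

# Demonstration against the constructed log (assumed fixed version 1.48.0-r0).
check_pkg "$SAMPLE_LOG" libuv 1.48.0-r0
```

An "absent" result for libuv on the real build output is the point psychon makes: a package that never reaches the final layer cannot be the running bouncer's problem, whatever the layer scanner reports for intermediate ones. To inspect a built image rather than a log, the same comparison can be run on the output of `docker run --rm <image> apk list --installed`, adjusting the awk pattern to that command's "pkg-version" line format.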

DarthGandalf commented 6 months ago

So... they will fix this on the next alpine release?

Every alpine release already has the fixed libuv.

That's why I tagged @tianon here - I don't know what we can do on our side.

DarthGandalf commented 6 months ago

Actually, no, only 3.19 has the bad version, I was reading alpine packages wrong.