shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
coder/scripts/ironbank/Dockerfile
T
Seth Shelnutt 8eb7051987 fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25217) 
The IronBank Dockerfile used UBI8-minimal:8.7 as its base image.
IronBank has migrated images to UBI9 base, and the bundled urllib3
1.26.5 in the image triggers CVE-2026-44431 (sensitive headers leaked on
cross-origin redirects via the low-level API).

This updates the base image from UBI8-minimal to UBI9-minimal and
explicitly removes python3-urllib3 after package installation. Coder is
a Go binary and does not invoke Python at runtime, so urllib3 is unused.

Refs
[ENT-4](https://linear.app/codercom/issue/ENT-4/ironbank-v23111-update-urllib3-from-1265-to-fix-cve-2026-44431),
[ENT-51](https://linear.app/codercom/issue/ENT-51/ironbank-main-update-base-image-urllib3-cve-2026-44431),
[CVE-2026-44431](https://nvd.nist.gov/vuln/detail/CVE-2026-44431)

> Generated by Coder Agents

<details><summary>Decision log</summary>

- **Base image**: Moved from `ubi8-minimal:8.7` to `ubi9-minimal:9.6` to
align with IronBank's UBI9 migration and reduce overall vulnerability
surface.
- **urllib3 removal**: Added explicit `microdnf remove python3-urllib3`
with error suppression (`|| true`) so the build succeeds whether or not
the package is present in the base image. This handles both the minimal
and full UBI9 base image variants that IronBank may use.
- **Crypto policies**: RHEL 9 uses the same
`/etc/crypto-policies/back-ends/*.config` paths as RHEL 8; no changes
needed.
- **Build script**: Updated the `registry.access.redhat.com` override
from `ubi8/ubi-minimal:8.7` to `ubi9/ubi-minimal:9.6` for local builds.

</details>
2026-05-13 10:41:56 -04:00

99 lines
4.4 KiB
Docker
Raw Permalink Blame History

ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9-minimal
ARG BASE_TAG=9.6
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
SHELL ["/bin/bash", "-c"]
ENV LANG=en_US.UTF-8
RUN microdnf update --assumeyes && \
microdnf install --assumeyes \
ca-certificates \
git \
gzip \
shadow-utils \
tar \
unzip && \
# Remove python3-urllib3 if present to address CVE-2026-44431.
# Coder is a Go binary and does not use Python at runtime.
microdnf remove --assumeyes python3-urllib3 2>/dev/null || true && \
microdnf clean all
# Configure the cryptography policy manually. These policies likely
# have no impact, since Go doesn't link against these libraries.
#
# Normally, one uses the update-crypto-policies script to create these
# links, which is included in the crypto-policies-scripts package, but
# that pulls in Python, so we create the links manually here. This
# list of links comes from running strace on the update-crypto-policies
# script (strace update-crypto-policies --set FIPS) in Fedora, since
# RHEL and UBI do not provide an strace package by default.
RUN echo "FIPS" >/etc/crypto-policies/config && \
cp --force /usr/share/crypto-policies/policies/FIPS.pol /etc/crypto-policies/state/CURRENT.pol && \
echo "FIPS" >/etc/crypto-policies/state/current && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/bind.txt /etc/crypto-policies/back-ends/bind.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/gnutls.txt /etc/crypto-policies/back-ends/gnutls.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/java.txt /etc/crypto-policies/back-ends/java.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/libreswan.txt /etc/crypto-policies/back-ends/libreswan.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/libssh.txt /etc/crypto-policies/back-ends/libssh.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/nss.txt /etc/crypto-policies/back-ends/nss.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/openssh.txt /etc/crypto-policies/back-ends/openssh.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/opensshserver.txt /etc/crypto-policies/back-ends/opensshserver.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/openssl.txt /etc/crypto-policies/back-ends/openssl.config && \
ln --symbolic --force /usr/share/crypto-policies/FIPS/opensslcnf.txt /etc/crypto-policies/back-ends/opensslcnf.config
# Copy and extract Coder binary from tar file. We have to put this in /opt to
# match the Dockerfile.
ARG CODER_BIN=/opt/coder
ARG CODER_BIN_TAR_GZ=coder.tar.gz
COPY "$CODER_BIN_TAR_GZ" /tmp/coder.tar.gz
RUN mkdir -p /opt && \
tar -xzvf /tmp/coder.tar.gz --directory /opt --strip-components=1 ./coder && \
rm /tmp/coder.tar.gz
ENV PATH="/opt:${PATH}"
# Copy and extract Terraform binary from zip file.
ARG TERRAFORM_BIN_DIR=/opt/terraform
ARG TERRAFORM_BIN_ZIP=terraform.zip
COPY "$TERRAFORM_BIN_ZIP" /tmp/terraform.zip
RUN mkdir -p "$TERRAFORM_BIN_DIR" && \
unzip /tmp/terraform.zip -d "$TERRAFORM_BIN_DIR" && \
rm /tmp/terraform.zip
ENV PATH="${TERRAFORM_BIN_DIR}:${PATH}"
# Install the Coder Terraform provider to a well-known location.
ARG TERRAFORM_PLUGINS_DIR=/opt/terraform/plugins
ARG TERRAFORM_CODER_PROVIDER_VERSION
ARG TERRAFORM_CODER_PROVIDER_ZIP=terraform-provider-coder.zip
COPY "$TERRAFORM_CODER_PROVIDER_ZIP" "${TERRAFORM_PLUGINS_DIR}/registry.terraform.io/coder/coder/terraform-provider-coder_${TERRAFORM_CODER_PROVIDER_VERSION}_linux_amd64.zip"
# Configure Terraform to use plugins from this dir.
COPY terraform-filesystem-mirror.tfrc /opt/terraform/config.tfrc
ENV TF_CLI_CONFIG_FILE=/opt/terraform/config.tfrc
# Uninstall the build dependencies.
RUN microdnf remove --assumeyes \
tar \
unzip && \
microdnf clean all
# Transfer ownership of the binaries to the 'coder' user.
RUN useradd coder \
--create-home \
--shell=/bin/bash \
--uid=1000 \
--user-group && \
chown --recursive --quiet coder:coder "$CODER_BIN" && \
chown --recursive --quiet coder:coder "$TERRAFORM_BIN_DIR" && \
chown --recursive --quiet coder:coder "$TERRAFORM_PLUGINS_DIR" && \
chmod 0755 /home/coder
USER 1000
ENV HOME /home/coder
ENV USER=coder
ENTRYPOINT [ "/opt/coder", "server" ]
Reference in New Issue View Git Blame Copy Permalink