mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
Seth Shelnutt
8eb7051987
The IronBank Dockerfile used UBI8-minimal:8.7 as its base image. IronBank has migrated images to UBI9 base, and the bundled urllib3 1.26.5 in the image triggers CVE-2026-44431 (sensitive headers leaked on cross-origin redirects via the low-level API). This updates the base image from UBI8-minimal to UBI9-minimal and explicitly removes python3-urllib3 after package installation. Coder is a Go binary and does not invoke Python at runtime, so urllib3 is unused. Refs [ENT-4](https://linear.app/codercom/issue/ENT-4/ironbank-v23111-update-urllib3-from-1265-to-fix-cve-2026-44431), [ENT-51](https://linear.app/codercom/issue/ENT-51/ironbank-main-update-base-image-urllib3-cve-2026-44431), [CVE-2026-44431](https://nvd.nist.gov/vuln/detail/CVE-2026-44431) > Generated by Coder Agents <details><summary>Decision log</summary> - **Base image**: Moved from `ubi8-minimal:8.7` to `ubi9-minimal:9.6` to align with IronBank's UBI9 migration and reduce overall vulnerability surface. - **urllib3 removal**: Added explicit `microdnf remove python3-urllib3` with error suppression (`|| true`) so the build succeeds whether or not the package is present in the base image. This handles both the minimal and full UBI9 base image variants that IronBank may use. - **Crypto policies**: RHEL 9 uses the same `/etc/crypto-policies/back-ends/*.config` paths as RHEL 8; no changes needed. - **Build script**: Updated the `registry.access.redhat.com` override from `ubi8/ubi-minimal:8.7` to `ubi9/ubi-minimal:9.6` for local builds. </details>
107 lines
2.7 KiB
Bash
Executable File
107 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# This script builds the ironbank Docker image of Coder containing the given
|
|
# binary. Other dependencies will be automatically downloaded and cached.
|
|
#
|
|
# Usage: ./build_ironbank.sh --target image_tag path/to/coder
|
|
|
|
set -euo pipefail
|
|
# shellcheck source=scripts/lib.sh
|
|
source "$(dirname "${BASH_SOURCE[0]}")/../lib.sh"
|
|
|
|
image_tag=""
|
|
|
|
args="$(getopt -o "" -l target: -- "$@")"
|
|
eval set -- "$args"
|
|
while true; do
|
|
case "$1" in
|
|
--target)
|
|
image_tag="$2"
|
|
shift 2
|
|
;;
|
|
--)
|
|
shift
|
|
break
|
|
;;
|
|
*)
|
|
error "Unrecognized option: $1"
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [[ "$image_tag" == "" ]]; then
|
|
error "The --image-tag parameter is required"
|
|
fi
|
|
|
|
# Check dependencies
|
|
dependencies docker sha256sum yq
|
|
if [[ $(yq --version) != *" v4."* ]]; then
|
|
error "yq version 4 is required"
|
|
fi
|
|
|
|
if [[ "$#" != 1 ]]; then
|
|
error "Exactly one argument must be provided to this script, $# were supplied"
|
|
fi
|
|
if [[ ! -f "$1" ]]; then
|
|
error "File '$1' does not exist or is not a regular file"
|
|
fi
|
|
input_file="$(realpath "$1")"
|
|
|
|
# Make temporary dir for Docker build context.
|
|
tmpdir="$(mktemp -d)"
|
|
trap 'rm -rf "$tmpdir"' EXIT
|
|
pushd "$(dirname "${BASH_SOURCE[0]}")"
|
|
cp Dockerfile "$tmpdir/"
|
|
cp terraform-filesystem-mirror.tfrc "$tmpdir/"
|
|
popd
|
|
|
|
# Create a coder.tar.gz file.
|
|
execrelative ../archive.sh \
|
|
--format tar.gz \
|
|
--os linux \
|
|
--output "$tmpdir/coder.tar.gz" \
|
|
"$input_file"
|
|
|
|
# Download all resources in the hardening_manifest.yaml file except for
|
|
# coder.tar.gz (which we will make ourselves).
|
|
manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
|
|
resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
|
|
while read -r line; do
|
|
filename="$(echo "$line" | cut -f1)"
|
|
url="$(echo "$line" | cut -f2)"
|
|
sha256_hash="$(echo "$line" | cut -f3)"
|
|
|
|
pushd "$(dirname "${BASH_SOURCE[0]}")"
|
|
target=".${filename}.${sha256_hash}"
|
|
if [[ ! -f "$target" ]]; then
|
|
log "Downloading $filename"
|
|
curl -sSL "$url" -o "$target"
|
|
fi
|
|
|
|
sum="$(sha256sum "$target" | cut -d' ' -f1)"
|
|
if [[ "$sum" != "$sha256_hash" ]]; then
|
|
rm "$target"
|
|
error "Downloaded $filename has hash $sum, but expected $sha256_hash"
|
|
fi
|
|
cp "$target" "$tmpdir/$filename"
|
|
popd
|
|
done <<<"$resources"
|
|
|
|
terraform_coder_provider_version="$(yq e '.args.TERRAFORM_CODER_PROVIDER_VERSION' "$manifest_path")"
|
|
if [[ "$terraform_coder_provider_version" == "" ]]; then
|
|
error "TERRAFORM_CODER_PROVIDER_VERSION not found in hardening_manifest.yaml"
|
|
fi
|
|
|
|
# Build the image.
|
|
pushd "$tmpdir"
|
|
docker build \
|
|
--build-arg BASE_REGISTRY=registry.access.redhat.com \
|
|
--build-arg BASE_IMAGE=ubi9/ubi-minimal \
|
|
--build-arg BASE_TAG=9.6 \
|
|
--build-arg TERRAFORM_CODER_PROVIDER_VERSION="$terraform_coder_provider_version" \
|
|
-t "$image_tag" \
|
|
. >&2
|
|
popd
|
|
|
|
echo "$image_tag"
|