Update scheduler

c2d75420 · Austin Denton · 38fdba06 · c2d75420 · c2d75420 · c2d75420
Commit c2d75420 authored Apr 08, 2021 by Austin Denton
4 changed files
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,26 +15,35 @@ ENV BITNAMI_PKG_EXTRA_DIRS="/opt/bitnami/airflow/dags" \
 COPY --from=base ${BITNAMI_HOME} ${BITNAMI_HOME}
 COPY --from=base ${BITNAMI_DIR} ${BITNAMI_DIR}
-COPY prebuildfs /
+COPY --from=base \
+     /lib/x86_64-linux-gnu/libbz2.so.1.0 \
+     /usr/lib64/
 RUN dnf update -y --nodocs && \
-    dnf install -y curl tar gzip ca-certificates libxml2 \
+    dnf install -y curl tar gzip ca-certificates libxml2 procps glibc-langpack-en && \
-    procps glibc-locale-source glibc-langpack-en && \
    dnf clean all && \
    rm -rf /var/cache/dnf && \
-    localedef -c -f UTF-8 -i en_US en_US.UTF-8 && \
+    mkdir -p /local/wheels && \
    chmod g+rwX /opt/bitnami
 COPY rootfs /
-RUN /opt/bitnami/scripts/airflow-scheduler/postunpack.sh
+COPY *.whl *.tar.gz /local/wheels/
-COPY --from=base \
+RUN /opt/bitnami/scripts/airflow-scheduler/postunpack.sh && \
-     /lib/x86_64-linux-gnu/libbz2.so.1.0 \
+    source /opt/bitnami/airflow/venv/bin/activate && \
-     /usr/lib64/
+    # Remove for security advisory GHSA-x9p2-fxq6-2m5f GHSA-4f9m-pxwh-68hg GHSA-388g-jwpg-x6j4
+    rm -rf ${BITNAMI_HOME}/airflow/venv/lib/python3.8/site-packages/swagger_ui_bundle/vendor/swagger-ui-2.2.10 && \
+    # Update to thrift-0.14 per CVE-2020-13949
+    tar xfz /local/wheels/thrift-0.14.1.tar.gz -C /local/wheels && \
+    pip install --no-index --no-deps /local/wheels/thrift-0.14.1/lib/py && \
+    rm -rf /local/wheels/thrift-0.14.1* && \
+    for f in $(ls -l /local/wheels | awk '{print $9}' |sed '/^$/d'); do pip install --no-index --no-deps /local/wheels/$f; done && \
+    find /opt/bitnami/airflow/venv/lib/python3.8/site-packages -name "*.pem" -o -name "*.key" | egrep ".*test.*/.*\.pem|.*test.*/.*\.key" | xargs rm -f && \
+    rm -rf /local/*
 ENV AIRFLOW_HOME="/opt/bitnami/airflow" \
    BITNAMI_APP_NAME="airflow-scheduler" \
-    BITNAMI_IMAGE_VERSION="2.0.1-debian-10-r53" \
+    BITNAMI_IMAGE_VERSION="2.0.1-debian-10-r54" \
    LD_LIBRARY_PATH="/opt/bitnami/python/lib/:/opt/bitnami/airflow/venv/lib/python3.8/site-packages/numpy.libs/:$LD_LIBRARY_PATH" \
    LIBNSS_WRAPPER_PATH="/opt/bitnami/common/lib/libnss_wrapper.so" \
    LNAME="airflow" \

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -38,6 +38,36 @@ labels:
 resources:
 - tag: bitnami/airflow-scheduler:2.0.1-debian-10-r53
  url: docker://docker.io/bitnami/airflow-scheduler@sha256:6bc874b99ebbc514606f3929bd34bdb438ab0b66ace5c9745464d5aa8346ad0c
+- filename: thrift-0.14.1.tar.gz
+  url: https://mirror.jframeworks.com/apache/thrift/0.14.1/thrift-0.14.1.tar.gz
+  validation:
+    type: sha256
+    value: 13da5e1cd9c8a3bb89778c0337cc57eb0c29b08f3090b41cf6ab78594b410ca5
+- filename: pylint-2.7.2-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/b3/66/af8f80d4fa77dcd4cba9e56e136522838920a2eaf6794b784e1f377f84d9/pylint-2.7.2-py3-none-any.whl
+  validation:
+    type: sha256
+    value: d09b0b07ba06bcdff463958f53f23df25e740ecd81895f7d2699ec04bbd8dc3b
+- filename: networkx-2.5.1-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/f3/b7/c7f488101c0bb5e4178f3cde416004280fd40262433496830de8a8c21613/networkx-2.5.1-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 0635858ed7e989f4c574c2328380b452df892ae85084144c73d8cd819f0c4e06
+- filename: decorator-4.4.2-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/ed/1b/72a1821152d07cf1d8b6fce298aeb06a7eb90f4d6d41acec9861e7cc6df0/decorator-4.4.2-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 41fa54c2a0cc4ba648be4fd43cff00aedf5b9465c9bf18d64325bc225f08f760
+- filename: aiohttp-3.7.4.post0-cp38-cp38-manylinux2014_x86_64.whl
+  url: https://files.pythonhosted.org/packages/a6/76/f18138b0ff84fcd939667a2efc2e1b49c871299f9091f84c06bb4c350c01/aiohttp-3.7.4.post0-cp38-cp38-manylinux2014_x86_64.whl
+  validation:
+    type: sha256
+    value: 79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013
+- filename: azure_storage_blob-12.8.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/09/14/4ca417a9c92b0fb93516575dd7be9b058bf13d531dcc21239b5f8f216a69/azure_storage_blob-12.8.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 46999df6e2cde8773739f7c3bd1eb5846d4b7dc1ef6e2161f3b6d1d0f21726ba
 # List of project maintainers
 maintainers:

--- a/prebuildfs/opt/bitnami/scripts/liblog.sh
+++ b/prebuildfs/opt/bitnami/scripts/liblog.sh
@@ -106,5 +106,5 @@ indent() {
    for ((i = 0; i < num; i++)); do
        indent_unit="${indent_unit}${char}"
    done
-    echo "$string" | sed "s/^/${indent_unit}/"
+    echo "${string//^/${indent_unit}}"
 }
--- a/prebuildfs/opt/bitnami/scripts/libversion.sh
+++ b/prebuildfs/opt/bitnami/scripts/libversion.sh
@@ -9,7 +9,7 @@
 # Functions
 ########################
-# Gets semantic version 
+# Gets semantic version
 # Arguments:
 #   $1 - version: string to extract major.minor.patch
 #   $2 - section: 1 to extract major, 2 to extract minor, 3 to extract patch
@@ -38,7 +38,7 @@ get_sematic_version () {
        done
        local number_regex='^[0-9]+$'
-        if [[ "$section" =~ $number_regex ]] && (( $section > 0 )) && (( $section <= 3 )); then
+        if [[ "$section" =~ $number_regex ]] && (( section > 0 )) && (( section <= 3 )); then
             echo "${version_sections[$section]}"
             return
        else