Missing security repository in the Debian base image
Summary
The security repository is missing
Steps to reproduce
Use the standard Debian image as a base and try to install a package that should be pulled from the security repository, like openjdk-11-jdk.
ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/opensource/debian/debian
ARG BASE_TAG="11.7"
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
ENV DEBIAN_FRONTEND=noninteractive
ENV TZ=Etc/UTC
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install --no-install-recommends --yes \
        openjdk-11-jdk && \
    rm -fr /var/cache/apt /var/lib/apt/lists
The above Dockerfile will install 11.0.20+8-1~deb11u1, even though the version of the security update is 11.0.21+9-1~deb11u1: https://tracker.debian.org/pkg/openjdk-11
If I print the content of /etc/apt/sources.list:
# deb http://snapshot.debian.org/archive/debian/20230227T000000Z bullseye main
deb [MASKED]debian11 bullseye main
# deb http://snapshot.debian.org/archive/debian/20230227T000000Z bullseye-updates main
deb [MASKED]debian11-updates bullseye-updates main
Basically, this repository is missing:
deb http://deb.debian.org/debian-security/ bullseye-security main
See my test job: https://repo1.dso.mil/dsop/liferay/dxp/-/jobs/27868818
Corresponding code: https://repo1.dso.mil/dsop/liferay/dxp/-/blob/test_branch_debian/Dockerfile
It is weird because if I pull the image to my local computer, the repository is there and functioning properly:
$ docker run -ti registry1.dso.mil/ironbank/opensource/debian/debian:11.7 cat /etc/apt/sources.list
# deb http://snapshot.debian.org/archive/debian/20230612T000000Z bullseye main
deb http://deb.debian.org/debian bullseye main
# deb http://snapshot.debian.org/archive/debian-security/20230612T000000Z bullseye-security main
deb http://deb.debian.org/debian-security bullseye-security main
# deb http://snapshot.debian.org/archive/debian/20230612T000000Z bullseye-updates main
deb http://deb.debian.org/debian bullseye-updates main
It looks like this image is a completely different image.
What is the expected correct behavior?
Security updates should be available for installation on GitLab CI.
Extra question:
According to this page, both Ubuntu and Debian distributions are supported. https://docs-ironbank.dso.mil/hardening/choosing-base-image/
As far as I can see, the Ubuntu image is not ready for use and the latest Debian version (v12, bookworm) is also not available, only Debian 11 (bullseye).
Is it correct that Debian-based distributions are not fully supported?
Tasks
- Bug has been identified and corrected within the container
Please read the Iron Bank Documentation for more info
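A build-time guard for the condition reported above, as an added example that is not part of the original issue or of Iron Bank's code: it reads one-line-style sources.list files, ignores commented-out entries, and fails when no enabled `deb` entry names the `<codename>-security` suite. It checks the suite field rather than the mirror URL because the URL is masked in the CI listing; the function names are hypothetical and the sample files are the two listings quoted in the issue.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Handles one-line sources.list
# entries only, not deb822 *.sources files.

# Print the suite of every enabled "deb" entry in the given files.
active_suites() {
    # Drop comments, strip an optional [options] group after "deb" (this also
    # covers the CI-masked "[MASKED]" prefix), then print field 3, the suite.
    sed -e 's/#.*$//' \
        -e 's/^\([[:space:]]*deb\)[[:space:]]*\[[^]]*]/\1 /' "$@" |
        awk '$1 == "deb" && NF >= 3 { print $3 }'
}

# Succeed only if an enabled entry names the <codename>-security suite.
has_security_suite() {
    codename=$1
    shift
    active_suites "$@" | grep -qx "${codename}-security"
}

# Write the two listings quoted in the issue into directory $1.
write_samples() {
    cat > "$1/ci.list" <<'EOF'
# deb http://snapshot.debian.org/archive/debian/20230227T000000Z bullseye main
deb [MASKED]debian11 bullseye main
# deb http://snapshot.debian.org/archive/debian/20230227T000000Z bullseye-updates main
deb [MASKED]debian11-updates bullseye-updates main
EOF
    cat > "$1/local.list" <<'EOF'
deb http://deb.debian.org/debian bullseye main
# deb http://snapshot.debian.org/archive/debian-security/20230612T000000Z bullseye-security main
deb http://deb.debian.org/debian-security bullseye-security main
deb http://deb.debian.org/debian bullseye-updates main
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in ci.list local.list; do
    if has_security_suite bullseye "$dir/$f"; then
        echo "$f: bullseye-security enabled"
    else
        echo "$f: bullseye-security MISSING"
    fi
done
rm -rf "$dir"
```

Inside an image build, the same check can run against `/etc/apt/sources.list` before `apt-get update`, so a base image without the security suite stops the build instead of silently installing the older package.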