mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
18f010f228
#20571 ## Summary of changes We have a few moving parts in fleetctl land (`fleetdm/wix` is used to build `msi`s and `fleetdm/bomutils` is used to build `pkg`s, and `fleetdm/fleetctl` can be used to build packages using docker, no need for fleetctl executable): ```mermaid graph LR fleetctl_exec[fleetctl<br>executable]; wix_image[fleetdm/wix<br>docker image]; bomutils_image[fleetdm/bomutils<br>docker image]; fleetctl_image[fleetdm/fleetctl<br>docker image]; fleetctl_exec -- uses --> wix_image; fleetctl_image -- COPY dependencies<br>FROM --> wix_image; fleetctl_exec -- uses --> bomutils_image; fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image; ``` So, we'll need to update the three images: `fleetdm/bomutils`, `fleetdm/wix` & `fleetdm/fleetctl`. - `tools/bomutils-docker/Dockerfile`, `tools/wix-docker/Dockerfile` and `tools/fleetctl-docker/Dockerfile`: Updating the base image to fix the CRITICAL vulnerabilities. - Modified existing+unused `.github/workflows/build-and-check-fleetctl-docker-and-deps.yml` to run every day to check for CRITICAL vulnerabilities in `fleetdm/wix`, `fleetdm/bomutils` and `fleetdm/fleetctl`. - `.github/workflows/goreleaser-fleetctl-docker-deps.yaml`: `fleetdm/bomutils` and `fleetdm/wix` were pushed manually a few years ago (most likely by Zach), so I've added a new action to release them when we have changes to release (like now). It will basically release `fleetctl/bomutils` and `fleetdm/wix` when pushing a tag of the form `fleetctl-docker-deps-*` (we'll need to protect such tag prefix). - Changes in `.github/workflows/test-native-tooling-packaging.yml` to build `fleetdm/bomutils` and `fleetdm/wix` for `fleetdm/fleetctl` to use them instead of the ones in docker hub. -- Build before upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837  Build after upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255550034 - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Manual QA for all new/changed functionality
28 lines
1.3 KiB
Docker
28 lines
1.3 KiB
Docker
FROM debian:stable-slim@sha256:90128f59a7c6f6fdcb6493f587ea352d5c7507f52a6ddfba66fc56cd3d99dc2b AS builder
|
|
|
|
RUN apt-get update
|
|
RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl git
|
|
|
|
# Build bomutils
|
|
RUN git clone -b master \
|
|
--depth=1 --no-tags --progress \
|
|
--no-recurse-submodules https://github.com/hogliux/bomutils.git && \
|
|
cd bomutils && git reset --hard c41ad8b67d82a0071245ce8a5069023d39a885b8 && \
|
|
make && make install
|
|
|
|
# Install xar
|
|
RUN curl -L https://github.com/mackyle/xar/archive/refs/tags/xar-1.6.1.tar.gz > xar.tar.gz && \
|
|
echo "5e7d50dab73f5cb1713b49fa67c455c2a0dd2b0a7770cbc81b675e21f6210e25 xar.tar.gz" | sha256sum --check && \
|
|
tar -xzf xar.tar.gz
|
|
# Note this needs patching due to newer version of OpenSSL
|
|
# See https://github.com/mackyle/xar/pull/23
|
|
COPY patch.txt .
|
|
RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install
|
|
|
|
|
|
FROM debian:stable-slim@sha256:90128f59a7c6f6fdcb6493f587ea352d5c7507f52a6ddfba66fc56cd3d99dc2b
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends libxml2 && rm -rf /var/lib/apt/lists/*
|
|
COPY --from=builder /usr/bin /usr/bin/
|
|
COPY --from=builder /usr/local/bin /usr/local/bin/
|
|
COPY --from=builder /usr/local/lib /usr/local/lib/
|