[anaconda] Refactor Dockerfile to decrease image size (#692)

* [anaconda] Refactor Dockerfile to decrease image size * Update Dockerfile * Resolve review comments - Bump `base` devcontainer version - Update permissions * Update src/anaconda/.devcontainer/Dockerfile Co-authored-by: Samruddhi Khandale <[email protected]> * Revert "Update src/anaconda/.devcontainer/Dockerfile" This reverts commit 4bf3c7b. * Set permissions for `/opt/conda` folder * Restore comment --------- Co-authored-by: Samruddhi Khandale <[email protected]>
devcontainers · Aug 8, 2023 · d394ecd · d394ecd
1 parent 9c256d0
commit d394ecd
Showing 1 changed file with 37 additions and 39 deletions.
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -3,9 +3,44 @@ FROM continuumio/anaconda3:2023.03-1 as upstream
 # Verify OS version is expected one
 RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1; fi
 
+# Temporary: Upgrade python packages due to mentioned CVEs
+# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
+RUN python3 -m pip install \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
+    --upgrade joblib \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
+    cookiecutter \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
+    mistune \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
+    numpy \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
+    werkzeug \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
+    nbconvert \
+   # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
+    tornado
+
+RUN conda install \ 
+    # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
+    pyopenssl=23.2.0 \ 
+    cryptography=41.0.2 \
+    # https://github.com/advisories/GHSA-j8r2-6x86-q33q
+    requests=2.31.0
+
 # Reset and copy updated files with updated privs to keep image size down
-FROM mcr.microsoft.com/devcontainers/base:0-bullseye
-COPY --from=upstream /opt /opt/
+FROM mcr.microsoft.com/devcontainers/base:1-bullseye
+
+ARG USERNAME=vscode
+
+# Create the conda group and add remote user to the group
+RUN groupadd -r conda --gid 900 \ 
+    && usermod -aG conda ${USERNAME}
+
+# Copy opt folder, set ownership and group permissions
+COPY --chown=:conda --chmod=775 --from=upstream /opt/conda /opt/conda
+RUN chmod =2775 /opt/conda
+
 USER root
 
 # Copy scripts to execute
@@ -43,24 +78,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && echo "conda activate base" >> ~/.bashrc \
     && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/add-notice.sh
 
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN python3 -m pip install \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
-    --upgrade joblib \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
-    cookiecutter \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
-    mistune \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
-    numpy \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
-    werkzeug \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
-    nbconvert \
-   # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
-    tornado
-
 # Copy environment.yml (if found) to a temp location so we can update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.
 # COPY environment.yml* .devcontainer/noop.txt /tmp/conda-tmp/
@@ -71,22 +88,3 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 #     && apt-get -y install --no-install-recommends <your-package-list-here>
-
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \ 
-    # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
-    pyopenssl=23.2.0 \ 
-    cryptography=41.0.2 \
-    # https://github.com/advisories/GHSA-j8r2-6x86-q33q
-    requests=2.31.0
-
-# Create conda group, update conda directory permissions, 
-# add user to conda group
-# Note: We need to execute these commands after pip install / conda update 
-# since pip doesn't preserve directory permissions
-RUN groupadd -r conda --gid 900 \
-    && chown -R :conda /opt/conda \
-    && chmod -R g+w /opt/conda \
-    && find /opt -type d | xargs -n 1 chmod g+s \
-    && usermod -aG conda ${USERNAME}