diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 455e054bd..9160c63ba 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -3,9 +3,44 @@ FROM continuumio/anaconda3:2023.03-1 as upstream
 # Verify OS version is expected one
 RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1; fi
 
+# Temporary: Upgrade python packages due to mentioned CVEs
+# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
+RUN python3 -m pip install \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
+ --upgrade joblib \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
+ cookiecutter \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
+ mistune \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
+ numpy \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
+ werkzeug \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
+ nbconvert \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
+ tornado
+
+RUN conda install \
+ # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
+ pyopenssl=23.2.0 \
+ cryptography=41.0.2 \
+ # https://github.com/advisories/GHSA-j8r2-6x86-q33q
+ requests=2.31.0
+
 # Reset and copy updated files with updated privs to keep image size down
-FROM mcr.microsoft.com/devcontainers/base:0-bullseye
-COPY --from=upstream /opt /opt/
+FROM mcr.microsoft.com/devcontainers/base:1-bullseye
+
+ARG USERNAME=vscode
+
+# Create the conda group and add remote user to the group
+RUN groupadd -r conda --gid 900 \
+ && usermod -aG conda ${USERNAME}
+
+# Copy opt folder, set ownership and group permissions
+COPY --chown=:conda --chmod=775 --from=upstream /opt/conda /opt/conda
+RUN chmod =2775 /opt/conda
+
 
 USER root
 # Copy scripts to execute
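Review bot: The `python3 -m pip install --upgrade` in the upstream stage carries no version specifiers, so the "CVE fix" is whatever PyPI serves at build time and a later rebuild can silently land a different, possibly breaking, release; pin each entry to at least its first patched release, e.g. `--upgrade "joblib>=<first-patched-version>"` (one specifier per package), so the remediation is reproducible and auditable, as the `conda install` below already does with `=`. That `conda install` has no `-y`, so it appears to depend on conda's behaviour when stdin is not a terminal; `RUN conda install -y \` makes the non-interactive intent explicit. Because the whole of `/opt/conda` is then copied into the final stage, any package tarballs conda leaves under `/opt/conda/pkgs` end up in the image, which works against the "keep image size down" comment; ending the same instruction with `&& conda clean -afy` avoids that. Note also that `chmod =2775 /opt/conda` sets the setgid bit only on the top-level directory, while the removed `find /opt -type d | xargs -n 1 chmod g+s` applied it to every existing subdirectory, so files the remote user later writes into an existing subdirectory (for example a pip install into site-packages) will presumably carry that user's primary group rather than `conda`; if group-shared writes are still the goal, a recursive setgid on directories is needed here too.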
@@ -43,24 +78,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
  && echo "conda activate base" >> ~/.bashrc \
  && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/add-notice.sh
 
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN python3 -m pip install \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
- --upgrade joblib \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
- cookiecutter \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
- mistune \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
- numpy \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
- werkzeug \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
- nbconvert \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
- tornado
-
 # Copy environment.yml (if found) to a temp location so we can update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.
 # COPY environment.yml* .devcontainer/noop.txt /tmp/conda-tmp/
@@ -71,22 +88,3 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 # && apt-get -y install --no-install-recommends
-
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \
- # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
- pyopenssl=23.2.0 \
- cryptography=41.0.2 \
- # https://github.com/advisories/GHSA-j8r2-6x86-q33q
- requests=2.31.0
-
-# Create conda group, update conda directory permissions,
-# add user to conda group
-# Note: We need to execute these commands after pip install / conda update
-# since pip doesn't preserve directory permissions
-RUN groupadd -r conda --gid 900 \
- && chown -R :conda /opt/conda \
- && chmod -R g+w /opt/conda \
- && find /opt -type d | xargs -n 1 chmod g+s \
- && usermod -aG conda ${USERNAME}