build(docker): Bump dependencies #1618

jesse-c · 2024-03-04T10:11:02Z

Reduces exposure to CVEs.

Testing

$ make build

docker run --rm -it seldonio/mlserver:1.5.0.dev1 pip list | grep cryptography

Looks like the cryptography package isn't there?

It does have other packages, as expected:

$ docker run --rm -it seldonio/mlserver:1.5.0.dev1 pip list | grep huggingface
huggingface-hub                          0.21.3
mlserver-huggingface                     1.5.0.dev1

$ docker run --rm -it seldonio/mlserver:1.5.0.dev1 pip list | grep catboost
catboost                                 1.2.3
mlserver-catboost                        1.5.0.dev1

Reduces exposure to CVEs. **Testing** `$ make build` ``` docker run --rm -it seldonio/mlserver:1.5.0.dev1 pip list | grep cryptography ``` Looks like the cryptography package isn't there? It does have other packages, as expected: ``` $ docker run --rm -it seldonio/mlserver:1.5.0.dev1 pip list | grep huggingface huggingface-hub 0.21.3 mlserver-huggingface 1.5.0.dev1 ``` ``` $ docker run --rm -it seldonio/mlserver:1.5.0.dev1 pip list | grep catboost catboost 1.2.3 mlserver-catboost 1.5.0.dev1 ```

RafalSkolasinski

LGTM

sakoush · 2024-03-04T11:46:47Z

Dockerfile

@@ -1,7 +1,7 @@
 FROM python:3.10-slim AS wheel-builder
 SHELL ["/bin/bash", "-l", "-c"]

-ARG POETRY_VERSION="1.7.1"
+ARG POETRY_VERSION="1.8.1"


a minor question: do we also want to upgrade the lock files to this version of poetry?

Ran it locally, and looks fine:

diff --git a/poetry.lock b/poetry.lock index b5ab6575..f08d211c 100644 --- a/poetry.lock +++ b/poetry.lock @@ -2830,6 +2830,7 @@ description = "Powerful and Pythonic XML processing library combining libxml2/li optional = false python-versions = ">=3.6" files = [ + {file = "lxml-5.1.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:704f5572ff473a5f897745abebc6df40f22d4133c1e0a1f124e4f2bd3330ff7e"}, {file = "lxml-5.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:9d3c0f8567ffe7502d969c2c1b809892dc793b5d0665f602aad19895f8d508da"}, {file = "lxml-5.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:5fcfbebdb0c5d8d18b84118842f31965d59ee3e66996ac842e21f957eb76138c"}, {file = "lxml-5.1.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2f37c6d7106a9d6f0708d4e164b707037b7380fcd0b04c5bd9cae1fb46a856fb"}, @@ -2839,6 +2840,7 @@ files = [ {file = "lxml-5.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:82bddf0e72cb2af3cbba7cec1d2fd11fda0de6be8f4492223d4a268713ef2147"}, {file = "lxml-5.1.0-cp310-cp310-win32.whl", hash = "sha256:b66aa6357b265670bb574f050ffceefb98549c721cf28351b748be1ef9577d93"}, {file = "lxml-5.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:4946e7f59b7b6a9e27bef34422f645e9a368cb2be11bf1ef3cafc39a1f6ba68d"}, + {file = "lxml-5.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:14deca1460b4b0f6b01f1ddc9557704e8b365f55c63070463f6c18619ebf964f"}, {file = "lxml-5.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ed8c3d2cd329bf779b7ed38db176738f3f8be637bb395ce9629fc76f78afe3d4"}, {file = "lxml-5.1.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:436a943c2900bb98123b06437cdd30580a61340fbdb7b28aaf345a459c19046a"}, {file = "lxml-5.1.0-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:acb6b2f96f60f70e7f34efe0c3ea34ca63f19ca63ce90019c6cbca6b676e81fa"}, @@ -2848,6 +2850,7 @@ files = [ {file = "lxml-5.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:f4c9bda132ad108b387c33fabfea47866af87f4ea6ffb79418004f0521e63204"}, {file = "lxml-5.1.0-cp311-cp311-win32.whl", hash = "sha256:bc64d1b1dab08f679fb89c368f4c05693f58a9faf744c4d390d7ed1d8223869b"}, {file = "lxml-5.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:a5ab722ae5a873d8dcee1f5f45ddd93c34210aed44ff2dc643b5025981908cda"}, + {file = "lxml-5.1.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:9aa543980ab1fbf1720969af1d99095a548ea42e00361e727c58a40832439114"}, {file = "lxml-5.1.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:6f11b77ec0979f7e4dc5ae081325a2946f1fe424148d3945f943ceaede98adb8"}, {file = "lxml-5.1.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a36c506e5f8aeb40680491d39ed94670487ce6614b9d27cabe45d94cd5d63e1e"}, {file = "lxml-5.1.0-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f643ffd2669ffd4b5a3e9b41c909b72b2a1d5e4915da90a77e119b8d48ce867a"}, @@ -2873,8 +2876,8 @@ files = [ {file = "lxml-5.1.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:8f52fe6859b9db71ee609b0c0a70fea5f1e71c3462ecf144ca800d3f434f0764"}, {file = "lxml-5.1.0-cp37-cp37m-win32.whl", hash = "sha256:d42e3a3fc18acc88b838efded0e6ec3edf3e328a58c68fbd36a7263a874906c8"}, {file = "lxml-5.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:eac68f96539b32fce2c9b47eb7c25bb2582bdaf1bbb360d25f564ee9e04c542b"}, + {file = "lxml-5.1.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:ae15347a88cf8af0949a9872b57a320d2605ae069bcdf047677318bc0bba45b1"}, {file = "lxml-5.1.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:c26aab6ea9c54d3bed716b8851c8bfc40cb249b8e9880e250d1eddde9f709bf5"}, - {file = "lxml-5.1.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:cfbac9f6149174f76df7e08c2e28b19d74aed90cad60383ad8671d3af7d0502f"}, {file = "lxml-5.1.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:342e95bddec3a698ac24378d61996b3ee5ba9acfeb253986002ac53c9a5f6f84"}, {file = "lxml-5.1.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:725e171e0b99a66ec8605ac77fa12239dbe061482ac854d25720e2294652eeaa"}, {file = "lxml-5.1.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3d184e0d5c918cff04cdde9dbdf9600e960161d773666958c9d7b565ccc60c45"}, @@ -2882,6 +2885,7 @@ files = [ {file = "lxml-5.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:6d48fc57e7c1e3df57be5ae8614bab6d4e7b60f65c5457915c26892c41afc59e"}, {file = "lxml-5.1.0-cp38-cp38-win32.whl", hash = "sha256:7ec465e6549ed97e9f1e5ed51c657c9ede767bc1c11552f7f4d022c4df4a977a"}, {file = "lxml-5.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:b21b4031b53d25b0858d4e124f2f9131ffc1530431c6d1321805c90da78388d1"}, + {file = "lxml-5.1.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:52427a7eadc98f9e62cb1368a5079ae826f94f05755d2d567d93ee1bc3ceb354"}, {file = "lxml-5.1.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:6a2a2c724d97c1eb8cf966b16ca2915566a4904b9aad2ed9a09c748ffe14f969"}, {file = "lxml-5.1.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:843b9c835580d52828d8f69ea4302537337a21e6b4f1ec711a52241ba4a824f3"}, {file = "lxml-5.1.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9b99f564659cfa704a2dd82d0684207b1aadf7d02d33e54845f9fc78e06b7581"},

ask664 · 2024-03-05T13:09:10Z

Dockerfile

@@ -27,8 +27,8 @@ RUN pip install poetry==$POETRY_VERSION && \
 FROM registry.access.redhat.com/ubi9/ubi-minimal
 SHELL ["/bin/bash", "-c"]

-ARG PYTHON_VERSION=3.10.11
-ARG CONDA_VERSION=23.3.1
+ARG PYTHON_VERSION=3.10.12


quick question: Can we update python version - 3.11.6?

Good question! That would require a bit more testing than a minor version bump like this was. Out of curiosity, outside of it being better to be on a later version, are there particular things missing since it's a 3.10 base?

yes, actually version incompatible with mlflow.pyfunc because in mlflow using 3.11.6

@ask664: No update, unfortunately. I've raised this with others.

You could try editing the Dockerfile [1] to bump it to 3.11.x and build an image in the meantime.

[1] https://github.com/SeldonIO/MLServer/blob/master/Dockerfile#L1

jesse-c self-assigned this Mar 4, 2024

jesse-c requested review from RafalSkolasinski and sakoush March 4, 2024 10:11

jesse-c force-pushed the bump-dockerfile-bases branch from f854dd9 to 29b331e Compare March 4, 2024 10:13

RafalSkolasinski approved these changes Mar 4, 2024

View reviewed changes

jesse-c merged commit 6a9990a into SeldonIO:master Mar 4, 2024
20 checks passed

jesse-c deleted the bump-dockerfile-bases branch March 4, 2024 10:31

sakoush reviewed Mar 4, 2024

View reviewed changes

ask664 reviewed Mar 5, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(docker): Bump dependencies #1618

build(docker): Bump dependencies #1618

jesse-c commented Mar 4, 2024 •

edited

RafalSkolasinski left a comment

sakoush Mar 4, 2024

jesse-c Mar 4, 2024

ask664 Mar 5, 2024 •

edited

jesse-c Mar 5, 2024

ask664 Mar 5, 2024

jesse-c Mar 18, 2024

build(docker): Bump dependencies #1618

build(docker): Bump dependencies #1618

Conversation

jesse-c commented Mar 4, 2024 • edited

RafalSkolasinski left a comment

Choose a reason for hiding this comment

sakoush Mar 4, 2024

Choose a reason for hiding this comment

jesse-c Mar 4, 2024

Choose a reason for hiding this comment

ask664 Mar 5, 2024 • edited

Choose a reason for hiding this comment

jesse-c Mar 5, 2024

Choose a reason for hiding this comment

ask664 Mar 5, 2024

Choose a reason for hiding this comment

jesse-c Mar 18, 2024

Choose a reason for hiding this comment

jesse-c commented Mar 4, 2024 •

edited

ask664 Mar 5, 2024 •

edited