[anaconda] Reorg Dockerfile instructions to resolve issue with group permissions and PIP (#569)

* [anaconda] Reorg instructions to resolve group permission issue

- Reorg instructions to resolve issues with PIP and group permission;
- Remove temp patches that are no longer actual;
- Add missing test;

* Update `nbconvert` package

* Reorg steps, update comments

Author: alexander-smolyakov

src/anaconda/.devcontainer/Dockerfile

@@ -3,12 +3,6 @@ FROM continuumio/anaconda3 as upstream
 # Verify OS version is expected one
 RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1; fi
 
-# Update, change owner
-RUN groupadd -r conda --gid 900 \
-    && chown -R :conda /opt/conda \
-    && chmod -R g+w /opt/conda \
-    && find /opt -type d | xargs -n 1 chmod g+s
-
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:0-bullseye
 COPY --from=upstream /opt /opt/
@@ -47,8 +41,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && ln -s /opt/conda/etc/profile.d/conda.sh /etc/profile.d/conda.sh \
     && echo ". /opt/conda/etc/profile.d/conda.sh" >> ~/.bashrc \
     && echo "conda activate base" >> ~/.bashrc \
-    && groupadd -r conda --gid 900 \
-    && usermod -aG conda ${USERNAME} \
     && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/add-notice.sh
 
 # Temporary: Upgrade python packages due to mentioned CVEs
@@ -58,26 +50,16 @@ RUN python3 -m pip install \
     --upgrade joblib \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
     cookiecutter \
-    # https://github.com/advisories/GHSA-39hc-v87j-747x
-    cryptography \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
     mistune \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
     numpy \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
-    certifi \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
-    setuptools \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40899
-    future \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40898
-    wheel \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
-    nbconvert \
     # https://github.com/devcontainers/images/issues/486
     pyOpenssl \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
-    werkzeug
+    werkzeug \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
+    nbconvert
 
 # Copy environment.yml (if found) to a temp location so we can update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.
@@ -89,3 +71,13 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 #     && apt-get -y install --no-install-recommends <your-package-list-here>
+
+# Create conda group, update conda directory permissions, 
+# add user to conda group
+# Note: We need to execute these commands after pip install / conda update 
+# since pip doesn't preserve directory permissions
+RUN groupadd -r conda --gid 900 \
+    && chown -R :conda /opt/conda \
+    && chmod -R g+w /opt/conda \
+    && find /opt -type d | xargs -n 1 chmod g+s \
+    && usermod -aG conda ${USERNAME}

src/anaconda/test-project/test.sh

@@ -63,5 +63,8 @@ check "conda-install" bash -c "conda install -c conda-forge --yes pytorch"
 werkzeug_version=$(python -c "import werkzeug; print(werkzeug.__version__)")
 check-version-ge "werkzeug-requirement" "${werkzeug_version}" "2.2.3"
 
+certifi_version=$(python -c "import certifi; print(certifi.__version__)")
+check-version-ge "certifi-requirement" "${certifi_version}" "2022.12.07"
+
 # Report result
 reportResults