fix(security): switch ingestion-base images to python:3.10-slim-bookworm #28606
akashverma0786 wants to merge 2 commits into
Conversation
Swap operators Dockerfile + Dockerfile.ci from python:3.10-bookworm to the slim variant to reduce baseline CVE surface. Adds a small bootstrap layer (curl ca-certificates gnupg) and three apt packages (pkg-config, libgomp1, procps) needed by mysqlclient, numpy/scipy runtime, and ps/py-spy respectively.

Verified locally: full [all] extras build green, image 4.46 GB, smoke tests pass (metadata CLI, mysqlclient, psycopg2, cx_Oracle, numpy, libgomp, pkg-config, ps).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
🟡 Playwright Results — all passed (16 flaky): ✅ 4256 passed · ❌ 0 failed · 🟡 16 flaky · ⏭️ 88 skipped
🟡 16 flaky test(s) (passed on retry)
How to debug locally:
    # Download playwright-test-results-<shard> artifact and unzip
    npx playwright show-trace path/to/trace.zip   # view trace
Code Review ✅ Approved (Gitar): Migration to python:3.10-slim-bookworm reduces the ingestion-base image attack surface while restoring necessary system dependencies for build and runtime compatibility. No issues found.



Summary
- Swap ingestion/operators/docker/Dockerfile and Dockerfile.ci from python:3.10-bookworm to python:3.10-slim-bookworm to reduce baseline CVE surface in the ingestion-base images
- Add three apt packages the slim base lacks: pkg-config (for mysqlclient's source build), libgomp1 (runtime for numpy/scipy/sklearn wheels), procps (provides ps for py-spy / debugging)
- Add a bootstrap RUN installing curl ca-certificates gnupg before the Microsoft apt-key + repo lines, since slim doesn't preinstall those

Test plan
- docker build -f ingestion/operators/docker/Dockerfile --build-arg RI_VERSION=1.9.17.6 . succeeds locally (arm64, ~10 min, 4.46 GB image)
- Smoke tests: metadata --version, python -c "import mysql, psycopg2, cx_Oracle, numpy, sqlalchemy, pyhive", libgomp.so.1 loadable, ps / pkg-config present — all pass
- CI workflows docker-openmetadata-ingestion-base{,-slim}.yml and py-operator-build-test.yml on linux/amd64
- Trivy scan (trivy-scan-ingestion-base-slim-image.yml) shows reduced CVE count vs. previous full-bookworm baseline

🤖 Generated with Claude Code
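The test plan above verifies the restored dependencies by hand. The script below is an added example, not code from this PR or from the OpenMetadata repository: it turns those same checks into shell functions (ps from procps, pkg-config, the curl/gpg bootstrap tools, libgomp.so.1 present on disk, the Python imports, and the metadata CLI) so the check can be run inside the built image after any future base-image change. The Python module list, the shared-library search directories, the `--run` flag and the image name in the usage comment are assumptions of this example, not values taken from the repository.

```shell
#!/bin/sh
# Added example, not OpenMetadata's own code: smoke-test the slim-bookworm
# ingestion-base image for the dependencies the PR re-adds. Every check is a
# function returning 0/1, so the file can be sourced or run with --run:
#   docker run --rm --entrypoint sh <ingestion-base-image> -s -- --run < smoke.sh
# Assumptions: the module list, library search roots and image name are
# illustrative and not taken from the repository.
set -eu

# What each restored package must provide on the slim base.
REQUIRED_CMDS="ps pkg-config curl gpg"           # procps, pkg-config, bootstrap layer (curl/gnupg)
REQUIRED_LIBS="libgomp.so.1"                      # libgomp1: OpenMP runtime used by numpy/scipy/sklearn wheels
REQUIRED_PY_MODULES="mysql psycopg2 cx_Oracle numpy sqlalchemy pyhive"   # assumed import list
LIB_DIRS="/usr/lib /lib /usr/lib64 /lib64"        # assumed search roots for shared objects

# check_cmd NAME [ignored] -> 0 if NAME resolves on PATH, 1 otherwise
check_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# check_shared_lib SONAME "DIR DIR ..." -> 0 if a file named SONAME exists under any DIR
check_shared_lib() {
    soname=$1
    for d in $2; do
        [ -d "$d" ] || continue
        if [ -n "$(find "$d" -name "$soname" 2>/dev/null | head -n 1)" ]; then
            return 0
        fi
    done
    return 1
}

# check_py_import MODULE [ignored] -> 0 if the image's python can import MODULE
check_py_import() {
    python -c "import $1" >/dev/null 2>&1
}

# missing_items CHECK_FN "ITEM ITEM ..." [EXTRA] -> prints every ITEM for which
# "CHECK_FN ITEM EXTRA" fails, one per line; returns 0 if nothing is missing, else 1
missing_items() {
    fn=$1; items=$2; extra=${3:-}
    rc=0
    for item in $items; do
        if ! "$fn" "$item" "$extra"; then
            printf '%s\n' "$item"
            rc=1
        fi
    done
    return $rc
}

# run_smoke -> prints a report of missing items, returns 0 only if every check passed
run_smoke() {
    status=0
    echo "== commands (procps, pkg-config, curl/gnupg bootstrap)"
    missing_items check_cmd "$REQUIRED_CMDS" || status=1
    echo "== shared libraries (libgomp1)"
    missing_items check_shared_lib "$REQUIRED_LIBS" "$LIB_DIRS" || status=1
    echo "== python imports"
    missing_items check_py_import "$REQUIRED_PY_MODULES" || status=1
    echo "== metadata CLI"
    if check_cmd metadata; then metadata --version || status=1; else echo "metadata"; status=1; fi
    if [ "$status" -eq 0 ]; then echo "SMOKE OK"; else echo "SMOKE FAILED (items listed above are missing)"; fi
    return "$status"
}

# Run the full report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_smoke
fi
```

Because each check is a plain function, the same file doubles as a CI step: a non-zero exit from `run_smoke` fails the job and the report names exactly which package or module the slim base is still missing.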