Alpine conversion due to Debian Critical Vulns

docker/Dockerfile

@@ -1,14 +1,18 @@
 # BUILD STAGE ---------------------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM python:3.10-bullseye as BuildStage
+FROM python:alpine3.19 as BuildStage
 # from now on, work in the /app directory
 WORKDIR /app/
 # Layer dependency install (for caching)
 COPY ./packages/requires.txt ./base_requires.txt
 COPY ./packages/opal-common/requires.txt ./common_requires.txt
 COPY ./packages/opal-client/requires.txt ./client_requires.txt
 COPY ./packages/opal-server/requires.txt ./server_requires.txt
+
+# add required packages with apk
+RUN apk add gcc musl-dev linux-headers python3-dev zlib-dev libffi-dev libgit2-dev
+
 # install python deps
 RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./base_requires.txt -r ./common_requires.txt -r ./client_requires.txt -r ./server_requires.txt
 
@@ -24,22 +28,25 @@ RUN cd /tmp/cedar-agent && \
 
 # COMMON IMAGE --------------------------------------
 # ---------------------------------------------------
-FROM python:3.10-slim-bullseye as common
+FROM python:alpine3.19 as common
 
 # copy libraries from build stage (This won't copy redundant libraries we used in BuildStage)
 COPY --from=BuildStage /usr/local /usr/local
+COPY --from=BuildStage /etc/apk/repositories /etc/apk/repositories
 
 # Add non-root user (with home dir at /opal)
-RUN useradd -m -b / -s /bin/bash opal
+RUN adduser -s /bin/bash -h /opal --disabled-password opal
 WORKDIR /opal
 
+RUN apk add bash
+
 # copy wait-for script (create link at old path to maintain backward compatibility)
 COPY scripts/wait-for.sh .
 RUN chmod +x ./wait-for.sh
 RUN ln -s /opal/wait-for.sh /usr/wait-for.sh
 
 # netcat (nc) is used by the wait-for.sh script
-RUN apt-get update && apt-get install -y netcat jq && apt-get clean
+RUN apk update && apk add netcat-openbsd jq libgit2-dev
 
 # copy startup script (create link at old path to maintain backward compatibility)
 COPY ./scripts/start.sh .
@@ -142,7 +149,7 @@ USER opal
 # ---------------------------------------------------
 FROM common as server
 
-RUN apt-get update && apt-get install -y openssh-client git curl && apt-get clean
+RUN apk update && apk add openssh-client git curl
 
 USER opal
 
@@ -195,4 +202,4 @@ ENV OPAL_POLICY_REPO_REUSE_CLONE_PATH=true
 
 # expose opal server port
 EXPOSE 7002
-USER opal
+USER opal

packages/opal-client/opal_client/engine/runner.py

@@ -130,11 +130,9 @@ async def _run_process_until_terminated(self) -> int:
         )
 
         if self._piped_logs_format != EngineLogFormat.NONE:
-            await asyncio.wait(
-                [
-                    self.pipe_logs(self._process.stdout, self._piped_logs_format),
-                    self.pipe_logs(self._process.stderr, self._piped_logs_format),
-                ]
+            await asyncio.gather(
+                self.pipe_logs(self._process.stdout, self._piped_logs_format),
+                self.pipe_logs(self._process.stderr, self._piped_logs_format)
             )
 
         return_code = await self._process.wait()

packages/opal-server/requires.txt

@@ -3,7 +3,7 @@ permit-broadcaster[postgres,redis,kafka]>=0.2.0,<1
 gitpython>=3.1.32,<4
 pyjwt[crypto]>=2.1.0,<3
 websockets>=10.3,<11
-ddtrace>=1.1.4,<2
+ddtrace>=2.4.0
 slowapi>=0.1.5,<1
 # slowapi is stuck on and old `redis`, so fix that and switch from aioredis to redis
 pygit2>=1.9.2,<2