DON'T MERGE - SEE DESCRIPTION: 3.41.1 curl / libcurl patch
Created by: ggilmore
This PR should not be merged. It only serves as an easy way to see what's changed.
This PR is ready for review, but I left it as a draft so that people can't accidentally merge it.
If this PR is good to go, refer to the bottom of the PR description to see how to get the list of images that you can republish to dockerhub.
overview
This PR upgrades the `curl` and `libcurl` versions to 7.79.0-r2 or 7.80.0-r2 in the following images:
- syntax-highlighter
- migrator
- jaeger-all-in-one
- postgres_exporter
- worker
- searcher
- precise-code-intel-worker
- repo-updater
- symbols
- github-proxy
- gitserver
- indexed-searcher
- frontend
- minio
- search-indexer
Overall plan
For each of the above services, I replaced their original Dockerfiles with one that pulls the original docker file and `apk upgrade`'d the `curl` and `libcurl` packages (if they were installed in the image to begin with).
One complication that came up is that most of our images run as a non-root user, but we need root permissions in order to upgrade packages. I worked around this by running `USER root` before the `apk upgrade` commands, and adding some defensive checks to ensure that we switch back to the original user after the upgrade completes.
what to code review
Ideally, it would be nice if someone could:
- verify that the Trivy reports are acceptable
- verify that I didn't accidentally fat-finger/typo something in the Dockerfiles that I modified, including the running user and/or the `ENTRYPOINT`s
- Once the above two steps are complete, you can use something like the following to get the list of GCR candidate images and then publish those to dockerhub under whatever tag you choose: `sg ci logs --build $BUILDKITE_JOB_NUMBER --state "" | grep "^\s*us.gcr.io/sourcegraph-dev"`
- close this PR
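A reviewer-side check for the running-user and `ENTRYPOINT` item above, as an added example that is not part of this PR or the project's own code. The sample Dockerfiles, the image reference, the `sourcegraph` user name and the `review` function are assumptions constructed for illustration.

```python
import re

# Constructed samples of the pattern the PR describes; the image reference,
# tag and user name are placeholders, not values taken from the PR.
PATCHED_OK = """\
FROM example.invalid/sourcegraph/searcher:ORIGINAL_TAG
USER root
RUN apk --no-cache upgrade curl libcurl
USER sourcegraph
"""
PATCHED_BAD = """\
FROM example.invalid/sourcegraph/searcher:ORIGINAL_TAG
USER root
RUN apk --no-cache upgrade curl libcurl
"""

def instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""

def review(dockerfile, expected_user, expected_entrypoint=None):
    """Return a list of findings; an empty list means every check passed."""
    findings, user, upgraded = [], None, False
    for op, arg in instructions(dockerfile):
        if op == "FROM":
            user = None  # new stage: the user is inherited from the base image
        elif op == "USER":
            user = arg
        elif op == "RUN" and re.search(r"\bapk\b.*\bupgrade\b", arg):
            upgraded = True
            if user not in ("root", "0"):
                findings.append("apk upgrade runs without an explicit USER root")
        elif op == "ENTRYPOINT" and expected_entrypoint not in (None, arg):
            findings.append(f"ENTRYPOINT is {arg!r}, expected {expected_entrypoint!r}")
    if not upgraded:
        findings.append("no apk upgrade found")
    if user != expected_user:
        findings.append(f"final USER is {user!r}, expected {expected_user!r}")
    return findings
```

The expected user and entrypoint for each image have to come from the original image's configuration; the check only compares the patched Dockerfile against the values it is given.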