Merge branch 'st-1388-automatic-security-updates' into 'master'

ST-1388: Weekly automation for building OCI images with security updates

See merge request ska-telescope/ska-tango-images!177

.make @ 3db25005

-Subproject commit aa07ec5c7d7f8805cc2369703e630b6d2230d536
+Subproject commit 3db25005b85fc0413cdb1eb3678997f816429f23

.release

-release=0.3.25
-tag=0.3.25
+release=0.3.26
+tag=0.3.26

charts/ska-tango-base/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 0.3.23
 description: A Helm chart for deploying the TANGO base system on Kubernetes
 name: ska-tango-base
-version: 0.3.25
+version: 0.3.26
 icon: https://www.skatelescope.org/wp-content/uploads/2016/07/09545_NEW_LOGO_2014.png
 dependencies:
 - name: ska-tango-util

charts/ska-tango-umbrella/Chart.yaml

@@ -6,7 +6,7 @@ version: 0.2.6
 icon: https://www.skatelescope.org/wp-content/uploads/2016/07/09545_NEW_LOGO_2014.png
 dependencies:
 - name: ska-tango-base
-  version: 0.3.25
+  version: 0.3.26
   repository: file://../ska-tango-base
   condition: ska-tango-base.enabled,global.sub-system.ska-tango-base.enabled
 - name: ska-tango-util

images/ska-tango-images-pytango-builder/.release

-release=9.3.33
-tag=9.3.33
+release=9.3.34
+tag=9.3.34
 

images/ska-tango-images-pytango-builder/Dockerfile

@@ -11,6 +11,7 @@ ARG CAR_PYPI_REPOSITORY_URL
 ARG CAR_OCI_REGISTRY_HOST
 ARG BASE_IMAGE="${CAR_OCI_REGISTRY_HOST}/ska-tango-images-tango-cpp:9.3.7"
 FROM $BASE_IMAGE
+ARG DEBIAN_FRONTEND=noninteractive
 
 LABEL \
       author="Matteo Di Carlo <matteo.dicarlo@inaf.it>" \
@@ -23,17 +24,15 @@ LABEL \
 
 USER root
 
-
-
 # Install build dependencies:
-#
 # * build-essential installs C/C++ compilers and build tools
 # * libboost-python-dev is required to bind PyTango to the C++ Tango libs
 # * pkg-config is used to locate required libraries
 # * git is required for Python packages using katversion for release info
-#
-RUN apt-get update \
-    && apt-get -y install --no-install-recommends build-essential \
+
+RUN apt-get update && \
+      apt-get install -y --no-install-recommends \
+      build-essential \
       libboost-python-dev \
       pkg-config \
       python3-distutils \
@@ -57,7 +56,5 @@ RUN python3 -m pip install --no-cache-dir numpy==1.23.0
 # Install poetry as a binary
 ENV POETRY_HOME=/opt/poetry
 RUN curl -sSL https://install.python-poetry.org | python3 - --yes
-
 RUN python3 -m pip install --no-cache-dir pytango==9.3.6
-
 RUN ln -sfn /usr/bin/python3 /usr/bin/python && ln -sfn /opt/poetry/bin/poetry /usr/local/bin/poetry

images/ska-tango-images-pytango-runtime/.release

-release=9.3.20
-tag=9.3.20
+release=9.3.21
+tag=9.3.21

images/ska-tango-images-pytango-runtime/Dockerfile

@@ -10,6 +10,7 @@ ARG BASE_IMAGE="${CAR_OCI_REGISTRY_HOST}/ska-tango-images-tango-cpp:9.3.11"
 
 FROM ${BUILD_IMAGE} as buildenv
 FROM $BASE_IMAGE
+ARG DEBIAN_FRONTEND=noninteractive
 
 LABEL \
       author="Matteo Di Carlo <matteo.dicarlo@inaf.it>" \
@@ -22,17 +23,14 @@ LABEL \
 
 USER root
 
-
 # Permanently install Python and PyTango runtime dependencies:
 #
 # * libboost-python is required by PyTango;
 # * make is required to manage execution of the tests inside the container
 # * python3 is required as this image is intended for running Python Tango
 #   devices.
-#
-
-RUN apt-get update \
-    && apt-get -y install --no-install-recommends \
+RUN apt-get update && \
+      apt-get install -y --no-install-recommends \
       libboost-python1.74.0 \
       ca-certificates \
       make \

images/ska-tango-images-tango-admin/.release

-release=1.15.6
-tag=1.15.6
+release=1.15.7
+tag=1.15.7

images/ska-tango-images-tango-cpp/.release

-release=9.3.12
-tag=9.3.12
+release=9.3.13
+tag=9.3.13

images/ska-tango-images-tango-cpp/Dockerfile

@@ -7,11 +7,10 @@ ARG CAR_OCI_REGISTRY_HOST
 ARG BUILD_IMAGE="${CAR_OCI_REGISTRY_HOST}/ska-tango-images-tango-dependencies:9.3.5"
 ARG BASE_IMAGE="ubuntu:22.04"
 FROM $BUILD_IMAGE as buildenv
-
-
+ARG DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && \
-    apt-get -y install --no-install-recommends \
+    apt-get install -y --no-install-recommends \
     build-essential \
     ca-certificates \
     cmake \
@@ -19,11 +18,15 @@ RUN apt-get update && \
     file \
     git \
     libmariadbclient-dev-compat \
-        pkg-config python3
+    pkg-config \
+    python3 \
+    unattended-upgrades
 
+# Apply security upgrades (base image is not patched)
+RUN unattended-upgrade
+RUN apt-get purge unattended-upgrades -y
 
 # build and install tangoidl
-
 RUN mkdir -p /usr/src/idl
 WORKDIR /usr/src/idl
 
@@ -61,6 +64,7 @@ RUN git clone --depth 1 https://gitlab.com/tango-controls/TangoDatabase.git /usr
 
 
 FROM $BASE_IMAGE
+ARG DEBIAN_FRONTEND=noninteractive
 
 LABEL \
     author="Matteo Di Carlo <matteo.dicarlo@inaf.it>" \
@@ -74,8 +78,9 @@ LABEL \
 COPY --from=buildenv /usr/local /usr/local
 
 RUN apt-get update && \
-    apt-get -y install --no-install-recommends \
-        libmariadb3 sudo
+    apt-get install -y --no-install-recommends \
+    libmariadb3 \
+    sudo
 
 RUN useradd --create-home --home-dir /home/tango tango
 

images/ska-tango-images-tango-databaseds/.release

-release=5.16.6
-tag=5.16.6
+release=5.16.7
+tag=5.16.7

images/ska-tango-images-tango-db/.release

-release=10.4.18
-tag=10.4.18
+release=10.4.19
+tag=10.4.19

images/ska-tango-images-tango-db/Dockerfile

 ARG BASE_IMAGE="mariadb:10.7.4-focal"
 FROM $BASE_IMAGE AS builder
+ARG DEBIAN_FRONTEND=noninteractive
 
 ENV TANGO_DOWNLOAD_URL=https://artefact.skao.int/repository/raw-internal/ska-tango-images/libraries/tango-9.3.4.tar.gz
 
 RUN apt-get update && \
-     apt-get -y install --no-install-recommends curl ca-certificates
+    apt-get install -y --no-install-recommends \
+    curl \
+    ca-certificates \
+    unattended-upgrades
+
+# Apply security upgrades (base image is not patched)
+RUN unattended-upgrade
+RUN apt-get purge unattended-upgrades -y
 
 RUN mkdir -p /usr/src/tango
 

images/ska-tango-images-tango-dependencies/.release

-release=9.3.11
-tag=9.3.11
+release=9.3.12
+tag=9.3.12

images/ska-tango-images-tango-dependencies/Dockerfile

@@ -5,6 +5,7 @@
 #
 ARG BASE_IMAGE="ubuntu:22.04"
 FROM $BASE_IMAGE as buildenv
+ARG DEBIAN_FRONTEND=noninteractive
 
 ENV ZEROMQ_DOWNLOAD_URL=https://github.com/zeromq/libzmq/archive/v4.3.4.tar.gz
 ENV CPPZMQ_DOWNLOAD_URL=https://github.com/zeromq/cppzmq/archive/v4.8.1.tar.gz
@@ -16,10 +17,24 @@ COPY wait-for-it.sh /usr/local/bin/wait-for-it.sh
 COPY retry.sh /usr/local/bin/retry
 
 RUN apt-get update && \
-    apt-get -y install --no-install-recommends \
-        autoconf automake build-essential ca-certificates \
-        curl libkrb5-dev libtool pkg-config unzip \
-        cmake python3-dev python3-pkgconfig
+    apt-get install -y --no-install-recommends \
+    autoconf \
+    automake \
+    build-essential \
+    ca-certificates \
+    curl \
+    libkrb5-dev \
+    libtool \
+    pkg-config \
+    unzip \
+    cmake \
+    python3-dev \
+    python3-pkgconfig \
+    unattended-upgrades
+
+# Apply security upgrades (base image)
+RUN unattended-upgrade
+RUN apt-get purge unattended-upgrades -y
 
 RUN mkdir /usr/src/zeromq
 WORKDIR /usr/src/zeromq

images/ska-tango-images-tango-dsconfig/.release

-release=1.5.8
-tag=1.5.8
+release=1.5.9
+tag=1.5.9

images/ska-tango-images-tango-itango/.release

-release=9.3.11
-tag=9.3.11
+release=9.3.12
+tag=9.3.12

images/ska-tango-images-tango-itango/Dockerfile

@@ -4,6 +4,7 @@ ARG BASE_IMAGE="${CAR_OCI_REGISTRY_HOST}/ska-tango-images-pytango-runtime:9.3.12
 
 FROM $BUILD_IMAGE as buildenv
 FROM $BASE_IMAGE
+ARG DEBIAN_FRONTEND=noninteractive
 
 LABEL \
       author="Matteo Di Carlo <matteo.dicarlo@inaf.it>" \
@@ -15,7 +16,9 @@ LABEL \
       int.skao.application="ITango"
 
 USER root
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y procps
+RUN apt-get update && \
+      apt-get install -y --no-install-recommends \
+      procps 
 
 USER tango
 

images/ska-tango-images-tango-java/.release

-release=9.3.8
-tag=9.3.8
+release=9.3.9
+tag=9.3.9