From c10c90b3257ea397fea903ff02f0d5bfadff8c85 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Fri, 16 Feb 2024 18:55:36 +0900 Subject: [PATCH] Updated according security and style recommendations --- Dockerfiles/agent/rhel/Dockerfile | 2 +- Dockerfiles/agent2/rhel/Dockerfile | 2 +- Dockerfiles/proxy-mysql/README.md | 2 +- Dockerfiles/proxy-mysql/rhel/Dockerfile | 2 +- Dockerfiles/proxy-sqlite3/rhel/Dockerfile | 2 +- Dockerfiles/server-mysql/rhel/Dockerfile | 2 +- .../web-apache-mysql/ubuntu/Dockerfile | 2 +- Dockerfiles/web-nginx-mysql/rhel/Dockerfile | 2 +- Dockerfiles/web-service/rhel/Dockerfile | 35 ++++++++++--------- 9 files changed, 26 insertions(+), 25 deletions(-) diff --git a/Dockerfiles/agent/rhel/Dockerfile b/Dockerfiles/agent/rhel/Dockerfile index 94ba272a8..9d2aecece 100644 --- a/Dockerfiles/agent/rhel/Dockerfile +++ b/Dockerfiles/agent/rhel/Dockerfile @@ -58,7 +58,7 @@ RUN set -eux && \ shadow-utils \ pcre2 \ libcurl" && \ - curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \ microdnf -y install \ diff --git a/Dockerfiles/agent2/rhel/Dockerfile b/Dockerfiles/agent2/rhel/Dockerfile index cb997b91b..d919334ee 100644 --- a/Dockerfiles/agent2/rhel/Dockerfile +++ b/Dockerfiles/agent2/rhel/Dockerfile 
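Review bot: The EPEL release package is still passed straight from `curl` to `rpm -ivh` with no checksum or signature check in between, and the `epel-release-latest-8` URL is not pinned to a specific build. The added `--tlsv1.2 -sSf` hardens the transport and makes HTTP errors fail the step, but `-L` still follows redirects and nothing visible here restricts them to HTTPS; adding `--proto '=https'` next to `--tlsv1.2` would do that. Consider importing the EPEL signing key and running `rpm -K /tmp/epel-release-latest-8.noarch.rpm` before the install, or comparing the file against a pinned SHA-256. The same line appears in the agent2, proxy-mysql, proxy-sqlite3, server-mysql, web-nginx-mysql and web-service RHEL Dockerfiles in this patch (with `-9` in web-service). The RUN instruction starts before and continues after each of these hunks.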
@@ -65,7 +65,7 @@ RUN set -eux && \ smartmontools \ sudo \ libcurl" && \ - curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \ microdnf -y install \ diff --git a/Dockerfiles/proxy-mysql/README.md b/Dockerfiles/proxy-mysql/README.md index f95682e96..a9abfc711 100644 --- a/Dockerfiles/proxy-mysql/README.md +++ b/Dockerfiles/proxy-mysql/README.md @@ -113,7 +113,7 @@ This variable is port Zabbix server listening on. By default, value is `10051`. This variable is IP or DNS name of MySQL server. By default, value is 'mysql-server' ### `DB_SERVER_PORT` - + This variable is port of MySQL server. By default, value is '3306'. ### `MYSQL_USER`, `MYSQL_PASSWORD`, `MYSQL_USER_FILE`, `MYSQL_PASSWORD_FILE` diff --git a/Dockerfiles/proxy-mysql/rhel/Dockerfile b/Dockerfiles/proxy-mysql/rhel/Dockerfile index 2eedd3746..d817eb708 100644 --- a/Dockerfiles/proxy-mysql/rhel/Dockerfile +++ b/Dockerfiles/proxy-mysql/rhel/Dockerfile @@ -73,7 +73,7 @@ RUN set -eux && \ pcre2 \ gzip \ unixODBC" && \ - curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \ microdnf -y module enable mysql && \ diff --git a/Dockerfiles/proxy-sqlite3/rhel/Dockerfile b/Dockerfiles/proxy-sqlite3/rhel/Dockerfile index 4e564fe20..1098458cc 100644 --- a/Dockerfiles/proxy-sqlite3/rhel/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/rhel/Dockerfile 
@@ -70,7 +70,7 @@ RUN set -eux && \ pcre2 \ sqlite-libs \ unixODBC" && \ - curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \ microdnf -y install \ diff --git a/Dockerfiles/server-mysql/rhel/Dockerfile b/Dockerfiles/server-mysql/rhel/Dockerfile index 51f8f822b..f7483c86f 100644 --- a/Dockerfiles/server-mysql/rhel/Dockerfile +++ b/Dockerfiles/server-mysql/rhel/Dockerfile @@ -75,7 +75,7 @@ RUN set -eux && \ pcre2 \ gzip \ unixODBC" && \ - curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \ microdnf -y module enable mysql && \ diff --git a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile index 8e8223ad3..3665501d6 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile @@ -104,7 +104,7 @@ RUN set -eux && \ rm -rf /var/lib/apt/lists/* EXPOSE 8080/TCP 8443/TCP - + WORKDIR /usr/share/zabbix COPY ["docker-entrypoint.sh", "/usr/bin/"] diff --git a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile index cb5740346..9233007fa 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile 
@@ -66,7 +66,7 @@ RUN set -eux && \ php-mbstring \ php-mysqlnd \ php-xml" && \ - curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \ rm -rf /tmp/epel-release-latest-8.noarch.rpm && \ microdnf -y module enable mysql && \ diff --git a/Dockerfiles/web-service/rhel/Dockerfile b/Dockerfiles/web-service/rhel/Dockerfile index 7e89ad29c..068dc6156 100644 --- a/Dockerfiles/web-service/rhel/Dockerfile +++ b/Dockerfiles/web-service/rhel/Dockerfile @@ -1,12 +1,12 @@ # syntax=docker/dockerfile:1 -ARG MAJOR_VERSION=6.0 -ARG RELEASE=26 -ARG ZBX_VERSION=${MAJOR_VERSION}.26 +ARG MAJOR_VERSION=7.0 +ARG RELEASE=0 +ARG ZBX_VERSION=${MAJOR_VERSION} ARG BUILD_BASE_IMAGE=zabbix-build-mysql:rhel-${ZBX_VERSION} -FROM ${BUILD_BASE_IMAGE} as builder +FROM ${BUILD_BASE_IMAGE} AS builder -FROM registry.access.redhat.com/ubi8/ubi-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3 ARG MAJOR_VERSION ARG RELEASE @@ -19,9 +19,9 @@ ENV TERM=xterm \ LABEL description="Zabbix web service for performing various tasks using headless web browser" \ maintainer="alexey.pustovalov@zabbix.com" \ - name="zabbix/zabbix-web-service-60" \ + name="zabbix/zabbix-web-service-trunk" \ release="${RELEASE}" \ - run="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-60:${ZBX_VERSION}" \ + run="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-trunk:${ZBX_VERSION}" \ summary="Zabbix web service" \ url="https://www.zabbix.com/" \ vendor="Zabbix LLC" \ 
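Review bot: The new base image in `Dockerfiles/web-service/rhel/Dockerfile`, `registry.access.redhat.com/ubi9/ubi-minimal:9.3`, is pinned by tag only, and a tag can be re-pointed to different content on the registry, so two builds of this file are not guaranteed to start from the same base. Adding the digest, `FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3@sha256:<digest>`, makes the base reproducible and auditable; `<digest>` is a placeholder to be taken from the registry. A short comment above the `FROM` saying how and when the pin is refreshed would help whoever bumps it next.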
@@ -32,7 +32,7 @@ LABEL description="Zabbix web service for performing various tasks using headles
 io.openshift.tags="zabbix,zabbix-web-service" \
 org.label-schema.build-date="${BUILD_DATE}" \
 org.label-schema.description="Zabbix web service for performing various tasks using headless web browser" \
- org.label-schema.docker.cmd="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-60:${ZBX_VERSION}" \
+ org.label-schema.docker.cmd="docker run --name zabbix-web-service --link zabbix-server:zabbix-server -p 10053:10053 -d registry.connect.redhat.com/zabbix/zabbix-web-service-trunk:${ZBX_VERSION}" \
 org.label-schema.license="GPL v2.0" \
 org.label-schema.name="zabbix-web-service-rhel" \
 org.label-schema.schema-version="1.0" \
@@ -53,15 +53,16 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 shadow-utils \
 chromium-headless" && \
- curl -sSL -o /tmp/epel-release-latest-8.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
- rpm -ivh /tmp/epel-release-latest-8.noarch.rpm && \
- rm -rf /tmp/epel-release-latest-8.noarch.rpm && \
+ curl --tlsv1.2 -sSf -L -o /tmp/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+ rpm -ivh /tmp/epel-release-latest-9.noarch.rpm && \
+ rm -rf /tmp/epel-release-latest-9.noarch.rpm && \
+ ARCH_SUFFIX="$(arch)"; \
 microdnf -y install \
 --disablerepo "*" \
- --enablerepo "ubi-8-baseos-rpms" \
- --enablerepo "ubi-8-appstream-rpms" \
- --enablerepo "rhel-8-for-x86_64-baseos-rpms" \
- --enablerepo "rhel-8-for-x86_64-appstream-rpms" \
+ --enablerepo "ubi-9-baseos-rpms" \
+ --enablerepo "ubi-9-appstream-rpms" \
+ --enablerepo "rhel-9-for-$ARCH_SUFFIX-baseos-rpms" \
+ --enablerepo "rhel-9-for-$ARCH_SUFFIX-appstream-rpms" \
 --enablerepo "epel" \
 --setopt=install_weak_deps=0 \
 --best \
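Review bot: The added `ARCH_SUFFIX="$(arch)"; \` ends with `;` where every other step of this RUN is joined with `&&`, and that breaks the fail-fast chain. Under `set -e`, a failing command that is not the last one in an `&&` list does not exit the shell, so if `curl`, `rpm -ivh` or `rm` fails the list is abandoned and execution continues with `microdnf -y install` after the `;`. The build would then likely stop only because `set -u` trips on the unset `$ARCH_SUFFIX`, with an error that hides the real failure. Use `ARCH_SUFFIX="$(arch)" && \` so a failed EPEL download or install stops the build at that step. The RUN instruction starts before and continues after this hunk.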
@@ -69,8 +70,8 @@ RUN set -eux && \
 ${INSTALL_PKGS} && \
 microdnf -y install \
 --disablerepo "*" \
- --enablerepo "ubi-8-baseos-rpms" \
- --enablerepo "ubi-8-appstream-rpms" \
+ --enablerepo "ubi-9-baseos-rpms" \
+ --enablerepo "ubi-9-appstream-rpms" \
 --setopt=install_weak_deps=0 \
 --best \
 --setopt=tsflags=nodocs \