Revert to a working state after failed CVE remediation (#7)

bfichter · web-flow · commit 6114bf7120f2 · 2025-03-26T08:35:33.000-04:00
* Revert "Distroless fix (#6)" This reverts commit 9592d71. * Revert "Use python distroless instead of copying python into google distroless, as 2F scanning does not like that for some reason (#5)" This reverts commit df7d12b.
diff --git a/build/Dockerfile.distroless b/build/Dockerfile.distroless
@@ -1,3 +1,11 @@
+# This is our strategy for getting a clean (from CVE perspective) base image for python-based services.
+# This mostly takes from https://github.com/alexdmoss/distroless-python
+# We need to build our own to be able to get new debian versions with fixes.
+
+# Google periodically updates distroless images but just uses latest
+# CVEs will typically get fixed in versions (e.g deb12u7) and we'll need to rebuild this to incorporate them.
+ARG GOOGLE_DISTROLESS_BASE_IMAGE=gcr.io/distroless/cc-debian12:latest
+
 # ARG instructions do not create additional layers. Instead, next layers will
 # concatenate them. Also, we have to repeat ARG instructions in each build
 # stage that uses them.
@@ -173,15 +181,10 @@ RUN \
 # https://github.com/arachnys/athenapdf/commit/ba25a8d80a25d08d58865519c4cd8756dc9a336d.
 COPY build/fonts.conf /etc/fonts/conf.d/100-gotenberg.conf
 
-# ----------------------------------------------
-# Python copy stage
-# ----------------------------------------------
-FROM public.ecr.aws/j9h1x6x3/distroless-python:latest AS python-source
-
 # ----------------------------------------------
 # Final stage
 # ----------------------------------------------
-FROM gcr.io/distroless/cc-debian12:latest AS base
+FROM ${GOOGLE_DISTROLESS_BASE_IMAGE} AS base
 
 # Set platform-specific CHIPSET_ARCH
 FROM base AS base-amd64
@@ -196,9 +199,9 @@ ARG TARGETARCH
 FROM base-${TARGETARCH}
 
 # Required for unoconverter
-COPY --from=python-source /usr/local/bin/python /usr/bin/python
-COPY --from=python-source /usr/local/bin/python /usr/bin/python3
-COPY --from=python-source /usr/local/bin/python /usr/bin/python3.11
+COPY --from=gotenberg-binary-stage /usr/bin/python /usr/bin/python
+COPY --from=gotenberg-binary-stage /usr/lib/python3 /usr/lib/python3
+COPY --from=gotenberg-binary-stage /usr/lib/python3.11 /usr/lib/python3.11
 
 ENV PYTHONPATH="/usr/local/lib/python3.11/dist-packages:"
 
