Thank you Even, these are very helpful suggestions. I tried removing jdk and flattening the image but jdk was still there in the diff folder.
Because of other dependencies, we are trying to stay with v3.8. I tried to regenerate using v3.8.5 (git hash 1d418c1). I updated ARG ARROW_VERSION=15.0.2-1 after getting the error

> The following packages have unmet dependencies:
> libarrow-dev : Depends: libarrow1500 (= 15.0.1-1) but 15.0.2-1 is to be installed

This time I get to:

> Step 46/46 : RUN . /buildscripts/bh-set-envvars.sh && /buildscripts/bh-gdal.sh
> ...
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /gdal/build
> [ 1%] Building CXX object port/CMakeFiles/cpl_iconv.dir/cpl_recode_iconv.cpp.o
> ...
> [ 51%] Built target gdal_MRF
> make: *** [Makefile:136: all] Error 2
> The command '/bin/sh -c . /buildscripts/bh-set-envvars.sh && /buildscripts/bh-gdal.sh' returned a non-zero code: 2

How can I resolve this error?

Alternatively, we have considered a different solution that uses ubuntu:22.04 as our base image and then installing GDAL but also having problems with installing GDAL (I can't seem to get past dependency conflicts for v3.8.5 in pipenv so trying v3.8.3), getting an error:

> Collecting gdal==3.8.3 (from -r /tmp/pipenv-gde160cj-requirements/pipenv-ndnw2zi0-hashed-reqs.txt (line 62))
> Downloading GDAL-3.8.3.tar.gz (802 kB)
> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 802.5/802.5 kB 104.5 MB/s eta 0:00:00
> Preparing metadata (setup.py): started
> Preparing metadata (setup.py): finished with status 'error'
> error: subprocess-exited-with-error
>
> × python setup.py egg_info did not run successfully.
> │ exit code: 1
> Exception: Python bindings of GDAL 3.8.3 require at least libgdal 3.8.3, but 3.4.1 was found

How can we upgrade libgdal (in our Dockerfile)?

Many thanks!
Matt

------------------------------
*From:* Even Rouault <even.roua...@spatialys.com>
*Sent:* Monday, September 9, 2024 1:56 PM
*To:* Matt Luck - NOAA Affiliate <matt.l...@noaa.gov>; gdal-dev@lists.osgeo.org <gdal-dev@lists.osgeo.org>
*Subject:* Re: [gdal-dev] Upgrade or remove Java JDK 17 in GDAL Docker image

Matt,

Several potential solutions:

1) Regenerate the Docker image from sources:

    git clone https://github.com/OSGeo/gdal
    cd gdal
    ./docker/ubuntu-full/build.sh

2) Same as 1), but before that, edit ./docker/ubuntu-full/Dockerfile to remove all traces of java/jdk from it

3) Use the existing image, remove the openjdk package, and "flatten" the Docker layers with docker export / docker import (cf https://forums.docker.com/t/how-to-flatten-an-image-with-127-parents/1600/2), so that the layer where it was installed disappears

4) Wait a couple hours while I'm regenerating it to be updated to 17.0.12+7-1ubuntu2~24.04

Even

On 09/09/2024 at 19:29, Matt Luck - NOAA Affiliate via gdal-dev wrote:

Hi, our IT department has detected a security vulnerability in the Java JDK version 17 that's installed in the ubuntu-full docker image (see message below). I am able to remove the Java files from the Docker image via the Dockerfile and I've tried changing the `JAVA_VERSION` in the Dockerfile, but there always seems to be a reference remaining in the Docker diff files that I can't seem to get rid of.
To reproduce: A `docker system prune -a -f`, then `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds nothing, but then `docker pull ghcr.io/osgeo/gdal:ubuntu-full-3.9.1` followed by `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds:

/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/debug/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/share/gdb/auto-load/usr/lib/jvm/java-17-openjdk-amd64

Because they're diff files, those files exist whether or not they're actually in the container and thus the vulnerability is always triggered.

Is there a solution and/or a way to either upgrade the Java version or remove Java entirely if it's not needed so that we can deal with this issue in the future?

On Mon, Jul 8, 2024 at 10:21 AM X wrote:

All,

Please see the vulns below and remediate as soon as possible. These are in containers.

Path : /var/lib/docker/overlay2/48c2e3da9fc2282822d4522e28ca46788f5357a14a8a38f687e2cadbf9de68d7/diff/usr/lib/jvm/java-17-openjdk-amd64/
Installed version : 17.0.8
Fixed version : Upgrade to a version greater than 17.0.10

Path : /var/lib/docker/overlay2/4aed72b0f0433c615afe67854c8c79bb7acca2fb01216bf6be25774180266f4d/diff/usr/lib/jvm/java-17-openjdk-amd64/
Installed version : 17.0.8
Fixed version : Upgrade to a version greater than 17.0.10

_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev

--
http://www.spatialys.com
My software is free, but my time generally not.
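
Why a path-based scan keeps reporting the JDK after a later Dockerfile step removes it, and why the export/import flattening from option 3 clears it, as an added Python example that is not part of the original thread. The layer contents and helper names are constructed for illustration, and only explicit `.wh.` whiteout entries in layer tar archives are modelled.

```python
import io
import tarfile

NEEDLE = "java-17-openjdk-amd64"

def make_layer(files):
    """Build one layer tarball in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def layer_paths(layer):
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        return tar.getnames()

def layers_with(layers, needle):
    """Indexes of layers whose own diff ships a path component equal to `needle`.
    A whiteout entry is named '.wh.<name>', so it does not match."""
    return [i for i, layer in enumerate(layers)
            if any(needle in p.split("/") for p in layer_paths(layer))]

def merged_view(layers):
    """Apply layers bottom-up, honouring whiteouts: the filesystem the container sees."""
    view = set()
    for layer in layers:
        for p in layer_paths(layer):
            parent, _, name = p.rpartition("/")
            if name.startswith(".wh."):
                gone = (parent + "/" if parent else "") + name[4:]
                view = {v for v in view if v != gone and not v.startswith(gone + "/")}
            else:
                view.add(p)
    return view

# Constructed sample image: layer 1 installs the JDK, layer 2 removes it.
IMAGE = [
    make_layer({"usr/bin/gdalinfo": b"elf"}),
    make_layer({"usr/lib/jvm/java-17-openjdk-amd64/bin/java": b"elf"}),
    make_layer({"usr/lib/jvm/.wh.java-17-openjdk-amd64": b""}),
]
# Flattening yields a single layer built from the merged view only.
FLAT = [make_layer({p: b"" for p in sorted(merged_view(IMAGE))})]

if __name__ == "__main__":
    print("layers shipping the JDK before flatten:", layers_with(IMAGE, NEEDLE))
    print("layers shipping the JDK after flatten:", layers_with(FLAT, NEEDLE))
```

The removal in layer 2 only hides the directory from the merged view; layer 1's diff still carries the files until the image is rebuilt without that step or flattened into a single layer.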