build: Update packages in release image

This will get updates released after the base image was built. This adds a layer and increase the image size, but significantly reduce the number of CVEs in the resultant image. Signed-off-by: Gert van den Berg <github@mohag.net>
2024-11-09 16:00:22 +00:00 · 2023-02-01 08:37:07 +02:00 · 2023-02-01 08:37:07 +02:00 · c3d5b78276
commit c3d5b78276
parent 567b7df197
1 changed files with 9 additions and 4 deletions
--- a/deploy/cephcsi/image/Dockerfile
+++ b/deploy/cephcsi/image/Dockerfile
@ -2,7 +2,13 @@ ARG SRC_DIR="/go/src/github.com/ceph/ceph-csi/"
 ARG GO_ARCH
 ARG BASE_IMAGE

-FROM ${BASE_IMAGE} as builder
+FROM ${BASE_IMAGE} as updated_base
+
+RUN dnf -y update \
+       && dnf clean all \
+       && rm -rf /var/cache/yum
+
+FROM updated_base as builder

 LABEL stage="build"

@ -28,8 +34,7 @@ RUN ${GOROOT}/bin/go version && ${GOROOT}/bin/go env
 RUN dnf config-manager --disable \
    tcmu-runner,tcmu-runner-source,tcmu-runner-noarch || true

-RUN dnf -y update \
-        && dnf -y install --nodocs \
+RUN dnf -y install --nodocs \
 	librados-devel librbd-devel \
 	/usr/bin/cc \
 	make \
@ -56,7 +61,7 @@ COPY . ${SRC_DIR}
 RUN make cephcsi

 #-- Final container
-FROM ${BASE_IMAGE}
+FROM updated_base

 ARG SRC_DIR