Conversation
…ication & also update kube-scheduler and model-proxy
…duler and watchdog
…in in dockerfile for k8s host device plugin
Pull request overview
This pull request implements a comprehensive security update across all container images in the repository, including Ubuntu updates, Go version updates, Node.js package updates (lodash, qs, diff), and Python package updates. The changes involve updating base images, upgrading dependencies, and adding proper image pull policies to Kubernetes deployment configurations.
Changes:
- Updated Go versions across multiple Dockerfiles (targeting 1.24.x)
- Updated Node.js dependencies (lodash to 4.17.23, qs to 6.14.1, diff to 8.0.3)
- Replaced custom nginx builds with official nginx:1.29.4 base image
- Added imagePullPolicy: Always to Kubernetes deployments
- Replaced patch files with inline go mod edits for better maintainability
- Updated various tools (nerdctl, docker, frp) to newer versions
- Added proper apt cache cleanup in several Dockerfiles
Reviewed changes
Copilot reviewed 27 out of 31 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/webportal-dind/build/webportal-dind.common.dockerfile | Added multi-stage build for runc, updated Docker version, improved cleanup |
| src/webportal-dind/build/install.sh | Updated Docker version to 29.2.0, removed buildx/compose, improved cleanup |
| src/watchdog/build/watchdog.common.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/rest-server/yarn.lock, package.json | Updated lodash, qs, and diff dependencies |
| src/pylon/build/reverseproxy.common.dockerfile | Replaced binary download with building frp from source |
| src/pylon/build/pylon.common.dockerfile | Replaced custom nginx build with official nginx:1.29.4 image |
| src/postgresql/build/postgresql.k8s.dockerfile | Added multi-stage build for gosu binary |
| src/model-proxy/build/model-proxy.common.dockerfile | Updated Go version to 1.25.7 |
| src/job-exporter/build/job-exporter.common.dockerfile | Updated nerdctl to 2.2.1 |
| src/hivedscheduler/deploy/hivedscheduler.yaml.template | Added imagePullPolicy: Always |
| src/hivedscheduler/build/kube-scheduler.k8s.dockerfile | Updated kube-scheduler to v1.35.0 |
| src/hivedscheduler/build/hivedscheduler.k8s.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/frameworkcontroller/build/frameworkcontroller.common.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/frameworkcontroller/build/frameworkbarrier.common.dockerfile | Updated Go to 1.24.11-alpine3.21 (inconsistent with other files) |
| src/device-plugin/deploy/start.sh.template | Added imagePullPolicy modifications |
| src/device-plugin/deploy/device-plugin.yaml.template | Added imagePullPolicy: Always |
| src/device-plugin/build/k8s-rocm-device-plugin.k8s.dockerfile | Updated Go to 1.24.12-alpine, replaced patch with inline mod edits |
| src/device-plugin/build/k8s-rocm-device-plugin-patches/0001-*.patch | Removed patch file (replaced with inline edits) |
| src/device-plugin/build/k8s-rdma-shared-dev-plugin.k8s.dockerfile | Updated Go to 1.24.13-alpine, added inline mod edits |
| src/device-plugin/build/k8s-nvidia-device-plugin.k8s.dockerfile | Replaced base image with multi-stage build using golang:1.25.6 |
| src/device-plugin/build/k8s-host-device-plugin.k8s.dockerfile | Updated Go to 1.24.13, replaced patch with inline mod edits |
| src/device-plugin/build/k8s-host-device-plugin-patches/0001-*.patch | Removed patch file (replaced with inline edits) |
| src/database-controller/src/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/copilot-chat/build/copilot-chat.common.dockerfile | Added pip upgrade command |
| src/alert-manager/src/job-status-change-notification/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/alert-manager/src/alert-handler/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/alert-manager/build/redis-monitoring.common.dockerfile | Added multi-stage build for gosu binary |
Comments suppressed due to low confidence (1)
src/frameworkcontroller/build/frameworkbarrier.common.dockerfile:36
- Inconsistent Alpine base image version. The builder stage uses alpine3.21 but other similar files use alpine3.22. The runtime stage (line 36) also uses alpine:3.21. Both should be updated to alpine:3.22 for consistency with the frameworkcontroller.common.dockerfile and to ensure the latest security updates.
FROM golang:1.24.11-alpine3.21 as builder
ENV GOPATH=/go
ENV PROJECT_DIR=/src
ENV INSTALL_DIR=/opt/frameworkcontroller/frameworkbarrier
RUN apk update && apk add --no-cache bash && \
mkdir -p ${PROJECT_DIR} ${INSTALL_DIR}
COPY src ${PROJECT_DIR}
RUN ${PROJECT_DIR}/build/frameworkbarrier/go-build.sh && \
mv ${PROJECT_DIR}/dist/frameworkbarrier/* ${INSTALL_DIR}
FROM alpine:3.21
| @@ -1,11 +1,26 @@ | |||
| FROM golang:1.24 as builder | |||
|
|
|||
| ARG RUNCVERSION=1.4.0 | |||
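Review bot: `FROM golang:1.24 as builder` pins only the minor version, so this builder silently moves to whichever 1.24.x patch release is current when the image is rebuilt; pin a patch tag (the other Dockerfiles in this PR use 1.24.13) or an image digest so the security update is reproducible. For `ARG RUNCVERSION=1.4.0`, given the disagreement with the comment below, confirm the tag exists upstream before merging, and have the download step verify the release tarball against its published checksum rather than trusting the version string alone.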
Inconsistent runc version specified. The ARG RUNCVERSION is set to 1.4.0, but this version does not exist in the opencontainers/runc repository. The latest stable versions are in the 1.1.x and 1.2.x range. This should be changed to a valid version such as v1.2.8 or v1.2.2 to ensure the build succeeds.
| @@ -11,10 +11,17 @@ ARG GOARCH=${TARGETARCH} | |||
|
|
|||
| RUN git clone --branch 1.31.4-0.1.0 --single-branch https://github.com/everpeace/k8s-host-device-plugin.git /go/src/k8s-host-device-plugin | |||
|
|
|||
| COPY ./build/k8s-host-device-plugin-patches/0001-update-Golang-toolchain-to-1.24.patch /go/src/k8s-host-device-plugin/ | |||
| WORKDIR /go/src/k8s-host-device-plugin | |||
| RUN git apply ./0001-update-Golang-toolchain-to-1.24.patch | |||
| RUN go mod download | |||
|
|
|||
| RUN go mod edit -go=1.24 -toolchain=go1.24.12 | |||
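Review bot: `go mod edit -go=1.24 -toolchain=go1.24.12` writes a toolchain line that does not match the golang:1.24.13 base image referred to in the comment below. A toolchain line is a minimum: with the default GOTOOLCHAIN=auto, one newer than the installed Go triggers a download at build time, and one older is ignored, so as written the line adds nothing except a possible network dependency. Set `-toolchain` to the image's own version, or set `GOTOOLCHAIN=local` in the builder stage so a mismatch fails loudly instead of fetching. Also, `git clone --branch 1.31.4-0.1.0` checks out a mutable tag; record the expected commit hash and verify it after the clone so a force-pushed tag cannot change what gets built.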
Inconsistent Go toolchain version. Line 4 uses golang:1.24.13 as the base image but line 16 sets the toolchain to go1.24.12. These should be consistent - either both should be 1.24.12 or both should be 1.24.13. Recommend using 1.24.13 for both to ensure consistency and latest security patches.
| RUN chmod +x /app/proxy-client | ||
|
|
||
| # Ensure the binary is executable | ||
| RUN chmod +x /app/proxy-client |
Duplicate chmod command. The chmod +x command is executed twice for /app/proxy-client on lines 27 and 30. One of these lines should be removed as it's redundant.
| RUN chmod +x /app/proxy-client |
| -require=github.com/opencontainers/runc@v1.2.8 \ | ||
| -require=golang.org/x/net@v0.38.0 \ | ||
| -require=github.com/opencontainers/runtime-spec@v1.2.0 && \ | ||
| go mod tidy -go=1.24.12 |
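Review bot: `-require=github.com/opencontainers/runc@v1.2.8` (and the x/net and runtime-spec lines) only raises the minimum version: minimal version selection takes the highest version any module in the graph requires, so if another dependency already requires a newer release, `go mod tidy` keeps that one, and if no package in the build imports the module at all, tidy removes the requirement again. Add a post-tidy check to the same RUN step, for example `go list -m golang.org/x/net | grep -q v0.38.0`, so the build fails when the intended fixed version is not what ends up in go.mod. As noted below, `go mod tidy -go=1.24.12` should also match the 1.24.13 base image.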
Inconsistent go mod tidy toolchain version. Line 4 uses golang:1.24.13-alpine as the base image, but line 27 runs go mod tidy -go=1.24.12. The toolchain version should match the base image version. Change line 27 to use -go=1.24.13 instead of -go=1.24.12.
| go mod tidy -go=1.24.12 | |
| go mod tidy -go=1.24.13 |
| -require=google.golang.org/grpc@v1.72.1 \ | ||
| -require=k8s.io/kubelet@v0.33.1 | ||
|
|
||
| RUN go mod tidy -go=1.24.12 |
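Review bot: `-require=k8s.io/kubelet@v0.33.1` moves one k8s.io module to the v0.33 line while the hunk shows no matching bump for the other k8s.io modules; api, apimachinery, client-go and the rest are released in lockstep and need to sit on the same minor, so check go.mod after tidy and confirm they are all at v0.33.x rather than a mixed set that only builds by chance. The same toolchain mismatch flagged below applies to `-go=1.24.12` here.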
Inconsistent go mod tidy toolchain version. Line 4 uses golang:1.24.13 as the base image, but line 24 runs go mod tidy -go=1.24.12. The toolchain version should match the base image version. Change line 24 to use -go=1.24.13 instead of -go=1.24.12.
| RUN go mod tidy -go=1.24.12 | |
| RUN go mod tidy -go=1.24.13 |
| # SOFTWARE | ||
|
|
||
| FROM golang:1.24.9-alpine3.21 as builder | ||
| FROM golang:1.24.11-alpine3.21 as builder |
Inconsistent Go version used. This Dockerfile uses golang:1.24.11-alpine3.21 while other similar files in the same component (frameworkcontroller.common.dockerfile) use golang:1.24.13-alpine3.22. For consistency and to ensure the latest security patches, this should be updated to golang:1.24.13-alpine3.22 to match the frameworkcontroller.common.dockerfile.
|
|
||
| ARG RUNCVERSION=1.4.0 | ||
|
|
||
| RUN apt update && apt install -y make gcc linux-libc-dev libseccomp-dev pkg-config |
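Review bot: `apt update && apt install -y ...` uses the interactive `apt` front end, which warns that it has no stable CLI for use in scripts; use `apt-get update && apt-get install -y --no-install-recommends ...` so the installed package set is minimal and deterministic, and append the cache cleanup suggested below within the same RUN so the package lists never land in a layer. Since this is the runc builder stage of a multi-stage build, that cleanup only trims build-stage layers, not the runtime image, but `--no-install-recommends` still keeps the build environment smaller.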
Missing apt cache cleanup in the builder stage. After installing packages with apt on line 5, the package cache should be cleaned to reduce image size. Add && apt-get clean && rm -rf /var/lib/apt/lists/* after the package installation.
| RUN apt-get update && \ | ||
| apt-get upgrade -y && \ | ||
| apt-get -y install bash curl | ||
|
|
||
| # Install Python dependencies | ||
| RUN apt-get -y install build-essential python3 python3-pip | ||
| RUN pip3 install jinja2 |
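Review bot: the second install (`RUN apt-get -y install build-essential python3 python3-pip`) runs in its own layer without a preceding `apt-get update`, so it relies on the package lists from the earlier RUN; when Docker reuses the cached earlier layer those lists are stale, and this step can fail or install package versions older than the ones `apt-get upgrade -y` just pulled in. Merge both installs into the single `apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends ...` RUN, followed by the cleanup suggested below. `RUN pip3 install jinja2` is also unpinned; pin it (`jinja2==<version>`, ideally via a requirements file with hashes) so this security update is reproducible and not silently changed by the next upstream release.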
Missing apt cache cleanup. After installing packages with apt-get on lines 18-24, the package cache should be cleaned to reduce image size. Add && apt-get clean && rm -rf /var/lib/apt/lists/* at the end of the RUN command on line 24.
Security update for all the container images, including the Ubuntu update and other package updates for Node.js and Python