dart-lang / dart-docker Goto Github PK
View Code? Open in Web Editor NEWDocker images for the Dart programming language (https://dart.dev)
License: BSD 3-Clause "New" or "Revised" License
dart-docker's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
mit-mit athomas subfuzion cpswan pretodev odidev olusesa abasty aebrahim maxim040592 yasudacloud tryweirdier parloughdart-docker's Issues
support additional architectures
would be nice to build for multiple platforms
https://github.com/docker/buildx#building-multi-platform-images
.
.
Lag between SDK releases and Dart library image updates
It's been 5 days now since 2.17.1 was released, but the :latest build is still at 2.17.0
versions.json here was updated with the 2.17.1 hashes in #94 but somehow that hasn't triggered the (hopefully automated) process to get new images built.
Require Linux/ARM64 docker image for dart-lang/dart
Hi Team,
I have been working on building dart-lang/dart images for both amd64 and arm64 platform. Successfully build the docker image for both platforms. I have modified the Dockerfile to make it compatible for both the platforms and added arm64 support in docker-image.yml file.
Changes Required: odidev@54b8e46
Do you have any plans for releasing ARM64 images?
It will be very helpful if an ARM64 image is available. If interested, I will raise a PR.
Usage instructions
HI!
I'm in the process of dockerizing an application that uses dart 2.9.3. To that end I'm trying to use this repository to generate the correct Dockerfile, since the oldest available image is 2.12 (unless I use the deprecated Google images which are 300MB).
I'm not really well versed in the Dart ecosystem, so I'm having some trouble getting the files in the scripts directory to do what I think they should.
Any advice would be greatly appreciated, thanks!
Unable to run docker with dart cloud function in ARM machine (M1 Mac)
Was following Quickstart: Docker instructions under functions-framework-dart.
Downloaded the hello world project and ran docker build -t hellofunc .
Expected: No errors
Reality: Error found.
Logs
haris@Hariss-MacBook-Air functions-framework-dart-main % docker build -t hellofunc .
[+] Building 4.1s (16/18)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 119B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/subfuzion/dart:slim 2.5s
=> [internal] load metadata for docker.io/google/dart:2.12 2.5s
=> CACHED [stage-1 1/2] FROM docker.io/subfuzion/dart:slim@sha256:1a60fa1089065c4dd86d0735becafab9d14dca828ba0ee19ab6b547c9e81e479 0.0s
=> [stage-0 1/11] FROM docker.io/google/dart:2.12@sha256:e058e2a4d9dbae12771cea71846be1695bd0012879f7de98617495cc235355d9 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 58.53kB 0.0s
=> CACHED [stage-0 2/11] WORKDIR /app 0.0s
=> CACHED [stage-0 3/11] COPY ./functions_framework/pubspec.yaml /app/functions_framework/ 0.0s
=> CACHED [stage-0 4/11] COPY ./functions_framework_builder/pubspec.yaml /app/functions_framework_builder/ 0.0s
=> CACHED [stage-0 5/11] COPY ./test/hello/pubspec.yaml /app/test/hello/ 0.0s
=> CACHED [stage-0 6/11] WORKDIR /app/test/hello 0.0s
=> CACHED [stage-0 7/11] RUN dart pub get 0.0s
=> CACHED [stage-0 8/11] COPY . ../.. 0.0s
=> CACHED [stage-0 9/11] RUN dart pub get --offline 0.0s
=> ERROR [stage-0 10/11] RUN dart pub run build_runner build --delete-conflicting-outputs 1.5s
------
> [stage-0 10/11] RUN dart pub run build_runner build --delete-conflicting-outputs:
#16 1.463
#16 1.463 ===== CRASH =====
#16 1.463 si_signo=Segmentation fault(11), si_code=1, si_addr=0xffffffffffffff90
#16 1.463 version=2.12.4 (stable) (Unknown timestamp) on "linux_x64"
#16 1.464 pid=10, thread=18, isolate_group=dartdev(0x4002c44000), isolate=dartdev(0x4002be9000)
#16 1.464 isolate_instructions=400648e000, vm_instructions=4001a0f020
#16 1.464 pc 0x000000400450a711 fp 0x0000004009210590 Unknown symbol
#16 1.465 pc 0x0000004008cc32b0 fp 0x00000040092105f8 Unknown symbol
#16 1.465 pc 0x0000004008cc3037 fp 0x0000004009210678 Unknown symbol
#16 1.465 pc 0x0000004008cc2ddd fp 0x00000040092106f0 Unknown symbol
#16 1.465 pc 0x0000004008cc1dfe fp 0x0000004009210768 Unknown symbol
#16 1.465 pc 0x0000004008cc14c0 fp 0x00000040092107e0 Unknown symbol
#16 1.465 pc 0x0000004008cc0e2f fp 0x0000004009210860 Unknown symbol
#16 1.465 pc 0x0000004008cc0aac fp 0x00000040092108d8 Unknown symbol
#16 1.465 pc 0x0000004008cc08a9 fp 0x0000004009210930 Unknown symbol
#16 1.465 pc 0x0000004008cc0419 fp 0x00000040092109d0 Unknown symbol
#16 1.465 pc 0x0000004008cbe818 fp 0x0000004009210a60 Unknown symbol
#16 1.465 pc 0x0000004008cbe414 fp 0x0000004009210ab0 Unknown symbol
#16 1.465 pc 0x000000400b0b2c81 fp 0x0000004009210b08 Unknown symbol
#16 1.465 pc 0x000000400b09dfdf fp 0x0000004009210b80 Unknown symbol
#16 1.465 pc 0x000000400b09bead fp 0x0000004009210c18 Unknown symbol
#16 1.465 pc 0x000000400b09b6c4 fp 0x0000004009210c70 Unknown symbol
#16 1.465 pc 0x0000004008cf712a fp 0x0000004009210d00 Unknown symbol
#16 1.465 pc 0x0000004008cf6925 fp 0x0000004009210db8 Unknown symbol
#16 1.465 pc 0x0000004008cb3e2b fp 0x0000004009210e78 Unknown symbol
#16 1.465 pc 0x0000004008cb79dc fp 0x0000004009210ef0 Unknown symbol
#16 1.465 pc 0x0000004008cb787c fp 0x0000004009210f58 Unknown symbol
#16 1.465 pc 0x0000004008cb753c fp 0x0000004009210ff8 Unknown symbol
#16 1.465 pc 0x000000400651946e fp 0x0000004009211048 Unknown symbol
#16 1.465 pc 0x000000400651ae9e fp 0x00000040092110a8 Unknown symbol
#16 1.465 pc 0x000000400651a3c2 fp 0x0000004009211130 Unknown symbol
#16 1.465 pc 0x000000400651c51b fp 0x0000004009211178 Unknown symbol
#16 1.465 pc 0x0000004006535a5e fp 0x00000040092111b8 Unknown symbol
#16 1.465 pc 0x0000004008cb4c7c fp 0x0000004009211258 Unknown symbol
#16 1.465 pc 0x0000004008cb79dc fp 0x00000040092112d0 Unknown symbol
#16 1.465 pc 0x0000004008cb787c fp 0x0000004009211338 Unknown symbol
#16 1.465 pc 0x0000004008cb753c fp 0x00000040092113d8 Unknown symbol
#16 1.465 pc 0x000000400651946e fp 0x0000004009211428 Unknown symbol
#16 1.465 pc 0x000000400651ae9e fp 0x0000004009211488 Unknown symbol
#16 1.465 pc 0x000000400651a3c2 fp 0x0000004009211510 Unknown symbol
#16 1.465 pc 0x0000004008cb7378 fp 0x0000004009211550 Unknown symbol
#16 1.465 pc 0x0000004008cb1a3d fp 0x00000040092115c0 Unknown symbol
#16 1.465 pc 0x0000004008cb17b9 fp 0x0000004009211620 Unknown symbol
#16 1.465 pc 0x0000004008cb10d9 fp 0x00000040092116b8 Unknown symbol
#16 1.465 pc 0x0000004008cb724f fp 0x0000004009211728 Unknown symbol
#16 1.465 pc 0x0000004008cb714d fp 0x0000004009211768 Unknown symbol
#16 1.465 pc 0x000000400651dd37 fp 0x00000040092117b0 Unknown symbol
#16 1.465 pc 0x000000400651e12e fp 0x00000040092117f0 Unknown symbol
#16 1.465 pc 0x000000400651e359 fp 0x0000004009211818 Unknown symbol
#16 1.465 pc 0x00000040065358bd fp 0x0000004009211858 Unknown symbol
#16 1.465 pc 0x00000040065363f7 fp 0x0000004009211880 Unknown symbol
#16 1.465 pc 0x000000400470265f fp 0x00000040092118f8 Unknown symbol
#16 1.468 pc 0x0000004001ba7690 fp 0x0000004009211990 dart::DartEntry::InvokeCode(dart::Code const&, dart::Array const&, dart::Array const&, dart::Thread*)+0x110
#16 1.469 pc 0x0000004001ba74c5 fp 0x00000040092119f0 dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long)+0x175
#16 1.469 pc 0x0000004001ba9e1e fp 0x0000004009211a40 dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&)+0x1ee
#16 1.470 pc 0x0000004001bd1d42 fp 0x0000004009211c30 dart::IsolateMessageHandler::HandleMessage(std::__2::unique_ptr<dart::Message, std::__2::default_delete<dart::Message> >)+0x4d2
#16 1.470 pc 0x0000004001bfe106 fp 0x0000004009211ca0 dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool)+0x146
#16 1.470 pc 0x0000004001bfe7ba fp 0x0000004009211d00 dart::MessageHandler::TaskCallback()+0x1da
#16 1.471 pc 0x0000004001d0c708 fp 0x0000004009211d80 dart::ThreadPool::WorkerLoop(dart::ThreadPool::Worker*)+0x148
#16 1.471 pc 0x0000004001d0cbdc fp 0x0000004009211db0 dart::ThreadPool::Worker::Main(unsigned long)+0x5c
#16 1.472 pc 0x0000004001c8421d fp 0x0000004009211e70 /usr/lib/dart/bin/dart+0x1c8421d
#16 1.472 -- End of DumpStackTrace
#16 1.472 qemu: uncaught target signal 6 (Aborted) - core dumped
#16 1.482 Aborted
------
executor failed running [/bin/sh -c dart pub run build_runner build --delete-conflicting-outputs]: exit code: 134
[✓] Flutter (Channel stable, 2.2.1, on macOS 11.3.1 20E241 darwin-arm, locale en-SG)
• Flutter version 2.2.1 at /Users/haris/Development/flutter
• Framework revision 02c026b03c (11 days ago), 2021-05-27 12:24:44 -0700
• Engine revision 0fdb562ac8
• Dart version 2.13.1
• Pub download mirror https://pub.flutter-io.cn
[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.3)
• Android SDK at /Users/haris/Library/Android/sdk
• Platform android-30, build-tools 30.0.3
• Java binary at: /Applications/Android Studio.app/Contents/jre/jdk/Contents/Home/bin/java
• Java version OpenJDK Runtime Environment (build 1.8.0_242-release-1644-b3-6915495)
• All Android licenses accepted.
[✓] Xcode - develop for iOS and macOS
• Xcode at /Applications/Xcode.app/Contents/Developer
• Xcode 12.4, Build version 12D4e
• CocoaPods version 1.10.1
[✓] Chrome - develop for the web
• Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
[✓] Android Studio (version 4.1)
• Android Studio at /Applications/Android Studio.app/Contents
• Flutter plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/9212-flutter
• Dart plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/6351-dart
• Java version OpenJDK Runtime Environment (build 1.8.0_242-release-1644-b3-6915495)
[✓] Connected device (2 available)
• macOS (desktop) • macos • darwin-arm64 • macOS 11.3.1 20E241 darwin-arm
• Chrome (web) • chrome • web-javascript • Google Chrome 91.0.4472.77
• No issues found!
Documentation on how to bind volume to minimal scatch : AOT : docker-compose
hi there, I'm trying to bind a volume from scratch, from my observation via the official Dockerfile, the location is "/app/bin" for my AOT compiled application. I've built a REST API server and used dart with docker-compose.
My problem is I cant Bin any volume from what my server creates maybe if someone uploads a picture or even my AOT self-produce file like from "Hive Database". somehow I need to persist it.
in my docker-compose.yml YAML file,
I did:
volumes: - ./user_server:/app/bin - hive_path:/app/bin/hive
I also did with:
volumes: - ./user_server:/app/bin
or even detail as
volumes: - ./user_server/hive:/app/bin/hive - or - - ./user_server:/app/bin/hive
nothing work. I tried to create the directory and try not to create the directory.
can you gave some work around?
Replace deprecated `set-output` command with environment file
In workflow, set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information, see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
An image with Chrome and/or Firefox would be very convenient for testing purpose
How to execute healthcheck without curl
How to perform healthcheck shelf service without curl in docker swarm stack?
Should i use curlimages/curl instead scratch?
Or maybe run dart runtime with flag and check working instance with http request?
Add a CI test
Would be good to have some amount of CI testing.
For inspiration:
https://github.com/docker-library/golang/blob/master/.github/workflows/ci.yml
Reduce size of images that are based on jit snapshots
I have a long-running server that has code that runs slow when compiled AOT, and I want to optimize startup time and reduce the image size. I've tried doing the following:
FROM dart:2.17 AS build
WORKDIR /app
COPY pubspec.yaml .
RUN dart pub get
COPY . .
RUN dart pub get --offline
RUN dart compile jit-snapshot bin/server.dart
FROM scratch
COPY --from=build /runtime/ /
COPY --from=build /app/bin/server.jit app/bin/
EXPOSE 4002
ENTRYPOINT ["dart", "/app/bin/server.jit"]However, I get an error when I try to run the container, because dart is not found. Is there any way this could work, similar to AOT?
Using something like this
FROM dart:2.17
WORKDIR /app
COPY bin/server.jit /app/bin/
ENTRYPOINT ["dart", "bin/server.jit"]results in a 266.8MB image(!)
Use distroless for runtime images?
GoogleContainerTools/distroless
"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
The main benefit would seem to be image signing with cosign, though BusyBox might come in handy at times.
MIrrors
Is there any plan to include dart:mirrors in the Dart runtime for Docker in the future? (specifically I'm trying to run Conduit and right now it won't let me). Thankis!
error while running the container
I'm using the image provided in the official documentation for the flutter beta version, after I successfully build the image and run the container it existed immediately (EXITED (0)) with no logs indicating the type of the error,
Support versions besides buster
Hi there, I really love all the work by the dart team, Dart really has become one of my favorite languages (also outside of Flutter).
I am wondering why there are only buster-slim images in this repo - I require newer versions of many packages. Personally, I just copied the entire Dockerfile into my repo and changed buster -> sid, but it would be awesome to have them directly in here.
FROM dart:stabel-sid or something like that :)
Request sync on DevContainer Feature
Currently working on Devcontainer Feature (Github/VS Code) for Dart!
Would prefer it if Dart Feature mirrors the dart-docker as much as possible. If anyone working on dart-docker would reach out I'd appreciate it. Also, I may submit some PRs to this repo in line with my goal. Thanks
Automated tests to confirm availability of images on DockerHub
There have been numerous instances in the past where publication of images on DockerHub has significantly lagged updates to versions.json or where images for an instruction set architecture are missing e.g. #178 #105 #97 #93
A GitHub Actions workflow could confirm that image SHAs exist for expected tags, and a badge could be places on the README.md to indicate that all is well.
libatomic.so.1 needed in /runtime for RISC-V
Whilst testing container images with AOT binaries created from build images based on #140 I found that they wouldn't run:
/myaotbinaryname: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory
This can be remedied by copying /usr/lib/riscv64-linux-gnu/libatomic.so.1 into /runtime so it's available in the container.
I'm not entirely sure that this is a RISC-V specific thing, but given that many more people are likely to be testing Dart 3 betas on other platforms it's a strong possibility.
docker run atsigncompany/dartshowplatform:GHA_634 provides an example of a container without libatomic.so.1:
Unable to find image 'atsigncompany/dartshowplatform:GHA_634' locally
GHA_634: Pulling from atsigncompany/dartshowplatform
Digest: sha256:b85c81c69810999812baa6cc3e9ba32375d983bc4b5a9b27c4b15122093b5e6a
Status: Downloaded newer image for atsigncompany/dartshowplatform:GHA_634
/app/dartshowplatform: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory
Whilst docker run atsigncompany/dartshowplatform:GHA_635 provides an example of a container with libatomic.so.1 in the linux/riscv64 image:
Unable to find image 'atsigncompany/dartshowplatform:GHA_635' locally
GHA_635: Pulling from atsigncompany/dartshowplatform
Digest: sha256:a3bb9afd99a2b981ac29fd8d4dea21d1d6a03f1cd03b3dfd9e36adf864b6e24c
Status: Downloaded newer image for atsigncompany/dartshowplatform:GHA_635
3.0.0-290.3.beta (beta) (Tue Mar 21 16:51:50 2023 +0000) on "linux_riscv64"
Source for the examples above is at https://github.com/atsign-company/at_dockerfiles
Add git so that dart pub get works for pubspecs with git dependencies
At present git isn't part of the base image or included in the Dockerfile template, so when a Dockerfile using FROM dart tries to run dart pub get the result is a sequence of:
Git command is not "git": Pub failed to run subprocess `git`: ProcessException: No such file or directory
Command: git --version
Git command is not "git.cmd": Pub failed to run subprocess `git.cmd`: ProcessException: No such file or directory
Command: git.cmd --version
This can be fixed by adding git to the apt-get section of the Dockerfile e.g.
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
ca-certificates \
curl \
openssh-client \
unzip \
dnsutils \
git \
; \The overall package diff (comparing apt list --installed between the existing dart image and one with git added) ends up being:
22a23,24
> git-man/now 1:2.20.1-2+deb10u3 all [installed,local]
> git/now 1:2.20.1-2+deb10u3 amd64 [installed,local]
41a44
> libcurl3-gnutls/now 7.64.0-4+deb10u2 amd64 [installed,local]
46a50,51
> liberror-perl/now 0.17027-2 all [installed,local]
> libexpat1/now 2.2.6-2+deb10u1 amd64 [installed,local]
52a58,59
> libgdbm-compat4/now 1.18.1-4 amd64 [installed,local]
> libgdbm6/now 1.18.1-4 amd64 [installed,local]
84a92
> libpcre2-8-0/now 10.32-5 amd64 [installed,local]
85a94
> libperl5.28/now 5.28.1-6+deb10u1 amd64 [installed,local]
117a127,128
> perl-modules-5.28/now 5.28.1-6+deb10u1 all [installed,local]
> perl/now 5.28.1-6+deb10u1 amd64 [installed,local]
resulting in an extra 76MB used by the raw image, which becomes 34MB when compressed on Docker Hub (for x64 arch).
Obviously people can workaround this by putting apt-get install -y git into their own Dockerfiles using FROM dart, and even create their own build images with git added. But as dart pub get is such a common thing to run, the various trade offs of image size, build times etc. would favour having a key ecosystem dependency like git in place.
installing with docker ... Could not find a file named "pubspec.yaml" in "/app"
I tried to follow docker installation. unfortunately, the given docker content and/or the command to create fails. the following output should be showing the problem because it is all that is shown.
C:\Workspace\dart>docker build -t dart-server .
[+] Building 4.5s (9/14)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 735B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 34B 0.0s
=> [internal] load metadata for docker.io/library/dart:stable 3.1s
=> [auth] library/dart:pull token for registry-1.docker.io 0.0s
=> [build 1/7] FROM docker.io/library/dart:stable@sha256:76d0bf1a79e33bd6e104275aba3d8a1e8479705323ec0e8b00ced40616024c7b 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [build 2/7] WORKDIR /app 0.0s
=> CACHED [build 3/7] COPY pubspec.* ./ 0.0s
=> ERROR [build 4/7] RUN dart pub get 1.1s
------
> [build 4/7] RUN dart pub get:
#9 0.892 Could not find a file named "pubspec.yaml" in "/app".
------
executor failed running [/bin/sh -c dart pub get]: exit code: 66
Latest stable SDK still not on DockerHub a week after version.json was bumped here
I know that it can sometimes take a day or so for new images to make their way through Docker's CD pipeline, but after a week it seems like something might be stuck/broken.
Implement templating support
Need a script for applying templates (currently only Dockerfile-debian.template).
Got 'AOT compilation failed' when 'dart compile exe'
Here is my Dockerfile
FROM dart:stable AS build
WORKDIR /app
COPY pubspec.* ./
RUN dart pub get
COPY . .
RUN dart pub get --offline
RUN dart compile -v exe bin/main.dart -o bin/server
FROM scratch
COPY --from=build /runtime/ /
COPY --from=build /app/bin/server /app/bin/
EXPOSE 8080
CMD ["/app/bin/server"]
I got this
Compiling /app/bin/main.dart to /app/bin/server using format exe:
Generating AOT kernel dill.
Error: AOT compilation failed
Generating AOT kernel dill failed!
The command '/bin/sh -c dart compile -v exe bin/main.dart -o bin/server' returned a non-zero code: 64
pubspec.yaml
environment:
sdk: '>=2.12.0 <3.0.0'
dependencies:
dio: 4.0.0
web_socket_channel: 2.1.0
html: 0.15.0
puppeteer: 2.2.0
shelf: 1.1.4
shelf_router: 1.0.0
shelf_static: 1.0.0
sembast: 3.1.0+2
dev_dependencies:
test: ^1.16.0
System info
Centos 7.4.1708 amd64
Docker version 20.10.7, build f0df350
No Armv7 image in 2.17.0 tag on Docker Hub
If I try to pull dart:2.17.0 from a Linux armv7 system:
$ sudo docker pull dart:2.17.0
2.17.0: Pulling from library/dart
no matching manifest for linux/arm/v7 in the manifest list entries
Taking a look at the tag on Docker hub only x64 and armv8 are there:
Yet I can see armv7 alongside those image SHAs in the latest tag:
So it looks like the manifest for 2.0.17 is incomplete and needs to be updated.
Copy pubspec.lock file
RISC-V image for beta channel
Now dart has experimental support for RISC-V in beta channel. Having the RISC-V container image for beta channel would be nice.
Incorrect permissions on /usr/lib/dart/bin on linux aarch64 2.14.4 build
This prevents the dart command from being used by a non-root user.
Steps to reproduce (on M1 mac mini)
docker run --rm -it dart:stable
root@84cc7db4dc9c:~# ls -l /usr/lib/dart
total 32
-rw-r--r-- 1 root root 1502 Oct 13 02:12 LICENSE
-rw-r--r-- 1 root root 981 Oct 13 02:12 README
drwx------ 5 root root 4096 Oct 13 03:11 bin
-rw-r--r-- 1 root root 928 Oct 13 03:00 dartdoc_options.yaml
drwxr-xr-x 3 root root 4096 Oct 13 02:54 include
drwxr-xr-x 26 root root 4096 Oct 13 03:04 lib
-rw-r--r-- 1 root root 41 Oct 13 03:00 revision
-rw-r--r-- 1 root root 7 Oct 13 03:00 version
This would be fixed by with RUN chmod 755 /usr/lib/dart/bin
Upgrade to Debian bookworm
bullseye is old - and has unpatched critical vulnerabilities
Determine best format for the AOT runtime image
Currently the runtime image assumes that you compile your server app to a Dart exe.
Should we consider copying in https://dart.dev/tools/dartaotruntime to the image, and then serve the app from even smaller AOT snapshots rather than a full exe?
exec: "dart": executable file not found in $PATH: unknown
If execute $ docker container run --rm --user 1000 dart:2.14.3 dart create app then can get an error
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "dart": executable file not found in $PATH: unknown.
If you look at the permissions for /usr/lib/dart, you can see that the run dart is possible only from the root user.
root@aac25d7e5b7d:~# ls -lah /usr/lib/
total 4.0K
drwxr-xr-x 1 root root 188 Oct 7 12:59 .
drwxr-xr-x 1 root root 70 Sep 27 00:00 ..
drwxr-xr-x 1 root root 98 Sep 27 00:00 apt
drwx------ 1 root root 122 Sep 29 04:25 dart
drwxr-xr-x 1 root root 14 Apr 19 16:41 dpkg
...
Therefore, I think that run chmod 0755 -R /usr/lib/dart/ after install dart will solve the problem.
Deprecate/discontinue google/dart and dart-lang/dart_docker
With the official images, we should start telling people to migrate from the old images so that we can eventually sunset our use of google/dart and archive the dart-lang/docker_dart (especially because it's easily confused with dart-lang/dart-docker)
Checklist:
- Update readme: https://github.com/dart-lang/dart-docker/pulls
- Update readme on https://registry.hub.docker.com/r/google/dart/
- Update release scripts to no longer publish to this registry when releasing: cl/420720564
- Anything else on https://registry.hub.docker.com/r/google/dart/ to mark discontinued?
- Mark https://github.com/dart-lang/dart_docker as Archived
- Move https://github.com/dart-lang/dart_docker to https://github.com/dart-archive
- Shutdown infra that is used to publish the docker old images.
Seg fault when building on Apple Silicon for linux/amd64 target - related to Dart SDK carat syntax in pubspec
See reproducible repo here: https://github.com/pattobrien/docker_dart_build_failure
Docker + Dart Build Failure
When building a Dart app for linux/amd64 on a MacOS (M1) machine, the build fails with a seg fault error (11).
However, when changing the dart sdk version in pubspec.yaml to use hyphen syntax (rather than carat),
the build succeeds.
# pubspec.yaml
name: docker_dart_build_failure
environment:
sdk: ^3.0.0
# sdk: ">=3.0.0 <4.0.0" # Uncomment this to fix the Docker build failuresI believe carat syntax has become the new default as of Dart 3 when running dart create, so its likely that the switch will cause more people to see the issue over time.
FWIW - I found several issues that mentioned similar seg faults with workarounds or insufficient reproducibility steps, so I dug into reproducing the issue. Hope this info helps out.
Requirements
A MacOS (M1) machine with docker installed.
❯ flutter doctor
Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 3.13.6, on macOS 13.5.2 22G91 darwin-arm64, locale en-US)
[!] Android toolchain - develop for Android devices (Android SDK version 33.0.0-rc1)
✗ Android license status unknown.
Run `flutter doctor --android-licenses` to accept the SDK licenses.
See https://flutter.dev/docs/get-started/install/macos#android-setup for more details.
[✓] Xcode - develop for iOS and macOS (Xcode 15.0.1)
[!] Android Studio (not installed)
[✓] VS Code (version 1.84.0)
[✓] VS Code (version 1.78.2)
[✓] Connected device (1 available)
[✓] Network resources
! Doctor found issues in 2 categories.
Steps to reproduce
Requirements: MacOS (M1)
- Clone the reproducible repo (or run
dart create docker_dart_build_failure, which defaults to using carat syntax for the dart sdk env variable). - Run
docker build --platform=linux/amd64 .to run the docker build command.
Observed Error
Seg fault error (11) when compiling the dart app.
❯ sh build.sh
[+] Building 5.8s (10/12) docker:desktop-linux
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 548B 0.0s
=> [internal] load metadata for docker.io/library/dart:stable 0.4s
=> [auth] library/dart:pull token for registry-1.docker.io 0.0s
=> [build 1/5] FROM docker.io/library/dart:stable@sha256:2432c3e2162542ee9d701b9d8524a3220f0182d37407382efa8fd782d1273e82 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 21.39kB 0.0s
=> CACHED [build 2/5] WORKDIR /app 0.0s
=> [build 3/5] COPY . . 0.0s
=> [build 4/5] RUN dart pub get 4.1s
=> ERROR [build 5/5] RUN dart compile exe bin/docker_dart_build_failure.dart -o bin/docker_dart_build_failure 1.2s
> [build 5/5] RUN dart compile exe bin/docker_dart_build_failure.dart -o bin/docker_dart_build_failure:
> 1.149
> 1.149 ===== CRASH =====
> 1.149 si_signo=Trace/breakpoint trap(5), si_code=1, si_addr=0xffff7e421d39
> 1.149 version=3.1.5 (stable) (Tue Oct 24 04:57:17 2023 +0000) on "linux_x64"
> 1.149 pid=15, thread=20, isolate_group=main(0x5555578ce540), isolate=main(0x5555578d0da0)
> 1.149 os=linux, arch=x64, comp=no, sim=no
> 1.149 isolate_instructions=ffff7e69f000, vm_instructions=55555739dd20
> 1.149 fp=7ffff5cfaa30, sp=7ffff5cfa9f8, pc=ffff7e421d39
...
> 1.149 pc 0x00005555574db7f8 fp 0x00007ffff5cfd6d0 dart::DartEntry::InvokeFunction+0xc8
> 1.149 pc 0x00005555574dd376 fp 0x00007ffff5cfd710 dart::DartLibraryCalls::HandleMessage+0x126
> 1.149 pc 0x00005555574f8b7f fp 0x00007ffff5cfdca0 dart::IsolateMessageHandler::HandleMessage+0x2bf
> 1.149 pc 0x000055555751a657 fp 0x00007ffff5cfdd10 dart::MessageHandler::HandleMessages+0x127
> 1.149 pc 0x000055555751ac44 fp 0x00007ffff5cfdd60 dart::MessageHandler::TaskCallback+0x1e4
> 1.149 pc 0x0000555557617ccb fp 0x00007ffff5cfdde0 dart::ThreadPool::WorkerLoop+0x14b
> 1.149 pc 0x0000555557617f68 fp 0x00007ffff5cfde10 dart::ThreadPool::Worker::Main+0x78
> 1.149 pc 0x00005555575a19a6 fp 0x00007ffff5cfded0 dart::ThreadStart+0xd6
> 1.149 -- End of DumpStackTrace
> 1.156 Error: AOT compilation failed
## 1.157 Generating AOT kernel dill failed!
## Dockerfile:8
6 | RUN dart pub get
7 |
8 | >>> RUN dart compile exe bin/docker_dart_build_failure.dart -o bin/docker_dart_build_failure
9 |
10 | # Build minimal serving image from AOT-compiled `/server` and required system
---
ERROR: failed to solve: process "/bin/sh -c dart compile exe bin/docker_dart_build_failure.dart -o bin/docker_dart_build_failure" did not complete successfully: exit code: 64
Request to support multi arch images for additional arm architectures
Issue originally created in subfuzion/dart-docker-slim repo. See discussion at: #11
Terminology for runtime image
I find the "scratch" terminology here a bit confusing.
The regular docker scratch image is indeed "scratch" as in "empty".
Could we say something like this?
# Create a minimal runtime environment for executing AOT-compiled Dart code
# with the smallest possible image size.
pub is unavailable on 2.17
Hi,
I'm using dart:2.17 in the-benchmarker/web-frameworks#5339
I have the following error
=> ERROR [4/7] RUN pub get --no-precompile
Should I change a PATH or anything ?
Regards,
Amazon ECR reports vulnerabilities for the dart development image
Hello, I firstly want to thank you for your hard work on this solution. I've managed to deploy a working container on Amazon ECR and running via ECS and EC2!
However I am getting a lot of vulnerabilities whenever the docker image is scanned by AWS's vulnerability checker:
Critical: 0
High: 8
Medium: 27
Low: 20
Informational: 54
Undefined: 5
Total: 114
The Dockerfile being used is configured as such:
FROM dart:stable
# Resolve app dependencies.
WORKDIR /app
COPY pubspec.* ./
RUN dart pub get
# Copy app source code and update packages
COPY . .
RUN dart pub get --offline
RUN dart run build_runner build --delete-conflicting-outputs
# Start server.
EXPOSE 12021
CMD ["dart", "bin/server.dart"]Would really appreciate some help on how to resolve this issue. Thanks so much in advance :)
These vulnerabilities are as follows:
| Name | Package | Severity | Description |
|---|---|---|---|
| CVE-2022-22823 | expat:2.2.6-2+deb10u1 | HIGH | build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. |
| CVE-2022-22824 | expat:2.2.6-2+deb10u1 | HIGH | defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. |
| CVE-2022-22822 | expat:2.2.6-2+deb10u1 | HIGH | addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. |
| CVE-2022-23852 | expat:2.2.6-2+deb10u1 | HIGH | Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. |
| CVE-2022-23219 | glibc:2.28-10 | HIGH | The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. |
| CVE-2019-25013 | glibc:2.28-10 | HIGH | The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. |
| CVE-2022-23218 | glibc:2.28-10 | HIGH | The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. |
| CVE-2021-33574 | glibc:2.28-10 | HIGH | The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. |
| CVE-2021-22947 | curl:7.64.0-4+deb10u2 | MEDIUM | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got before the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. |
| CVE-2021-22946 | curl:7.64.0-4+deb10u2 | MEDIUM | A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. |
| CVE-2021-22924 | curl:7.64.0-4+deb10u2 | MEDIUM | libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths case insensitively,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. |
| CVE-2022-22827 | expat:2.2.6-2+deb10u1 | MEDIUM | storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. |
| CVE-2021-45960 | expat:2.2.6-2+deb10u1 | MEDIUM | In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). |
| CVE-2022-22826 | expat:2.2.6-2+deb10u1 | MEDIUM | nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. |
| CVE-2022-22825 | expat:2.2.6-2+deb10u1 | MEDIUM | lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. |
| CVE-2021-46143 | expat:2.2.6-2+deb10u1 | MEDIUM | In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. |
| CVE-2018-12886 | gcc-8:8.3.0-6 | MEDIUM | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
| CVE-2021-40330 | git:1:2.20.1-2+deb10u3 | MEDIUM | git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. |
| CVE-2021-21300 | git:1:2.20.1-2+deb10u3 | MEDIUM | Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6. |
| CVE-2021-35942 | glibc:2.28-10 | MEDIUM | The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. |
| CVE-2020-1751 | glibc:2.28-10 | MEDIUM | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. |
| CVE-2021-3326 | glibc:2.28-10 | MEDIUM | The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. |
| CVE-2021-43618 | gmp:2:6.1.2+dfsg-4 | MEDIUM | GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. |
| CVE-2021-33560 | libgcrypt20:1.8.4-5+deb10u1 | MEDIUM | Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. |
| CVE-2019-12290 | libidn2:2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. |
| CVE-2019-13115 | libssh2:1.8.0-2.1 | MEDIUM | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. |
| CVE-2017-16932 | libxml2:2.9.4+dfsg1-7+deb10u2 | MEDIUM | parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. |
| CVE-2016-9318 | libxml2:2.9.4+dfsg1-7+deb10u2 | MEDIUM | libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. |
| CVE-2020-11080 | nghttp2:1.36.0-2+deb10u1 | MEDIUM | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. |
| CVE-2021-41617 | openssh:1:7.9p1-10+deb10u2 | MEDIUM | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. |
| CVE-2019-20454 | pcre2:10.32-5 | MEDIUM | An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. |
| CVE-2020-14155 | pcre3:2:8.39-12 | MEDIUM | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. |
| CVE-2020-16156 | perl:5.28.1-6+deb10u1 | MEDIUM | CPAN 2.28 allows Signature Verification Bypass. |
| CVE-2019-3844 | systemd:241-7~deb10u8 | MEDIUM | It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. |
| CVE-2019-3843 | systemd:241-7~deb10u8 | MEDIUM | It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. |
| CVE-2016-2781 | coreutils:8.30-3 | LOW | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
| CVE-2021-22898 | curl:7.64.0-4+deb10u2 | LOW | curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. |
| CVE-2019-15847 | gcc-8:8.3.0-6 | LOW | The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. |
| CVE-2020-6096 | glibc:2.28-10 | LOW | An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. |
| CVE-2021-27645 | glibc:2.28-10 | LOW | The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. |
| CVE-2019-19126 | glibc:2.28-10 | LOW | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. |
| CVE-2020-27618 | glibc:2.28-10 | LOW | The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. |
| CVE-2020-10029 | glibc:2.28-10 | LOW | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. |
| CVE-2020-1752 | glibc:2.28-10 | LOW | A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32. |
| CVE-2016-10228 | glibc:2.28-10 | LOW | The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. |
| CVE-2019-14855 | gnupg2:2.2.12-1+deb10u1 | LOW | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. |
| CVE-2019-13627 | libgcrypt20:1.8.4-5+deb10u1 | LOW | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. |
| CVE-2021-36086 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list). |
| CVE-2021-36087 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block. |
| CVE-2021-36084 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper). |
| CVE-2021-36085 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map). |
| CVE-2019-17498 | libssh2:1.8.0-2.1 | LOW | In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. |
| CVE-2019-17543 | lz4:1.8.3-1+deb10u1 | LOW | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
| CVE-2018-7169 | shadow:1:4.5-1.1 | LOW | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. |
| CVE-2021-37600 | util-linux:2.33.1-0.1 | LOW | ** DISPUTED ** An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments. |
| CVE-2011-3374 | apt:1.8.2.3 | INFORMATIONAL | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. |
| CVE-2019-18276 | bash:5.0-4 | INFORMATIONAL | An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. |
| CVE-2017-18018 | coreutils:8.30-3 | INFORMATIONAL | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. |
| CVE-2021-22922 | curl:7.64.0-4+deb10u2 | INFORMATIONAL | When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. |
| CVE-2021-22923 | curl:7.64.0-4+deb10u2 | INFORMATIONAL | When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. |
| CVE-2013-0340 | expat:2.2.6-2+deb10u1 | INFORMATIONAL | expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. |
| CVE-2018-1000021 | git:1:2.20.1-2+deb10u3 | INFORMATIONAL | GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack). |
| CVE-2019-1010025 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." |
| CVE-2019-1010023 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." |
| CVE-2019-1010024 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." |
| CVE-2010-4756 | glibc:2.28-10 | INFORMATIONAL | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. |
| CVE-2019-9192 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern. |
| CVE-2019-1010022 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." |
| CVE-2018-20796 | glibc:2.28-10 | INFORMATIONAL | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. |
| CVE-2011-3389 | gnutls28:3.6.7-4+deb10u7 | INFORMATIONAL | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. |
| CVE-2004-0971 | krb5:1.17-3+deb10u3 | INFORMATIONAL | The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. |
| CVE-2018-5709 | krb5:1.17-3+deb10u3 | INFORMATIONAL | An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. |
| CVE-2018-6829 | libgcrypt20:1.8.4-5+deb10u1 | INFORMATIONAL | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. |
| CVE-2019-9893 | libseccomp:2.3.3-4 | INFORMATIONAL | libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations. |
| CVE-2018-1000654 | libtasn1-6:4.13-3 | INFORMATIONAL | GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. |
| CVE-2021-39537 | ncurses:6.1+20181013-2+deb10u2 | INFORMATIONAL | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. |
| CVE-2020-15719 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. |
| CVE-2017-14159 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. |
| CVE-2015-3276 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. |
| CVE-2017-17740 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. |
| CVE-2016-20012 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. |
| CVE-2007-2243 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. |
| CVE-2020-14145 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. |
| CVE-2020-12062 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | ** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances." |
| CVE-2018-15919 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' |
| CVE-2008-3234 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username. |
| CVE-2020-15778 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | ** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." |
| CVE-2019-16905 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH. |
| CVE-2007-2768 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. |
| CVE-2019-6110 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. |
| CVE-2007-6755 | openssl:1.1.1d-0+deb10u7 | INFORMATIONAL | The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE. |
| CVE-2010-0928 | openssl:1.1.1d-0+deb10u7 | INFORMATIONAL | OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." |
| CVE-2019-20838 | pcre3:2:8.39-12 | INFORMATIONAL | libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. |
| CVE-2017-16231 | pcre3:2:8.39-12 | INFORMATIONAL | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. |
| CVE-2017-11164 | pcre3:2:8.39-12 | INFORMATIONAL | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
| CVE-2017-7246 | pcre3:2:8.39-12 | INFORMATIONAL | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. |
| CVE-2017-7245 | pcre3:2:8.39-12 | INFORMATIONAL | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. |
| CVE-2011-4116 | perl:5.28.1-6+deb10u1 | INFORMATIONAL | _is_safe in the File::Temp module for Perl does not properly handle symlinks. |
| CVE-2019-19882 | shadow:1:4.5-1.1 | INFORMATIONAL | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). |
| CVE-2007-5686 | shadow:1:4.5-1.1 | INFORMATIONAL | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. |
Handshake error in dart client using this dart docker image when calling kubernetes api from inside pod
EDIT: Not considered an issue of dart-docker.
Any example of how to use the Dart VM for local development with Docker?
This may be out of the scope of this project and if so, my apologies, but I'm trying to setup Dart with Docker in such a way that I can use the Dart VM instead of an AoT executable. I want to do this to support local development as if I was running dart run.
I'm so very close to having it working but Im not sure what I need to change to get it to successfully run!
My issue seems to be stemming from errors that look like this:
lib/controllers/account_controller.dart:7:8: Error: Error when reading '/Users/bradcypert/.pub-cache/hosted/pub.dartlang.org/steward-0.1.0/lib/steward.dart': No such file or directory
lib/models/license.dart:1:8: Error: Error when reading '/Users/bradcypert/.pub-cache/hosted/pub.dartlang.org/stormberry-0.4.0/lib/stormberry.dart': No such file or directory
lib/models/account.dart:3:8: Error: Error when reading '/Users/bradcypert/.pub-cache/hosted/pub.dartlang.org/uuid-3.0.5/lib/uuid.dart': No such file or directory
Namely, any and all of my dependencies are not being found when running inside of the container. It looks like you can set the pub cache directory via an environment variable, and I had some success setting that to my local directory, but then running the application outside of docker becomes a pain. I have those dependencies installed locally and I can run my app by running dart run lib/app.dart as long as I'm not running the app through docker (but this isnt ideal).
I've tried running the AoT version shared in this project but a library that im using uses Dart Mirrors, too.
Any tips?
Thanks and files are attached for context.
Here's my dockerfile:
FROM dart:2.16
WORKDIR /app
COPY . /app
RUN dart pub get
CMD /bin/bash -c "dart run lib/app.dart"and my compose:
version: "3.9"
services:
server:
build: .
ports:
- "4040:4040"
volumes:
- .:/appOnly root user can run /usr/lib/dart/bin/dart
Inside of /usr/lib the dart directory stands alone as only being accessible by root:
:/usr/lib$ ls -la
total 64
drwxr-xr-x 1 root root 4096 Jun 3 14:26 .
drwxr-xr-x 1 root root 4096 May 11 00:00 ..
drwxr-xr-x 5 root root 4096 May 11 00:00 apt
drwx------ 5 root root 4096 May 21 11:03 dart
drwxr-xr-x 3 root root 4096 Dec 7 2020 dpkg
drwxr-xr-x 3 root root 4096 Apr 6 2019 gcc
drwxr-xr-x 3 root root 4096 Jun 3 14:26 git-core
drwxr-xr-x 3 root root 4096 May 1 2019 locale
drwxr-xr-x 1 root root 4096 Apr 23 2019 mime
drwxr-xr-x 2 root root 4096 Jun 3 14:26 openssh
-rw-r--r-- 1 root root 261 Mar 19 23:44 os-release
drwxr-xr-x 2 root root 4096 Dec 19 2019 sasl2
drwxr-xr-x 3 root root 4096 Jun 3 14:26 ssl
drwxr-xr-x 3 root root 4096 Jun 3 14:26 systemd
drwxr-xr-x 2 root root 4096 May 11 00:00 tmpfiles.d
drwxr-xr-x 1 root root 4096 Jun 3 14:26 x86_64-linux-gnuThis means that any containers built to use a non root user need a workaround in the Dockerfile like:
RUN chmod -R 755 /usr/lib/dart/In the case where I tripped across this I'm not doing a two stage build to create and copy an AOT binary because I need dart run --observe to profile memory usage.
Changes in my source code are not included when rebuilding Docker container
I've made changes to my source code (for my Dart API server) but when rebuilding its Docker container (docker-compose up -d dartserver), those changes are not shown. It seems the original source code is not rebuilt. Am I missing something?
I've run my Dart server from my IDE with Postman and all is OK, my problem is when rebuilding my Dart container.
I've not modified Dockerfile file found in my Dart project.
I thought it is maybe a problem with Git so I deleted .git directory with same result.
Sqlite3
What would be the best way to include Sqlite3 into the image so that it can be used by packages such as https://pub.dev/packages/drift?
Fix image in official docs repo
Need a scaled down image that doesn't scale so large. The current Dart logo is taking up a full page's worth of real estate in Docker Hub (see: https://hub.docker.com/_/dart). The fix should be pushed to the official docs repo to replace dart/logo.png: https://github.com/docker-library/docs/tree/master/dart
Add "$HOME/.pub-cache/bin" to the PATH
It would be great if the "$HOME/.pub-cache/bin" path would be part of the image's PATH variable:
One case this is interesting is for a CI step which installs an executable dart package via dart pub global activate.
If the mentioned path would be in PATH those executables could be run using their name directly and omitting recompilation on multiple calls.
Dart sqlcipher simple
We have an API that uses sqlcipher,
We have included sqlcipher binary in the bin folder and then copied it to dockerfile to container but docker filed to start sqlcipher.
can you please help us with how we can include sqlcipher in a dart docker container?
Use newer Debian stable base image than debian:bullseye-slim
The image template here presently starts FROM debian:bullseye-slim, which uses the (now) oldstable release.
Debian 12 "Bookworm" is the present stable release (since Jul 2023).
Debian 11 "Bullseye" isn't scheduled for end of life until ~2024-07, but it would be good to get ahead of that.
No linux/arm/v7 image for 2.17.6
There's a linux/arm/v7 image carrying Dart version 2.17.5 with a digest of d6828fadccac that's found its way into the latest, stable-sdk, stable, sdk, 2.17-sdk, 2.17, 2-sdk and 2 tags:
But there doesn't (yet) seem to be a linux/arm/v7 image with Dart version 2.17.6, and so the 2.17.6 or 2.17.6-sdk tags only have linux/amd64 and linux/arm64/v8:
This happened before with #93 so there seems to be an intermittent issue with the automated build process.
Crash when building linux/amd64 image on arm64
When I try to build an image for a Dart app on an Apple Silicon device, but for linux/amd64, running dart pub get crashes with a segmentation fault.
docker build --platform linux/amd64 .
FROM dart
RUN cat > pubspec.yaml <<EOF
name: foo
dependencies:
http: ^1.0.0
EOF
RUN dart pub get[+] Building 2.0s (6/6) FINISHED docker:desktop-linux
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 183B 0.0s
=> [internal] load metadata for docker.io/library/dart:latest 0.6s
=> CACHED [1/3] FROM docker.io/library/dart@sha256:faf300f790cadb2e34182dd75c5f14642e21c625396055a16aa967170dfb71d7 0.0s
=> [2/3] RUN cat > pubspec.yaml <<EOF 0.1s
=> ERROR [3/3] RUN dart pub get 1.3s
------
> [3/3] RUN dart pub get:
1.120 Resolving dependencies...
1.235 pubspec.yaml has no lower-bound SDK constraint.
1.235 You should edit pubspec.yaml to contain an SDK constraint:
1.235
1.235 environment:
1.235 sdk: '^3.0.0'
1.235
1.235 See https://dart.dev/go/sdk-constraint
1.252
1.252 ===== CRASH =====
1.252 si_signo=Segmentation fault(11), si_code=1, si_addr=0x808080808080809f
1.252 version=3.0.7 (stable) (Mon Jul 24 13:17:56 2023 +0000) on "linux_x64"
1.252 pid=8, thread=16, isolate_group=dartdev(0x40032cd800), isolate=dartdev(0x40032cf000)
1.252 os=linux, arch=x64, comp=no, sim=no
1.252 isolate_instructions=ffff7f53d000, vm_instructions=40021123e0
1.252 fp=400a553e00, sp=400a553dd8, pc=ffff7f704cf9
1.253 pc 0x0000ffff7f704cf9 fp 0x000000400a553e00 Unknown symbol
1.253 pc 0x0000ffff7f70633c fp 0x000000400a553e28 Unknown symbol
1.253 pc 0x0000ffff7e79837c fp 0x000000400a553e50 Unknown symbol
1.253 pc 0x0000ffff7e796c57 fp 0x000000400a553ea8 Unknown symbol
1.253 pc 0x0000ffff7e793f5d fp 0x000000400a553ef8 Unknown symbol
1.253 pc 0x0000ffff7e793bc0 fp 0x000000400a553f30 Unknown symbol
1.253 pc 0x0000ffff7e793a41 fp 0x000000400a553f70 Unknown symbol
1.253 pc 0x0000ffff7f70646e fp 0x000000400a553fa8 Unknown symbol
1.253 pc 0x0000ffff7e793977 fp 0x000000400a553fd8 Unknown symbol
1.253 pc 0x0000ffff7e79389f fp 0x000000400a554010 Unknown symbol
1.253 pc 0x0000ffff7e78edd3 fp 0x000000400a554070 Unknown symbol
1.253 pc 0x0000ffff7f2a0c65 fp 0x000000400a554128 Unknown symbol
1.253 pc 0x0000ffff7e78d33b fp 0x000000400a554178 Unknown symbol
1.253 pc 0x0000ffff7e78e7f6 fp 0x000000400a5541d8 Unknown symbol
1.253 pc 0x0000ffff7e78c7d5 fp 0x000000400a554260 Unknown symbol
1.253 pc 0x0000ffff7e78be16 fp 0x000000400a5542c8 Unknown symbol
1.253 pc 0x0000ffff7f585a13 fp 0x000000400a554348 Unknown symbol
1.253 pc 0x0000ffff7e789e2d fp 0x000000400a554390 Unknown symbol
1.253 pc 0x0000ffff7e789d13 fp 0x000000400a5543d8 Unknown symbol
1.253 pc 0x0000ffff7f58325d fp 0x000000400a554420 Unknown symbol
1.253 pc 0x0000ffff7f5833c5 fp 0x000000400a554460 Unknown symbol
1.253 pc 0x0000ffff7f5835c6 fp 0x000000400a554488 Unknown symbol
1.253 pc 0x0000ffff7f5d9b69 fp 0x000000400a5544c8 Unknown symbol
1.253 pc 0x0000ffff7f5dbc72 fp 0x000000400a554508 Unknown symbol
1.253 pc 0x0000ffff7f702f0c fp 0x000000400a554580 Unknown symbol
1.255 pc 0x000000400227c478 fp 0x000000400a554610 dart::DartEntry::InvokeCode(dart::Code const&, unsigned long, dart::Array const&, dart::Array const&, dart::Thread*)+0x128
1.255 pc 0x000000400227c2fd fp 0x000000400a554670 dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long)+0xed
1.255 pc 0x000000400227e05e fp 0x000000400a5546b0 dart::DartLibraryCalls::HandleMessage(long, dart::Instance const&)+0x12e
1.256 pc 0x000000400229d91f fp 0x000000400a554c40 dart::IsolateMessageHandler::HandleMessage(std::__2::unique_ptr<dart::Message, std::__2::default_delete<dart::Message>>)+0x2bf
1.256 pc 0x00000040022c2527 fp 0x000000400a554cb0 dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool)+0x127
1.257 pc 0x00000040022c2b54 fp 0x000000400a554d00 dart::MessageHandler::TaskCallback()+0x1e4
1.257 pc 0x00000040023d00db fp 0x000000400a554d80 dart::ThreadPool::WorkerLoop(dart::ThreadPool::Worker*)+0x14b
1.257 pc 0x00000040023d0528 fp 0x000000400a554db0 dart::ThreadPool::Worker::Main(unsigned long)+0x78
1.258 pc 0x00000040023539d6 fp 0x000000400a554e70 dart+0x23539d6
1.258 -- End of DumpStackTrace
1.258 qemu: uncaught target signal 6 (Aborted) - core dumped
1.264 Aborted
------
Dockerfile:9
--------------------
7 | EOF
8 |
9 | >>> RUN dart pub get
10 |
--------------------
ERROR: failed to solve: process "/bin/sh -c dart pub get" did not complete successfully: exit code: 134
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.