In our CI systems, we should be sure to never do a download of packages. We've had a few instances where the fetch_or_download errored, and the script interpreted that as a missing file. So the script happily did another download and continued.

In ubuntu 16, the timezone was set to etc/utc by default, in ubuntu 18 a default timezone is not set, which causes a configuration dialog to show up when apt-get installing tzdata.

$ docker pull gcr.io/gcp-runtimes/ubuntu_16_0_4
$ docker run --rm -it gcr.io/gcp-runtimes/ubuntu_16_0_4 ls -l /etc/localtime
lrwxrwxrwx 1 root root 27 Jan 1 1970 /etc/localtime -> /usr/share/zoneinfo/Etc/UTC

$ docker pull gcr.io/google-appengine-qa/ubuntu_18_0_4:beta
$ docker run --rm -it gcr.io/google-appengine-qa/ubuntu_18_0_4:beta ls -l /etc/localtime
ls: cannot access '/etc/localtime': No such file or directory

We currently use the :latest tag to get the newest ubuntu 16 images for development and for nightly builds and would like to continue to do so with ubuntu 18.

The current README.md states that the Ubuntu images are still works in progress and that the builds are not reproducible. I'm not sure what reproducibility means in this context, too.

The commits that update that portion of the README.md were made around a year ago. Is this still accurate? Nothing in the managed base images documentation mentions WIP or reproducibility. Similarly, nothing in the marketplace make any such mention.

Are these Ubuntu images production ready?

Thanks!

CONTRIB.md says that developers should test changes with make all DEBIAN_SUITE=jessie, but this gives an error message:

cd mkdebootstrap && docker build \
		-t google/mkdebootstrap \
		--build-arg DOCKER_VERSION=1.11.2 \
		.
unable to prepare context: unable to evaluate symlinks in Dockerfile path: lstat /usr/local/google/home/dgreiman/code/github/debian-docker/mkdebootstrap/Dockerfile: no such file or directory
make: *** [mkdebootstrap] Error 1

I think the instructions should instead be something like ./build.sh -r 'gcr.io/cloud-python-runtime-qa' -v jessie except using some other project name. And the Makefile should be updated or removed.

I am trying to install net-tools , tcpdump & curl in marketplace.gcr.io/google/centos7:latest image.

It fails with error

Failed:
  setup.noarch 0:2.8.71-10.el7

Other errors in the yum install

  Installing : setup-2.8.71-10.el7.noarch                                 8/114Error unpacking rpm package setup-2.8.71-10.el7.noarch

warning: /etc/group created as /etc/group.rpmnew
warning: /etc/gshadow created as /etc/gshadow.rpmnew
error: unpacking of archive failed on file /etc/hosts: cpio: rename
  Installing : filesystem-3.2-25.el7.x86_64                               9/114
error: setup-2.8.71-10.el7.noarch: install failed

Any solution?

I have difficulties finding the actual list of installed packages and tools in this repo. This would be beneficial to update the Dockerfile in case of a change.

Hi
is it planned to build the Debian slim variants as well?
They are used a lot nowadays.

Thanks

Hi,
Can't use yum in the latest base image, rpm -q --qf '%{version}\n' centos-release is used by yum to calculate $releasever.

On the previous release:

[atcloud@sauron-web-5b699b9778-6c6zk app]$ rpm -q --qf '%{version}\n' centos-release
7

On the current release:

[root@0aaf79f74e0e app]# rpm -q --qf '%{version}\n' centos-release
package centos-release is not installed

I worked around this by doing echo 7 > /etc/yum/vars/releasever.

Debian jessie is stable now and contains newer versions of lots of software over wheezy (e.g, python 3.4 over 3.2).

I'm trying to use launcher.gcr.io/google/ubuntu18_04 for a custom build container on GCP Cloud build but I can't build the container due to missing manifest.

Dockerfile:

FROM launcher.gcr.io/google/ubuntu18_04

RUN apt-get update && \
  apt-get -y install zip

ENTRYPOINT ["zip"]

Cloud Build Log

BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
Sending build context to Docker daemon  3.072kB


Step 1/3 : FROM launcher.gcr.io/google/ubuntu18_04
manifest for launcher.gcr.io/google/ubuntu18_04:latest not found
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: exit status 1

Internal discussion at:
https://groups.google.com/a/google.com/forum/#!topic/container-tools/AvEPvV63axk

Lets make sure, as i pointed out in the thread, the download_pkgs test is the culprit and move the https://github.com/GoogleCloudPlatform/base-images-docker/blob/master/tests/package_managers/BUILD#L39 to ROOT/integration.
That way we can still keep the commit hook as is.

Hello,

I've been trying to find what documentation I can but so far have been unable to get packages like curl installed into my image.

Currently my WORKSPACE file looks like:

load(
    "@io_bazel_rules_docker//container:container.bzl",
    "container_pull",
)

container_pull(
    name = "ubuntu_python",
    registry = "index.docker.io",
    repository = "library/ubuntu",
    tag = "14.04",
    digest = "sha256:2feffff9eeca4e736f9f8e57813a97fe930554f474f7795ffa5a9261adeaaf44",
)

And then in the relevant build file I have the following:

load("@io_bazel_rules_docker//container:container.bzl", "container_image")
load("@base_images_docker//package_managers:download_pkgs.bzl", "download_pkgs")
load("@base_images_docker//package_managers:install_pkgs.bzl", "install_pkgs")

download_pkgs(
    name = "anvil_builder_pkgs",
    image_tar = "@ubuntu_python//image",
    packages = ["curl"],
)

install_pkgs(
    name = "anvil_builder_install_pkgs",
    image_tar = "@ubuntu_python//image",
    installables_tar = ":anvil_builder_pkgs",
    output_image_name = "anvil_image",
)

container_image(
    name = "anvil_builder",
    base = ":anvil_builder_install_pkgs",
    cmd = ["/etc"],
    tars = [":anvil_tar"]
)

The :anvil_builder target runs successfully and the contents of my anvil_tar are in the image, but curl remains unavailable.

Any help would be appreciated. I believe documentation as mentioned here: #222 would help.

CentOS 7 base image build works with docker, but not with rootless buildah/podman due to yum failure in chroot.sh. For the detailed log, refer to centos7-buildah-podman.log. For even more details, refer to issue #1657 on the container/buildah repo.

1. $buildah bud -f Dockerfile.build -t builder .
2. $podman run --privileged -v $(pwd):/workspace builder /build.sh

In running yum -y -q --releasever=7 install yum centos-release in chroot.sh,

... snip ...
error: Failed to initialize NSS library
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

cannot import name ts

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Apr 9 2019, 14:30:50)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq

These should be available sometime next week. Daily builds seem to be up already in https://partner-images.canonical.com/core/bionic/current/

These base images are available in the GCR cloud-marketplace on GCP, so I assumed that using these managed images for builds and runtime on GCP would also mean that scanning for vulnerabilities would work.

The CentOS official library base, from which the Centos image in this repo is based, scans fine, but the Bazel base build here cannot be scanned by all major scanners including Google's own API containerscanning.googleapis.com

Scanners tested:

• twistlock
• aqua trivy
• aqua csp
• clair
• containerscanning.googleapis.com

They all fail with errors and or fail to read OS packages correctly.

containerscanning.googleapis.com fails with "Not supported"

This is something I've been poking around at lately. I'm opening this issue to track progress.

@kevingessner opened an GoogleContainerTools/distroless#181 where download_pkgs and install_pkgs can be useful to them.
Document these.

Write now the workaround it is to use the script which explicitly call the "_fetch" target.
https://github.com/GoogleCloudPlatform/base-images-docker/blob/master/bootstrap_image.sh#L43

Here is an issue to track recommended improvements to the Ubuntu image:

• Add curl and ca-certificates to the 'ubuntu' base image
• Evaluate the debian configuration done in mkdebootstrap.sh and copy any necessary changes to the Ubuntu image configuration

send email to [email protected]

When called in the base dir, this replace matches this path and replaces it as well, causing the file not to be found.

For the Debian 9 base image, could downloading packages via TLS be added?

I can create a pull request for this that edits the shell script that builds this image to get started.

This is from something similar I've done that would give you an idea about how the pull request would look:

RUN apt update && apt install -y apt-transport-https git ca-certificates

RUN rm -f /etc/apt/sources.list \
  && echo "deb https://deb.debian.org/debian stretch main" > /etc/apt/sources.list \
  && echo "deb https://deb.debian.org/debian stretch-updates main" >> /etc/apt/sources.list \
  && echo "deb https://deb.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list

NOTE: Also open to other suggestions like maybe adding a README file or putting how to do this somewhere in the comments.

Google maintains these images and makes them available, partially for "auditability", and partially as a convenience to Google Cloud Customers (e.g. see the documentation at the following page). It would be great if we could get Debian 10 included, now that is the stable distribution of Debian.

https://cloud.google.com/container-registry/docs/managed-base-images

cc @dlorenc @sharifelgamal

unsure if these are applicable to Debian, but creating this bug to track here. my original comment:

I'm imagining something like installing and running a list of software packages, or maybe even a language runtime, and just checking certain simple interactions between the software and Debian itself (syscalls, etc). Maybe these are more integration tests of the underlying software and not Debian.

just sparking a little discussion on whether we think these apply to Debian at all. can close if we decide they're not going to happen.

Tasks:

• Add machineid
• Update documentation
• Remove makefile, old build system
• Verify a container-diff output, make sure we're not breaking anything
• Add a buster build.

Hi,

I've been trying to build the image gcr.io/gcp-runtimes/ubuntu_16_0_4:latest
using following commands with
bazel 3.6.0
Docker version 19.03.8
OS : "Ubuntu18.04"

bazel run   //ubuntu:bootstrap_ubuntu_16_0_4 

output:

base-images-docker/ubuntu# bazel run   //ubuntu:bootstrap_ubuntu_16_0_4
DEBUG: Rule 'bazel_skylib' indicated that a canonical reproducible form can be obtained by modifying arguments commit = "f83cb8dd6f5658bc574ccd873e25197055265d1c", shallow_since = "1543273402 -0500" and dropping ["tag"]
DEBUG: Repository bazel_skylib instantiated at:
  no stack (--record_rule_instantiation_callstack not enabled)
Repository rule git_repository defined at:
  /root/.cache/bazel/_bazel_root/7ca5a63e7fc307a47a39afc1190ef7e9/external/bazel_tools/tools/build_defs/repo/git.bzl:199:33: in <toplevel>
DEBUG: Rule 'distroless' indicated that a canonical reproducible form can be obtained by modifying arguments shallow_since = "1553880894 -0400"
DEBUG: Repository distroless instantiated at:
  no stack (--record_rule_instantiation_callstack not enabled)
Repository rule git_repository defined at:
  /root/.cache/bazel/_bazel_root/7ca5a63e7fc307a47a39afc1190ef7e9/external/bazel_tools/tools/build_defs/repo/git.bzl:199:33: in <toplevel>
ERROR: /root/siddesh/bazel/base-images-docker/store/git/BUILD:17:10: no such package '@bazel_tools//third_party/py/gflags': BUILD file not found in directory 'third_party/py/gflags' of external repository @bazel_tools. Add a BUILD file to a directory to mark it as a package. and referenced by '//store/git:git'
ERROR: Analysis of target '//ubuntu:bootstrap_ubuntu_16_0_4' failed; build aborted: Analysis failed
INFO: Elapsed time: 0.501s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (2 packages loaded, 0 targets configured)
FAILED: Build did NOT complete successfully (2 packages loaded, 0 targets configured)
    Fetching @local_config_cc; fetching
    Fetching @six; fetching

Is this the correct approach ? Any help would be appreciated.

I was not able to build image using official steps here : https://github.com/GoogleContainerTools/base-images-docker/blob/master/CONTRIB.md
#2867 .

Ubuntu 16.04 LTS reached the end of standard support in April 2021. Updates are only provided through Extended Security Maintenance (ESM) which must be purchased from Canonical¹. The latest publicly-available version of Ubuntu 16.04 LTS is affected by 343 CVEs.

This image should be dropped out of security concerns. Base images are available for Ubuntu 18.04 LTS and 20.04 LTS, which remain under standard support.

When running apt-get update on the latest image, there are two packages that are out of date:

base-files: Container: 9.9+deb9u2; Latest: 9.9+deb9u3
sensible-utils: Container: 0.0.9; Latest: 0.0.9+deb9u1

Looking at the Debian changelog, these are unimportant, but I'm a bit surprised that the base-files update dated "Sun, 19 Nov 2017 16:25:10 +0100" in the Changelog is missing. The sensible-utils one makes more sense: It is a security update from 2017-12-20.

AFAICT, the WORKSPACE specifies DEB_SNAPSHOT = "20171218T034107Z". I grabbed Packages.gz from: http://snapshot.debian.org/archive/debian/20171218T034107Z/dists/stretch/main/binary-amd64/

It clearly contains a reference base-files version 9.9+deb9u3, which should be what is picked up by the bazel rules ... I think. Is it possible that something went wrong when building this release?

I'm referring to the container with sha256:6c76ed9ff726a1433243c3c2e8806e4f2ef2cbacddaca7c9e15f7d4312b1bb9f

@xingao267 while testing python-dev package inside the docker image encountered the following issue:

dpkg: regarding ./python_2.7.9-1_amd64.deb containing python, pre-dependency problem:
 python pre-depends on python-minimal (= 2.7.9-1)
  python-minimal is unpacked, but has never been configured.

dpkg: error processing archive ./python_2.7.9-1_amd64.deb (--install):
 pre-dependency problem - not installing python
dpkg: dependency problems prevent configuration of python-dev:
 python-dev depends on python (= 2.7.9-1); however:
  Package python is not installed.

dpkg: error processing package python-dev (--install):
 dependency problems - leaving unconfigured

This leaves the image in a half installed state.
If you check the dpkg status file, the python-dev image is unpacked

Package: python-dev
Status: install ok unpacked

Package: python
Status: install ok not-installed

Running dpkg --configure returns error:

dpkg --configure -a
dpkg: dependency problems prevent configuration of python-dev:
 python-dev depends on python (= 2.7.13-2); however:
  Package python is not installed.

dpkg: error processing package python-dev (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 python-dev

If you run --yet-to-unpack you will see python not unpacked.

dpkg --yet-to-unpack
 python               (no description available)

Steps to recover from here:

1. Unpack the deb in question

root@e85c2a4efe3e:/# dpkg --unpack /var/cache/apt/archives/python_2.7.13-2_amd64.deb 
(Reading database ... 11259 files and directories currently installed.)
Preparing to unpack .../python_2.7.13-2_amd64.deb ...
Unpacking python (2.7.13-2) ...
root@e85c2a4efe3e:/# dpkg --yet-to-unpack
root@e85c2a4efe3e:/# 

2. Configure the packages now.

root@e85c2a4efe3e:/# dpkg --configure -a
Setting up python (2.7.13-2) ...
Setting up python-dev (2.7.13-2) ...
root@e85c2a4efe3e:/# 

Change the install commands to

1. Add --force-depends flag to dpkg -i to install the dependencies
   Why not use --unpack first and then configure as mentioned in the steps above?
   Well, install does a lot more than unpack. You can see the details in man pages for dpkg.
2. Run dpkg --configure -a command

For centos builds
docker run --privileged -v $(pwd):/workspace builder /build.sh

mounting $(pwd) results in base-images-docker/centos but build.sh looks for: tar -C /target -cf /workspace/centos/layer.tar .

and it fails because /workspace/centos dir doesn't exist (host side will be centos/centos).

Either need to mount one dir up $(pwd)/..:/workspace or cd to one dir and to start the builder.

OS : "Ubuntu18.04.3"
Bazel version: 3.5.1

output:

..../base-images-docker# bazel build //...
Starting local Bazel server and connecting to it...
INFO: Repository package_bundle instantiated at:
  no stack (--record_rule_instantiation_callstack not enabled)
Repository rule _dpkg_list defined at:
  /root/.cache/bazel/_bazel_root/79717b8c2447ffa4376fe3fac2b3fb22/external/distroless/package_manager/dpkg.bzl:19:29: in <toplevel>
ERROR: An error occurred during the fetch of repository 'package_bundle':
   Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/79717b8c2447ffa4376fe3fac2b3fb22/external/distroless/package_manager/dpkg.bzl", line 10, column 34, in _dpkg_list_impl
                "--package-files", ",".join([repository_ctx.path(src_path) for src_path in repository_ctx.attr.sources]),
Error in join: expected string for sequence element 0, got 'path'
ERROR: no such package '@package_bundle//file': expected string for sequence element 0, got 'path'
INFO: Elapsed time: 7.383s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (16 packages loaded)
    currently loading: debian/reproducible

Context: I need to use the shell form ENTRYPOINT to be able to do variable substitution e.g.
ENTRYPOINT exec java -javaagent:dd-java-agent.jar ${JAVA_OPTS} -jar /app.jar.

It seems that container-structure-test does not support the shell form, as it fails when I run an entrypoint validation like so:

  entrypoint: ["/bin/sh", "-c", "exec", "java", "-javaagent:dd-java-agent.jar", "${JAVA_OPTS}", "-jar", "/app.jar"]

(I've also tried substituting JAVA_OPTS with a literal value)
and the test fails with the following error:

Error

=== RUN: Metadata Test
--- FAIL
duration: 0s
Error: Image entrypoint [/bin/sh -c exec java -javaagent:dd-java-agent.jar ${JAVA_OPTS} -jar /app.jar] does not match expected entrypoint: [/bin/sh -c exec java -javaagent:dd-java-agent.jar ${JAVA_OPTS} -jar /app.jar]

Will this be supported and/or is there a workaround for this?

$ docker pull gcr.io/cloud-marketplace/google/ubuntu16_04@sha256:5125aac627c68226c6ad6083d0e3419bc6252bea1eb9d6e7258ecfd67233d655
sha256:5125aac627c68226c6ad6083d0e3419bc6252bea1eb9d6e7258ecfd67233d655: Pulling from cloud-marketplace/google/ubuntu16_04
Digest: sha256:5125aac627c68226c6ad6083d0e3419bc6252bea1eb9d6e7258ecfd67233d655
Status: Image is up to date for gcr.io/cloud-marketplace/google/ubuntu16_04@sha256:5125aac627c68226c6ad6083d0e3419bc6252bea1eb9d6e7258ecfd67233d655

$ docker inspect gcr.io/cloud-marketplace/google/ubuntu16_04@sha256:5125aac627c68226c6ad6083d0e3419bc6252bea1eb9d6e7258ecfd67233d655

It shows the CMD is set to "/tmp/installer.sh", which doesn't seem to be right?

I checked the debian8 one, it was set to
[
"/bin/sh",
"-c",
"/bin/bash"
],

@dlorenc is this published as gcr.io/google-appengine/debian8?

Currently install_pkgs deletes all the appropriate files and resets the created ts of its generated docker image properly, but still needs to reset the access/modified time of each file in each of its layers. We should import tar_to_dockerimage.py from runtimes-common/ftl and use that to open up the tarballs for each layer and iterate through its files and strip away its timestamps.

Once index.docker.io support multiple trusted build per repo.

This repo is not restricted to producing debian images.
Currently we also produce node images and going forward we want to add ubuntu as well.
Hence we are thinking of rename this to more suitable name base-images-docker.

Ubuntu 20.04 LTS was released last year.
https://wiki.ubuntu.com/FocalFossa/ReleaseNotes

When will it be available in marketplace.gcr.io/google?

Hi,

I wondering if we can use these "base images" to create images that will be run outside the Google platform or if there are some restrictions ?

regards,
Eric

CVE scanners fail to read OS packages in the Centos7 image

Related: #912

Scanners tested:

• twistlock
• aqua trivy
• aqua csp
• clair
• containerscanning.googleapis.com

They all fail with errors and or fail to read OS packages correctly.

containerscanning.googleapis.com fails with "Not supported"

Output of trivy scan with -debug mode:

trivy -d gcr.io/cloud-marketplace/google/centos7:latest
2020-02-19T11:54:26.172+1100    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2020-02-19T11:54:26.173+1100    WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2020-02-19T11:54:26.173+1100    DEBUG   cache dir: ~/Library/Caches/trivy
2020-02-19T11:54:26.177+1100    DEBUG   DB update was skipped because DB is the latest
2020-02-19T11:54:26.177+1100    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2020-02-19 00:11:37.370796627 +0000 UTC, NextUpdate: 2020-02-19 12:11:37.370796227 +0000 UTC
2020-02-19T11:54:26.178+1100    DEBUG   Vulnerability type:  [os library]
2020-02-19T11:54:26.399+1100    DEBUG   OS family: centos, OS version: 7.7.1908
2020-02-19T11:54:26.401+1100    FATAL   error in image scan:
    github.com/aquasecurity/trivy/internal/standalone.run
        /home/circleci/project/internal/standalone/run.go:73
  - failed to scan the image:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanImage
        /home/circleci/project/pkg/scanner/scan.go:102
  - failed to analyze OS packages:
    github.com/aquasecurity/trivy/pkg/scanner/ospkg.Scanner.Scan
        /home/circleci/project/pkg/scanner/ospkg/scan.go:43
  - Failed to analyze packages:
    github.com/aquasecurity/fanal/analyzer.init
        /go/pkg/mod/github.com/aquasecurity/[email protected]/analyzer/analyzer.go:30

This page has a six-step process for installing 'gcloud', including one that doesn't work on this image (The step with lsb_release).

https://cloud.google.com/sdk/downloads

This image should already have the apt database setup with the correct paths, repositories, and keys.

I am wondering why you are not using the official debian image?