Dockerfile: Bump base Ubuntu to 24.04 #924
Conversation
|
For reviewers: would it be better to use an image digest here to pin a known working version? |
Yes - it feel like relying on a tag ( |
kbs/docker/Dockerfile
Outdated
| make ARCH=${ARCH} install-kbs | ||
|
|
||
| FROM ubuntu:22.04 | ||
| FROM ubuntu:24.04 |
There was a problem hiding this comment.
In this file for sure additional change needs to be made - include gpg package in apt-get -> without gpg building will fail with 14.17 /bin/sh: 1: gpg: not found
RUN apt-get update && \
apt-get install -y \
curl \
gpg \
gnupg-agent && \
if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
apt-get update && \
apt-get install -y --no-install-recommends \
libsgx-dcap-default-qpl \
libsgx-dcap-quote-verify \
libtss2-tctildr0 \
libtss2-esys-3.0.2-0 ; \
fi && \
apt clean all && \
rm -rf /tmp/*
There was a problem hiding this comment.
apt-key: not found should be handled, too.
There was a problem hiding this comment.
This PR should be rebased (plus, gpg installation added) and tested after #923 is merged.
One meaningful feedback from @mythi: |
BbolroC
force-pushed
the
use-hash-for-dockerfile
branch
2 times, most recently
from
af0c8cd to
78c763c
Compare
kbs/docker/coco-as-grpc/Dockerfile
Outdated
| FROM --platform=${BUILDPLATFORM:-linux/amd64} docker.io/library/rust:latest AS builder | ||
| FROM --platform=${BUILDPLATFORM:-linux/amd64} \ | ||
| docker.io/library/rust@sha256:6e6d04bd50cd4c433a805c58c13f186a508c5b5417b9b61cae40ec28e0593c51 \ | ||
| AS builder # rust:latest |
There was a problem hiding this comment.
noticed that we also use rust:1.85.1 in kbs-client-image's dockerfile. Could we mention the rust version than latest in all dockerfiles?
There was a problem hiding this comment.
yep, it totally makes sense. thanks!
BbolroC
force-pushed
the
use-hash-for-dockerfile
branch
4 times, most recently
from
d40e27a to
37b8996
Compare
The base image used for building KBS (`rust:slim`) was recently updated, and its toolchain now requires glibc 2.38. However, the runtime base image is still `ubuntu:22.04`, which only provides glibc 2.35. This mismatch causes runtime errors, e.g.: ``` /usr/local/bin/kbs: /lib/s390x-linux-gnu/libc.so.6: version `GLIBC_2.38' not found (required by /usr/local/bin/kbs) ``` This commit updates the runtime image to `ubuntu:24.04` to match the required glibc version. Additionally, the update pins the image by digest rather than tag to prevent similar regressions. Signed-off-by: Hyounggyu Choi <[email protected]>
BbolroC
force-pushed
the
use-hash-for-dockerfile
branch
from
37b8996 to
10becf4
Compare
|
The "KBS Rust Suites / Check (ubuntu-24.04-arm, coco-as-builtin,coco-as-grpc,intel-trust-authority-as,sample_only,cca-at... (pull_request)Failing after 2m" error is a known issue not related to the PR and discussed in #918 |
Xynnn007
merged commit 8e1dbc7
into
confidential-containers:main
4 participants
The base image used for building KBS (
rust:slim) was recently updated, and its toolchain now requires glibc 2.38. However, the runtime base image is stillubuntu:22.04, which only provides glibc 2.35.This mismatch causes runtime errors, e.g.:
This PR updates the runtime image to
ubuntu:24.04to match the required glibc version.Additionally, the update pins the image by digest rather than tag to prevent similar regressions.
Signed-off-by: Hyounggyu Choi [email protected]