From 36307e6b9a8389e5e19ac25ce997c1ec4b5d759c Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Fri, 10 Apr 2026 16:56:56 +0300
Subject: [PATCH 1/8] fix: Update Dockerfiles to enhance security and package versions
---
 curator/docker/backup-docker/Dockerfile | 6 +++---
 curator/opensearch_indices_cleaner/docker/Dockerfile | 6 ++++++
 integration-tests/docker/Dockerfile | 2 +-
 integration-tests/docker/requirements.txt | 1 +
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index f3293ece..c23ec069 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.26.1-alpine3.23 as builder
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine3.23 as builder
 ARG BUILDPLATFORM
 ARG TARGETOS
 ARG TARGETARCH
@@ -37,12 +37,12 @@ RUN apk add --no-cache wget python3 python3-dev py3-pip \
 #https://peps.python.org/pep-0668/
 RUN apk add --no-cache wget python3 py3-pip \
- && pip install --break-system-packages --upgrade pip setuptools wheel \
+ && pip install --break-system-packages --upgrade pip setuptools==80.10.2 wheel==0.46.2 \
 && pip install --break-system-packages \
 opensearch-py==2.5.0 \
 elasticsearch==7.17.12 \
 curator-opensearch==0.0.13 \
- urllib3 \
+ urllib3==2.6.0 \
 click
 #Download necessary tools
diff --git a/curator/opensearch_indices_cleaner/docker/Dockerfile b/curator/opensearch_indices_cleaner/docker/Dockerfile
index 8fe2e9cd..8670afd2 100644
--- a/curator/opensearch_indices_cleaner/docker/Dockerfile
+++ b/curator/opensearch_indices_cleaner/docker/Dockerfile
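Review bot: The first hunk of curator/docker/backup-docker/Dockerfile loosens the builder tag from the exact `golang:1.26.1-alpine3.23` to the floating `golang:1.26-alpine3.23`, so two builds of the same commit can use different toolchains and the image is harder to audit. Keep an exact patch tag and add the image digest after it, in the form `golang:PATCH_TAG-alpine3.23@sha256:DIGEST` (placeholders), and let a dependency bot raise it. The same digest pin would suit the `qubership-backup-daemon-go:0.1.14` base set in patch 8/8, because a version tag can still be re-pushed.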
@@ -18,6 +18,12 @@ RUN set -x \
 # Upgrade all tools to avoid vulnerabilities
 RUN set -x && apk upgrade --no-cache --available
+# Upgrade tools from edge to avoid vulnerabilities
+RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
+ && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+ && apk add --update --upgrade --no-cache \
+ libcrypto3 libssl3 binutils zlib
+
 RUN set -x \
 && python3 -m unittest discover -s ${ELASTICSEARCH_INDICES_CLEANER_HOME} -p "*_tests.py"
diff --git a/integration-tests/docker/Dockerfile b/integration-tests/docker/Dockerfile
index d748e74e..00a13b04 100644
--- a/integration-tests/docker/Dockerfile
+++ b/integration-tests/docker/Dockerfile
@@ -24,7 +24,7 @@ RUN set -x \
 RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
 && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && apk add --update --upgrade --no-cache \
- libcurl curl
+ libcurl curl libcrypto3
 USER 1000:0
diff --git a/integration-tests/docker/requirements.txt b/integration-tests/docker/requirements.txt
index 7ea9f858..99aab472 100644
--- a/integration-tests/docker/requirements.txt
+++ b/integration-tests/docker/requirements.txt
@@ -1,3 +1,4 @@
 robotframework-requests==0.9.7
 python-dateutil==2.9.0
 jsonpath==0.82.2
+urllib3==2.6.3
\ No newline at end of file
From e1dadd3d25a52f606f0b78d8a7d1677ba225d1e8 Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Mon, 13 Apr 2026 10:34:54 +0300
Subject: [PATCH 2/8] fix: Upgrade opensearch-py to version 2.8.0 in Dockerfile for improved compatibility
---
 curator/docker/backup-docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index c23ec069..16623578 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
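Review bot: The added `RUN` in curator/opensearch_indices_cleaner/docker/Dockerfile overwrites `/etc/apk/repositories` with only the rolling `edge` branch, so each build resolves `libcrypto3 libssl3 binutils zlib` to whatever edge holds that day, and any later `apk add` in the image draws from edge too. Alpine advises against mixing edge packages into a stable release, since libraries built against a newer musl can break binaries from the base image, and the result is neither reproducible nor easy to audit. Prefer moving the base image to a release that already carries the fixes; if edge cannot be avoided, append a tagged repository with `echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories` and install only named packages from it, `apk add --no-cache libcrypto3@edge libssl3@edge`. The same overwrite-and-upgrade pattern is extended elsewhere in this series, in integration-tests/docker/Dockerfile, curator/docker/backup-docker/Dockerfile, monitoring/docker/Dockerfile, operator/Dockerfile and tls-init/docker/Dockerfile.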
@@ -39,7 +39,7 @@ RUN apk add --no-cache wget python3 python3-dev py3-pip \
 RUN apk add --no-cache wget python3 py3-pip \
 && pip install --break-system-packages --upgrade pip setuptools==80.10.2 wheel==0.46.2 \
 && pip install --break-system-packages \
- opensearch-py==2.5.0 \
+ opensearch-py==2.8.0 \
 elasticsearch==7.17.12 \
 curator-opensearch==0.0.13 \
 urllib3==2.6.0 \
From 86a5590e6b77f1ba39cb867a378698279eeecd78 Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Mon, 13 Apr 2026 12:25:30 +0300
Subject: [PATCH 3/8] fix: Downgrade urllib3 to version 1.26.20 in Dockerfile for compatibility with existing dependencies
---
 curator/docker/backup-docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index 16623578..4ab7af4f 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
@@ -42,7 +42,7 @@ RUN apk add --no-cache wget python3 py3-pip \
 opensearch-py==2.8.0 \
 elasticsearch==7.17.12 \
 curator-opensearch==0.0.13 \
- urllib3==2.6.0 \
+ urllib3==1.26.20 \
 click
 #Download necessary tools
From 3c1b487999a020bface4d82060418242b312d791 Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Mon, 13 Apr 2026 13:34:26 +0300
Subject: [PATCH 4/8] fix: 3rd party upgrades
---
 curator/docker/backup-docker/Dockerfile | 2 +-
 curator/opensearch_indices_cleaner/docker/Dockerfile | 2 +-
 integration-tests/docker/Dockerfile | 3 ++-
 integration-tests/docker/requirements.txt | 4 +++-
 monitoring/docker/Dockerfile | 8 ++++++++
 monitoring/docker/config/requirements.txt | 6 ++++--
 operator/Dockerfile | 2 +-
 tls-init/docker/Dockerfile | 2 +-
 8 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index 4ab7af4f..d4c5e946 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
@@ -74,7 +74,7 @@ RUN chmod +x ${ELASTICSEARCH_CURATOR_HOME}/*
 RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
 && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && apk add --update --upgrade --no-cache \
- pcre2 libcurl curl
+ pcre2 libcurl curl py3-setuptools py3-setuptools-pyc musl-utils
 USER 1000:0
diff --git a/curator/opensearch_indices_cleaner/docker/Dockerfile b/curator/opensearch_indices_cleaner/docker/Dockerfile
index 8670afd2..d43820f6 100644
--- a/curator/opensearch_indices_cleaner/docker/Dockerfile
+++ b/curator/opensearch_indices_cleaner/docker/Dockerfile
@@ -10,7 +10,7 @@ COPY scripts/indices_cleaner_tests.py ${ELASTICSEARCH_INDICES_CLEANER_HOME}/indi
 # Return back 5.8.1 version for 'elasticsearch-curator' in requirements when 'botocore' version is compatible with 5.8.1 version of 'elasticsearch-curator'
 RUN set -x \
 && apk add --upgrade --no-cache build-base apk-tools \
- && pip3 install --upgrade pip setuptools \
+ && pip3 install --upgrade pip setuptools==80.10.2 jaraco.context==6.1.0 \
 && pip3 install -r ${ELASTICSEARCH_INDICES_CLEANER_HOME}/requirements.txt \
 && pip3 install --upgrade urllib3 \
 && rm -rf /var/cache/apk/*
diff --git a/integration-tests/docker/Dockerfile b/integration-tests/docker/Dockerfile
index 00a13b04..010ef473 100644
--- a/integration-tests/docker/Dockerfile
+++ b/integration-tests/docker/Dockerfile
@@ -17,6 +17,7 @@ COPY robot ${ROBOT_HOME}
 RUN chmod -R 775 ${ROBOT_HOME}/tests/opensearch/ha/test-data-resources/*
 RUN set -x \
+ && pip install --no-cache-dir --upgrade pip==26.0 \
 && pip3 install -r ${ROBOT_HOME}/requirements.txt \
 && apk add --no-cache curl \
 && rm -rf /var/cache/apk/*
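Review bot: `pip` itself stays unpinned in `pip3 install --upgrade pip setuptools==80.10.2 jaraco.context==6.1.0` in curator/opensearch_indices_cleaner/docker/Dockerfile, while the integration-tests hunk of this same patch pins `pip==26.0` and passes `--no-cache-dir`. The unchanged `pip3 install --upgrade urllib3` two lines below is unpinned as well, so urllib3 can move on every build regardless of what requirements.txt resolved. Align the two files with `pip3 install --no-cache-dir --upgrade pip==26.0 setuptools==80.10.2 jaraco.context==6.1.0`, and pin urllib3 in requirements.txt rather than upgrading it afterwards. A short comment naming the finding that the `jaraco.context` pin answers would help whoever removes it later.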
@@ -24,7 +25,7 @@ RUN set -x \
 RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
 && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && apk add --update --upgrade --no-cache \
- libcurl curl libcrypto3
+ libcurl curl libcrypto3 musl-dev musl-utils musl libssl3 libuuid binutils vim xxd vim-common
 USER 1000:0
diff --git a/integration-tests/docker/requirements.txt b/integration-tests/docker/requirements.txt
index 99aab472..86eab84d 100644
--- a/integration-tests/docker/requirements.txt
+++ b/integration-tests/docker/requirements.txt
@@ -1,4 +1,6 @@
 robotframework-requests==0.9.7
 python-dateutil==2.9.0
 jsonpath==0.82.2
-urllib3==2.6.3
\ No newline at end of file
+urllib3==2.6.3
+cryptography==46.0.7
+requests==2.32.0
diff --git a/monitoring/docker/Dockerfile b/monitoring/docker/Dockerfile
index 1c067823..e77c888a 100644
--- a/monitoring/docker/Dockerfile
+++ b/monitoring/docker/Dockerfile
@@ -19,6 +19,14 @@ RUN set -x \
 # Upgrade all tools to avoid vulnerabilities
 RUN set -x && apk upgrade --no-cache --available
+# Upgrade tools from edge to avoid vulnerabilities
+RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
+ && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+ && apk add --update --upgrade --no-cache \
+ net-snmp-tools net-snmp-libs net-snmp-agent-libs musl musl-utils libcrypto3 libssl3 \
+ setpriv libcap-utils libcap2 libcap-getcap libcap libexpat zlib iputils-arping iputils-clockdiff \
+ iputils iputils-ping iputils-tracepath openssl
+
 RUN rm /usr/lib/python3.12/EXTERNALLY-MANAGED
 # Install misc tools
diff --git a/monitoring/docker/config/requirements.txt b/monitoring/docker/config/requirements.txt
index 49555a1b..8b6b025a 100644
--- a/monitoring/docker/config/requirements.txt
+++ b/monitoring/docker/config/requirements.txt
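Review bot: `apk add --upgrade` installs a package when it is absent, so listing `vim xxd vim-common binutils musl-dev` in integration-tests/docker/Dockerfile either puts an editor, binary utilities and C headers into the image or, if the base image already ships them, keeps them only to be patched. Nothing in this diff shows the Robot tests needing them; if that holds, removing them with `apk del vim xxd vim-common binutils musl-dev` clears the scanner findings and shrinks the attack surface together. The monitoring and tls-init hunks of this patch add long lists too (`net-snmp-tools`, the `iputils-*` tools, `openssl`, `musl-dev`), and each entry is worth checking against what the container actually runs.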
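Review bot: `requests==2.32.0` in integration-tests/docker/requirements.txt is older than the `requests==2.32.4` that monitoring/docker/config/requirements.txt was on before this same patch moved it to `2.33.0`, so the test image ends up pinned behind a version the repository had already left. Unless `robotframework-requests==0.9.7` needs the older release, use the same pin in both files: `requests==2.33.0`.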
@@ -1,2 +1,4 @@
-requests==2.32.4
-kubernetes==21.7.0
\ No newline at end of file
+requests==2.33.0
+kubernetes==21.7.0
+pyasn1==0.6.3
+cryptography==46.0.7
diff --git a/operator/Dockerfile b/operator/Dockerfile
index d91ed403..56b03a8c 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -47,7 +47,7 @@ RUN set -x && apk upgrade --no-cache --available
 RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
 && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && apk add --update --upgrade --no-cache \
- pcre2 libcurl curl
+ pcre2 libcurl curl musl musl-utils libcrypto3 libssl3 zlib openssl
 RUN addgroup ${GROUP_NAME} && adduser -D -G ${GROUP_NAME} -u ${USER_UID} ${USER_NAME}
 USER ${USER_UID}
diff --git a/tls-init/docker/Dockerfile b/tls-init/docker/Dockerfile
index 1053464c..4cefc092 100644
--- a/tls-init/docker/Dockerfile
+++ b/tls-init/docker/Dockerfile
@@ -23,7 +23,7 @@ RUN set -x \
 RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/main" > /etc/apk/repositories \
 && echo "https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && apk add --update --upgrade --no-cache \
- libcurl curl
+ libcurl curl musl musl-utils libcrypto3 libssl3 zlib openssl musl-dev
 WORKDIR ${OPENSEARCH_TLS_INIT_HOME}
From 94d1e82c42a678372ff4ed66c11e8ab9ba666563 Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Mon, 13 Apr 2026 15:58:49 +0300
Subject: [PATCH 5/8] fix: Downgrade opensearch-py to version 2.5.0 and remove specific urllib3 version in Dockerfile for compatibility
---
 curator/docker/backup-docker/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index d4c5e946..7ee0f800 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
@@ -39,10 +39,10 @@ RUN apk add --no-cache wget python3 python3-dev py3-pip \
 RUN apk add --no-cache wget python3 py3-pip \
 && pip install --break-system-packages --upgrade pip setuptools==80.10.2 wheel==0.46.2 \
 && pip install --break-system-packages \
- opensearch-py==2.8.0 \
+ opensearch-py==2.5.0 \
 elasticsearch==7.17.12 \
 curator-opensearch==0.0.13 \
- urllib3==1.26.20 \
+ urllib3 \
 click
 #Download necessary tools
From 112024f103ecc2968d8cd4533bd9d3de1dbb38ec Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Mon, 13 Apr 2026 16:55:39 +0300
Subject: [PATCH 6/8] fix: Update Dockerfile to remove specific versions for setuptools and wheel, enhancing compatibility with package installations
---
 curator/docker/backup-docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index 7ee0f800..45eb03f5 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
@@ -37,7 +37,7 @@ RUN apk add --no-cache wget python3 python3-dev py3-pip \
 #https://peps.python.org/pep-0668/
 RUN apk add --no-cache wget python3 py3-pip \
- && pip install --break-system-packages --upgrade pip setuptools==80.10.2 wheel==0.46.2 \
+ && pip install --break-system-packages --upgrade pip setuptools wheel \
 && pip install --break-system-packages \
 opensearch-py==2.5.0 \
 elasticsearch==7.17.12 \
From 43b1c8d5ae8eddf44f859205cc467748ca390767 Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Tue, 28 Apr 2026 12:50:51 +0300
Subject: [PATCH 7/8] fix: update GitHub token usage in workflows for improved security
---
 .github/workflows/bump-test-workflows-version.yaml | 2 +-
 .github/workflows/cleanup-old-docker-container.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/bump-test-workflows-version.yaml b/.github/workflows/bump-test-workflows-version.yaml
index 0c831156..498c36c0 100644
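Review bot: After patches 5/8 and 6/8 the install lines in curator/docker/backup-docker/Dockerfile are back to bare `urllib3`, `setuptools` and `wheel` (with `click` never pinned), so the versions that patch 1/8 fixed for security reasons are again chosen by the resolver at build time. If exact pins conflict with `opensearch-py==2.5.0`, a lower bound keeps the security floor without breaking resolution, written quoted as `'urllib3>=MIN_FIXED_VERSION'` (placeholder; the quotes matter because `>` is a redirect inside `RUN`), or the whole set can move into a constraints file passed with `pip install -c`. A one-line comment recording why the pins were dropped would stop the next scanner-driven change from re-adding them unchanged.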
--- a/.github/workflows/bump-test-workflows-version.yaml
+++ b/.github/workflows/bump-test-workflows-version.yaml
@@ -22,7 +22,7 @@ jobs:
 with:
 ref: main
 persist-credentials: true
- token: ${{ secrets.GH_ACCESS_TOKEN }}
+ token: ${{ github.token }}
 - name: Update version
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/cleanup-old-docker-container.yaml b/.github/workflows/cleanup-old-docker-container.yaml
index 9dfd96bb..5e369e51 100644
--- a/.github/workflows/cleanup-old-docker-container.yaml
+++ b/.github/workflows/cleanup-old-docker-container.yaml
@@ -64,4 +64,4 @@ jobs:
 dry-run: ${{ env.DRY_RUN }}
 debug: ${{ env.DEBUG }}
 env:
- PACKAGE_TOKEN: ${{ secrets.GH_RWD_PACKAGE_TOKEN }}
+ PACKAGE_TOKEN: ${{ github.token }}
From 0f90a9af6133263712418252ea2714fa81fd74f5 Mon Sep 17 00:00:00 2001
From: PavelYadrov
Date: Wed, 13 May 2026 11:25:41 +0300
Subject: [PATCH 8/8] chore: update base image in Dockerfile to version 0.1.14
---
 curator/docker/backup-docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/curator/docker/backup-docker/Dockerfile b/curator/docker/backup-docker/Dockerfile
index 35ba8c27..c97ce373 100644
--- a/curator/docker/backup-docker/Dockerfile
+++ b/curator/docker/backup-docker/Dockerfile
@@ -16,7 +16,7 @@ RUN go mod download
 COPY curator/docker/backup-docker/indices_migration_tool/main.go main.go
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o migration_tool main.go
-FROM ghcr.io/netcracker/qubership-backup-daemon-go:main
+FROM ghcr.io/netcracker/qubership-backup-daemon-go:0.1.14
 ARG TARGETOS
 ARG TARGETARCH
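Review bot: Replacing the stored tokens with `${{ github.token }}` in bump-test-workflows-version.yaml and cleanup-old-docker-container.yaml only works if each job grants the default token the scopes the old secrets carried, and no `permissions:` block is visible in either hunk (both jobs start outside them). Declare them per job, presumably `permissions: { contents: write }` for the job that checks out and updates the version and at least `permissions: { packages: write }` for the package cleanup, so the token is neither too weak for the step nor broader than it needs. Two behaviours also change with the default token: commits pushed with it do not trigger other workflows, and `persist-credentials: true` leaves it in the local git config for every later step, which is worth keeping only if a later step really pushes.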