So it took me ~3 hours to fix a Bug that should've taken ~10 minutes ...
I was trying to mitigate an issue with one of our Alpine Linux-based images, where our IBM Container Registry (ICR) Vulnerability Advisor (VA) tool was (rightly) complaining about our exposure to CVE-2021-36159 with apk-tools.
I knew that the mitigation was to update the Dockerfile to ensure that this package was updated.
However, given that I'm building from someone else's GH project, where I don't control the Dockerfile per se, I wanted to have my Jenkins Pipeline job amend the Dockerfile "in flight".
So the Dockerfile had the line: -
FROM alpine:3.13 AS run
so I used a bit of sed sweetness to add: -
RUN apk --no-cache upgrade apk-tools
How hard can it be ?
I even tested it using Bash: -
echo "RUN apk --no-cache add procps" > /tmp/foo.txt
cat /tmp/foo.txt
RUN apk --no-cache add procps
sed -i 's/RUN apk --no-cache add procps/RUN apk --no-cache add procps\nRUN apk --no-cache upgrade apk-tools/g' /tmp/foo.txt
cat /tmp/foo.txt
RUN apk --no-cache add procps
RUN apk --no-cache upgrade apk-tools
Easy right ?
Nah, not with Bash embedded in Groovy via a Jenkinsfile ...
Each and every time I ran my Pipeline, the sed command threw up: -
10:45:38 sed: -e expression #1, char 61: unterminated `s' command
etc.
I tried various different incarnations .... with different separators, including / and ; but to no avail.
The internet had the answer, as per usual ....
specifically this: -
2. Insert lines using Regular expression
which provided the following example: -
sed '/PATTERN/ i <LINE-TO-BE-ADDED>' FILE.txt
I tested this manually: -
echo "RUN apk --no-cache add procps" > /tmp/foo.txt
cat /tmp/foo.txt
RUN apk --no-cache add procps
sed -i "/RUN apk --no-cache add procps/a RUN apk --no-cache upgrade apk-tools" /tmp/foo.txt
cat /tmp/foo.txt
RUN apk --no-cache add procps
RUN apk --no-cache upgrade apk-tools
And, better still, it worked within Jenkins: -
11:42:04 Step 14/29 : RUN apk --no-cache add procps
11:42:04 ---> Running in 9505a71400bb
11:42:04 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/s390x/APKINDEX.tar.gz
11:42:04 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/s390x/APKINDEX.tar.gz
11:42:04 (1/5) Installing libintl (0.20.2-r2)
11:42:04 (2/5) Installing ncurses-terminfo-base (6.2_p20210109-r0)
11:42:04 (3/5) Installing ncurses-libs (6.2_p20210109-r0)
11:42:04 (4/5) Installing libproc (3.3.16-r0)
11:42:04 (5/5) Installing procps (3.3.16-r0)
11:42:04 Executing busybox-1.32.1-r6.trigger
11:42:04 OK: 7 MiB in 19 packages
11:42:05 Removing intermediate container 9505a71400bb
11:42:05 ---> a4947b0b1d8d
11:42:05 Step 15/29 : RUN apk --no-cache upgrade apk-tools
which is nice :-)
I've raised an issue with the original project's GH repo, as it'd be better to get apk-tools upgraded at "source" so to speak, but I'm rather happy with my experience - every day is, indeed, a school day
No comments:
Post a Comment