s360: Resolve library vulnerability #26161
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
Updates SONiC build and Azure Pipelines defaults to use the publicmirror.azurecr.io container registry, aligning build-time configuration and CI image publishing with the new registry endpoint.
Changes:
- Switch default docker registry in `rules/config` from `sonicdev-microsoft.azurecr.io` to `publicmirror.azurecr.io`.
- Update Azure Pipelines parameters (`registry_url`) to default to `publicmirror.azurecr.io` for sonic-slave and sonic-mgmt pipelines.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| rules/config | Changes default registry host used when pulling/pushing SONiC docker images during builds. |
| .azure-pipelines/docker-sonic-slave.yml | Updates the default registry URL parameter for sonic-slave CI builds. |
| .azure-pipelines/docker-sonic-slave-template.yml | Updates the default registry URL parameter used by the sonic-slave build template. |
| .azure-pipelines/docker-sonic-mgmt.yml | Updates the default registry URL parameter for sonic-mgmt image build/push pipeline. |
Comments suppressed due to low confidence (1)
.azure-pipelines/docker-sonic-slave-template.yml:28
`registry_url` now defaults to `publicmirror.azurecr.io`, but pushes depend on Docker@2 login via `registry_conn`. If `registry_conn` is still configured for the old registry, the subsequent `docker push $REGISTRY_SERVER/...` will fail. Consider changing the default `registry_conn` (or adding a check) so the login registry and `registry_url` stay in sync.
```yaml
- name: registry_url
  type: string
  default: publicmirror.azurecr.io
- name: registry_conn
  type: string
  default: sonicdev
- name: pool
```
29351a0 to 60129e5
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
60129e5 to fae3993
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
Updates SONiC build and CI defaults to use the publicmirror.azurecr.io container registry, aligning local build configuration (rules/config) with Azure Pipelines image build/push pipelines.
Changes:
- Switched the default docker registry server in `rules/config` to `publicmirror.azurecr.io`.
- Updated Azure Pipelines defaults (`registry_url`, `registry_conn`) for docker-sonic-slave and docker-sonic-mgmt builds to use `publicmirror`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| rules/config | Updates default REGISTRY_SERVER to point builds/pulls at publicmirror.azurecr.io. |
| .azure-pipelines/docker-sonic-slave.yml | Changes default registry URL and service connection name used by the sonic-slave build pipeline. |
| .azure-pipelines/docker-sonic-slave-template.yml | Changes default registry URL and service connection name used by the sonic-slave template. |
| .azure-pipelines/docker-sonic-mgmt.yml | Changes default registry URL and service connection name used by the sonic-mgmt build/publish pipeline. |
fae3993 to fd6bdd8
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
fd6bdd8 to 63ed114
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
Updates build/pipeline defaults to use the public mirror container registry, and adjusts docker-ptf build steps and dependency pinning.
Changes:
- Switch Azure Pipelines docker build defaults from `sonicdev-microsoft.azurecr.io` to `publicmirror.azurecr.io`.
- Modify docker-ptf to install a Go toolchain and build `grpcurl`/`gnoic` from source, plus update protobuf pinning for gnxi tooling.
- Remove the `setuptools==65.5.1` pin in the shared Dockerfile macro.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| dockers/dockerfile-macros.j2 | Removes setuptools version pin used during "offending packages" installs. |
| dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch | Updates protobuf requirement version in gnxi patch. |
| dockers/docker-ptf/Dockerfile.j2 | Reworks grpcurl/gnoic install to build from source with Go; updates protobuf pin and related comments. |
| .azure-pipelines/docker-sonic-slave.yml | Default registry URL/connection updated to public mirror. |
| .azure-pipelines/docker-sonic-slave-template.yml | Default registry URL/connection updated to public mirror. |
| .azure-pipelines/docker-sonic-mgmt.yml | Default registry URL/connection updated to public mirror. |
| RUN pip3 install {{ pkg }} | ||
| RUN pip3 install setuptools==65.5.1 | ||
| RUN pip3 install setuptools | ||
| {%- endfor %} |
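Review bot: with the `==65.5.1` pin dropped, `RUN pip3 install setuptools` resolves to whatever setuptools release is current at build time, so two builds of the same commit can differ, and because the line sits inside the `{% for %}` loop that ends at `{%- endfor %}` it is re-executed (and adds a layer) once per package. Give it a lower bound instead of leaving it open, for example `RUN pip3 install 'setuptools>=<minimum fixed version>'`, and move it after the `{%- endfor %}` so it runs once.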
Yes. It's better put outside for loop.
| # Install Go toolchain for building grpcurl and gnoic from source | ||
| # to ensure they use a patched Go stdlib (GO-2026-4337: crypto/tls) | ||
| {% if CONFIGURED_ARCH == "armhf" %} | ||
| RUN GO_ARCH=armv6l \ | ||
| {% elif CONFIGURED_ARCH == "arm64" %} | ||
| RUN GO_ARCH=arm64 \ | ||
| {% else %} | ||
| RUN GO_ARCH=amd64 \ | ||
| {% endif %} | ||
| && GO_VERSION=1.25.8 \ | ||
| && curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz \ | ||
| && tar -C /usr/local -xzf /tmp/go.tar.gz \ | ||
| && rm /tmp/go.tar.gz |
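Review bot: the download line `curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz` has no `-f`, so if `GO_VERSION=1.25.8` is not published on go.dev/dl curl exits 0 and writes the HTTP error page into /tmp/go.tar.gz, and the failure only surfaces at `tar`. Use `curl -fsSL` so a missing version fails the step, and compare the tarball's SHA256 against the checksum published alongside it on go.dev/dl before `tar -C /usr/local -xzf`, so a wrong or tampered download never reaches the image; the same check applies to all three `GO_ARCH` branches.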
| # gnxi/gnmi_cli_py ships pre-generated _pb2.py stubs; they are | ||
| # Pin to 6.31.1 to match grpcio-tools keep a known-good version. | ||
| # Pin to 6.33.5 to match grpcio-tools keep a known-good version. | ||
| RUN set -e; \ | ||
| . /etc/os-release; \ | ||
| if [ "$VERSION_CODENAME" = "bookworm" ]; then \ | ||
| pip install protobuf==6.31.1; \ | ||
| pip install protobuf==6.33.5; \ |
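Review bot: the replaced comment `# Pin to 6.33.5 to match grpcio-tools keep a known-good version.` is missing "and" and, like the old line, does not say which grpcio-tools version the pin is matched to; since a protobuf/grpcio-tools mismatch is what the pin guards against, either state that version in the comment or install both in the same `pip install` so they cannot drift apart. Only the `bookworm` branch of the `VERSION_CODENAME` test is visible in this hunk; confirm the other branch received the same bump to 6.33.5, and that the line above (`# gnxi/gnmi_cli_py ships pre-generated _pb2.py stubs; they are`) is still a complete sentence in the file.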
| # Remove Go toolchain to reduce image size | ||
| RUN rm -rf /usr/local/go "$(go env GOPATH 2>/dev/null || echo $HOME/go)" | ||
| ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |
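Review bot: in `rm -rf /usr/local/go "$(go env GOPATH 2>/dev/null || echo $HOME/go)"` the fallback expands to `/go` when `HOME` is unset in the build environment, and `rm -rf` receives whatever the substitution prints without any sanity check. Prefer an explicit, known path for the module cache, or at least `${HOME:?}/go`, so the cleanup cannot target an unexpected directory. The `ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"` line that follows resets PATH without /usr/local/go/bin, which is consistent with the removal; make sure no later `RUN` step in the Dockerfile invokes `go`.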
| - name: registry_url | ||
| type: string | ||
| default: sonicdev-microsoft.azurecr.io | ||
| default: publicmirror.azurecr.io |
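Review bot: changing only the `registry_url` default to `publicmirror.azurecr.io` here leaves the Docker@2 login, which uses the `registry_conn` service connection, pointing wherever that parameter's default still points, so the login and the `docker push $REGISTRY_SERVER/...` target can disagree and the push fails only at runtime. Update `registry_conn` in the same change or add a pipeline-level assertion that the two agree. The identical default change appears in the other two pipeline files in this PR and needs the same treatment.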
We can't change this
| - name: registry_url | ||
| type: string | ||
| default: sonicdev-microsoft.azurecr.io | ||
| default: publicmirror.azurecr.io |
We can't change this
| - name: registry_url | ||
| type: string | ||
| default: sonicdev-microsoft.azurecr.io | ||
| default: publicmirror.azurecr.io |
We can't change this
Signed-off-by: Austin Pham <[email protected]>
63ed114 to 8a895f3
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
StormLiangMS left a comment:
Code Review
1. Go version 1.25.8 — does this exist?
Go's current latest stable is around 1.24.x. Please verify that go1.25.8 is actually available on https://go.dev/dl/ — if it doesn't resolve, the Docker build will fail silently with a curl download error.
2. setuptools unpinned — potential reproducibility risk
```diff
- RUN pip3 install setuptools==65.5.1
+ RUN pip3 install setuptools
```
Fully unpinning setuptools means builds could pull different versions over time, risking non-reproducible builds. Consider pinning to a minimum safe version (e.g. setuptools>=75.0) instead of leaving it completely open.
3. protobuf bump 6.31.1 → 6.33.5 ✅
Consistently applied across all 3 locations (Dockerfile.j2, patch file, gnxi install). Looks good.
4. Building grpcurl/gnoic from source ✅
Good approach to address GO-2026-4337 (crypto/tls). Go toolchain cleanup at the end is a nice touch to keep image size down.
Overall looks good — just the two minor items above to address.
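The review above raises the point that a `curl -L ... -o` download of the Go toolchain fails silently when the requested version does not exist. The following is an added example, not code from the sonic-buildimage PR, showing the fail-fast shape such a download step can take: `-f` makes a 404 abort the step, and the tarball's SHA256 is checked against the value published on go.dev/dl before anything is extracted. It assumes curl and sha256sum (or shasum) are present; the checksum argument is a placeholder the maintainer pastes in from go.dev/dl.

```shell
#!/bin/sh
# Added example, not code from the sonic-buildimage PR: a fail-fast variant of
# the Go toolchain download used by docker-ptf, so a non-existent GO_VERSION
# or a corrupted tarball stops the build at the download step.
# Assumptions: curl and sha256sum (or shasum) are available; EXPECTED_SHA256
# is the checksum printed next to the tarball on https://go.dev/dl/ and must
# be pasted in by the maintainer (the value in the usage comment is a placeholder).
set -eu

# go_tarball_url VERSION ARCH -> the go.dev download URL for that build
go_tarball_url() {
    printf 'https://go.dev/dl/go%s.linux-%s.tar.gz\n' "$1" "$2"
}

# sha256_of FILE -> lowercase hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> exit 0 when the digest matches, 1 otherwise
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_go_toolchain VERSION ARCH EXPECTED_SHA256 DEST
# -f makes curl return non-zero on HTTP errors instead of saving the 404 page
# as the tarball, which is what 'curl -L ... -o' alone would do.
fetch_go_toolchain() {
    url=$(go_tarball_url "$1" "$2")
    curl -fsSL --retry 3 "$url" -o "$4" || { echo "download failed: $url" >&2; return 1; }
    if ! verify_sha256 "$4" "$3"; then
        echo "checksum mismatch for $4, refusing to extract" >&2
        rm -f "$4"
        return 1
    fi
}

# Usage inside the Dockerfile RUN step (checksum is a placeholder):
# fetch_go_toolchain 1.25.8 amd64 <sha256 from go.dev/dl> /tmp/go.tar.gz \
#   && tar -C /usr/local -xzf /tmp/go.tar.gz && rm /tmp/go.tar.gz
```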
StormLiangMS left a comment:
LGTM — approving this PR for the security fixes.
The two minor items (Go version validation and setuptools pinning) can be addressed in a follow-up PR if needed.
Why I did it
After #25876, there are still some leftover vulnerabilities. The majority are in gnoic and the Go library. Some were newly introduced by the upgrade to protobuf==6.31.1.
This PR will try to address them.
Work item tracking
How I did it
How to verify it
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)