[gdal-dev] Upgrade or remove Java JDK 17 in GDAL Docker image
Matt Luck - NOAA Affiliate
matt.luck at noaa.gov
Fri Sep 13 06:55:48 PDT 2024
Thank you Even, these are very helpful suggestions.
I tried removing jdk and flattening the image but jdk was still there in
the diff folder.
Because of other dependencies, we are trying to stay with v3.8. I tried to
regenerate using v3.8.5 (git hash 1d418c1). I updated ARG
ARROW_VERSION=15.0.2-1 after getting the error:
> The following packages have unmet dependencies:
> libarrow-dev : Depends: libarrow1500 (= 15.0.1-1) but 15.0.2-1 is to be
> installed
This time I get to:
> Step 46/46 : RUN . /buildscripts/bh-set-envvars.sh &&
> /buildscripts/bh-gdal.sh
> ...
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /gdal/build
> [ 1%] Building CXX object
> port/CMakeFiles/cpl_iconv.dir/cpl_recode_iconv.cpp.o
> ...
> [ 51%] Built target gdal_MRF
> make: *** [Makefile:136: all] Error 2
> The command '/bin/sh -c . /buildscripts/bh-set-envvars.sh &&
> /buildscripts/bh-gdal.sh' returned a non-zero code: 2
How can I resolve this error?
Alternatively, we have considered a different solution that uses
ubuntu:22.04 as our base image and then installs GDAL, but we are also having
problems installing GDAL (I can't seem to get past dependency
conflicts for v3.8.5 in pipenv, so I am trying v3.8.3), getting an error:
> Collecting gdal==3.8.3 (from -r
> /tmp/pipenv-gde160cj-requirements/pipenv-ndnw2zi0-hashed-reqs.txt (line 62))
> Downloading GDAL-3.8.3.tar.gz (802 kB)
> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 802.5/802.5 kB 104.5 MB/s eta 0:00:00
> Preparing metadata (setup.py): started
> Preparing metadata (setup.py): finished with status 'error'
> error: subprocess-exited-with-error
>
> × python setup.py egg_info did not run successfully.
> │ exit code: 1
> Exception: Python bindings of GDAL 3.8.3 require at least libgdal 3.8.3,
> but 3.4.1 was found
How can we upgrade libgdal (in our Dockerfile)?
Many thanks!
Matt
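The point made further down the quoted thread (a later `rm` of the JDK leaves the files in an earlier layer's diff directory, where a filesystem scanner still sees them) as an added Python example, not code from the thread or from the GDAL project: it walks a `docker save` archive layer by layer and reports where a path is really shipped versus only hidden by an overlay whiteout. The image tarball is constructed inline with a minimal made-up layout, and `build_sample_image`, `audit_layers` and `still_on_disk` are assumed names.

```python
# Added example, not code from the thread: audit a `docker save` tarball offline and
# report, per layer, whether a path is shipped or only hidden by an overlay whiteout.
import io
import json
import posixpath
import tarfile

JDK_DIR = "usr/lib/jvm/java-17-openjdk-amd64"  # path named in the scanner report


def _tar_bytes(entries):
    """In-memory tar; entries are (name, data) with data=None for a directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            if data is None:
                info.type = tarfile.DIRTYPE
            else:
                info.size = len(data)
            tar.addfile(info, None if data is None else io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save`: layer 0 installs the JDK, layer 1 is
    a later `RUN rm -rf` that only adds a whiteout marker on top of it."""
    layer0 = _tar_bytes([(JDK_DIR, None), (JDK_DIR + "/bin/java", b"\x7fELF")])
    layer1 = _tar_bytes([(posixpath.dirname(JDK_DIR) + "/.wh."
                          + posixpath.basename(JDK_DIR), b"")])
    manifest = json.dumps([{"Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar_bytes([("manifest.json", manifest),
                       ("l0/layer.tar", layer0), ("l1/layer.tar", layer1)])


def audit_layers(image_tar, needle):
    """Return [(layer_index, 'present' | 'whiteout')] for each layer touching needle."""
    whiteout = posixpath.join(posixpath.dirname(needle), ".wh." + posixpath.basename(needle))
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        layers = json.load(img.extractfile("manifest.json"))[0]["Layers"]
        for idx, layer_name in enumerate(layers):
            raw = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(raw)) as layer:
                names = [m.name.rstrip("/") for m in layer.getmembers()]
            if any(n == needle or n.startswith(needle + "/") for n in names):
                hits.append((idx, "present"))  # files really are on disk in this layer
            elif whiteout in names:
                hits.append((idx, "whiteout"))  # hidden in the merged view, not deleted
    return hits


def still_on_disk(image_tar, needle):
    """True while any layer still ships the files, whatever later layers hide."""
    return any(status == "present" for _, status in audit_layers(image_tar, needle))
```

On a real image, feed the bytes of `docker save <image>` to `audit_layers` (the constructed manifest mirrors only the `Layers` key of a real one); a `present` hit in any layer means the package must be left out of the build or the layers flattened, since a later `RUN rm` cannot make it go away.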
------------------------------
*From:* Even Rouault <even.rouault at spatialys.com>
*Sent:* Monday, September 9, 2024 1:56 PM
*To:* Matt Luck - NOAA Affiliate <matt.luck at noaa.gov>;
gdal-dev at lists.osgeo.org <gdal-dev at lists.osgeo.org>
*Subject:* Re: [gdal-dev] Upgrade or remove Java JDK 17 in GDAL Docker image
Matt,
Several potential solutions:
1) Regenerate the Docker image from sources:
git clone https://github.com/OSGeo/gdal
cd gdal
./docker/ubuntu-full/build.sh
2) Same as 1), but before edit ./docker/ubuntu-full/Dockerfile to remove
all traces of java/jdk from it
3) Use the existing image, remove the openjdk package, and "flatten" the
Docker layers with docker export / docker import (cf
https://forums.docker.com/t/how-to-flatten-an-image-with-127-parents/1600/2),
so that the layer where it was installed disappears
4) Wait a couple hours while I'm regenerating it to be updated to
17.0.12+7-1ubuntu2~24.04
Even
On 09/09/2024 at 19:29, Matt Luck - NOAA Affiliate via gdal-dev wrote:
Hi, our IT department has detected a security vulnerability in the Java JDK
version 17 that's installed in the ubuntu-full docker image (see message
below). I am able to remove the Java files from the Docker image via the
Dockerfile and I've tried changing the `JAVA_VERSION` in the Dockerfile,
but there always seems to be a reference remaining in the Docker diff files
that I can't seem to get rid of.
To reproduce:
A `docker system prune -a -f`, then `sudo find /var/lib/docker/overlay2
-type d -name java-17-openjdk-amd64` finds nothing, but then `docker pull
ghcr.io/osgeo/gdal:ubuntu-full-3.9.1` followed by `sudo find
/var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds:
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/debug/usr/lib/jvm/java-17-openjdk-amd64
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/share/gdb/auto-load/usr/lib/jvm/java-17-openjdk-amd64
Because they're diff files, those files exist whether or not they're
actually in the container and thus the vulnerability is always triggered.
Is there a solution and/or a way to either upgrade the Java version or
remove Java entirely if it's not needed so that we can deal with this issue
in the future?
On Mon, Jul 8, 2024 at 10:21 AM X wrote:
All,
Please see the vulns below and remediate as soon as possible. These are in
containers.
Path :
/var/lib/docker/overlay2/48c2e3da9fc2282822d4522e28ca46788f5357a14a8a38f687e2cadbf9de68d7/diff/usr/lib/jvm/java-17-openjdk-amd64/
Installed version : 17.0.8
Fixed version : Upgrade to a version greater than 17.0.10
Path :
/var/lib/docker/overlay2/4aed72b0f0433c615afe67854c8c79bb7acca2fb01216bf6be25774180266f4d/diff/usr/lib/jvm/java-17-openjdk-amd64/
Installed version : 17.0.8
Fixed version : Upgrade to a version greater than 17.0.10
_______________________________________________
gdal-dev mailing list
gdal-dev at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev
-- http://www.spatialys.com
My software is free, but my time generally not.