From 5986cb4a50a5041f37d3942c6668fbb9c6a3089a Mon Sep 17 00:00:00 2001
From: Anton Bobrov
Date: Mon, 4 May 2026 16:24:24 +0200
Subject: [PATCH] Rebuild phoenix and redis-commander images from source
---
 .github/workflows/build-and-push.yml      | 28 ++++++++++++
 Containerfile.phoenix                     | 44 ++++++++++++++++++
 Containerfile.redis-commander             | 55 +++++++++++++++++++++++
 Makefile                                  | 14 ++++++
 compose.yaml                              | 10 ++++-
 openshift/deployment-phoenix.yml          | 13 +++++-
 openshift/deployment-redis-commander.yml  | 13 +++++-
 openshift/imagestream-phoenix.yml         |  2 +-
 openshift/imagestream-redis-commander.yml |  2 +-
 9 files changed, 175 insertions(+), 6 deletions(-)
 create mode 100644 Containerfile.phoenix
 create mode 100644 Containerfile.redis-commander
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 0731032d..fe1edeb3 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -90,6 +90,34 @@ jobs:
           image_name: "jira-issue-fetcher"
           # tag: "staging"
 
+  build-and-push-redis-commander:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build and push redis-commander to quay.io registry
+        uses: sclorg/build-and-push-action@adf1dee2b786ccbb2e2a708c3510a90e2ab3392d # v4.1.5
+        with:
+          registry: "quay.io"
+          registry_namespace: "antbob/jotnar"
+          registry_username: ${{ secrets.REGISTRY_LOGIN }}
+          registry_token: ${{ secrets.REGISTRY_TOKEN }}
+          dockerfile: "Containerfile.redis-commander"
+          docker_context: "."
+          image_name: "redis-commander"
+
+  build-and-push-phoenix:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build and push phoenix to quay.io registry
+        uses: sclorg/build-and-push-action@adf1dee2b786ccbb2e2a708c3510a90e2ab3392d # v4.1.5
+        with:
+          registry: "quay.io"
+          registry_namespace: "antbob/jotnar"
+          registry_username: ${{ secrets.REGISTRY_LOGIN }}
+          registry_token: ${{ secrets.REGISTRY_TOKEN }}
+          dockerfile: "Containerfile.phoenix"
+          docker_context: "."
+          image_name: "phoenix"
+
   build-and-push-supervisor:
     runs-on: ubuntu-latest
     steps:
diff --git a/Containerfile.phoenix b/Containerfile.phoenix
new file mode 100644
index 00000000..05e21c90
--- /dev/null
+++ b/Containerfile.phoenix
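Review bot: Neither new job sets the `tag` input, so the tag that is pushed is whatever the action defaults to, while compose.yaml, the Makefile `push` target and the imagestreams in this commit all assume `latest`; make the contract visible with `tag: "latest"` under `with:` in both jobs rather than relying on the default. The action is pinned by commit SHA, which is the right choice; keep the `# v4.1.5` marker in step when the SHA is bumped so the pin stays auditable. The workflow's `on:` triggers and any branch condition are outside this hunk, so it cannot be checked here whether a push from a non-main branch could overwrite the tag that the `prod` imagestream tags follow — if the existing jobs do not already restrict this at workflow level, an `if: github.ref == 'refs/heads/main'` on both jobs is worth adding.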
@@ -0,0 +1,44 @@
+# Rebuild Arize Phoenix 11.6.2 with patched dependencies:
+# - SQLite >= 3.50.2 (CVE-2025-6965)
+# - cryptography >= 46.0.7 (CVE-2026-39892)
+#
+# The upstream image (arizephoenix/phoenix:version-11.6.2) is based on
+# gcr.io/distroless/python3-debian12 which ships SQLite 3.40.1 and
+# cryptography 45.0.5. We compile SQLite from source and pip-install
+# a fixed cryptography, then overlay both into the final image.
+
+ARG PHOENIX_VERSION=version-11.6.2
+
+# --- Stage 1: build SQLite from source ---
+FROM docker.io/library/debian:bookworm-slim AS sqlite-builder
+
+ARG SQLITE_VERSION=3500200
+ARG SQLITE_YEAR=2025
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends gcc make wget ca-certificates libc6-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN wget -q "https://www.sqlite.org/${SQLITE_YEAR}/sqlite-autoconf-${SQLITE_VERSION}.tar.gz" && \
+    tar xzf "sqlite-autoconf-${SQLITE_VERSION}.tar.gz" && \
+    cd "sqlite-autoconf-${SQLITE_VERSION}" && \
+    ./configure --prefix=/usr/local && \
+    make -j"$(nproc)" && \
+    make install
+
+# --- Stage 2: build updated cryptography wheel ---
+FROM docker.io/library/python:3.11-slim-bookworm AS crypto-builder
+
+RUN pip install --no-cache-dir --target=/tmp/packages "cryptography>=46.0.7"
+
+# --- Stage 3: patch the upstream Phoenix image ---
+FROM docker.io/arizephoenix/phoenix:${PHOENIX_VERSION}
+
+# Copy the updated SQLite shared library over the system one.
+# The distroless base has libsqlite3.so.0 at /usr/lib/x86_64-linux-gnu/.
+COPY --from=sqlite-builder /usr/local/lib/libsqlite3.so.0* /usr/lib/x86_64-linux-gnu/
+
+# Overlay upgraded cryptography package (upstream installs to /phoenix/env/).
+COPY --from=crypto-builder /tmp/packages/cryptography/ /phoenix/env/cryptography/
+
+CMD ["-m", "phoenix.server.main", "serve"]
diff --git a/Containerfile.redis-commander b/Containerfile.redis-commander
new file mode 100644
index 00000000..f1934a3c
--- /dev/null
+++ b/Containerfile.redis-commander
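Review bot: The SQLite tarball fetched in the sqlite-builder stage is untarred and compiled with no integrity check, so the build trusts whatever that URL serves; the same `wget` pattern is in Containerfile.redis-commander. sqlite.org publishes a SHA3-256 for each release, so add `ARG SQLITE_SHA3=<sha3-256 from the sqlite.org download page>` and, before `tar xzf`, `test "$(openssl dgst -sha3-256 -r "sqlite-autoconf-${SQLITE_VERSION}.tar.gz" | cut -d' ' -f1)" = "${SQLITE_SHA3}"` (the openssl CLI should already be present via ca-certificates on Debian; the Alpine stage would need `apk add openssl`). The cryptography overlay copies only the package directory and not its `cryptography-*.dist-info`, so the upstream 45.0.5 metadata stays in place and `importlib.metadata`, pip-based SBOMs and vulnerability scanners will keep reporting the unpatched version — the fix is real but unverifiable; pin `cryptography==46.0.7`, copy the matching dist-info alongside, or better, upgrade in place in a builder stage that starts from the upstream `/phoenix/env` tree and copy the whole tree back. The phoenix SQLite build also passes no feature flags while the redis-commander one enables FTS3/4/5, RTREE and others; if Debian's packaged libsqlite3 enabled extensions the default amalgamation build leaves out, Phoenix's sqlite3 usage could fail at runtime, so the two configure lines should agree and the header comment should say which options were chosen and why.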
@@ -0,0 +1,55 @@
+# Rebuild Redis Commander 0.9.0 with patched dependencies:
+# - SQLite >= 3.50.2 (CVE-2025-6965)
+# - Node.js >= 22.22.0 (CVE-2025-55130)
+# - OpenSSL >= 3.3.7 (CVE-2026-31789)
+#
+# The upstream image (ghcr.io/joeferner/redis-commander:0.9.0) is based on
+# Alpine 3.21 which ships SQLite 3.48.0.
+# We compile SQLite from source and overlay the shared library.
+# We also run apk upgrade to pull in patched Node.js and OpenSSL.
+
+ARG REDIS_COMMANDER_VERSION=0.9.0
+
+# --- Stage 1: build SQLite from source ---
+FROM docker.io/library/alpine:3.21 AS sqlite-builder
+
+ARG SQLITE_VERSION=3500200
+ARG SQLITE_YEAR=2025
+
+RUN apk add --no-cache gcc make musl-dev wget
+
+RUN wget -q "https://www.sqlite.org/${SQLITE_YEAR}/sqlite-autoconf-${SQLITE_VERSION}.tar.gz" && \
+    tar xzf "sqlite-autoconf-${SQLITE_VERSION}.tar.gz" && \
+    cd "sqlite-autoconf-${SQLITE_VERSION}" && \
+    CFLAGS="-O2 \
+        -DSQLITE_ENABLE_FTS3_PARENTHESIS \
+        -DSQLITE_ENABLE_COLUMN_METADATA \
+        -DSQLITE_SECURE_DELETE \
+        -DSQLITE_ENABLE_UNLOCK_NOTIFY \
+        -DSQLITE_ENABLE_RTREE \
+        -DSQLITE_ENABLE_GEOPOLY \
+        -DSQLITE_USE_URI \
+        -DSQLITE_ENABLE_DBSTAT_VTAB \
+        -DSQLITE_MAX_VARIABLE_NUMBER=250000" \
+    ./configure --prefix=/usr/local \
+        --enable-threadsafe \
+        --enable-session \
+        --enable-fts3 \
+        --enable-fts4 \
+        --enable-fts5 && \
+    make -j"$(nproc)" && \
+    make install
+
+# --- Stage 2: patch the upstream Redis Commander image ---
+FROM ghcr.io/joeferner/redis-commander:${REDIS_COMMANDER_VERSION}
+
+# Upgrade system packages to pick up patched Node.js and OpenSSL.
+USER root
+RUN apk upgrade --no-cache
+USER 10000
+
+# Copy the updated SQLite shared library over the system one.
+# Alpine keeps libsqlite3 at /usr/lib/.
+COPY --from=sqlite-builder /usr/local/lib/libsqlite3.so.0* /usr/lib/
+
+CMD ["/redis-commander/docker/entrypoint.sh"]
diff --git a/Makefile b/Makefile
index 72f75c71..08c0f1a2 100644
--- a/Makefile
+++ b/Makefile
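Review bot: `RUN apk upgrade --no-cache` is relied on to deliver the Node.js fix for CVE-2025-55130, but that only holds if Node.js in the upstream image is an apk package; if ghcr.io/joeferner/redis-commander derives from the official node:*-alpine images, Node.js is unpacked from nodejs.org tarballs and `apk upgrade` leaves it untouched while the header comment claims it is patched — check `node --version` in the built image. Make the claim enforceable by failing the build in the final stage, e.g. `RUN node -e 'const [a,b]=process.versions.node.split(".").map(Number); if (a<22||(a===22&&b<22)) process.exit(1)'`, and add an equivalent floor check for OpenSSL. `USER 10000` after the upgrade hard-codes the uid the upstream image is assumed to run as; if upstream's USER differs this silently changes the runtime identity, so confirm it against the base image and note the source of the value in a comment such as `# 10000 is the uid the upstream image sets with USER; keep in sync when bumping REDIS_COMMANDER_VERSION`. The upgrade is also unpinned, so two builds of the same commit can yield different Node.js/OpenSSL versions; the version check above is the minimum that makes the image auditable.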
@@ -14,10 +14,24 @@ COMPOSE ?= $(shell command -v podman >/dev/null 2>&1 && echo "podman compose" ||
 COMPOSE_AGENTS=$(COMPOSE) -f $(COMPOSE_FILE) --profile=agents
 COMPOSE_SUPERVISOR=$(COMPOSE) -f $(COMPOSE_FILE) --profile=supervisor
 
+# Extract container tool (podman or docker) from COMPOSE
+CONTAINER_TOOL ?= $(shell command -v podman >/dev/null 2>&1 && echo "podman" || echo "docker")
+REGISTRY ?= quay.io/antbob/jotnar
+
 .PHONY: build
 build:
 	$(COMPOSE) -f $(COMPOSE_FILE) --profile=agents --profile=supervisor build
 
+.PHONY: push
+push:
+	@echo "Pushing images to $(REGISTRY)..."
+	$(CONTAINER_TOOL) push $(REGISTRY)/phoenix:latest
+	$(CONTAINER_TOOL) push $(REGISTRY)/redis-commander:latest
+	@echo "All images pushed successfully!"
+
+.PHONY: build-and-push
+build-and-push: build push
+
 .PHONY: run-beeai-bash
 run-beeai-bash:
 	$(COMPOSE_AGENTS) run --rm triage-agent /bin/bash
diff --git a/compose.yaml b/compose.yaml
index 50c2db50..111aeef9 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -111,7 +111,10 @@ services:
     profiles: ["agents", "supervisor", "e2e-test"]
 
   phoenix:
-    image: docker.io/arizephoenix/phoenix:version-11.6.2
+    image: quay.io/antbob/jotnar/phoenix:latest
+    build:
+      context: .
+      dockerfile: Containerfile.phoenix
     ports:
       - "0.0.0.0:6006:6006"
     environment:
@@ -122,7 +125,10 @@ services:
     profiles: ["agents", "supervisor", "e2e-test"]
 
   redis-commander:
-    image: ghcr.io/joeferner/redis-commander:0.9.0
+    image: quay.io/antbob/jotnar/redis-commander:latest
+    build:
+      context: .
+      dockerfile: Containerfile.redis-commander
     environment:
       - REDIS_HOSTS=local:valkey:6379
     ports:
diff --git a/openshift/deployment-phoenix.yml b/openshift/deployment-phoenix.yml
index d9cdbad7..a3484f98 100644
--- a/openshift/deployment-phoenix.yml
+++ b/openshift/deployment-phoenix.yml
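Review bot: The comment `# Extract container tool (podman or docker) from COMPOSE` in the Makefile hunk is inaccurate — `CONTAINER_TOOL` is not derived from `COMPOSE`, it re-runs the same `command -v podman` probe, so the two can diverge only when one is overridden on the command line; say what it is, e.g. `# Container CLI for push; uses the same podman-or-docker probe as COMPOSE`. The `push` target pushes only the mutable `latest` tag, which is exactly what the `prod` imagestream tags in this commit follow, so `make push` from any branch replaces what production imports on its next scheduled sync; consider deriving an immutable tag such as `$(shell git rev-parse --short HEAD)` and pushing it alongside `latest` so a known-good build can be pinned. `push` has no dependency on `build`, so on its own it pushes whatever image already sits in the local store — fine for `build-and-push`, but worth one comment on the target so nobody assumes it rebuilds.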
@@ -2,6 +2,17 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: phoenix
+  annotations:
+    image.openshift.io/triggers: |
+      [
+        {
+          "from": {
+            "kind": "ImageStreamTag",
+            "name": "phoenix:prod"
+          },
+          "fieldPath": "spec.template.spec.containers[?(@.name==\"phoenix\")].image"
+        }
+      ]
 spec:
   progressDeadlineSeconds: 600
   replicas: 1
@@ -27,7 +38,7 @@ spec:
         - name: PHOENIX_PORT
           value: "6006"
         image: phoenix:prod
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: Always
         name: phoenix
         ports:
         - containerPort: 4317
diff --git a/openshift/deployment-redis-commander.yml b/openshift/deployment-redis-commander.yml
index d4650609..e21d3714 100644
--- a/openshift/deployment-redis-commander.yml
+++ b/openshift/deployment-redis-commander.yml
@@ -2,6 +2,17 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: redis-commander
+  annotations:
+    image.openshift.io/triggers: |
+      [
+        {
+          "from": {
+            "kind": "ImageStreamTag",
+            "name": "redis-commander:prod"
+          },
+          "fieldPath": "spec.template.spec.containers[?(@.name==\"redis-commander\")].image"
+        }
+      ]
 spec:
   progressDeadlineSeconds: 600
   replicas: 1
@@ -25,7 +36,7 @@ spec:
         - name: REDIS_HOSTS
           value: local:valkey:6379
         image: redis-commander:prod
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: Always
         name: redis-commander
         ports:
         - containerPort: 8081
diff --git a/openshift/imagestream-phoenix.yml b/openshift/imagestream-phoenix.yml
index 3eb6cbb3..2e870065 100644
--- a/openshift/imagestream-phoenix.yml
+++ b/openshift/imagestream-phoenix.yml
@@ -9,7 +9,7 @@ spec:
   - name: prod
     from:
       kind: DockerImage
-      name: docker.io/arizephoenix/phoenix:version-11.6.2
+      name: quay.io/antbob/jotnar/phoenix:latest
     importPolicy:
       # Periodically query registry to synchronize tag and image metadata.
       scheduled: true
diff --git a/openshift/imagestream-redis-commander.yml b/openshift/imagestream-redis-commander.yml
index 098a80e2..46bb9dc0 100644
--- a/openshift/imagestream-redis-commander.yml
+++ b/openshift/imagestream-redis-commander.yml
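Review bot: In the imagestream-phoenix hunk, `prod` now tracks the mutable `quay.io/antbob/jotnar/phoenix:latest` with `scheduled: true`, and the deployment-phoenix hunk in this same commit adds an `image.openshift.io/triggers` annotation on `phoenix:prod`, so any image that lands on `latest` — from any workflow run or a developer's `make push` — is imported on the next sync and rolled out to production with no promotion step; imagestream-redis-commander and deployment-redis-commander set up the identical path. Keep `latest` for development, but point `prod` at an immutable reference and promote it deliberately, e.g. `name: quay.io/antbob/jotnar/phoenix@sha256:<digest of the verified build>` (with no periodic sync needed), or at minimum retag a reviewed build as an explicit versioned tag and reference that. The existing `# Periodically query registry ...` comment predates the switch to a floating tag; if the auto-deploy behaviour is intended, extend it to say so, e.g. `# NOTE: prod follows the mutable latest tag, so every new push is rolled out automatically.`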
@@ -7,7 +7,7 @@ spec:
   - name: prod
     from:
       kind: DockerImage
-      name: ghcr.io/joeferner/redis-commander:0.9.0
+      name: quay.io/antbob/jotnar/redis-commander:latest
     importPolicy:
       # Periodically query registry to synchronize tag and image metadata.
       scheduled: true