diff --git a/crates/fakecloud-rds/assets/mariadb/Dockerfile b/crates/fakecloud-rds/assets/mariadb/Dockerfile
index 7ae186c9..2d0d68b1 100644
--- a/crates/fakecloud-rds/assets/mariadb/Dockerfile
+++ b/crates/fakecloud-rds/assets/mariadb/Dockerfile
@@ -5,10 +5,22 @@
 # tries to pull that tag first and falls back to building from this
 # Dockerfile locally when the pull fails.
+# MARIADB_VERSION must sit before the first FROM so its substitution is
+# available across all stages.
 ARG MARIADB_VERSION=10.11
+
+# Rebuild gosu from source with current Go to eliminate upstream
+# mariadb image's bundled go1.24.6 stdlib CVEs in /usr/local/bin/gosu.
+FROM golang:1.25-bookworm AS gosu-builder
+ENV CGO_ENABLED=0
+RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8
+
 FROM mariadb:${MARIADB_VERSION}
 USER root
+
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod 0755 /usr/local/bin/gosu
 # UDF plugin API structs are vendored inline in fakecloud_udf.c so we
 # only need a C compiler + libcurl headers. Keeping the dep set
 # symmetric with the mysql Dockerfile means a single source of truth
diff --git a/crates/fakecloud-rds/assets/mysql/Dockerfile b/crates/fakecloud-rds/assets/mysql/Dockerfile
index 7a30e973..3ff17e12 100644
--- a/crates/fakecloud-rds/assets/mysql/Dockerfile
+++ b/crates/fakecloud-rds/assets/mysql/Dockerfile
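Review bot: The rebuilt gosu is dropped over the upstream binary at `COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu` with no check that it actually executes in the final image, so a broken build (for example if the builder and final stage ever end up on different platforms) only surfaces when the entrypoint's first gosu call fails at container start. The upstream images verify the binary at build time; replace the bare chmod with `RUN chmod 0755 /usr/local/bin/gosu && gosu --version && gosu nobody true` (or move the mode onto the copy with `COPY --from=gosu-builder --chmod=0755 /go/bin/gosu /usr/local/bin/gosu`, which needs the BuildKit frontend, and keep the smoke test as its own RUN). `FROM golang:1.25-bookworm AS gosu-builder` is a floating tag, so the "current Go" stdlib baked into gosu drifts between builds and the CVE status of the image is not reproducible; pin the builder by digest (placeholder `golang:1.25-bookworm@sha256:<digest>`) and bump it deliberately. The same two points apply to the mysql and postgres hunks below.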
@@ -10,10 +10,37 @@
 # procedures so SQL inside an RDS-managed MySQL instance can invoke
 # fakecloud Lambda functions.
+# MYSQL_VERSION must sit before the first FROM so its substitution is
+# available across all stages.
 ARG MYSQL_VERSION=8.0
+
+# Rebuild gosu from source with current Go to eliminate upstream
+# mysql:8.0 image's bundled go1.24.6 stdlib CVEs in /usr/local/bin/gosu.
+FROM golang:1.25-bookworm AS gosu-builder
+ENV CGO_ENABLED=0
+RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8
+
 FROM mysql:${MYSQL_VERSION}
 USER root
+
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod 0755 /usr/local/bin/gosu
+
+# Strip the bundled `mysql-shell` (mysqlsh) tooling. We drive the
+# server over the wire from Rust (`mysql_async`); mysqlsh is never
+# invoked, but its vendored Python site-packages bring pyOpenSSL +
+# other libraries that Trivy flags as CVEs we cannot fix without
+# a coordinated upstream re-release.
+RUN set -eux; \
+ if command -v microdnf >/dev/null 2>&1; then \
+ microdnf remove -y mysql-shell || true; \
+ microdnf clean all; \
+ elif command -v apt-get >/dev/null 2>&1; then \
+ apt-get remove -y --purge mysql-shell || true; \
+ rm -rf /var/lib/apt/lists/*; \
+ fi; \
+ rm -rf /usr/lib/mysqlsh /usr/bin/mysqlsh
 # UDF needs only gcc + libcurl headers; mysql plugin API structs are
 # vendored inline in fakecloud_udf.c (the upstream mysql:8.0 image
 # strips its community release repo so `mysql-community-devel` is not
diff --git a/crates/fakecloud-rds/assets/postgres/Dockerfile b/crates/fakecloud-rds/assets/postgres/Dockerfile
index e25dfe4d..bf9286dd 100644
--- a/crates/fakecloud-rds/assets/postgres/Dockerfile
+++ b/crates/fakecloud-rds/assets/postgres/Dockerfile
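Review bot: The mysql-shell removal in the new `RUN set -eux; …` block can never fail: `microdnf remove -y mysql-shell || true` swallows any error and the trailing `rm -rf /usr/lib/mysqlsh /usr/bin/mysqlsh` succeeds on paths that do not exist, so if the package name or install location changes upstream the image silently ships mysqlsh (and the CVE-bearing site-packages) again and only a later scan notices. Add a post-condition as the final statement that fails the layer when the shell survives, e.g. `if command -v mysqlsh >/dev/null 2>&1 || [ -e /usr/lib/mysqlsh ]; then echo 'mysqlsh still present' >&2; exit 1; fi` (an `if` rather than a bare `! command -v …`, because `set -e` does not act on negated pipelines). The `|| true` is presumably there for bases where the package is absent; the post-condition keeps that tolerance while still guaranteeing the outcome the comment promises.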
@@ -4,10 +4,26 @@
 # (plus a rolling : tag). RdsRuntime::ensure_postgres_image
 # tries to pull that tag first and falls back to building from this
 # Dockerfile locally when the pull fails (dev / unreleased / airgapped).
+# PG_VERSION must sit before the first FROM so its substitution is
+# available across all stages. Inside each stage it has to be
+# re-declared (Dockerfile spec) for `RUN`/`COPY` references to expand.
 ARG PG_VERSION=16
+
+# Rebuild `gosu` from source with current Go to eliminate the upstream
+# postgres image's bundled `/usr/local/bin/gosu` Go-stdlib CVEs (Trivy
+# flags 8 HIGH + 1 CRITICAL on go1.24.6 stdlib at scan time). gosu
+# upstream is rarely re-released; pinning the source version + rebuilding
+# on every image build means we control the stdlib version baked in.
+FROM golang:1.25-bookworm AS gosu-builder
+ENV CGO_ENABLED=0
+RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8
+
 FROM postgres:${PG_VERSION}
 ARG PG_VERSION
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod 0755 /usr/local/bin/gosu
+
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 postgresql-plpython3-${PG_VERSION} \
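Review bot: The new gosu-builder stage makes the local-build fallback depend on network access: `RUN go install -ldflags='-s -w' github.com/tianon/gosu@v0.0.0-20250923190938-6456aaa0f3c8` resolves the module through the Go module proxy and checks it against the checksum database at build time, yet the context comment just above says this Dockerfile is the fallback used when the pull fails in airgapped environments, where that fetch cannot succeed. Either document the new requirement above `FROM golang:1.25-bookworm AS gosu-builder` with a comment such as `# NOTE: this stage needs outbound access to proxy.golang.org and sum.golang.org (or a configured GOPROXY/GOSUMDB mirror); it will fail in airgapped builds.`, or vendor the gosu source into the build context so the rebuild is self-contained. Whichever is chosen, keep the default GOSUMDB verification in place rather than disabling it to make offline builds pass, since that check is what ties the pinned pseudo-version to known source. The same dependency exists in the mariadb and mysql hunks above.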