Trayan Azarov edited this page Feb 18, 2025 · 1 revision

Working with base images

We aim for reproducible builds, and as part of that effort we pin our base images to a fixed digest. We pin the SHA256 digest of the image index (the manifest list) rather than a single platform manifest, so that one pin works for multi-arch builds.

From time to time our builds will fail like so: https://github.com/amikos-tech/chroma-images/actions/runs/13387717593/job/37388097905

local-test-image:alpine (alpine 3.21.2)
=======================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-12797 │ HIGH     │ fixed  │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers │
│            │                │          │        │                   │               │ don't abort as expected                                  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797               │
├────────────┤                │          │        │                   │               │                                                          │
│ libssl3    │                │          │        │                   │               │                                                          │
│            │                │          │        │                   │               │                                                          │
│            │                │          │        │                   │               │                                                          │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
Error: Process completed with exit code 1.

More often than not, an updated upstream image already contains the fix. To move the pin to it, run the following commands:

# pull the latest image
docker pull python:3.12-alpine
# get the SHA256 of the manifest digest - this is important for multi-arch builds
docker buildx imagetools inspect python:3.12-alpine

Name:      docker.io/library/python:3.12-alpine
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:28b8a72c4e0704dd2048b79830e692e94ac2d43d30c914d54def6abf74448a4e # this is the digest to pick
           
Manifests: 
  Name:        docker.io/library/python:3.12-alpine@sha256:f4f1137b6225c023d81901a4cfd746ffe0e194f05512a4e031f8d1fe5bd3f8db
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/amd64
  Annotations: 
    org.opencontainers.image.base.digest:     sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
    org.opencontainers.image.base.name:       alpine:3.21
    org.opencontainers.image.created:         2025-02-14T19:12:49Z
    org.opencontainers.image.revision:        9c50e071f7445d04776485e28d208d39c25fbbaa
    org.opencontainers.image.source:          https://github.com/docker-library/python.git#9c50e071f7445d04776485e28d208d39c25fbbaa:3.12/alpine3.21
    org.opencontainers.image.url:             https://hub.docker.com/_/python
    org.opencontainers.image.version:         3.12.9-alpine3.21
    com.docker.official-images.bashbrew.arch: amd64
...

Note: pick the topmost Digest, the one listed next to the image index MediaType (application/vnd.oci.image.index.v1+json) above Manifests, not one of the per-platform manifest digests listed below it.


Update the project variables that hold the base image digest to the new index digest.
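The steps above (inspect, pick the top-level digest, update the pin) as an added POSIX shell example; this is not tooling from the chroma-images repository. It assumes the pin lives in a Dockerfile FROM line of the form FROM python:3.12-alpine@sha256:..., and the inspect text it parses is constructed from the output layout shown above so that the script runs offline. Setting LIVE=1 with docker available switches it to the real docker buildx imagetools inspect command.

```shell
#!/bin/sh
# Added example (not from the chroma-images repo): extract the multi-arch index
# digest from `docker buildx imagetools inspect` output and rewrite a Dockerfile
# FROM pin. SAMPLE_INSPECT is constructed from the layout shown on the wiki page
# so the script runs offline; in real use pipe the live command into index_digest.
SAMPLE_INSPECT='Name:      docker.io/library/python:3.12-alpine
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:28b8a72c4e0704dd2048b79830e692e94ac2d43d30c914d54def6abf74448a4e

Manifests:
  Name:        docker.io/library/python:3.12-alpine@sha256:f4f1137b6225c023d81901a4cfd746ffe0e194f05512a4e031f8d1fe5bd3f8db
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/amd64'

# index_digest: read inspect output on stdin and print the top-level digest.
# Only unindented "Digest:" lines are considered, so the per-platform manifest
# digests under "Manifests:" are never picked. It refuses input whose top-level
# MediaType is not an OCI image index or Docker manifest list, because pinning
# a single-platform manifest digest would break the other architectures.
index_digest() {
    input=$(cat)
    mediatype=$(printf '%s\n' "$input" | sed -n 's/^MediaType: *//p' | head -n 1)
    case "$mediatype" in
        application/vnd.oci.image.index.v1+json) ;;
        application/vnd.docker.distribution.manifest.list.v2+json) ;;
        *) echo "index_digest: top-level object is not a multi-arch index: '$mediatype'" >&2; return 1 ;;
    esac
    digest=$(printf '%s\n' "$input" | sed -n 's/^Digest: *\(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1)
    [ -n "$digest" ] || { echo "index_digest: no top-level digest found" >&2; return 1; }
    printf '%s\n' "$digest"
}

# repin IMAGE DIGEST: read a Dockerfile on stdin and write it to stdout with every
# "FROM IMAGE[@sha256:...]" line pinned to DIGEST. Trailing text such as
# "AS builder" is preserved and lines for other images are left untouched.
repin() {
    image=$1
    digest=$2
    printf '%s' "$digest" | grep -q '^sha256:[0-9a-f]\{64\}$' \
        || { echo "repin: malformed digest '$digest'" >&2; return 1; }
    # escape the dots in the image reference so they do not act as regex wildcards
    esc=$(printf '%s' "$image" | sed 's/\./\\./g')
    sed "s|^\(FROM \)${esc}\(@sha256:[0-9a-f]*\)\{0,1\}\(\([ ].*\)\{0,1\}\)\$|\1${image}@${digest}\3|"
}

# Stand-alone demo: resolve the digest (from the constructed sample, or from the
# registry when LIVE=1 and docker is installed) and repin a constructed Dockerfile.
if [ "${LIVE:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then
    DIGEST=$(docker buildx imagetools inspect python:3.12-alpine | index_digest) || exit 1
else
    DIGEST=$(printf '%s\n' "$SAMPLE_INSPECT" | index_digest) || exit 1
fi
echo "index digest: $DIGEST"
printf 'FROM python:3.12-alpine@sha256:%064d AS base\nRUN pip install chromadb\n' 0 \
    | repin python:3.12-alpine "$DIGEST"
```

In a pipeline the same two functions can gate the update: if index_digest fails because someone pasted a single-platform manifest, the pin is left alone instead of silently breaking the arm64 build.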
