apunkt/plano
1
0
Fork 0
mirror of https://github.com/katanemo/plano.git synced 2026-04-25 00:36:34 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

fix cve_2025-6020 by removing libpam (#551)

Browse source 
* fix cve_2025-6020 by removing libpam

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
Adil Hafeez 2025-08-12 13:20:04 -07:00 committed by GitHub
parent 2639323dab
commit 950c9b443c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 15 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

23
arch/Dockerfile
View file

@ -3,17 +3,27 @@ FROM rust:1.82.0 AS builder
RUN rustup -v target add wasm32-wasip1
WORKDIR /arch
COPY crates .
RUN cargo build --release --target wasm32-wasip1 -p prompt_gateway -p llm_gateway
RUN cargo build --release -p brightstaff
# copy built filter into envoy image
FROM docker.io/envoyproxy/envoy:v1.34-latest AS envoy
#Build config generator, so that we have a single build image for both Rust and Python
FROM python:3.12-slim AS arch
# Purge PAM to avoid CVE-2025-6020 and install needed tools
# 1) Install what you need while apt still works
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends supervisor gettext-base curl; \
apt-get clean; rm -rf /var/lib/apt/lists/*
# 2) Force-remove PAM packages (dont use apt here)
# We ignore dependencies and remove files so scanners dont find them.
RUN set -eux; \
dpkg -r --force-depends libpam-modules libpam-modules-bin libpam-runtime libpam0g || true; \
dpkg -P --force-all libpam-modules libpam-modules-bin libpam-runtime libpam0g || true; \
rm -rf /etc/pam.d /lib/*/security /usr/lib/security || true
RUN apt-get update && apt-get install -y supervisor gettext-base curl && apt-get clean && rm -rf /var/lib/apt/lists/*
COPY --from=builder /arch/target/wasm32-wasip1/release/prompt_gateway.wasm /etc/envoy/proxy-wasm-plugins/prompt_gateway.wasm
COPY --from=builder /arch/target/wasm32-wasip1/release/llm_gateway.wasm /etc/envoy/proxy-wasm-plugins/llm_gateway.wasm
@ -29,11 +39,8 @@ COPY arch/arch_config_schema.yaml .
COPY arch/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
RUN pip install requests
RUN touch /var/log/envoy.log
RUN mkdir -p /var/log/supervisor/
RUN touch /var/log/supervisor/supervisord.log
RUN mkdir -p /var/log/supervisor && touch /var/log/envoy.log /var/log/supervisor/supervisord.log
ENTRYPOINT ["sh","-c", "/usr/bin/supervisord"]
# ENTRYPOINT ["sh","-c", "python config_generator.py && envsubst < /etc/envoy/envoy.yaml > /etc/envoy.env_sub.yaml && envoy -c /etc/envoy.env_sub.yaml --log-level trace 2>&1 | tee /var/log/envoy.log"]
# ENTRYPOINT ["sh","-c", "python config_generator.py && envsubst < /etc/envoy/envoy.yaml > /etc/envoy.env_sub.yaml && envoy -c /etc/envoy.env_sub.yaml --component-log-level wasm:info 2>&1 | tee /var/log/envoy.log"]