Switch base image to Chainguard to mitigate security vulnerabilities

docker/Dockerfile.common

@@ -1,45 +1,36 @@
-ARG BASE_IMAGE=ubuntu:20.04
-FROM ${BASE_IMAGE}
+FROM cgr.dev/chainguard/wolfi-base AS base
 
-# Necessary to install tzdata. It will default to UTC.
+# Non-interactive for tzdata/etc.
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Make sure we enable all GPU if we have one
 ENV NVIDIA_DRIVER_CAPABILITIES=all
 
-RUN apt-get update && \
-    apt-get install -y \
+# Install needed system packages (Wolfi uses apk, not apt-get)
+RUN apk update && \
+    apk add --no-cache \
+      bash \
       wget \
       apache2 \
       apache2-dev \
-      libapr1-dev \
       apache2-utils && \
-    rm -rf /var/lib/apt/lists/*
-
-COPY --from=tianon/gosu /gosu /usr/local/bin/
-
-# Set up needed permissions and users
-# - User groups:
-#   - trame-user: non-priviledge user for running and accessing data
-#     => (optional) Provide runtime env TRAME_USER_DATA=/docker/path to query which user to map trame-user to
-#   - docker: group to be remapped to docker host group to allow docker in docker.
-#     - trame-user can perform docker operaction by allowing access to /var/run/docker.sock
-#   - proxy-mapping: group for r/w on mapping file
-#     - trame-user so the launcher can update the mapping file (w)
-#     - www-data so that apache can read the file and handle the network routing (r)
-#   - www-data: apache user
-#     - added to proxy-mapping so it can read the mapping file for routing network
-#     - added to trame-user so it can serve user data
-# - Magic numbers:
-#   - 1000: Default first user
-#   - 5001/5002: Large id to prevent conflict with existing host uid/gid
-RUN groupadd trame-user -g 1000 && \
-    groupadd proxy-mapping -g 5001 && \
-    groupadd docker -g 5002 && \
-    useradd -u 1000 -g trame-user -G proxy-mapping -s /sbin/nologin trame-user && \
-    usermod -a -G proxy-mapping www-data && \
-    usermod -a -G trame-user www-data && \
-    usermod -a -G docker trame-user && \
+    rm -rf /var/cache/apk/*
+
+# Copy gosu from Chainguard version or install it
+RUN apk add --no-cache gosu
+
+# Set up users and groups similar to Dockerfile.common
+RUN addgroup -g 1000 trame-user && \
+    addgroup -g 5001 proxy-mapping && \
+    addgroup -g 5002 docker && \
+    adduser -D -u 1000 -G trame-user trame-user && \
+    addgroup trame-user proxy-mapping && \
+    addgroup -S -g 82 www-data && \
+    # Create the www-data user with correct uid/gid before adding to supplementary groups
+    adduser -S -u 82 -G www-data www-data && \
+    addgroup www-data proxy-mapping && \
+    addgroup www-data trame-user && \
+    addgroup trame-user docker && \
     mkdir -p /opt/trame && \
     chown -R trame-user:trame-user /opt/trame && \
     mkdir -p /home/trame-user && \
@@ -50,26 +41,22 @@ RUN groupadd trame-user -g 1000 && \
     mkdir -p /deploy && \
     chown -R trame-user:trame-user /deploy
 
-# Copy the apache configuration file into place
+# Copy the apache configuration file into place (bring these files into build context or adjust path)
 COPY config/apache/001-trame.conf /etc/apache2/sites-available/001-trame.conf
 COPY config/apache/001-trame.tpl  /opt/trame/apache.tpl
 COPY config/default-launcher.json /opt/trame/default-launcher.json
 
-# Configure the apache web server
-RUN a2enmod vhost_alias && \
-    a2enmod proxy && \
-    a2enmod proxy_http && \
-    a2enmod proxy_wstunnel && \
-    a2enmod rewrite && \
-    a2enmod headers && \
-    a2dissite 000-default.conf && \
-    a2ensite 001-trame && \
-    a2dismod autoindex -f
+# Ensure /etc/apache2/ports.conf exists with default Listen directive for apache2
+RUN if [ ! -f /etc/apache2/ports.conf ]; then \
+      echo "Listen 80" > /etc/apache2/ports.conf; \
+    fi
 
-# Copy the scripts into place
+# Note: Wolfi/Chainguard's apache2 does not have debian-style modules, use BuildKit to customize if needed
+
+# Copy scripts into place
 COPY scripts/* /opt/trame/
 
-# Open port 80 to the world outside the container
 EXPOSE 80
 
 ENTRYPOINT ["/opt/trame/entrypoint.sh"]
+

docker/Dockerfile.pip

@@ -1,32 +1,31 @@
 ARG BASE_IMAGE=trame-common
 FROM ${BASE_IMAGE}
 
-ARG PYTHON_VERSION=3.9
+ARG PYTHON_VERSION=3.13
 
-RUN apt-get update && \
-    apt-get install -y \
-      python${PYTHON_VERSION} \
-      # python-distutils is required to install pip
-      python${PYTHON_VERSION}-distutils \
-      # python-is-python3 creates a symlink for python to python3
-      python-is-python3 \
-      # For creating virtual environments
-      python${PYTHON_VERSION}-venv && \
-    rm -rf /var/lib/apt/lists/*
+# Install Python and required dependencies (but do NOT install the system-provided pip to avoid vulnerable versions)
+RUN apk update && \
+    apk add --no-cache \
+      python-${PYTHON_VERSION} \
+      python-${PYTHON_VERSION}-dev \
+      py${PYTHON_VERSION}-virtualenv \
+      py3-wheel \
+      wget
 
-# Set python3 to python3.x (otherwise, it will be python3.8)
-RUN if [ "$PYTHON_VERSION" != "3" ] ; then update-alternatives --install /usr/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 1 ;fi
+# Create a symlink to set python3 to the desired python version, if not default
+RUN if [ "$PYTHON_VERSION" != "3" ]; then ln -sf /usr/bin/python${PYTHON_VERSION} /usr/bin/python3; fi
 
 # Never use a cache directory for pip, both here in this Dockerfile
 # and when we run the container.
 ENV PIP_NO_CACHE_DIR=1
 
-# Install and upgrade pip
-RUN wget -q -O- https://bootstrap.pypa.io/get-pip.py | python${PYTHON_VERSION} && \
-    pip install -U pip
-
-# Install setup dependencies
-RUN pip install PyYAML wheel
+# Install pip safely, pinning to >=25.2 to avoid GHSA-4xh5-x5gv-qwph
+RUN python${PYTHON_VERSION} -m ensurepip --upgrade || true && \
+    wget -O /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py && \
+    python${PYTHON_VERSION} /tmp/get-pip.py --no-cache-dir --force-reinstall && \
+    pip install --no-cache-dir --upgrade 'pip>=25.2' && \
+    rm -f /tmp/get-pip.py && \
+    pip install --no-cache-dir PyYAML wheel
 
 # Copy the pip scripts into place
 COPY scripts/pip/* /opt/trame/