mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
d58edcb51cda22940236d5ef23351f3d8912c9f5
stack/docker/postgres/Dockerfile
Jason Woltje d58edcb51c
Some checks failed
ci/woodpecker/push/infra Pipeline failed
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/api Pipeline failed
Details
fix(#363,#364,#365): fix pipeline #362 failures — gosu setuid, trivy CVEs, test exclusions 
- docker/postgres/Dockerfile: remove setuid bit (chmod +sx → +x), gosu 1.17+ rejects setuid
- apps/coordinator/Dockerfile: upgrade setuptools>=80.9 and wheel>=0.46.2 to fix 5 HIGH CVEs
  (CVE-2026-23949 jaraco.context path traversal, CVE-2026-24049 wheel privilege escalation)
- .woodpecker/api.yml: exclude 4 pre-existing integration test files from CI (M4/M5 debt)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 16:23:52 -06:00

45 lines
1.7 KiB
Docker
Raw Blame History

# PostgreSQL with pgvector and up-to-date gosu
#
# Override the base image's gosu binary with the latest from tianon/gosu.
# The postgres base image bundles gosu built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# The tianon/gosu image is rebuilt with recent Go toolchains, eliminating these CVEs.
# Using COPY --from avoids `go install` failures (gosu lacks semver Go module tags).
FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
# Replace vulnerable gosu binary with latest pre-built version from tianon/gosu
COPY --from=tianon/gosu /gosu /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu && gosu nobody true
# Update Alpine packages for any remaining OS-level patches
RUN apk update && apk upgrade
# Install build dependencies for pgvector
RUN apk add --no-cache --virtual .build-deps \
git \
build-base
# Clone and build pgvector v0.7.4 (without LLVM bitcode compilation)
RUN git clone --branch v0.7.4 https://github.com/pgvector/pgvector.git /tmp/pgvector \
&& cd /tmp/pgvector \
&& make OPTFLAGS="" with_llvm=no \
&& make install with_llvm=no \
&& rm -rf /tmp/pgvector
# Clean up build dependencies to reduce image size
RUN apk del .build-deps
# Copy initialization scripts
COPY init-scripts/ /docker-entrypoint-initdb.d/
# Expose PostgreSQL port
EXPOSE 5432
Reference in New Issue View Git Blame Copy Permalink