Copilot commented on code in PR #614:
URL: https://github.com/apache/apisix-docker/pull/614#discussion_r2909677392
##########
all-in-one/apisix-dashboard/Dockerfile:
##########
@@ -17,60 +17,56 @@
ARG ENABLE_PROXY=false
ARG ETCD_VERSION=v3.4.14
-ARG APISIX_VERSION=master
+ARG APISIX_VERSION=3.15.0
ARG APISIX_DASHBOARD_VERSION=master
-# Build Apache APISIX
-FROM openresty/openresty:1.25.3.2-0-alpine-fat AS production-stage
+# Build Apache APISIX (using official package with apisix-nginx-module)
+FROM debian:bullseye-slim AS production-stage
ARG APISIX_VERSION
ARG ENABLE_PROXY
LABEL apisix_version="${APISIX_VERSION}"
-RUN set -x \
- && (test "${ENABLE_PROXY}" != "true" || /bin/sed -i
's,http://dl-cdn.alpinelinux.org,https://mirrors.aliyun.com,g'
/etc/apk/repositories) \
- && apk add --no-cache --virtual .builddeps \
- automake \
- autoconf \
- libtool \
- pkgconfig \
- cmake \
- make \
- clang \
- wget \
- git \
- openldap-dev \
- pcre2-dev \
- sudo \
- && wget
https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz \
- && tar -zxvf yaml-0.2.5.tar.gz \
- && cd yaml-0.2.5 \
- && ./configure --prefix=/usr \
- && make \
- && make install \
- && ln -s /usr/lib/libyaml-0.so.2 /usr/local/lib/libyaml-0.so.2 \
- && curl
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
-sL | bash - \
- && git config --global url.https://github.com/.insteadOf git://github.com/
\
- && luarocks install
https://raw.githubusercontent.com/apache/apisix/master/apisix-master-0.rockspec
--tree=/usr/local/apisix/deps PCRE_DIR=/usr/local/openresty/pcre \
- && cp -v
/usr/local/apisix/deps/lib/luarocks/rocks-5.1/apisix/${APISIX_VERSION}-0/bin/apisix
/usr/bin/ \
- && (if [ "$APISIX_VERSION" = "master" ] || [ "$APISIX_VERSION" \> "2.2" ];
then echo 'use shell ';else bin='#!
/usr/local/openresty/luajit/bin/luajit\npackage.path =
"/usr/local/apisix/?.lua;" .. package.path'; sed -i "1s@.*@$bin@"
/usr/bin/apisix ; fi;) \
- && mv /usr/local/apisix/deps/share/lua/5.1/apisix /usr/local/apisix \
- && apk del .builddeps build-base make unzip clang wget
+RUN set -ex; \
+ arch=$(dpkg --print-architecture); \
+ apt-get update; \
+ apt-get -y install --no-install-recommends wget gnupg ca-certificates
curl; \
+ codename=$(grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release); \
+ case "${arch}" in \
+ amd64) \
+ wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add - \
+ && echo "deb https://repos.apiseven.com/packages/debian $codename
main" \
+ | tee /etc/apt/sources.list.d/apisix.list ;; \
+ arm64) \
+ wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add - \
+ && echo "deb https://repos.apiseven.com/packages/arm64/debian
$codename main" \
+ | tee /etc/apt/sources.list.d/apisix.list ;; \
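Review bot: The codename detection on the `codename=$(grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release)` line parses the human-readable VERSION string, which is brittle: the format of that field can differ between releases and derivatives, and the expression silently yields an empty codename if the parenthesised part is absent, so the apt source line would be written with a blank suite. /etc/os-release exports the codename as its own field, so `. /etc/os-release; codename="${VERSION_CODENAME}"` is simpler and drops the dependency on `grep -P`. A short comment above it, e.g. `# derive the Debian codename from the base image so the apisix repo line follows a base-image bump`, would explain why it is computed rather than hard-coded. The RUN instruction continues beyond the quoted hunk.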
Review Comment:
Using `apt-key add` is deprecated on Debian/Ubuntu and adds the key to the
global trusted keyring. Prefer installing the repo key into
`/usr/share/keyrings` (via `gpg --dearmor`) and referencing it with `deb
[signed-by=...] ...` to avoid future breakage and reduce the trust scope.
##########
all-in-one/apisix-dashboard/Dockerfile:
##########
@@ -17,60 +17,56 @@
ARG ENABLE_PROXY=false
ARG ETCD_VERSION=v3.4.14
-ARG APISIX_VERSION=master
+ARG APISIX_VERSION=3.15.0
ARG APISIX_DASHBOARD_VERSION=master
-# Build Apache APISIX
-FROM openresty/openresty:1.25.3.2-0-alpine-fat AS production-stage
+# Build Apache APISIX (using official package with apisix-nginx-module)
+FROM debian:bullseye-slim AS production-stage
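Review bot: The new `FROM debian:bullseye-slim AS production-stage` is pinned only by tag, whereas the replaced `FROM openresty/openresty:1.25.3.2-0-alpine-fat` pinned the exact OpenResty build; the OpenResty version in the image now presumably comes from whatever the apisix package resolves at build time, so two builds of the same Dockerfile can differ. Pinning the base by digest (`FROM debian:bullseye-slim@sha256:<digest>`) and stating the expected OpenResty version in the `# Build Apache APISIX …` comment would restore a reproducible reference point. The hunk continues beyond the quoted lines.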
Review Comment:
The PR description focuses on removing check_standalone_config.sh, but this
Dockerfile also switches the APISIX build to a Debian-based image and changes
the default APISIX_VERSION (and overall build approach). This is a substantial
behavioral change that should either be called out explicitly in the PR
description or moved into a separate PR to keep scope/risk reviewable.
##########
all-in-one/apisix-dashboard/Dockerfile:
##########
@@ -17,60 +17,56 @@
ARG ENABLE_PROXY=false
ARG ETCD_VERSION=v3.4.14
-ARG APISIX_VERSION=master
+ARG APISIX_VERSION=3.15.0
ARG APISIX_DASHBOARD_VERSION=master
-# Build Apache APISIX
-FROM openresty/openresty:1.25.3.2-0-alpine-fat AS production-stage
+# Build Apache APISIX (using official package with apisix-nginx-module)
+FROM debian:bullseye-slim AS production-stage
ARG APISIX_VERSION
ARG ENABLE_PROXY
LABEL apisix_version="${APISIX_VERSION}"
-RUN set -x \
- && (test "${ENABLE_PROXY}" != "true" || /bin/sed -i
's,http://dl-cdn.alpinelinux.org,https://mirrors.aliyun.com,g'
/etc/apk/repositories) \
- && apk add --no-cache --virtual .builddeps \
- automake \
- autoconf \
- libtool \
- pkgconfig \
- cmake \
- make \
- clang \
- wget \
- git \
- openldap-dev \
- pcre2-dev \
- sudo \
- && wget
https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz \
- && tar -zxvf yaml-0.2.5.tar.gz \
- && cd yaml-0.2.5 \
- && ./configure --prefix=/usr \
- && make \
- && make install \
- && ln -s /usr/lib/libyaml-0.so.2 /usr/local/lib/libyaml-0.so.2 \
- && curl
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
-sL | bash - \
- && git config --global url.https://github.com/.insteadOf git://github.com/
\
- && luarocks install
https://raw.githubusercontent.com/apache/apisix/master/apisix-master-0.rockspec
--tree=/usr/local/apisix/deps PCRE_DIR=/usr/local/openresty/pcre \
- && cp -v
/usr/local/apisix/deps/lib/luarocks/rocks-5.1/apisix/${APISIX_VERSION}-0/bin/apisix
/usr/bin/ \
- && (if [ "$APISIX_VERSION" = "master" ] || [ "$APISIX_VERSION" \> "2.2" ];
then echo 'use shell ';else bin='#!
/usr/local/openresty/luajit/bin/luajit\npackage.path =
"/usr/local/apisix/?.lua;" .. package.path'; sed -i "1s@.*@$bin@"
/usr/bin/apisix ; fi;) \
- && mv /usr/local/apisix/deps/share/lua/5.1/apisix /usr/local/apisix \
- && apk del .builddeps build-base make unzip clang wget
+RUN set -ex; \
+ arch=$(dpkg --print-architecture); \
+ apt-get update; \
+ apt-get -y install --no-install-recommends wget gnupg ca-certificates
curl; \
+ codename=$(grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release); \
+ case "${arch}" in \
+ amd64) \
+ wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add - \
+ && echo "deb https://repos.apiseven.com/packages/debian $codename
main" \
+ | tee /etc/apt/sources.list.d/apisix.list ;; \
+ arm64) \
+ wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add - \
+ && echo "deb https://repos.apiseven.com/packages/arm64/debian
$codename main" \
+ | tee /etc/apt/sources.list.d/apisix.list ;; \
+ esac; \
+ apt-get update \
+ && apt-get install -y apisix=${APISIX_VERSION}-0 \
+ && apt-get purge -y --auto-remove wget gnupg \
+ && rm -rf /var/lib/apt/lists/* \
+ && openresty -V \
+ && apisix version
# Build etcd
-FROM alpine:3.13 AS etcd-stage
+FROM debian:bullseye-slim AS etcd-stage
ARG ETCD_VERSION
LABEL etcd_version="${ETCD_VERSION}"
WORKDIR /tmp
-RUN wget
https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz
\
- && tar -zxvf etcd-${ETCD_VERSION}-linux-amd64.tar.gz \
- && ln -s etcd-${ETCD_VERSION}-linux-amd64 etcd
+RUN set -ex; \
+ arch=$(dpkg --print-architecture); \
+ apt-get update \
+ && apt-get install -y --no-install-recommends wget ca-certificates \
+ && wget
https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${arch}.tar.gz
\
+ && tar -zxvf etcd-${ETCD_VERSION}-linux-${arch}.tar.gz \
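Review bot: `ARG ENABLE_PROXY` is still declared in production-stage, but the new RUN never reads it: the removed RUN used it to switch the apk mirror, and now a build with `--build-arg ENABLE_PROXY=true` silently behaves like the default. Either drop the `ARG ENABLE_PROXY` line from this stage or apply it to the Debian sources (the mirror substitution the old line performed), and note which in a comment. Separately, `apt-get install -y apisix=${APISIX_VERSION}-0` omits the `--no-install-recommends` used for the bootstrap tools, and `curl` is installed at the top but not purged with `wget gnupg`; if curl is intentionally kept in the final image, a comment such as `# curl kept on purpose: <reason>` would make that clear. The etcd-stage RUN continues beyond the quoted hunk.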
Review Comment:
This Dockerfile downloads prebuilt `etcd` binaries via `wget` directly from
GitHub releases and places them into the final image without any checksum or
signature verification. If the release tarball or the download channel is
compromised, an attacker could supply a malicious `etcd`/`etcdctl` binary that
runs with full privileges inside the APISIX container. Add explicit integrity
verification for the downloaded archive (for example, by validating a pinned
checksum or signature) before extracting and copying the binaries into the
image.
##########
all-in-one/apisix-dashboard/Dockerfile:
##########
@@ -17,60 +17,56 @@
ARG ENABLE_PROXY=false
ARG ETCD_VERSION=v3.4.14
-ARG APISIX_VERSION=master
+ARG APISIX_VERSION=3.15.0
ARG APISIX_DASHBOARD_VERSION=master
-# Build Apache APISIX
-FROM openresty/openresty:1.25.3.2-0-alpine-fat AS production-stage
+# Build Apache APISIX (using official package with apisix-nginx-module)
+FROM debian:bullseye-slim AS production-stage
ARG APISIX_VERSION
ARG ENABLE_PROXY
LABEL apisix_version="${APISIX_VERSION}"
-RUN set -x \
- && (test "${ENABLE_PROXY}" != "true" || /bin/sed -i
's,http://dl-cdn.alpinelinux.org,https://mirrors.aliyun.com,g'
/etc/apk/repositories) \
- && apk add --no-cache --virtual .builddeps \
- automake \
- autoconf \
- libtool \
- pkgconfig \
- cmake \
- make \
- clang \
- wget \
- git \
- openldap-dev \
- pcre2-dev \
- sudo \
- && wget
https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz \
- && tar -zxvf yaml-0.2.5.tar.gz \
- && cd yaml-0.2.5 \
- && ./configure --prefix=/usr \
- && make \
- && make install \
- && ln -s /usr/lib/libyaml-0.so.2 /usr/local/lib/libyaml-0.so.2 \
- && curl
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
-sL | bash - \
- && git config --global url.https://github.com/.insteadOf git://github.com/
\
- && luarocks install
https://raw.githubusercontent.com/apache/apisix/master/apisix-master-0.rockspec
--tree=/usr/local/apisix/deps PCRE_DIR=/usr/local/openresty/pcre \
- && cp -v
/usr/local/apisix/deps/lib/luarocks/rocks-5.1/apisix/${APISIX_VERSION}-0/bin/apisix
/usr/bin/ \
- && (if [ "$APISIX_VERSION" = "master" ] || [ "$APISIX_VERSION" \> "2.2" ];
then echo 'use shell ';else bin='#!
/usr/local/openresty/luajit/bin/luajit\npackage.path =
"/usr/local/apisix/?.lua;" .. package.path'; sed -i "1s@.*@$bin@"
/usr/bin/apisix ; fi;) \
- && mv /usr/local/apisix/deps/share/lua/5.1/apisix /usr/local/apisix \
- && apk del .builddeps build-base make unzip clang wget
+RUN set -ex; \
+ arch=$(dpkg --print-architecture); \
+ apt-get update; \
+ apt-get -y install --no-install-recommends wget gnupg ca-certificates
curl; \
+ codename=$(grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release); \
+ case "${arch}" in \
+ amd64) \
+ wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add - \
+ && echo "deb https://repos.apiseven.com/packages/debian $codename
main" \
+ | tee /etc/apt/sources.list.d/apisix.list ;; \
+ arm64) \
+ wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add - \
+ && echo "deb https://repos.apiseven.com/packages/arm64/debian
$codename main" \
+ | tee /etc/apt/sources.list.d/apisix.list ;; \
+ esac; \
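Review bot: Both branches of the `case "${arch}"` repeat the key import and differ only in the repository path, so any future change to the key handling has to be made twice and the two copies can drift. Hoisting the key import above the case and letting each branch assign only the path keeps a single copy of each step; the lines below show that shape and keep the current key-import command as it is. The RUN instruction continues beyond the quoted hunk.
```dockerfile
    wget -O - https://repos.apiseven.com/pubkey.gpg | apt-key add -; \
    case "${arch}" in \
        amd64) repo_path=packages/debian ;; \
        arm64) repo_path=packages/arm64/debian ;; \
    esac; \
    echo "deb https://repos.apiseven.com/${repo_path} $codename main" \
        | tee /etc/apt/sources.list.d/apisix.list; \
```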
Review Comment:
The `case "${arch}"` has no default branch. On any unsupported architecture
the build will proceed without configuring the APISIX repo and then fail later
with a less actionable apt error. Add a `*)` branch that prints a clear message
and exits non-zero (or map additional supported arches explicitly).