Upgrade base image to debian 12, upgrade packages and openresty to cve free version

ddelnano · ddelnano · commit 92f4ed74de79 · 2026-02-19T21:28:26.000-08:00
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/bazel/container_images.bzl b/bazel/container_images.bzl
@@ -42,18 +42,18 @@ def _container_image(name, digest, repository):
     )
 
 def base_images():
-    # Based on alpine 3.15.9, using OpenResty 1.21.4.1
-    # https://hub.docker.com/layers/openresty/openresty/alpine-apk-amd64/images/sha256-2259f28de01f85c22e32b6964254a4551c54a1d554cd4b5f1615d7497e1a09ce?context=explore
+    # Based on alpine 3.18.12, using OpenResty 1.27.1.2
+    # https://hub.docker.com/r/openresty/openresty/tags?name=1.27.1.2-11-alpine-apk
     _container_image(
         name = "openresty",
         repository = "openresty/openresty",
-        digest = "sha256:2259f28de01f85c22e32b6964254a4551c54a1d554cd4b5f1615d7497e1a09ce",
+        digest = "sha256:56fc9f7abc449a6d3eb06f63eca536fb61c16a3a53ab3fa7b9bb4dd6af614787",
     )
 
     _container_image(
         name = "base_image",
-        repository = "distroless/base",
-        digest = "sha256:8267a5d9fa15a538227a8850e81cf6c548a78de73458e99a67e8799bbffb1ba0",
+        repository = "distroless/base-debian12",
+        digest = "sha256:1f144c77a9ecaaa132fc3037b4417d9f9fd0b7a50101c696af5cb186876aa2a3",
     )
 
     _container_image(
diff --git a/bazel/external/ubuntu_packages/debs.json b/bazel/external/ubuntu_packages/debs.json
@@ -12,16 +12,16 @@
       "checksum": "9a9aee10c7804ff678719fb2887fa4758d5d94c7cb03c1b50fbccb0c4ee43dcc"
    },
    {
-      "path": "main/n/ncurses/libtinfo6_6.4-2_amd64.deb",
-      "checksum": "9627a3d3d2b9fed9fc5828962a52a6f70de8bb73dca9a9a432cab4b0159e68cb"
+      "path": "main/n/ncurses/libtinfo6_6.4-4_amd64.deb",
+      "checksum": "072d908f38f51090ca28ca5afa3b46b2957dc61fe35094c0b851426859a49a51"
    },
    {
       "path": "main/libu/libunwind/libunwind8_1.6.2-3_amd64.deb",
       "checksum": "571cb2968ba9eaa817ae3bad792e4dbb80950c72d28b92ea3ea67becd08e8711"
    },
    {
-      "path": "main/x/xz-utils/liblzma5_5.4.1-0.2_amd64.deb",
-      "checksum": "2c9c51f281997ce5963e3b22b928dec13adafb8e3079bc02f89e51db9891bfd2"
+      "path": "main/x/xz-utils/liblzma5_5.4.1-1_amd64.deb",
+      "checksum": "d321b9502b16aac534e1c691afbe3dc5e125e5091aa35bea026c59b25ebe82e7"
    },
    {
       "path": "main/z/zlib/zlib1g_1.2.13.dfsg-1ubuntu4_amd64.deb",
diff --git a/bazel/external/ubuntu_packages/packages.bzl b/bazel/external/ubuntu_packages/packages.bzl
@@ -38,14 +38,14 @@ def download_ubuntu_packages():
     )
     http_file(
         name = "liblzma5",
-        urls = ["https://storage.googleapis.com/pixie-dev-public/ubuntu-debs/1655507056/liblzma5_5.4.1-0.2_amd64.deb"],
-        sha256 = "2eb9eec6d213ea17938ef5c552f360a1093386acfe185e8c7cccdc60b984744d",
+        urls = ["http://deb.debian.org/debian/pool/main/x/xz-utils/liblzma5_5.4.1-1_amd64.deb"],
+        sha256 = "d321b9502b16aac534e1c691afbe3dc5e125e5091aa35bea026c59b25ebe82e7",
         downloaded_file_path = "out.deb",
     )
     http_file(
         name = "libtinfo6",
-        urls = ["https://storage.googleapis.com/pixie-dev-public/ubuntu-debs/1655507056/libtinfo6_6.4-2_amd64.deb"],
-        sha256 = "9d857ace717312b56acf7775b23e6400eef98c1eb7b0db111a799709c6d97353",
+        urls = ["http://deb.debian.org/debian/pool/main/n/ncurses/libtinfo6_6.4-4_amd64.deb"],
+        sha256 = "072d908f38f51090ca28ca5afa3b46b2957dc61fe35094c0b851426859a49a51",
         downloaded_file_path = "out.deb",
     )
     http_file(

Original file line number	Diff line number	Diff line change
`@@ -12,16 +12,16 @@`
`12`	`12`	`"checksum": "9a9aee10c7804ff678719fb2887fa4758d5d94c7cb03c1b50fbccb0c4ee43dcc"`
`13`	`13`	`},`
`14`	`14`	`{`
`15`		`- "path": "main/n/ncurses/libtinfo6_6.4-2_amd64.deb",`
`16`		`- "checksum": "9627a3d3d2b9fed9fc5828962a52a6f70de8bb73dca9a9a432cab4b0159e68cb"`
	`15`	`+ "path": "main/n/ncurses/libtinfo6_6.4-4_amd64.deb",`
	`16`	`+ "checksum": "072d908f38f51090ca28ca5afa3b46b2957dc61fe35094c0b851426859a49a51"`
`17`	`17`	`},`
`18`	`18`	`{`
`19`	`19`	`"path": "main/libu/libunwind/libunwind8_1.6.2-3_amd64.deb",`
`20`	`20`	`"checksum": "571cb2968ba9eaa817ae3bad792e4dbb80950c72d28b92ea3ea67becd08e8711"`
`21`	`21`	`},`
`22`	`22`	`{`
`23`		`- "path": "main/x/xz-utils/liblzma5_5.4.1-0.2_amd64.deb",`
`24`		`- "checksum": "2c9c51f281997ce5963e3b22b928dec13adafb8e3079bc02f89e51db9891bfd2"`
	`23`	`+ "path": "main/x/xz-utils/liblzma5_5.4.1-1_amd64.deb",`
	`24`	`+ "checksum": "d321b9502b16aac534e1c691afbe3dc5e125e5091aa35bea026c59b25ebe82e7"`
`25`	`25`	`},`
`26`	`26`	`{`
`27`	`27`	`"path": "main/z/zlib/zlib1g_1.2.13.dfsg-1ubuntu4_amd64.deb",`
Original file line number	Diff line number	Diff line change
`@@ -38,14 +38,14 @@ def download_ubuntu_packages():`
`38`	`38`	`)`
`39`	`39`	`http_file(`
`40`	`40`	`name = "liblzma5",`
`41`		`- urls = ["https://storage.googleapis.com/pixie-dev-public/ubuntu-debs/1655507056/liblzma5_5.4.1-0.2_amd64.deb"],`
`42`		`- sha256 = "2eb9eec6d213ea17938ef5c552f360a1093386acfe185e8c7cccdc60b984744d",`
	`41`	`+ urls = ["http://deb.debian.org/debian/pool/main/x/xz-utils/liblzma5_5.4.1-1_amd64.deb"],`
	`42`	`+ sha256 = "d321b9502b16aac534e1c691afbe3dc5e125e5091aa35bea026c59b25ebe82e7",`
`43`	`43`	`downloaded_file_path = "out.deb",`
`44`	`44`	`)`
`45`	`45`	`http_file(`
`46`	`46`	`name = "libtinfo6",`
`47`		`- urls = ["https://storage.googleapis.com/pixie-dev-public/ubuntu-debs/1655507056/libtinfo6_6.4-2_amd64.deb"],`
`48`		`- sha256 = "9d857ace717312b56acf7775b23e6400eef98c1eb7b0db111a799709c6d97353",`
	`47`	`+ urls = ["http://deb.debian.org/debian/pool/main/n/ncurses/libtinfo6_6.4-4_amd64.deb"],`
	`48`	`+ sha256 = "072d908f38f51090ca28ca5afa3b46b2957dc61fe35094c0b851426859a49a51",`
`49`	`49`	`downloaded_file_path = "out.deb",`
`50`	`50`	`)`
`51`	`51`	`http_file(`