diff --git a/components/image-collector/Dockerfile b/components/image-collector/Dockerfile index 1daf01c14..6f4853f2f 100644 --- a/components/image-collector/Dockerfile +++ b/components/image-collector/Dockerfile @@ -4,7 +4,7 @@ # Rather than build the binary, retrieve the already-built binary from # the OpenTelemetry image -FROM otel/opentelemetry-collector-contrib:0.147.0 AS collector +FROM otel/opentelemetry-collector-contrib:0.152.0 AS collector # Aggregate the collector licenses from binary # and from root of the PGO repo @@ -34,6 +34,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal COPY --from=build --chmod=0777 /otelcol-contrib /otelcol-contrib COPY --from=build /licenses /licenses -RUN microdnf install -y 'logrotate' 'procps-ng' +RUN microdnf update -y --nodocs \ + && microdnf install -y 'logrotate' 'procps-ng' USER 2 diff --git a/components/image-pgadmin/Dockerfile b/components/image-pgadmin/Dockerfile index 7662c809b..c079ad08e 100644 --- a/components/image-pgadmin/Dockerfile +++ b/components/image-pgadmin/Dockerfile @@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 ARG BASE_VERSION=ubi9 -ARG PGADMIN4_VERSION=9.13 +ARG PGADMIN4_VERSION=9.15 ARG PYTHON_VERSION=3.11 ARG PG_MAJOR=18 @@ -97,6 +97,7 @@ ARG BASE_VERSION RUN rpm -ivh "https://dl.fedoraproject.org/pub/epel/epel-release-latest-${BASE_VERSION##ubi}.noarch.rpm" \ && rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-${BASE_VERSION##ubi}-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \ +&& microdnf update -y --nodocs \ && microdnf install -y --nodocs --setopt install_weak_deps=0 \ --enablerepo='epel' \ 'krb5-libs' \ diff --git a/components/image-pgbackrest/Dockerfile b/components/image-pgbackrest/Dockerfile index f3a45f3de..302095f8a 100644 --- a/components/image-pgbackrest/Dockerfile +++ b/components/image-pgbackrest/Dockerfile 
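Review bot: The rewritten `RUN` in components/image-collector/Dockerfile (hunk at line 34) ends at `'procps-ng'` with no cache cleanup, so the repository metadata and packages downloaded by `microdnf update` stay in the final image layer. The install also lacks the `--nodocs --setopt install_weak_deps=0` options that the other Dockerfiles in this diff use, so weak dependencies are pulled in here. I would write the tail as `&& microdnf install -y --nodocs --setopt install_weak_deps=0 'logrotate' 'procps-ng' \` followed by `&& microdnf clean all`. Separately, the context line `COPY --from=build --chmod=0777 /otelcol-contrib` leaves the collector binary writable by every user, including `USER 2`. `--chmod=0755` looks sufficient for execution and would prevent the runtime user from replacing it.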
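Review bot: In components/image-pgadmin/Dockerfile (hunk at line 97) the added `microdnf update -y --nodocs` sits after the two `rpm -ivh` lines that install the EPEL and PGDG release packages, so the refresh resolves against any repos those packages enable by default, not only the UBI repos. Those release RPMs come from `-latest` URLs and no checksum or signature check is visible in the hunk, so an unpinned update trusts them further. If the intent is only to pick up base-image fixes, run the update as the first command of the `RUN`, before the `rpm -ivh` lines. Otherwise add a comment saying so, such as `# update intentionally includes EPEL/PGDG`. The same ordering appears in the image-pgbackrest and image-pgbouncer hunks and in Dockerfile.postgres, where the added comment suggests it is deliberate. This `RUN` continues past the hunk, so cleanup cannot be judged from here.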
@@ -38,6 +38,7 @@ RUN rpm -ivh \ # Delete the repo file as it is large and unneeded. ARG PGBACKREST_VERSION RUN rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \ + && microdnf update -y --nodocs \ && microdnf install -y --nodocs --setopt install_weak_deps=0 'shadow-utils' \ && groupadd --gid 26 postgres \ && useradd --gid 26 --uid 26 --no-log-init postgres \ diff --git a/components/image-pgbouncer/Dockerfile b/components/image-pgbouncer/Dockerfile index 56b9ea220..e7fad45c2 100644 --- a/components/image-pgbouncer/Dockerfile +++ b/components/image-pgbouncer/Dockerfile @@ -4,10 +4,11 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal -ARG PGBOUNCER_VERSION=1.24.1 +ARG PGBOUNCER_VERSION=1.25.2 # The c-ares package is in the rhel-9-for-$(arch)-baseos-rpms repo, so we must enable it RUN rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" \ + && microdnf update -y --nodocs \ && microdnf install -y --nodocs --setopt install_weak_deps=0 \ --enablerepo="rhel-9-for-$(arch)-baseos-rpms" \ "pgbouncer-${PGBOUNCER_VERSION}" \ diff --git a/components/image-postgres/Dockerfile.postgis b/components/image-postgres/Dockerfile.postgis index 7ecceb188..d9bd7321f 100644 --- a/components/image-postgres/Dockerfile.postgis +++ b/components/image-postgres/Dockerfile.postgis @@ -26,6 +26,10 @@ rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pg # Disable module to avoid conflicts microdnf --assumeyes module disable postgresql || true +# Refresh base packages so any CVE patches that landed in the upstream +# repos after the parent crunchy-postgres image was built are picked up. +microdnf update -y --nodocs + microdnf install -y --nodocs --setopt install_weak_deps=0 \ --enablerepo="codeready-builder-for-rhel-9-$(arch)-rpms" \ perl \ 
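Review bot: In Dockerfile.postgis (hunk at line 26) the added `microdnf update -y --nodocs` runs in an image that, per the added comment, derives from crunchy-postgres, and it runs after the PGDG repo RPM is installed. It can therefore upgrade PGDG packages inherited from the parent as well as base OS packages. The parent image is not visible here, but Dockerfile.postgres pins versions such as `PGBACKREST_VERSION=2.58.0`, so the postgis and postgres-upgrade images could presumably drift from the versions the parent was built and tested with. I would extend the comment with `# NOTE: this also upgrades PGDG packages inherited from the parent; rebuild the parent image first to keep versions aligned`, and add an `rpm -q` check of the pinned packages after the update. The same applies to the Dockerfile.postgres-upgrade hunk at line 18. The enclosing `RUN` starts and ends outside both hunks.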
diff --git a/components/image-postgres/Dockerfile.postgres b/components/image-postgres/Dockerfile.postgres index fb8f59ec9..31d33431d 100644 --- a/components/image-postgres/Dockerfile.postgres +++ b/components/image-postgres/Dockerfile.postgres @@ -4,7 +4,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal -ARG PATRONI_VERSION=4.0.6 +ARG PATRONI_VERSION=4.1.3 ARG PGBACKREST_VERSION=2.58.0 ARG POSTGRES_VERSION=18 @@ -32,6 +32,11 @@ rpm -ivh "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm # Disable the built-in PostgreSQL module to avoid conflicts with PGDG packages microdnf --assumeyes module disable postgresql || true +# Refresh all base-image packages against the current RHEL/EPEL/PGDG repos so +# the build picks up CVE patches that landed after ubi-minimal was last +# republished. +microdnf update -y --nodocs + # Ensure complete timezone database is present (some minimal UBI layers # can have tzdata partially pruned); reinstall guarantees fresh /usr/share/zoneinfo microdnf reinstall -y --nodocs 'tzdata' diff --git a/components/image-postgres/Dockerfile.postgres-upgrade b/components/image-postgres/Dockerfile.postgres-upgrade index ed4542a73..1b0ee55ac 100644 --- a/components/image-postgres/Dockerfile.postgres-upgrade +++ b/components/image-postgres/Dockerfile.postgres-upgrade @@ -18,6 +18,10 @@ rpm -ivh "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pg # Disable module to avoid conflicts microdnf --assumeyes module disable postgresql || true +# Refresh base packages so any CVE patches that landed in the upstream +# repos after the parent crunchy-postgres image was built are picked up. +microdnf update -y --nodocs + # Build package list for all target versions PKGS="$(for POSTGRES_VERSION in ${POSTGRES_UPGRADE_VERSIONS}; do POSTGRES_MAJOR_VERSION="${POSTGRES_VERSION%.*}"