diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
index 8c1e7d6..6c23165 100644
--- a/.devcontainer/devcontainer-lock.json
+++ b/.devcontainer/devcontainer-lock.json
@@ -19,4 +19,4 @@
 "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 98c2e4a..cb68f7a 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -11,8 +11,7 @@
 "extensions": [
 "EditorConfig.EditorConfig",
 "GitHub.vscode-github-actions",
- "GitHub.vscode-pull-request-github",
- "ms-vsliveshare.vsliveshare"
+ "GitHub.vscode-pull-request-github"
 ]
 }
 }
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a3fbaf7..021b064 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Install cosign
 id: install_cosign
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Log in to GitHub Container Registry
 id: ghcr_login
@@ -37,7 +37,7 @@ jobs:
 - name: Build and Push
 id: build_and_push
- uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 push: true
 tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
@@ -50,7 +50,7 @@ jobs:
 - name: Generate SBOM
 id: generate_sbom
- uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+ uses: anchore/sbom-action@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
 with:
 image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
 format: cyclonedx-json
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 16248a5..57b03b1 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -30,7 +30,10 @@ jobs:
 - name: Scan
 id: scan
- uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9578b45609c99d7eb # v0.26.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
 with:
 image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
 severity: HIGH,CRITICAL
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0989623..cf58389 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Set Up Container Structure Test
 id: setup_container_structure_test
- uses: ministryofjustice/github-actions/setup-container-structure-test@eaec2bb18f6dd19dd0fcb3cc48f7803a3731b7e5 # v18.1.5
+ uses: ministryofjustice/github-actions/setup-container-structure-test@9f2e1064389dae6ca4098470b933da7042675e59 # v18.3.1
 - name: Test
 id: test
diff --git a/.trivyignore b/.trivyignore
index cc569c0..5f8a342 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,3 +1,2 @@
-# In the Linux kernel, the following vulnerability has been resolved:
-# exec: Fix ToCToU between perm check and set-uid/gid usage
+# Ubuntu CVE-2024-43882
diff --git a/Dockerfile b/Dockerfile
index 65c1f5f..f20829b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 #checkov:skip=CKV_DOCKER_2: HEALTHCHECK not required - Health checks are implemented downstream of this image
-FROM public.ecr.aws/ubuntu/ubuntu@sha256:5b2fc4131b3c134a019c3ea815811de70e6ad9ee1626f59bf302558a95b436e5
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:fb95efe0d22be277f10250f15e5172ec0fe22c37eca2ba55e78b526c447eec23
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
 org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" \
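Review bot: The `env:` block added under the trivy-action step redirects both vulnerability databases to the `public.ecr.aws/aquasecurity/...` mirror without a comment saying why the default source is being replaced, so a later maintainer cannot tell whether this is a temporary workaround or a deliberate policy; suggest `# Pull the vulnerability DBs from the ECR Public mirror; keep in step with the defaults in the Makefile` above `env:`. Both references are rolling tags (`trivy-db:2`, `trivy-java-db:1`), so the database content a run sees is whatever the mirror serves at that moment — expected for a scanner, but it means a passing scan is not reproducible later, which is worth stating in the same comment. The Makefile in this commit declares the same two values as `?=` defaults, so the two copies can drift; at minimum each should reference the other.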
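Review bot: The rewritten comment in `.trivyignore` keeps only a vendor label and drops the description of what the suppressed finding is, so the file no longer records why the suppression is acceptable for this image or when it should be revisited. In this rendering the line break after `+# Ubuntu` is lost, so I am reading the hunk as replacing the two explanatory lines with a bare `# Ubuntu` comment above the unchanged `CVE-2024-43882` entry. Suggest keeping the rationale next to the id, e.g. `# CVE-2024-43882: <reason this finding is accepted for this image>; revisit when the base image digest changes`. If a hard expiry is wanted, Trivy's YAML ignore-file format supports an expiry date per entry, which the plain `.trivyignore` format does not, as far as I recall.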
@@ -17,7 +17,7 @@ ENV CONTAINER_USER="analyticalplatform" \
 PIP_BREAK_SYSTEM_PACKAGES="1" \
 CUDA_VERSION="12.6.1" \
 NVIDIA_DISABLE_REQUIRE="true" \
- NVIDIA_CUDA_CUDART_VERSION="12.6.68-1" \
+ NVIDIA_CUDA_CUDART_VERSION="12.6.77-1" \
 NVIDIA_CUDA_COMPAT_VERSION="560.35.03-1" \
 NVIDIA_VISIBLE_DEVICES="all" \
 NVIDIA_DRIVER_CAPABILITIES="compute,utility" \
diff --git a/Makefile b/Makefile
index 79b7c39..ae9e650 100644
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,20 @@
-.PHONY: test build run
+.PHONY: build scan test run
 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-airflow-python-base
 IMAGE_TAG ?= local
+TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2
+TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1
+
 run: build
 docker run --rm -it $(IMAGE_NAME):$(IMAGE_TAG)
 test: build
 container-structure-test test --platform linux/amd64 --config test/container-structure-test.yml --image $(IMAGE_NAME):$(IMAGE_TAG)
+scan: build
+ trivy image --platform linux/amd64 --severity HIGH,CRITICAL $(IMAGE_NAME):$(IMAGE_TAG)
+
 build:
 @ARCH=`uname --machine`; \
 case $$ARCH in \
diff --git a/README.md b/README.md
index c1b3875..53f6f5a 100644
--- a/README.md
+++ b/README.md
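Review bot: `TRIVY_DB_REPOSITORY` and `TRIVY_JAVA_DB_REPOSITORY` are assigned with `?=` but not exported, and the new `scan` recipe does not pass them on the command line, so unless an `export` directive exists further down the file the `trivy image` child process only sees them when the caller already had them in its environment — in which case the Makefile defaults never take effect anyway. Add `export TRIVY_DB_REPOSITORY TRIVY_JAVA_DB_REPOSITORY` after the two assignments, or pass them explicitly as `--db-repository $(TRIVY_DB_REPOSITORY) --java-db-repository $(TRIVY_JAVA_DB_REPOSITORY)` in the recipe. A short comment on the assignments noting that they mirror the values in `.github/workflows/scan.yml` would help keep the two copies in step. The `build` target's recipe continues past the end of the hunk.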
@@ -57,3 +57,31 @@
 apt-get update
 apt-cache policy ${PACKAGE} # for example curl, git or gpg
 ```
+
+### NVIDIA CUDA
+
+The latest version of NVIDIA can be obtained by running:
+
+```bash
+docker run -it --rm --platform linux/amd64 public.ecr.aws/ubuntu/ubuntu:24.04
+
+apt-get update
+
+apt-get install --yes curl gpg
+
+curl --location --fail-with-body \
+  "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/3bf863cc.pub" \
+  --output "3bf863cc.pub"
+
+cat 3bf863cc.pub | gpg --dearmor --output nvidia.gpg
+
+install -D --owner root --group root --mode 644 nvidia.gpg /etc/apt/keyrings/nvidia.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/nvidia.gpg] https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64 /" > /etc/apt/sources.list.d/cuda.list
+
+apt-get update --yes
+
+apt-cache policy cuda-cudart-12-6
+
+apt-cache policy cuda-compat-12-6
+```