Clean up manual installation of git and git-lfs in ubi base image and bump git-lfs version to 3.4.0
This is one in a series of MRs to clean up and reduce actual and potential CVE reports in runner fips images:
What does this MR do?
This MR:
- Builds git in a separate layer in the ubi base image.
- Attempts to consolidate installation of git-lfs in all docker images to a single script. D.R.Y.
Why was this MR needed?
Building git requires a bunch of packages we neither need nor want in a final runtime image. We can keep the final image small by building git in a separate layer, and just copying the final products over to the final image.
Previously we had 4 different ways of installing git-lfs in the various docker images, including building it from source in one case. This was madness. In addition, version 3.4.0 of git-lfs includes a number of vulnerability fixes, which means we no longer need to install it from source. This now makes it possible to consolidate how we install git-lfs in all images.
This will address a number of CVE vulnerabilities.
What's the best way to test this MR?
CI pipeline passes and image (and downstream images) are built.
What are the relevant issue numbers?
- closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36001
- closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36002
- closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36012
- closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36000
- closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36005
- closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36006
- closes #29944 (closed)
- https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31065#note_1460548929
Notes
- Best reviewed commit-at-a-time
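
One way a single shared git-lfs install script can look, as an added example rather than the script from this MR: it takes the upstream release tarball and refuses to install unless its SHA-256 matches a value pinned by the caller. The function names, the `install` entry point, the default destination and the GitHub release URL layout are assumptions; the checksum is supplied by the caller and is not given on this page.

```sh
#!/bin/sh
# Added example (not the MR's script); names and URL layout are assumptions.
set -eu

# Map `uname -m` output to the architecture suffix in release asset names.
lfs_arch() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    s390x)         echo s390x ;;
    ppc64le)       echo ppc64le ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}
# Release asset name for <version> <machine>; fails on unknown machines.
lfs_asset() {
  local arch; arch=$(lfs_arch "$2") || return 1
  echo "git-lfs-linux-${arch}-v$1.tar.gz"
}
# Succeeds only if the file's SHA-256 equals the pinned value.
verify_sha256() { [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]; }

# install_from_tarball <tarball> <pinned sha256> <dest dir>
install_from_tarball() {
  local tarball="$1" expected="$2" dest="$3" tmp bin
  verify_sha256 "$tarball" "$expected" ||
    { echo "checksum mismatch: $tarball" >&2; return 1; }
  tmp=$(mktemp -d)
  tar -xzf "$tarball" -C "$tmp"
  bin=$(find "$tmp" -type f -name git-lfs -print -quit)
  [ -n "$bin" ] || { rm -rf "$tmp"; echo "no git-lfs binary" >&2; return 1; }
  install -m 0755 "$bin" "$dest/git-lfs"
  rm -rf "$tmp"
}

# install_git_lfs <version> <pinned sha256> [dest dir]  (needs network)
install_git_lfs() {
  local asset tarball
  asset=$(lfs_asset "$1" "$(uname -m)")
  tarball=$(mktemp)
  curl -fsSL -o "$tarball" \
    "https://github.com/git-lfs/git-lfs/releases/download/v$1/${asset}"
  install_from_tarball "$tarball" "$2" "${3:-/usr/local/bin}" ||
    { rm -f "$tarball"; return 1; }
  rm -f "$tarball"
}

# Assumed entry point: ./install-git-lfs.sh install 3.4.0 <sha256> [dest]
if [ "${1:-}" = "install" ]; then install_git_lfs "$2" "$3" "${4:-}"; fi
```

Each image's Dockerfile can then call the same script with the same pinned version and checksum, so a version bump is a one-line change.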