Images: Bump Alpine to v3.21. (#12528)

k8s-infra-cherrypick-robot · dependabot[bot] · Gacko · web-flow · commit 0d98a278b7d7 · 2024-12-21T00:52:10.000+01:00
Co-authored-by: dependabot[bot] &lt;49699333+dependabot[bot]@users.noreply.github.com&gt;
Co-authored-by: Marco Ebert &lt;marco_ebert@icloud.com&gt;
diff --git a/Makefile b/Makefile
@@ -110,7 +110,7 @@ clean-chroot-image: ## Removes local image
 
 .PHONY: build
 build:  ## Build ingress controller, debug tool and pre-stop hook.
-	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.20 USE_SHELL=/bin/sh build/run-in-docker.sh \
+	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \
 		MAC_OS=$(MAC_OS) \
 		PKG=$(PKG) \
 		ARCH=$(ARCH) \
diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json
@@ -4,7 +4,7 @@
 			"spec": {
 				"initContainers": [{
 					"name": "sysctl",
-					"image": "alpine:3.20",
+					"image": "alpine:3.21",
 					"securityContext": {
 						"privileged": true
 					},
diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.20
+FROM alpine:3.21
 
 RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
 RUN apk update \
diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile
@@ -14,7 +14,7 @@
 
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.20 as builder
+FROM golang:${GOLANG_VERSION}-alpine3.21 as builder
 
 RUN apk update \
     && apk upgrade && apk add git
diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile
@@ -1,6 +1,6 @@
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.20 as builder
+FROM golang:${GOLANG_VERSION}-alpine3.21 as builder
 RUN mkdir /authsvc
 WORKDIR /authsvc
 COPY . ./
diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.20 as builder
+FROM golang:${GOLANG_VERSION}-alpine3.21 as builder
 
 WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi
 
diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile
@@ -1,6 +1,6 @@
 ARG GOLANG_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.20 as build
+FROM golang:${GOLANG_VERSION}-alpine3.21 as build
 
 WORKDIR /go/src/greeter-server
 
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM alpine:3.20 as builder
+FROM alpine:3.21 as builder
 
 COPY . /
 
@@ -21,7 +21,7 @@ RUN apk update \
   && /build.sh
 
 # Use a multi-stage build
-FROM alpine:3.20
+FROM alpine:3.21
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 
@@ -66,7 +66,7 @@ RUN apk update \
   ); \
   for dir in "${writeDirs[@]}"; do \
   mkdir -p ${dir}; \
-  chown -R www-data.www-data ${dir}; \
+  chown -R www-data:www-data ${dir}; \
   done'
 
 EXPOSE 80 443
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
@@ -414,6 +414,21 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 " > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
 
+# NGINX compiles a small test program to check if an added module works as expected.
+#
+# ModSecurity-nginx provides 'printf("hello");' as a test, but newer versions of GCC,
+# as included in Alpine 3.21, do not allow implicit declaration of function 'printf':
+#
+#   objs/autotest.c:7:5: error: implicit declaration of function 'printf' [-Wimplicit-function-declaration]
+#
+# For this reason we replace 'printf("hello");' by 'msc_init();', which is always available.
+#
+# This fix is taken from a PR, that has been proposed to the ModSecurity-nginx project:
+#
+#   https://github.com/owasp-modsecurity/ModSecurity-nginx/pull/275
+#
+sed -i "s/ngx_feature_test='printf(\"hello\");'/ngx_feature_test='msc_init();'/" $BUILD_PATH/ModSecurity-nginx/config
+
 # build nginx
 cd "$BUILD_PATH/nginx-$NGINX_VERSION"
 
@@ -609,7 +624,7 @@ adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-
 
 for dir in "${writeDirs[@]}"; do
   mkdir -p ${dir};
-  chown -R www-data.www-data ${dir};
+  chown -R www-data:www-data ${dir};
 done
 
 rm -rf /etc/nginx/owasp-modsecurity-crs/.git
diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile
@@ -15,7 +15,7 @@ ARG BASE_IMAGE
 ARG GOLANG_VERSION
 ARG ETCD_VERSION
 
-FROM golang:${GOLANG_VERSION}-alpine3.20 as GO
+FROM golang:${GOLANG_VERSION}-alpine3.21 as GO
 FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd
 
 FROM ${BASE_IMAGE}
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
@@ -59,7 +59,7 @@ RUN bash -xeu -c ' \
   ); \
   for dir in "${writeDirs[@]}"; do \
     mkdir -p ${dir}; \
-    chown -R www-data.www-data ${dir}; \
+    chown -R www-data:www-data ${dir}; \
   done' \
   # LD_LIBRARY_PATH does not work so below is needed for  opentelemetry/other modules
   # Put libs of newer modules under `/modules_mount/<other>/lib` and add that path below
diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot
@@ -23,7 +23,7 @@ RUN apk update \
   && apk upgrade \
   && /chroot.sh
 
-FROM alpine:3.20
+FROM alpine:3.21
 
 ARG TARGETARCH
 ARG VERSION
@@ -78,7 +78,7 @@ RUN bash -xeu -c ' \
   ); \
   for dir in "${writeDirs[@]}"; do \
     mkdir -p ${dir}; \
-    chown -R www-data.www-data ${dir}; \
+    chown -R www-data:www-data ${dir}; \
   done' \
   # LD_LIBRARY_PATH does not work so below is needed for  opentelemetry/other modules
   # Put libs of newer modules under `/modules_mount/<other>/lib` and add that path below
@@ -103,7 +103,7 @@ RUN  ln -sf /chroot/etc/nginx /etc/nginx \
   && touch /chroot/var/log/nginx/access.log \
   && chown www-data:www-data /chroot/var/log/nginx/access.log \
   && echo "" > /chroot/etc/resolv.conf \
-  && chown -R www-data.www-data /chroot/var/log/nginx /chroot/etc/resolv.conf \
+  && chown -R www-data:www-data /chroot/var/log/nginx /chroot/etc/resolv.conf \
   && mknod -m 0666 /chroot/dev/null c 1 3 \
   && mknod -m 0666 /chroot/dev/random c 1 8 \
   && mknod -m 0666 /chroot/dev/urandom c 1 9 \
diff --git a/rootfs/chroot.sh b/rootfs/chroot.sh
@@ -39,12 +39,13 @@ writeDirs=( \
 
 for dir in "${writeDirs[@]}"; do
   mkdir -p ${dir};
-  chown -R www-data.www-data ${dir};
+  chown -R www-data:www-data ${dir};
 done
 
 mkdir -p  /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run 
 cp /etc/passwd /etc/group /etc/hosts /chroot/etc/
 cp -a /usr/* /chroot/usr/
 cp -a /etc/nginx/* /chroot/etc/nginx/
 cp -a /etc/ingress-controller/* /chroot/etc/ingress-controller/
-cp /lib/ld-musl-* /lib/libcrypto* /lib/libssl* /lib/libz* /chroot/lib/
+cp /lib/ld-musl-* /chroot/lib/
+cp /usr/lib/libcrypto* /usr/lib/libssl* /usr/lib/libz* /chroot/usr/lib/
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
@@ -1,7 +1,7 @@
 ARG E2E_BASE_IMAGE
 FROM ${E2E_BASE_IMAGE} AS BASE
 
-FROM alpine:3.20
+FROM alpine:3.21
 
 RUN apk update \
 	&& apk upgrade && apk add -U --no-cache \
