Upgrade Docker base image Ubuntu 22 -> Ubuntu 24

[StegSchreck]

User description

Description

Uprage from Ubuntu 22 LTS to Ubuntu 24 LTS
See #2251

Motivation and Context

Newer bas OS somes with security patches and newer software, e.g. Python 3.12 instead of 3.10

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I have read the contributing document.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

PR Type

Enhancement

---

Description

• Upgraded the Docker base image in Base/Dockerfile from Ubuntu 22 (jammy) to Ubuntu 24 (noble).
• Updated APT sources in both Base/Dockerfile and Video/Dockerfile to use the new Ubuntu 24 (noble) repositories.

---

Changes walkthrough 📝

	Relevant files
Enhancement	Dockerfile Upgrade Docker Base Image and APT Sources to Ubuntu 24      Base/Dockerfile Updated base image from Ubuntu 22 (jammy) to Ubuntu 24 (noble) Updated APT sources to point to the new Ubuntu 24 repositories +4/-4      Dockerfile Update APT Sources to Ubuntu 24 in Video Dockerfile            Video/Dockerfile Updated APT sources to point to the new Ubuntu 24 (noble) repositories +3/-3

---

💡 PR-Agent usage:
Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

[CLAassistant]

All committers have signed the CLA.

[qodo-merge-pro]

PR Description updated to latest commit (5227639)

• Copy walkthrough table to "Files Changed" Tab

[qodo-merge-pro]

PR Review 🔍

⏱️ Estimated effort to review [1-5]	2, because the changes are straightforward, involving only updates to the base image and APT sources in Dockerfiles. The modifications are limited to version strings and do not involve complex logic or algorithms.
🧪 Relevant tests	No
⚡ Possible issues	Compatibility Issues: Upgrading the base image and APT sources might introduce compatibility issues with existing software or dependencies that are not yet fully supported or tested with Ubuntu 24. It's crucial to ensure that all components work as expected in the new environment.
🔒 Security concerns	No

[qodo-merge-pro]

PR Code Suggestions ✨

Category	Suggestions
Enhancement	✅ Add source package repositories to the Dockerfile. Suggestion Impact: The suggestion to enhance Dockerfile compatibility with multiple architectures was implemented. The condition to check the architecture using `dpkg --print-architecture` was added. code diff: -RUN if [ "${TARGETARCH}" = "amd64" ]; then \ +RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \ echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \ && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \ && echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \ Consider adding the deb-src lines for source packages in the Dockerfile. This will allow you to fetch source packages using apt-get source, which can be useful for debugging or custom builds. Base/Dockerfile [40-42] echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \ +&& echo "deb-src http://archive.ubuntu.com/ubuntu noble main universe\n" >> /etc/apt/sources.list \ && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \ -&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; +&& echo "deb-src http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \ +&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list \ +&& echo "deb-src http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ;
	✅ Enhance Dockerfile compatibility with multiple architectures. Suggestion Impact: The commit added a conditional statement to check the architecture using `dpkg --print-architecture` and applied different configurations based on the architecture, which aligns with the suggestion to enhance compatibility with multiple architectures. code diff: -RUN echo "deb http://archive.ubuntu.com/ubuntu jammy main universe\n" > /etc/apt/sources.list \ - && echo "deb http://archive.ubuntu.com/ubuntu jammy-updates main universe\n" >> /etc/apt/sources.list \ - && echo "deb http://security.ubuntu.com/ubuntu jammy-security main universe\n" >> /etc/apt/sources.list +RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \ + echo "deb http://archive.ubuntu.com/ubuntu jammy main universe\n" > /etc/apt/sources.list \ + && echo "deb http://archive.ubuntu.com/ubuntu jammy-updates main universe\n" >> /etc/apt/sources.list \ + && echo "deb http://security.ubuntu.com/ubuntu jammy-security main universe\n" >> /etc/apt/sources.list ; \ + fi To ensure that the Docker image can be built on architectures other than amd64, consider adding similar conditional statements for other architectures or a default configuration that applies to all architectures. Video/Dockerfile [18-20] -RUN echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \ -&& echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \ -&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list +RUN if [ "${TARGETARCH}" = "amd64" ]; then \ + echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \ + && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \ + && echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \ + else \ + echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \ + && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \ + && echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \ + fi

[amardeep2006]

I feel it’s too early to start using Ubuntu 24.04 .
In my opinion we should let the new version settle down as there are typically teething issue in first year of new release .

[diemol]

Several failures in the build. What is your motivation to move to Ubuntu 24, @StegSchreck? @amardeep2006 makes a good point.

[VietND96]

I guess the failure will be solved when he reverted changes in Video/Dockerfile, since this image we reused from other project, and they did not move on 24.04.
I think we can follow some popular open-source projects, once they drop the change, we also release.

[StegSchreck]

The failures are all caused by the configuration of Video/Dockerfile because it is trying to install things via pip that are independently installed viy the OS package manager. I thought this image is based on the Base/Dockerfile though - therefore I aligned it with the same changes. The overall dependencies between all the docker images in this repo might have confused me. I will revert this change.

Regading the motivation: this docker image is two years behind now. I want to use modern Python 3.12 in my code which is using the standalone-firefox as base. Ubuntu 22 only comes with Python 3.10. I have considered other ways of achieveing the ssame effect, but updating the base image is the straight-forward way. Additionally all users would profit from more uptodate software, including security fixes on top of the new features I mentioned before.

[diemol]

I was surprised to find out that 24.04 was released one month ago.

A wide range of users uses these images, and I do not feel comfortable forcing them now to use the new Ubuntu version.

I prefer to wait and then migrate.

[VietND96]

@StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

[StegSchreck]

@StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

Done.

[VietND96]

@StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

Done.

It looks like your commit without email or the email in the commit author doesn't match with CLA input. Can you take some time to check?

[StegSchreck]

@StegSchreck, can you also sign the CLA? Later we can go ahead without the pending item

Done.

It looks like your commit without email or the email in the commit author doesn't match with CLA input. Can you take some time to check?

I have re-signed the CLA with my second e-mail address.

[skycanine]

@diemol and @team Ubuntu 22 has some high level CVES (security vulnerabilities). We will very soon be blocked by our organization, United Health Group, from using this selenium helm chart if it does not extend the Ubuntu 24 image.

[amardeep2006]

@diemol and @team Ubuntu 22 has some high level CVES (security vulnerabilities). We will very soon be blocked by our organization, United Health Group, from using this selenium helm chart if it does not extend the Ubuntu 24 image.

@skycanine Can you please share the scan report and docker image tags that were scanned.
Ubuntu 22 LTS is supported till 01 Apr 2027 so it should get all the security updates. I do not think Canonical will selectively send updates to Ubuntu 24 and miss on 22 .

The trick is to keep updating the base image which this project does with the help of Renovate bot. Dockerfile also has apt-get update and apt-get upgrade commands to auto patch the vulnerable packages .

Older images built sometimes back may have the vulnerable packages but the newer builds should automatically be patched.

[skycanine]

@amardeep2006

[skycanine]

@amardeep2006 Second page:

[skycanine]

"Ubuntu 22 LTS is supported till 01 Apr 2027 so it should get all the security updates." - I think I may have checked on this myself and found there was no fix when I last checked.

The vulnerability still exists in "docker.repo1.uhc.com/selenium/node-chrome:4.21.0-20240522"; the screen shot above shows a slightly older image.

[skycanine]

https://ubuntu.com/security/CVE-2016-1585

[VietND96]

Looks like CVE-2016-1585 didn't come from the base OS 22.04 image since it is not present in list https://hub.docker.com/layers/library/ubuntu/jammy/images/sha256-2af372c1e2645779643284c7dc38775e3dbbc417b2d784a27c5a9eb784014fb8?context=explore
When looking into layers, it appears in step install noVNC, so I think we should wait for the dependency has a fix for it.

[amardeep2006]

I looked at https://bugs.launchpad.net/apparmor/+bug/1597017
and seems some backport in (slow) progress for Jammy .

[VietND96]

I intend to configure the next release to publish both Jammy and Noble. For the main tags convention, it will use Noble, and Jammy will be tagged as jammy-latest. What do you think of this approach?