Missing latest hub.docker.com/r/hexpm/elixir images built with ubuntu-noble-20240423

Greetings

I was reviewing the security vulnerabilities of my production images, specifically the difference between the latest default Dockerfile configuration generated with mix phx.gen.release --docker, bullseye-20240423-slim, and Ubuntu’s recently released 24.04 LTS version, Noble Numbat, noble-20240423.

Issue

Unfortunately, the hexpm/elixir registry only has a few versions of Elixir built with Erlang 25.2.3 from about 3 days ago, and only for arm64/v8.

Question

Is the service that creates these images set to build and release them slowly on purpose, or is there some issue with it?

The relevant OTP builds do exist in builds.hex.pm/builds/otp/ubuntu-24.04/builds.txt:

...
OTP-26.2.3 928d03e6da416208fce7b9a7dbbfbb4f25d26c37 2024-04-25T22:38:03Z
OTP-26.2.4 e26c5206dc98ec1b8f978fceaa61fd1354266ccb 2024-04-25T22:24:21Z
...

Temp fix

What I’m doing in the meantime is just building with the previous beta version of noble, and then copying and running the app with the official bare noble image:

# builder: last noble tag hexpm/elixir currently publishes for this OTP
ARG ELIXIR_VERSION=1.16.2
ARG OTP_VERSION=26.2.4
ARG DISTRO_NAME=ubuntu
ARG BUILD_IMAGE_VERSION=noble-20240225
# runner: the current bare noble image, which only needs to run the release
ARG RELEASE_IMAGE_VERSION=noble-20240423

ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-${DISTRO_NAME}-${BUILD_IMAGE_VERSION}"
ARG RUNNER_IMAGE="${DISTRO_NAME}:${RELEASE_IMAGE_VERSION}"
1 Like

I was surprised to see an Ubuntu release without any vulnerabilities at all (even with low or unspecified severity)… But if we look now, it’s just the usual “vulnerable” packages… I guess the analysis tool (Docker Scout) just hadn’t finished at that time…

I usually use Alpine images (even for stacks other than Elixir/Phoenix) and it’s just running fine… Any reason for going with Ubuntu instead of Alpine?

2 Likes

Alpine is using musl instead of glibc. From what I remember, musl was reported to be slower in the context of the OTP runtime.

2 Likes

Huh, seriously? Do you have a link? I’d love to test.

1 Like

Read from this post going forward.

4 Likes

Thanks. Quite curious and informative. But in any case, OTP 27 is due pretty soon (May 2024 IIRC), so it won’t matter.

It’s a shame that an effort to disentangle the horrible legacy mess that is libc leads to discovering how many pieces of software rely on its leaky abstractions, but oh well, real software requires compromises.

3 Likes

I should’ve mentioned the vulnerability arc was just what led me to the issue that the registry is missing the latest images. Classic X-Y problem, my bad.

You’re 100% correct and I also suspected Scout hadn’t finished its scans, which is why I wanted to build and scan it locally to see what was going on.

This is the noble-20240423 hub image now, but Scout is actually behind on reporting some of the latest glibc CVEs that were already patched 4 days ago and are awaiting repo updates to v2.40.

2 Likes

The real issue in this thread is still pending:

> What’s the deal with hexbob and the outstanding noble images?
> – Seinfeld

Sorted :+1: