docker-install VS dependabot-core

Installing Docker Engine on an Ubuntu EC2 instance The quickest way to install the Docker engine is using the get-docker.sh bash script on get.docker.com. Run the command below to download the script on your EC2 instance.

curl -fsSL https://get.docker.com -o get-docker.sh sh get-docker.sh

2.curl -fsSL https://get.docker.com/ | sh

curl https://get.docker.com | sh \ && docker run \ --privileged \ --pid=host \ --network=host \ alpine nsenter /proc/1/ns/mnt -- /bin/bash

[email protected]:~# curl -fsSL https://get.docker.com | sh - Client: Docker Engine - Community Version: 20.10.22 API version: 1.41 Go version: go1.18.9 Git commit: 3a2c30b Built: Thu Dec 15 22:28:04 2022 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.22 API version: 1.41 (minimum version 1.12) Go version: go1.18.9 Git commit: 42c8b31 Built: Thu Dec 15 22:25:49 2022 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.14 GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323 runc: Version: 1.1.4 GitCommit: v1.1.4-0-g5fd4c4d docker-init: Version: 0.19.0 GitCommit: de40ad0

[email protected]:~$ curl -fsSL https://get.docker.com | sh - Client: Docker Engine - Community Version: 20.10.22 API version: 1.41 Go version: go1.18.9 Git commit: 3a2c30b Built: Thu Dec 15 22:28:04 2022 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.22 API version: 1.41 (minimum version 1.12) Go version: go1.18.9 Git commit: 42c8b31 Built: Thu Dec 15 22:25:49 2022 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.14 GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323 runc: Version: 1.1.4 GitCommit: v1.1.4-0-g5fd4c4d docker-init: Version: 0.19.0 GitCommit: de40ad0 ================================================================================ To run Docker as a non-privileged user, consider setting up the Docker daemon in rootless mode for your user: dockerd-rootless-setuptool.sh install Visit https://docs.docker.com/go/rootless/ to learn about rootless mode. To run the Docker daemon as a fully privileged service, but granting non-root users access, refer to https://docs.docker.com/go/daemon-access/ WARNING: Access to the remote API on a privileged Docker daemon is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' documentation for details: https://docs.docker.com/go/attack-surface/ ================================================================================ [email protected]:~$ sudo usermod -aG docker ubuntu [email protected]:~$ newgrp docker [email protected]:~$ docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

Did you try the instructions from docker’s official site? All it should take is either adding their repos and apt installing the few necessary packages or downloading and executing the script found at https://get.docker.com

[email protected]:~# curl -fsSL https://get.docker.com | sh - [email protected]:~# curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64 [email protected]:~# chmod +x ./kind [email protected]:~# mv ./kind /usr/local/bin/kind [email protected]:~# kind kind creates and manages local Kubernetes clusters using Docker container 'nodes' Usage: kind [command] Available Commands: build Build one of [node-image] completion Output shell completion code for the specified shell (bash, zsh or fish) create Creates one of [cluster] delete Deletes one of [cluster] export Exports one of [kubeconfig, logs] get Gets one of [clusters, nodes, kubeconfig] help Help about any command load Loads images into nodes version Prints the kind CLI version Flags: -h, --help help for kind --loglevel string DEPRECATED: see -v instead -q, --quiet silence all stderr output -v, --verbosity int32 info log verbosity, higher value produces more output --version version for kind Use "kind [command] --help" for more information about a command.

curl -fsSL https://get.docker.com -o get-docker.sh sh get-docker.sh

[email protected]:~# systemctl stop k0scontroller [email protected]:~# k0s reset WARN[2022-11-20 22:02:24] To ensure a full reset, a node reboot is recommended. [email protected]:~# curl -fsSL https://get.docker.com | sh - # Executing docker install script, commit: 4f282167c425347a931ccfd95cc91fab041d414f + sh -c apt-get update -qq >/dev/null + sh -c DEBIAN_FRONTEND=noninteractive apt-get install -y -qq apt-transport-https ca-certificates curl >/dev/null + sh -c mkdir -p /etc/apt/keyrings && chmod -R 0755 /etc/apt/keyrings + sh -c curl -fsSL "https://download.docker.com/linux/ubuntu/gpg" | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg + sh -c chmod a+r /etc/apt/keyrings/docker.gpg + sh -c echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable" > /etc/apt/sources.list.d/docker.list + sh -c apt-get update -qq >/dev/null + sh -c DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-scan-plugin >/dev/null + version_gte 20.10 + [-z] + return 0 + sh -c DEBIAN_FRONTEND=noninteractive apt-get install -y -qq docker-ce-rootless-extras >/dev/null + sh -c docker version Client: Docker Engine - Community Version: 20.10.21 API version: 1.41 Go version: go1.18.7 Git commit: baeda1f Built: Tue Oct 25 18:01:58 2022 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.21 API version: 1.41 (minimum version 1.12) Go version: go1.18.7 Git commit: 3056208 Built: Tue Oct 25 17:59:49 2022 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.10 GitCommit: 770bd0108c32f3fb5c73ae1264f7e503fe7b2661 runc: Version: 1.1.4 GitCommit: v1.1.4-0-g5fd4c4d docker-init: Version: 0.19.0 GitCommit: de40ad0 ================================================================================ To run Docker as a non-privileged user, consider setting up the Docker daemon in rootless mode for your user: dockerd-rootless-setuptool.sh install Visit https://docs.docker.com/go/rootless/ to learn about rootless mode. To run the Docker daemon as a fully privileged service, but granting non-root users access, refer to https://docs.docker.com/go/daemon-access/ WARNING: Access to the remote API on a privileged Docker daemon is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' documentation for details: https://docs.docker.com/go/attack-surface/ ================================================================================ [email protected]:~# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

An important point is that this kind of metadata often needs to be accessible from outside the build system itself. You need that for example in order to integration with renovate-bot or github's dependabot, to check your dependencies against CVEs, to build SBOMs and various other additional tasks that are not part of the build itself, but related to the build's metadata. This is all functionality I don't want to reimplement, I want to use what's already out there. And for that the build system needs to have some minimum amount of compatibility with existing standard metadata files like pom.xml or build.gradle

To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use Github’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.

I recognize that it does not handle chart updates, but it's might still ease the burden of applying minor releases easily etc. For the chart versions themselves, unfortunately dependabot does not support this and will not, but something like renovatebot does. Could be worth looking into as a dual approach

Disclosure: Renovate author

Renovate is indeed AGPL, but if you're just running it as a CLI, do you think there's anything to "watch out for"? It does not make any project you run it against AGPL, that's for sure.

Also you should be aware that dependabot-core, which dependabot-gitlab wraps, is not technically Open Source at all: https://github.com/dependabot/dependabot-core/blob/main/LICE...

I very much appreciate Dependabot! I like how it can pick up dependencies in interesting places.

For example, the Globus @ Stanford web site (https://globus.stanford.edu) uses GitHub Pages (repo at https://github.com/stanford-rc/globus.stanford.edu). I have a Gemfile in the repo: When I want to test changes locally, I use Bundler to install everything I need, and to launch Jekyll. Even though the Gemfile isn't used 'in production', Dependabot still warns me, so that I don't run older, vulnerable software on my laptop.

At the same time, I can't be sure if Dependabot is picking up dependencies for my Python project.

In my latest project (https://github.com/stanford-rc/globus-group-manager), I'm using pyproject.toml to hold all of the Python dependencies for the project, something that Setuptools is now supporting experimentally (woot!). I've configured Dependabot, and it has picked up my repo's `pyproject.toml` file, but I can't tell if it has actually cataloged my Python dependencies.

Looking around the web also does not give me a clear answer. For example, https://github.com/dependabot/feedback/issues/57 is titled "pyproject.toml support", but it refers specifically to Poetry (and indeed, Poetry v1 is listed as supported at https://docs.github.com/en/code-security/dependabot/dependab...). But Setuptools is not.

https://github.community/t//2576 asks about Setuptools support, and has been pretty dormant. I thought setup.cfg was supported after https://github.com/dependabot/dependabot-core/pull/3423, but another project of mine (https://github.com/stanford-rc/mais-apis-python/network/depe...) doesn't show anything for setup.cfg.

> This plus the fact that Dependabot is not able to update Docker Compose files at this time.

https://github.com/dependabot/dependabot-core/issues/390 upvote and/or implement it as a fork and run it in an Action.

> The other problem that I have is there is no easy way (probably for good reason due to potential abuse) to manually trigger Dependabot. So Dependabot might run once a day or not do so for quite a while.

There is, it's just hidden in https://github.com/:org/:repo/network/updates > click "last updated ..." and then click "Check for Updates" and it'll start a manual run.

Waiting for Yarn v2/v3 support in Dependabot has been a saga.

https://github.com/dependabot/dependabot-core/issues/1297

https://github.com/dependabot/dependabot-core is good.

Have you ever heard Dependabot? Just check it out https://github.com/dependabot/dependabot-core

Although I did just find this when doing a sanity check with Google - https://github.com/dependabot/dependabot-core/issues/3121