Skip to content

Commit 7f40069

Browse files
Patch base-image CVEs and unblock tts-qwen-cuda build
The v1.1.0 docker-publish workflow flagged 22 CVEs in the Alpine and Ubuntu bases of the published images (2 critical OpenSSL + 20 high across libpng, libexpat, musl, nghttp2, zlib, OpenSSL libssl3/ libcrypto3). All in OS-level packages; real exploit surface is limited for our deployment because TLS terminates at CF Pages, not in the container, but better to ship clean bases. Add base-image security upgrades on top of each upstream: client/Dockerfile apk upgrade --no-cache (Alpine) docker/tts-kokoro/Dockerfile apt-get upgrade -y (Debian 13) docker/stt-whisper/Dockerfile apt-get upgrade -y (Ubuntu) docker/tts-qwen-cuda/Dockerfile apt-get upgrade -y (Ubuntu 22.04) Also unblock the tts-qwen-cuda build, which failed entirely on v1.1.0. Two compounding issues: 1. `sox` system binary missing. The Python `sox` package (transitive dep of faster-qwen3-tts) calls `sox --version` during setup.py. Add `sox` to the apt-get install line. 2. Numpy bootstrap. The Python `sox` package's setup.py imports its own module to read __version__, which transitively imports numpy. Without numpy already on disk, pip's metadata-generation step for sox fails before sox itself can be installed. Split the pip install into three steps so numpy is present when sox's egg_info runs: pip install torch (existing pin) pip install numpy (NEW pre-seed) pip install faster-qwen3-tts ... (the rest) Verified by rebuilding tts-qwen-cuda locally on Apple Silicon (arm64 emulation) with --no-cache. The other three images use well-known base-image upgrade patterns and rely on the existing CI workflow for validation.
1 parent 78fbc78 commit 7f40069

4 files changed

Lines changed: 22 additions & 3 deletions

File tree

client/Dockerfile

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,10 @@ COPY docker-entrypoint.sh /docker-entrypoint.d/00-agora-config.sh
5555
# scripts run as the container's runtime user (not root), so the entrypoint
5656
# needs write access to the static-root directory to rewrite config.js.
5757
USER root
58-
RUN chmod +x /docker-entrypoint.d/00-agora-config.sh && \
58+
# Pull latest Alpine security patches on top of the upstream base
59+
# (openssl libcrypto3/libssl3, libpng, libexpat, musl, nghttp2, zlib).
60+
RUN apk upgrade --no-cache && \
61+
chmod +x /docker-entrypoint.d/00-agora-config.sh && \
5962
chown 101:101 /usr/share/nginx/html /usr/share/nginx/html/config.js
6063
USER 101
6164

docker/stt-whisper/Dockerfile

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,8 @@ ENV ALLOW_ORIGINS=[\"*\"]
2929
# request doesn't 404. Skipped on subsequent starts (snapshot_download is
3030
# idempotent against the HF cache).
3131
USER root
32+
# Pull latest Ubuntu security patches on top of the upstream Speaches base.
33+
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
3234
COPY entrypoint.sh /usr/local/bin/agora-init.sh
3335
RUN chmod +x /usr/local/bin/agora-init.sh
3436
USER ubuntu

docker/tts-kokoro/Dockerfile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,10 @@
2323

2424
FROM ghcr.io/remsky/kokoro-fastapi-cpu:latest
2525

26+
# Pull latest Debian security patches on top of the upstream base.
27+
USER root
28+
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
29+
2630
# Patch logging to WARNING level. Kokoro by default logs incoming request
2731
# text at DEBUG.
2832
RUN sed -i 's/"level": "DEBUG"/"level": "WARNING"/' /app/api/src/main.py && \

docker/tts-qwen-cuda/Dockerfile

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,11 @@
1414
FROM nvidia/cuda:12.4.1-cudnn-runtime-ubuntu22.04
1515

1616
ENV DEBIAN_FRONTEND=noninteractive
17-
RUN apt-get update && apt-get install -y --no-install-recommends \
18-
python3.11 python3.11-venv python3-pip ffmpeg curl ca-certificates \
17+
# `sox` is required at install time by faster-qwen3-tts (transitive dep
18+
# `sox` Python package calls the binary during setup.py). `apt upgrade`
19+
# pulls latest security patches for the Ubuntu 22.04 base.
20+
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
21+
python3.11 python3.11-venv python3-pip ffmpeg sox curl ca-certificates \
1922
&& rm -rf /var/lib/apt/lists/*
2023

2124
RUN python3.11 -m venv /opt/venv
@@ -25,6 +28,13 @@ ENV PATH="/opt/venv/bin:$PATH"
2528
# faster-qwen3-tts. The README is explicit: torch<=2.5.0 has graph-capture
2629
# bugs in this path, and Blackwell (RTX 50xx) needs cu128 / 2.7+.
2730
RUN pip install --no-cache-dir torch==2.5.1 --index-url https://download.pytorch.org/whl/cu124 \
31+
# Pre-seed numpy + sox before faster-qwen3-tts pulls them in. The Python
32+
# `sox` package's setup.py imports its own module to read __version__,
33+
# which transitively imports numpy. Without numpy already installed
34+
# pip's metadata-generation step for sox fails before sox itself can
35+
# be installed. Splitting the install ensures numpy is on disk when
36+
# sox's egg_info runs.
37+
&& pip install --no-cache-dir numpy \
2838
&& pip install --no-cache-dir \
2939
faster-qwen3-tts \
3040
fastapi==0.115.* \

0 commit comments

Comments
 (0)