OpenHands/enterprise/Dockerfile
openhands 82b2e306d2 fix(enterprise): use apt-get install --only-upgrade for targeted package updates
apt-get upgrade does not accept package arguments - it upgrades all packages.
Changed to apt-get install --only-upgrade to correctly target specific
packages for security updates (GnuPG CVEs).

Co-authored-by: openhands <openhands@all-hands.dev>
2026-03-20 21:55:55 -05:00


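# syntax=docker/dockerfile:1
# Enterprise image layered on top of the published OpenHands base image.
# OPENHANDS_VERSION defaults to the moving "latest" tag; pass a fixed tag
# (or a digest) via --build-arg for reproducible production builds.
ARG OPENHANDS_VERSION=latest
ARG BASE="ghcr.io/openhands/openhands"
FROM ${BASE}:${OPENHANDS_VERSION}

# Datadog labels. DD_ENV is not defined anywhere in this file, so without a
# declaration the env label expands to an empty string. Declaring it as a build
# ARG lets `--build-arg DD_ENV=...` populate the label; an ENV of the same name
# inherited from the base image still takes precedence over the ARG.
ARG DD_ENV
LABEL com.datadoghq.tags.service="deploy" \
      com.datadoghq.tags.env="${DD_ENV}"

# Install Node.js 24.x and npm (which includes npx) from NodeSource, the CLI
# tools the enterprise code needs (jq, gettext), and targeted security updates.
# The NodeSource setup script is saved to a file and executed from there rather
# than piped straight into bash: /bin/sh has no pipefail, so a failed or
# truncated download would otherwise be masked. `curl -f` makes the download
# failure abort the whole && chain.
RUN apt-get update && \
    apt-get install -y curl && \
    curl -fsSL -o /tmp/nodesource_setup.sh https://deb.nodesource.com/setup_24.x && \
    bash /tmp/nodesource_setup.sh && \
    rm -f /tmp/nodesource_setup.sh && \
    apt-get install -y nodejs jq gettext && \
    # Apply security updates for packages with available fixes.
    # --only-upgrade restricts apt-get install to packages that are already
    # installed, so nothing new is pulled in here.
    apt-get install --only-upgrade -y \
        libc-bin \
        libc6 \
        libgnutls30 \
        libsqlite3-0 \
        perl-base \
        # GnuPG packages - CVE-2026-24882 (HIGH), CVE-2025-68972 (MEDIUM)
        dirmngr \
        gnupg \
        gnupg-l10n \
        gnupg-utils \
        gpg \
        gpg-agent \
        gpg-wks-client \
        gpgconf \
        gpgsm \
        gpgv && \
    # Clean up in the same layer so the apt cache and index lists do not
    # persist in the image.
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Install poetry and its export plugin into the app venv so poetry.lock can be
# turned into a pinned requirements file; both are uninstalled again below.
RUN /app/.venv/bin/pip install --no-cache-dir poetry poetry-plugin-export

# Install Python dependencies from poetry.lock for reproducible builds.
# Copy only the lock files first so this layer is reused until they change.
COPY --chown=openhands:openhands enterprise/pyproject.toml enterprise/poetry.lock /tmp/enterprise/
RUN cd /tmp/enterprise && \
    # Export only main dependencies with hashes for supply chain security
    /app/.venv/bin/poetry export --only main -o requirements.txt && \
    # Remove the local path dependency (openhands-ai is already in base image)
    sed -i '/^-e /d; /openhands-ai/d' requirements.txt && \
    # --require-hashes makes hash checking mandatory instead of relying on pip
    # enabling it implicitly; the install fails if any requirement lacks a hash.
    /app/.venv/bin/pip install --no-cache-dir --require-hashes -r requirements.txt && \
    # Cleanup - return to /app before removing /tmp/enterprise
    cd /app && \
    rm -rf /tmp/enterprise && \
    /app/.venv/bin/pip uninstall -y poetry poetry-plugin-export

WORKDIR /app
# NOTE(review): --chmod=770 makes every copied file group-writable and
# executable; confirm the group write/execute bits are actually required at
# runtime before tightening to a narrower mode.
COPY --chown=openhands:openhands --chmod=770 enterprise .

# Drop root for the runtime process; every step that needs root is above.
USER openhands

# Documents the port uvicorn binds in the default CMD; EXPOSE does not publish it.
EXPOSE 3000

# Command will be overridden by Kubernetes deployment template
CMD ["uvicorn", "saas_server:app", "--host", "0.0.0.0", "--port", "3000"]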