Outdated docsbuilder.sh pulls Antora container w/ EOL nodejs

tk2345 commented

2026-03-15 12:11:05 +00:00

Instances of docsbuilder.sh in various repos pull one of two container images, docker.io/antora/antora or registry.gitlab.com/fedora/docs/docs-website/docs-fp-o. Both images are outdated and contain numerous security issues.

The docker image uses alpine 3.18.3 from 2023-08-07 as base image and ships with nodejs 16.20.2 (EOL 2023-09-12).

The gitlab image uses fedora-minimal 42 from mid-2025 (exact date unknown) as base image and has been pushed to a registry not typically used by Fedora.

[Edited for clarity.]

Instances of docsbuilder.sh in various repos pull one of two container images, docker.io/antora/antora or registry.gitlab.com/fedora/docs/docs-website/docs-fp-o. Both images are outdated and contain numerous security issues. The docker image uses alpine 3.18.3 from 2023-08-07 as base image and ships with nodejs 16.20.2 (EOL 2023-09-12). The gitlab image uses fedora-minimal 42 from mid-2025 (exact date unknown) as base image and has been pushed to a registry not typically used by Fedora. [Edited for clarity.]

tk2345 commented

2026-03-18 16:47:31 +00:00

Author

I didn't find the Containerfile for the gitlab image. podman history reports

CREATED BY
/bin/sh -c #(nop) ENTRYPOINT [ "antora" ]
/bin/sh -c #(nop) WORKDIR /antora
/bin/sh -c npm i -g @antora/cli@3.1 @antora/site-generator@3.1 @antora/lunr-extension@1.0.0-alpha.8 cheerio @asciidoctor/tabs
/bin/sh -c microdnf -y install --setopt=install_weak_deps=False     nodejs-npm &&     microdnf clean all
KIWI 10.2.24

[Edited]

I didn't find the Containerfile for the gitlab image. podman history reports ``` CREATED BY /bin/sh -c #(nop) ENTRYPOINT [ "antora" ] /bin/sh -c #(nop) WORKDIR /antora /bin/sh -c npm i -g @antora/cli@3.1 @antora/site-generator@3.1 @antora/lunr-extension@1.0.0-alpha.8 cheerio @asciidoctor/tabs /bin/sh -c microdnf -y install --setopt=install_weak_deps=False nodejs-npm && microdnf clean all KIWI 10.2.24 ``` [Edited]

jflory7 added this to the (deleted) project

2026-04-08 23:37:36 +00:00

hricky was assigned by pbokoc

2026-04-21 13:39:56 +00:00

jflory7 added the

help wanted

label

2026-05-05 13:47:15 +00:00

jflory7 added this to the 2026 Q2 Team Goals milestone

2026-05-05 13:47:20 +00:00

jflory7 commented

2026-05-05 14:17:21 +00:00

Owner

Discussed in 2026-05-05 Docs Team meeting.

The team briefly touched base on this ticket. It was confirmed that the primary script updates need to happen in the docs-template repository first before the changes are propagated via submodules to the other repositories.

Follow-up Items:

Action: @hricky to add a comment update on progress and next steps for updates to the Docs Template repo.

_Discussed in [2026-05-05 Docs Team meeting](https://discussion.fedoraproject.org/t/fedora-docs-team-meeting-2026-05-05-organization-wide-issue-labels-workflow-updates/190491)_. --- The team briefly touched base on this ticket. It was confirmed that the primary script updates need to happen in the `docs-template` repository first before the changes are propagated via submodules to the other repositories. **Follow-up Items:** * **Action:** @hricky to add a comment update on progress and next steps for updates to the Docs Template repo.

tk2345 commented

2026-05-06 05:14:24 +00:00

Author

Attached the results of security scans with docker.io/anchore/grype.

[Edited]

Attached the results of security scans with docker.io/anchore/grype. [Edited]

gitlab.txt

16 KiB

docker.txt

17 KiB

pbokoc added this to the Docs Team Meeting Planner project

2026-05-06 13:25:22 +00:00

pbokoc referenced this issue from docs/quick-docs

2026-05-07 09:24:10 +00:00

Should docsbuilder.sh still point to gitlab? #965

hricky commented

2026-05-19 12:24:54 +00:00

Member

Thanks for reporting this. We've inspected the container image and found some context:

$ skopeo inspect --config docker://registry.gitlab.com/fedora/docs/docs-website/docs-fp-o:latest | jq --raw-output 'paths(scalars) as $p | "\($p | join(".")): \(getpath($p))"'

created: 2025-09-08T07:32:40.306152409Z
author: Fedora Project Contributors <devel@lists.fedoraproject.org>
architecture: amd64
os: linux
config.Env.0: PATH=/usr/local/bin:/usr/bin
config.Env.1: container=oci
config.Entrypoint.0: antora
config.WorkingDir: /antora
config.Labels.io.buildah.version: 1.41.3
config.Labels.license: MIT
config.Labels.name: fedora-minimal
config.Labels.org.opencontainers.image.license: MIT
config.Labels.org.opencontainers.image.name: fedora-minimal
config.Labels.org.opencontainers.image.url: https://fedoraproject.org/
config.Labels.org.opencontainers.image.vendor: Fedora Project
config.Labels.org.opencontainers.image.version: 42
config.Labels.vendor: Fedora Project
config.Labels.version: 42
rootfs.type: layers
rootfs.diff_ids.0: sha256:3fcb3d71e4d61771e41ba3477a4dc3ec76c691d62df1485f6066afb6aba06ea6
rootfs.diff_ids.1: sha256:57e476bdd34476dfe3d97eb677e2a3028729e7af831f99fa104d4b7bab4bd81c
rootfs.diff_ids.2: sha256:24797174a01895712662fb22d5f7260cd35974bfdb5c8e3befdc0fa8e72be980
history.0.created: 2025-06-27T06:49:04.209448073Z
history.0.created_by: KIWI 10.2.24
history.0.author: Fedora Project Contributors <devel@lists.fedoraproject.org>
history.1.created: 2025-09-08T07:32:07.29065309Z
history.1.created_by: /bin/sh -c microdnf -y install --setopt=install_weak_deps=False     nodejs-npm &&     microdnf clean all
history.1.author: Fedora Project Contributors <devel@lists.fedoraproject.org>
history.1.comment: FROM registry.fedoraproject.org/fedora-minimal:42
history.2.created: 2025-09-08T07:32:38.628786226Z
history.2.created_by: /bin/sh -c npm i -g @antora/cli@3.1 @antora/site-generator@3.1 @antora/lunr-extension@1.0.0-alpha.8 cheerio @asciidoctor/tabs
history.2.author: Fedora Project Contributors <devel@lists.fedoraproject.org>
history.3.created: 2025-09-08T07:32:40.216596244Z
history.3.created_by: /bin/sh -c #(nop) WORKDIR /antora
history.3.author: Fedora Project Contributors <devel@lists.fedoraproject.org>
history.3.empty_layer: true
history.4.created: 2025-09-08T07:32:40.306375404Z
history.4.created_by: /bin/sh -c #(nop) ENTRYPOINT [ "antora" ]
history.4.author: Fedora Project Contributors <devel@lists.fedoraproject.org>
history.4.empty_layer: true

The container image pulled by docsbuilder.sh is likely built from a similar Containerfile:

https://forge.fedoraproject.org/docs/docs-fp-o/src/branch/prod/build-scripts/Dockerfile

It appears the above Containerfile is used in OpenShift to rebuild the whole site for Fedora.

We will continue to investigate the relevance of the image and the security status to address the concerns you raised.

Thanks for reporting this. We've inspected the container image and found some context: ``` $ skopeo inspect --config docker://registry.gitlab.com/fedora/docs/docs-website/docs-fp-o:latest | jq --raw-output 'paths(scalars) as $p | "\($p | join(".")): \(getpath($p))"' created: 2025-09-08T07:32:40.306152409Z author: Fedora Project Contributors <devel@lists.fedoraproject.org> architecture: amd64 os: linux config.Env.0: PATH=/usr/local/bin:/usr/bin config.Env.1: container=oci config.Entrypoint.0: antora config.WorkingDir: /antora config.Labels.io.buildah.version: 1.41.3 config.Labels.license: MIT config.Labels.name: fedora-minimal config.Labels.org.opencontainers.image.license: MIT config.Labels.org.opencontainers.image.name: fedora-minimal config.Labels.org.opencontainers.image.url: https://fedoraproject.org/ config.Labels.org.opencontainers.image.vendor: Fedora Project config.Labels.org.opencontainers.image.version: 42 config.Labels.vendor: Fedora Project config.Labels.version: 42 rootfs.type: layers rootfs.diff_ids.0: sha256:3fcb3d71e4d61771e41ba3477a4dc3ec76c691d62df1485f6066afb6aba06ea6 rootfs.diff_ids.1: sha256:57e476bdd34476dfe3d97eb677e2a3028729e7af831f99fa104d4b7bab4bd81c rootfs.diff_ids.2: sha256:24797174a01895712662fb22d5f7260cd35974bfdb5c8e3befdc0fa8e72be980 history.0.created: 2025-06-27T06:49:04.209448073Z history.0.created_by: KIWI 10.2.24 history.0.author: Fedora Project Contributors <devel@lists.fedoraproject.org> history.1.created: 2025-09-08T07:32:07.29065309Z history.1.created_by: /bin/sh -c microdnf -y install --setopt=install_weak_deps=False nodejs-npm && microdnf clean all history.1.author: Fedora Project Contributors <devel@lists.fedoraproject.org> history.1.comment: FROM registry.fedoraproject.org/fedora-minimal:42 history.2.created: 2025-09-08T07:32:38.628786226Z history.2.created_by: /bin/sh -c npm i -g @antora/cli@3.1 @antora/site-generator@3.1 @antora/lunr-extension@1.0.0-alpha.8 cheerio @asciidoctor/tabs history.2.author: Fedora Project Contributors <devel@lists.fedoraproject.org> history.3.created: 2025-09-08T07:32:40.216596244Z history.3.created_by: /bin/sh -c #(nop) WORKDIR /antora history.3.author: Fedora Project Contributors <devel@lists.fedoraproject.org> history.3.empty_layer: true history.4.created: 2025-09-08T07:32:40.306375404Z history.4.created_by: /bin/sh -c #(nop) ENTRYPOINT [ "antora" ] history.4.author: Fedora Project Contributors <devel@lists.fedoraproject.org> history.4.empty_layer: true ``` The container image pulled by `docsbuilder.sh` is likely built from a similar Containerfile: https://forge.fedoraproject.org/docs/docs-fp-o/src/branch/prod/build-scripts/Dockerfile It appears the above Containerfile is used in OpenShift to rebuild the whole site for Fedora. We will continue to investigate the relevance of the image and the security status to address the concerns you raised.

hricky commented

2026-05-19 12:40:00 +00:00

Member

Actually, the container image pulled by docsbuilder.sh is likely built from this Containerfile:

https://forge.fedoraproject.org/docs/docs-fp-o/src/branch/prod/Dockerfile

Actually, the container image pulled by `docsbuilder.sh` is likely built from this Containerfile: https://forge.fedoraproject.org/docs/docs-fp-o/src/branch/prod/Dockerfile

pbokoc added the

labels

2026-05-29 12:21:05 +00:00

hricky commented

2026-06-02 17:54:10 +00:00

Member

We discussed the issue in the community meeting. We will update the container image that the script pulls in the short term. We will create a dedicated repository for the script and a new container build process in the long term.

We discussed the issue in the [community meeting](https://meetbot.fedoraproject.org/meeting_matrix_fedoraproject-org/2026-06-02/fedora-docs-team-meeting-2026-06-02.2026-06-02-13.00.log.html). We will update the container image that the script pulls in the short term. We will create a dedicated repository for the script and a new container build process in the long term.

👍 1

hricky commented

2026-06-05 17:30:32 +00:00

Member

Context on the current situation:

AIUI, the GitLab CI (.gitlab-ci.yml) was previously building and pushing the container image to the GitLab registry. Specifically, it would:

Build the image from the Dockerfile in the prod branch
Push it to registry.gitlab.com/fedora/docs/docs-website/docs-fp-o:latest
Only trigger on pushes to the prod branch when the Dockerfile or .gitlab-ci.yml changed

The docsbuilder.sh script pulls this image and builds the preview.

Current blocker:

Following the migration to Fedora Forge, we no longer have a functional CI in place to automatically build and push updated images. We will likely need a runner for the Fedora Forge Docs org for this.

Temporary solutions:

Manual build and push: Build the image locally with an updated Dockerfile and push it to a dedicated repo in quay.io. We will likely need this repo in the long term anyway. This is the quickest path forward but requires manual intervention each time the image needs updating.
Add local build option to the script: Modify the script to support an option that builds the container image locally before running the docs module preview. This makes the workflow self-contained, though we will need to provide a Containerfile or document how to create one.

The first approach would unblock the immediate issue while we work on the permanent CI solution. The second can be implemented in the longer term.

Context on the current situation: AIUI, the GitLab CI ([`.gitlab-ci.yml`](https://forge.fedoraproject.org/docs/docs-fp-o/src/branch/prod/.gitlab-ci.yml)) was previously building and pushing the container image to the GitLab registry. Specifically, it would: - Build the image from the [`Dockerfile`](https://forge.fedoraproject.org/docs/docs-fp-o/src/branch/prod/Dockerfile) in the `prod` branch - Push it to `registry.gitlab.com/fedora/docs/docs-website/docs-fp-o:latest` - Only trigger on pushes to the `prod` branch when the `Dockerfile` or `.gitlab-ci.yml` changed The `docsbuilder.sh` script pulls this image and builds the preview. Current blocker: Following the migration to Fedora Forge, we no longer have a functional CI in place to automatically build and push updated images. We will likely need a runner for the Fedora Forge Docs org for this. Temporary solutions: 1. Manual build and push: Build the image locally with an updated `Dockerfile` and push it to a dedicated repo in `quay.io`. We will likely need this repo in the long term anyway. This is the quickest path forward but requires manual intervention each time the image needs updating. 2. Add local build option to the script: Modify the script to support an option that builds the container image locally before running the docs module preview. This makes the workflow self-contained, though we will need to provide a Containerfile or document how to create one. The first approach would unblock the immediate issue while we work on the permanent CI solution. The second can be implemented in the longer term.

Rows
Columns

Outdated docsbuilder.sh pulls Antora container w/ EOL nodejs #19