in src/patch_helper.py [0:0]
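def trigger_enhanced_scan_patching(image_uri, patch_details_path, python_version=None):
    """
    Initiate enhanced-scan patching for one image.

    Triggers the enhanced scan for the image and collects the impacted OS packages
    (via get_impacted_os_packages). A detached container of ``image_uri`` is then started
    with the cloned repo and ``patch_details_path`` bind-mounted, and
    ``miscellaneous_scripts/extract_apt_patch_data.py`` is executed inside it in ``generate``
    mode to work out which of the impacted packages can be upgraded and to which version in
    the released image. The resulting ``patch_package_dict`` (read back from os_summary.json)
    is turned into a targeted ``apt-get install -y --only-upgrade ...`` line that is written to
    ``<patch_details_path>/install_script_os.sh``; when nothing is upgradable the script
    contains ``echo N/A`` instead.
    Note: the upgrade is targeted at the impacted packages only, to ensure that the image does not inflate.

    All host-side commands go through ``run`` (invoke-style, i.e. a shell). Every value that is
    interpolated into a command string -- the image URI, the mount paths, the container id and
    the package names coming back from the scan / the container-side script -- is shell-quoted
    with ``shlex.quote`` so that it is passed as a literal argument rather than re-parsed by the
    host shell.

    :param image_uri: str, image_uri
    :param patch_details_path: str, host path holding the image-specific patch data; it is mounted
        into the container as /image-specific-patch-folder and receives os_summary.json and
        install_script_os.sh
    :param python_version: str, python_version
    :return: str, Returns constants.SUCCESS to allow the multi-threaded caller to know that the method has succeeded.
    :raises KeyError: if os_summary.json has no ``patch_package_dict`` entry
    :raises Exception: presumably invoke's UnexpectedExit when one of the docker/script commands
        fails -- every ``run`` except the final cleanup is called without ``warn=True`` (TODO confirm)
    """
    import shlex  # function-scope import: the module's import block is outside this listing

    impacted_packages = get_impacted_os_packages(image_uri=image_uri, python_version=python_version)
    dlc_repo_folder_mount = os.path.join(os.sep, get_cloned_folder_path())
    image_specific_patch_folder = os.path.join(os.sep, patch_details_path)

    # Detached container with bash as entrypoint; the repo and the patch folder are bind-mounted.
    docker_run_cmd = " ".join(
        [
            "docker run",
            "-v",
            shlex.quote(f"{dlc_repo_folder_mount}:/deep-learning-containers"),
            "-v",
            shlex.quote(f"{image_specific_patch_folder}:/image-specific-patch-folder"),
            "-id --entrypoint='/bin/bash'",
            shlex.quote(image_uri),
        ]
    )
    container_id = run(docker_run_cmd, hide=True).stdout.strip()
    try:
        docker_exec_cmd = f"docker exec -i {shlex.quote(container_id)}"
        # Refresh the nginx apt signing key when the image already trusts nginx, then apt-get update.
        # NOTE(review): the key is fetched over HTTPS and trusted as downloaded (no fingerprint
        # check), and apt-key is deprecated upstream; left as-is here.
        container_setup_cmd = """bash -c 'VARIABLE=$(apt-key list 2>&1 | { grep -c nginx || true; }) && if [ "$VARIABLE" != 0 ]; then echo "Nginx exists, thus upgrade" && curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && apt-key add /usr/share/keyrings/nginx-archive-keyring.gpg; fi && apt-get update'"""
        run(f"{docker_exec_cmd} {container_setup_cmd}", hide=True)

        save_file_name = "os_summary.json"
        script_run_cmd = f"""python /deep-learning-containers/miscellaneous_scripts/extract_apt_patch_data.py --save-result-path /image-specific-patch-folder/{save_file_name} --mode_type generate"""
        if impacted_packages:
            # Package names originate from scan results: quote them so the host shell hands the
            # comma-separated list to the script as a single argument.
            script_run_cmd = f"{script_run_cmd} --impacted-packages {shlex.quote(','.join(impacted_packages))}"
        run(f"{docker_exec_cmd} {script_run_cmd}", hide=True)

        # The script writes into the mounted folder, so the result is readable on the host.
        with open(os.path.join(os.sep, patch_details_path, save_file_name), "r", encoding="utf-8") as readfile:
            saved_json_data = json.load(readfile)
        print(f"For {image_uri} => {saved_json_data}")

        patch_package_list = list(saved_json_data["patch_package_dict"].keys())
        if patch_package_list:
            install_line = f"apt-get update && apt-get install -y --only-upgrade {' '.join(patch_package_list)}"
        else:
            install_line = "echo N/A"
        # Quoting the whole line keeps `&&` and the package names literal for the host shell;
        # echo still emits exactly that text into install_script_os.sh.
        echo_cmd = f"echo {shlex.quote(install_line)}"
        install_script_path = f"{patch_details_path}/install_script_os.sh"
        file_concat_cmd = f"tee {shlex.quote(install_script_path)}"
        if os.getenv("IS_CODEBUILD_IMAGE") is None:
            # Outside the CodeBuild image the patch folder is not writable by the current user.
            file_concat_cmd = f"sudo {file_concat_cmd}"
        complete_command = f"{echo_cmd} | {file_concat_cmd}"
        print(f"For {image_uri} => {complete_command}")
        run(complete_command, hide=True)
    finally:
        # Best-effort cleanup of the throwaway container; never mask the original error.
        run(f"docker rm -f {shlex.quote(container_id)}", hide=True, warn=True)
    return constants.SUCCESS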