From dcd558fd917f0281e607f04b636490a2767a39b0 Mon Sep 17 00:00:00 2001 From: anti Date: Sun, 3 May 2026 04:38:39 -0400 Subject: [PATCH] chore(infra): pin Docker base images by digest (DEBT-023) All base images (debian:bookworm-slim, ubuntu:22.04, ubuntu:20.04, rockylinux:9-minimal, centos:7, alpine:3.19, fedora:39, kalilinux/kali-rolling, archlinux:latest, honeynet/conpot:latest) now carry their resolved sha256 digest so 'docker pull' is deterministic. :tag retained for human readability; @sha256 is what Docker actually resolves. Refresh procedure documented at the top of decnet/distros.py. --- decnet/distros.py | 53 +++++++++++++++-------- decnet/models.py | 2 +- decnet/services/conpot.py | 2 +- decnet/templates/conpot/Dockerfile | 2 +- decnet/templates/cowrie/Dockerfile | 2 +- decnet/templates/docker_api/Dockerfile | 2 +- decnet/templates/elasticsearch/Dockerfile | 2 +- decnet/templates/ftp/Dockerfile | 2 +- decnet/templates/http/Dockerfile | 2 +- decnet/templates/https/Dockerfile | 2 +- decnet/templates/imap/Dockerfile | 2 +- decnet/templates/k8s/Dockerfile | 2 +- decnet/templates/ldap/Dockerfile | 2 +- decnet/templates/llmnr/Dockerfile | 2 +- decnet/templates/mongodb/Dockerfile | 2 +- decnet/templates/mqtt/Dockerfile | 2 +- decnet/templates/mssql/Dockerfile | 2 +- decnet/templates/mysql/Dockerfile | 2 +- decnet/templates/pop3/Dockerfile | 2 +- decnet/templates/postgres/Dockerfile | 2 +- decnet/templates/rdp/Dockerfile | 2 +- decnet/templates/redis/Dockerfile | 2 +- decnet/templates/sip/Dockerfile | 2 +- decnet/templates/smb/Dockerfile | 2 +- decnet/templates/smtp/Dockerfile | 2 +- decnet/templates/sniffer/Dockerfile | 2 +- decnet/templates/snmp/Dockerfile | 2 +- decnet/templates/ssh/Dockerfile | 4 +- decnet/templates/telnet/Dockerfile | 4 +- decnet/templates/tftp/Dockerfile | 2 +- decnet/templates/vnc/Dockerfile | 2 +- decnet/topology/compose.py | 3 +- development/DEBT.md | 11 +++-- 33 files changed, 74 insertions(+), 57 deletions(-) 
diff --git a/decnet/distros.py b/decnet/distros.py
index 809f37a4..7f21a62c 100644
--- a/decnet/distros.py
+++ b/decnet/distros.py
@@ -18,69 +18,86 @@ class DistroProfile: build_base: str # apt-compatible image for service Dockerfiles (FROM ${BASE_IMAGE}) +# Base images are pinned by digest (sha256) to make `docker pull` +# reproducible — a registry-side rebuild of "debian:bookworm-slim" +# can't silently swap content under us. The :tag is kept for human +# readability; the @sha256 is what Docker actually resolves. +# Refresh procedure: `docker pull ` then `docker inspect +# --format '{{index .RepoDigests 0}}' `. Last refreshed 2026-05-03. +_DEBIAN_BOOKWORM = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252" +_UBUNTU_22_04 = "ubuntu:22.04@sha256:962f6cadeae0ea6284001009daa4cc9a8c37e75d1f5191cf0eb83fe565b63dd7" +_UBUNTU_20_04 = "ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214" +_ROCKY_9 = "rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4" +_CENTOS_7 = "centos:7@sha256:be65f488b7764ad3638f236b7b515b3678369a5124c47b8d32916d6487418ea4" +_ALPINE_3_19 = "alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1" +_FEDORA_39 = "fedora:39@sha256:d63d63fe593749a5e8dbc8152427d40bbe0ece53d884e00e5f3b44859efa5077" +_KALI_ROLLING = "kalilinux/kali-rolling@sha256:1fd0364490011f245688c6ed9fee498a11cd779badfbb0b1d3a721d0f49f2d15" +_ARCH_LATEST = "archlinux:latest@sha256:5ba8bb318666baef4d33afefc0e65db80f38b23503cb8e7b150d315cc2d4d5da" + + DISTROS: dict[str, DistroProfile] = { "debian": DistroProfile( slug="debian", - image="debian:bookworm-slim", + image=_DEBIAN_BOOKWORM, display_name="Debian 12 (Bookworm)", hostname_style="generic", - build_base="debian:bookworm-slim", + build_base=_DEBIAN_BOOKWORM, ), "ubuntu22": DistroProfile( slug="ubuntu22", - image="ubuntu:22.04", + image=_UBUNTU_22_04, display_name="Ubuntu 22.04 LTS (Jammy)", hostname_style="generic", - build_base="ubuntu:22.04", + build_base=_UBUNTU_22_04, ), "ubuntu20": DistroProfile( slug="ubuntu20", 
- image="ubuntu:20.04", + image=_UBUNTU_20_04, display_name="Ubuntu 20.04 LTS (Focal)", hostname_style="generic", - build_base="ubuntu:20.04", + build_base=_UBUNTU_20_04, ), "rocky9": DistroProfile( slug="rocky9", - image="rockylinux:9-minimal", + image=_ROCKY_9, display_name="Rocky Linux 9", hostname_style="rhel", - build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian + build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian ), "centos7": DistroProfile( slug="centos7", - image="centos:7", + image=_CENTOS_7, display_name="CentOS 7", hostname_style="rhel", - build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian + build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian ), "alpine": DistroProfile( slug="alpine", - image="alpine:3.19", + image=_ALPINE_3_19, display_name="Alpine Linux 3.19", hostname_style="minimal", - build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian + build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian ), "fedora": DistroProfile( slug="fedora", - image="fedora:39", + image=_FEDORA_39, display_name="Fedora 39", hostname_style="rhel", - build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian + build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian ), "kali": DistroProfile( slug="kali", - image="kalilinux/kali-rolling", + image=_KALI_ROLLING, display_name="Kali Linux (Rolling)", hostname_style="rolling", - build_base="kalilinux/kali-rolling", # Debian-based, apt-get compatible + build_base=_KALI_ROLLING, # Debian-based, apt-get compatible ), "arch": DistroProfile( slug="arch", - image="archlinux:latest", + image=_ARCH_LATEST, display_name="Arch Linux", hostname_style="rolling", - build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian + build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian ), } 
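Review bot: Nothing in this hunk checks that a tag and its digest still agree, and once a `@sha256:` is present Docker ignores the tag entirely — so `_ARCH_LATEST`, `_KALI_ROLLING` and the conpot `:latest` pin are now frozen snapshots whose tag is documentation only, and every pin stops tracking upstream security fixes until someone re-runs the manual procedure in the header comment. The comment should say this outright, e.g. `# NOTE: with a digest present Docker ignores the tag; :latest / kali-rolling are frozen snapshots, and no pin picks up upstream fixes until refreshed (a digest proves integrity of what was pulled, not provenance — signature verification is a separate step).` A small test or CI job that resolves each tag (`docker buildx imagetools inspect --format '{{.Manifest.Digest}}' <image:tag>`, which needs no pull) and warns when it diverges from the constant would make drift visible, or hand the digests to a Renovate/Dependabot docker-digest rule. The `docker inspect … RepoDigests 0` recipe also returns `repo@sha256:` without the tag and, if the image was ever pulled from a mirror, index 0 may belong to the wrong registry. If `centos:7`, `ubuntu:20.04` and `fedora:39` are deliberate EOL decoys the freeze is harmless, but that intent is worth a word in the comment so a refresh does not "helpfully" bump them.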
diff --git a/decnet/models.py b/decnet/models.py index ed5f9555..f5466723 100644 --- a/decnet/models.py +++ b/decnet/models.py @@ -91,7 +91,7 @@ class DeckyConfig(BaseModel): services: list[str] = PydanticField(..., min_length=1) distro: str # slug from distros.DISTROS, e.g. "debian", "ubuntu22" base_image: str # Docker image for the base/IP-holder container - build_base: str = "debian:bookworm-slim" # apt-compatible image for service Dockerfiles + build_base: str = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252" # apt-compatible image for service Dockerfiles; digest pinned via distros.py hostname: str archetype: str | None = None # archetype slug if spawned from an archetype profile service_config: dict[str, dict] = PydanticField(default_factory=dict) diff --git a/decnet/services/conpot.py b/decnet/services/conpot.py index a4750483..6d9a6907 100644 --- a/decnet/services/conpot.py +++ b/decnet/services/conpot.py @@ -25,7 +25,7 @@ class ConpotService(BaseService): return { "build": { "context": str(self.dockerfile_context()), - "args": {"BASE_IMAGE": "honeynet/conpot:latest"}, + "args": {"BASE_IMAGE": "honeynet/conpot:latest@sha256:cd93e88d9e44b020db691fc4c75cb29e76b5e90ddbc408aca26e6c78c5646976"}, }, "container_name": f"{decky_name}-conpot", "restart": "unless-stopped", diff --git a/decnet/templates/conpot/Dockerfile b/decnet/templates/conpot/Dockerfile index 1d3bb3e7..1c02d7dd 100644 --- a/decnet/templates/conpot/Dockerfile +++ b/decnet/templates/conpot/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=honeynet/conpot:latest +ARG BASE_IMAGE=honeynet/conpot:latest@sha256:cd93e88d9e44b020db691fc4c75cb29e76b5e90ddbc408aca26e6c78c5646976 FROM ${BASE_IMAGE} USER root diff --git a/decnet/templates/cowrie/Dockerfile b/decnet/templates/cowrie/Dockerfile index c8f0fba1..3dd9040c 100644 --- a/decnet/templates/cowrie/Dockerfile +++ b/decnet/templates/cowrie/Dockerfile 
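Review bot: `build_base`'s new default is a second hand-copied literal of the debian digest (the same string appears in `_DEBIAN_BOOKWORM`, `compose.py` and every template Dockerfile), so a refresh that edits distros.py leaves this default stale; `build_base: str = DISTROS["debian"].build_base` keeps one source of truth, provided importing `decnet.distros` from models.py does not form a cycle (distros.py defines `DistroProfile` locally per the hunk context, but its imports are not visible here). Since `DeckyConfig` is a Pydantic model, `base_image` and `build_base` can also arrive from user-supplied config, and nothing enforces the pin policy this commit establishes; a validator on both fields — `if "@sha256:" not in v: raise ValueError("base image must be pinned by digest")` (or a warning, if unpinned images are an accepted dev-mode escape hatch) — would make DEBT-023 hold for runtime configs and not only for the defaults. `PydanticField(..., min_length=1)` on a list reads as Pydantic v2, so `@field_validator("base_image", "build_base")` is presumably the right decorator; confirm against the project's pinned version.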
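Review bot: The `honeynet/conpot:latest@sha256:…` digest now lives in two places — this build arg and the Dockerfile's `ARG BASE_IMAGE` default — and neither is anywhere near the refresh procedure the commit message says is documented in distros.py, so a routine refresh of the distro pins will very likely miss conpot. Hoist it next to the other pins, `_CONPOT_IMAGE = "honeynet/conpot:latest@sha256:cd93e8…"` in distros.py, and pass `"args": {"BASE_IMAGE": _CONPOT_IMAGE}` here. `honeynet/conpot` is a community image rather than a Docker Official Image, so the digest fixes what was fetched on 2026-05-03 but says nothing about how that image was built; recording where the digest was taken from (and ideally verifying a signature if the publisher provides one) is the caveat a future refresher needs.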
@@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/docker_api/Dockerfile b/decnet/templates/docker_api/Dockerfile index 61e09d55..cd0de69c 100644 --- a/decnet/templates/docker_api/Dockerfile +++ b/decnet/templates/docker_api/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/elasticsearch/Dockerfile b/decnet/templates/elasticsearch/Dockerfile index 7087b291..c845a06a 100644 --- a/decnet/templates/elasticsearch/Dockerfile +++ b/decnet/templates/elasticsearch/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/ftp/Dockerfile b/decnet/templates/ftp/Dockerfile index d8f52dd9..ed4ab759 100644 --- a/decnet/templates/ftp/Dockerfile +++ b/decnet/templates/ftp/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/http/Dockerfile b/decnet/templates/http/Dockerfile index 19ff037f..0ac3ca50 100644 --- a/decnet/templates/http/Dockerfile +++ b/decnet/templates/http/Dockerfile 
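Review bot: Pinning the base only makes the `FROM` layer deterministic; the `RUN apt-get update && apt-get install …` immediately below still fetches whatever the Debian mirror serves at build time, so two builds from the same pinned base can still differ, and the "reproducibility" wording DEBT-023 was opened under is only half met. If full build reproducibility is the goal, point apt at a dated snapshot (e.g. a `sources.list` entry for `snapshot.debian.org/archive/debian/20260503T000000Z` written before the `apt-get update`) or pin versions with `apt-get install pkg=version`; otherwise a one-line comment such as `# base layer is digest-pinned; package versions still float with the Debian archive` above the `RUN` keeps the guarantee honest. The same applies to every `templates/*/Dockerfile` in this patch, since they share this layout. The rest of each Dockerfile is outside the hunk.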
@@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/https/Dockerfile b/decnet/templates/https/Dockerfile index 2371e64d..1338a20e 100644 --- a/decnet/templates/https/Dockerfile +++ b/decnet/templates/https/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/imap/Dockerfile b/decnet/templates/imap/Dockerfile index 35d1b675..a0d24a56 100644 --- a/decnet/templates/imap/Dockerfile +++ b/decnet/templates/imap/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/k8s/Dockerfile b/decnet/templates/k8s/Dockerfile index 1da62962..c9bf9ebd 100644 --- a/decnet/templates/k8s/Dockerfile +++ b/decnet/templates/k8s/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/ldap/Dockerfile b/decnet/templates/ldap/Dockerfile index 53636300..247c8e53 100644 --- a/decnet/templates/ldap/Dockerfile +++ b/decnet/templates/ldap/Dockerfile 
@@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/llmnr/Dockerfile b/decnet/templates/llmnr/Dockerfile index 724f4db5..b737295f 100644 --- a/decnet/templates/llmnr/Dockerfile +++ b/decnet/templates/llmnr/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/mongodb/Dockerfile b/decnet/templates/mongodb/Dockerfile index b0f472db..57bc761c 100644 --- a/decnet/templates/mongodb/Dockerfile +++ b/decnet/templates/mongodb/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/mqtt/Dockerfile b/decnet/templates/mqtt/Dockerfile index 11f9c6ee..f5726b40 100644 --- a/decnet/templates/mqtt/Dockerfile +++ b/decnet/templates/mqtt/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/mssql/Dockerfile b/decnet/templates/mssql/Dockerfile index fd2c972c..8ca88b3c 100644 --- a/decnet/templates/mssql/Dockerfile +++ b/decnet/templates/mssql/Dockerfile 
@@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/mysql/Dockerfile b/decnet/templates/mysql/Dockerfile index f3bb4f2a..55dfb815 100644 --- a/decnet/templates/mysql/Dockerfile +++ b/decnet/templates/mysql/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/pop3/Dockerfile b/decnet/templates/pop3/Dockerfile index 08ac966d..d8421caf 100644 --- a/decnet/templates/pop3/Dockerfile +++ b/decnet/templates/pop3/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/postgres/Dockerfile b/decnet/templates/postgres/Dockerfile index d564c9a1..5dd3d9c2 100644 --- a/decnet/templates/postgres/Dockerfile +++ b/decnet/templates/postgres/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/rdp/Dockerfile b/decnet/templates/rdp/Dockerfile index 14e3db98..0d8b544e 100644 --- a/decnet/templates/rdp/Dockerfile +++ b/decnet/templates/rdp/Dockerfile 
@@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/redis/Dockerfile b/decnet/templates/redis/Dockerfile index b644ccc5..5444932d 100644 --- a/decnet/templates/redis/Dockerfile +++ b/decnet/templates/redis/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/sip/Dockerfile b/decnet/templates/sip/Dockerfile index e42a5e2d..9844a2fa 100644 --- a/decnet/templates/sip/Dockerfile +++ b/decnet/templates/sip/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/smb/Dockerfile b/decnet/templates/smb/Dockerfile index f6f66110..0ca4f7ea 100644 --- a/decnet/templates/smb/Dockerfile +++ b/decnet/templates/smb/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/smtp/Dockerfile b/decnet/templates/smtp/Dockerfile index 3247774a..1354b42b 100644 --- a/decnet/templates/smtp/Dockerfile +++ b/decnet/templates/smtp/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ 
diff --git a/decnet/templates/sniffer/Dockerfile b/decnet/templates/sniffer/Dockerfile index ff9a6fc9..818b0239 100644 --- a/decnet/templates/sniffer/Dockerfile +++ b/decnet/templates/sniffer/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/snmp/Dockerfile b/decnet/templates/snmp/Dockerfile index 9b796758..d22f4394 100644 --- a/decnet/templates/snmp/Dockerfile +++ b/decnet/templates/snmp/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/ssh/Dockerfile b/decnet/templates/ssh/Dockerfile index 03843b9a..846e2cb3 100644 --- a/decnet/templates/ssh/Dockerfile +++ b/decnet/templates/ssh/Dockerfile @@ -1,10 +1,10 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 # ── Stage 1: build the static auth-helper credential-capture binary ────────── # Compiled against musl so the resulting binary is fully static — runs on # any glibc/musl Linux without a libc version match. Stripped at link # time via -s so `file /usr/sbin/auth-helper` reports a generic ELF. -FROM debian:bookworm-slim AS auth-helper-build +FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS auth-helper-build RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \ && rm -rf /var/lib/apt/lists/* COPY auth-helper/auth-helper.c /tmp/auth-helper.c diff --git a/decnet/templates/telnet/Dockerfile b/decnet/templates/telnet/Dockerfile index 94a75989..f8527ea0 100644 
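Review bot: In the ssh Dockerfile the stage-1 line `FROM debian:bookworm-slim@sha256:… AS auth-helper-build` hardcodes the digest a second time instead of reusing the `ARG BASE_IMAGE` declared two lines above it, so this is one more copy to hand-edit on refresh. If the builder is deliberately fixed to Debian regardless of distro profile — plausible, since the musl-built `auth-helper` binary should come out identical everywhere — say so and give it its own knob: `ARG BUILDER_IMAGE=debian:bookworm-slim@sha256:f9c6a2…` followed by `FROM ${BUILDER_IMAGE} AS auth-helper-build`; if not, `FROM ${BASE_IMAGE} AS auth-helper-build` removes the duplicate outright. The telnet Dockerfile hunk that follows has the identical pattern and should get the same treatment. The remainder of both Dockerfiles, including the final stage that consumes `${BASE_IMAGE}`, is outside the hunk.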
--- a/decnet/templates/telnet/Dockerfile +++ b/decnet/templates/telnet/Dockerfile @@ -1,11 +1,11 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 # ── Stage 1: build the static auth-helper credential-capture binary ────────── # Same source the SSH template builds — generic over PAM service. Wired # into /etc/pam.d/login below so every busybox-telnetd → /bin/login auth # attempt is captured before pam_unix runs. Static + musl: ~38 KB ELF, # zero libc version coupling, runs anywhere. -FROM debian:bookworm-slim AS auth-helper-build +FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS auth-helper-build RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \ && rm -rf /var/lib/apt/lists/* COPY auth-helper/auth-helper.c /tmp/auth-helper.c diff --git a/decnet/templates/tftp/Dockerfile b/decnet/templates/tftp/Dockerfile index fec26b1a..81d56f2c 100644 --- a/decnet/templates/tftp/Dockerfile +++ b/decnet/templates/tftp/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/templates/vnc/Dockerfile b/decnet/templates/vnc/Dockerfile index 5957deec..25afb3fd 100644 --- a/decnet/templates/vnc/Dockerfile +++ b/decnet/templates/vnc/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE=debian:bookworm-slim +ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 FROM ${BASE_IMAGE} RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/decnet/topology/compose.py b/decnet/topology/compose.py index 7de8a86a..df8e6128 100644 --- a/decnet/topology/compose.py +++ b/decnet/topology/compose.py 
@@ -24,7 +24,8 @@ import yaml from decnet.services.registry import get_service -_DEFAULT_BASE_IMAGE = "debian:bookworm-slim" +# Pinned by digest; refresh procedure documented in decnet/distros.py. +_DEFAULT_BASE_IMAGE = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252" # 8 chars matches the git short-SHA convention; collision-safe within # a single deployment's network namespace. diff --git a/development/DEBT.md b/development/DEBT.md index 6711cfd4..55ef7d1e 100644 --- a/development/DEBT.md +++ b/development/DEBT.md 
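Review bot: `_DEFAULT_BASE_IMAGE` is now a third Python copy of the debian digest literal, while its own comment sends the reader to distros.py for the refresh procedure — the obvious way to keep them in sync is to make distros.py the source: `from decnet.distros import DISTROS` and `_DEFAULT_BASE_IMAGE = DISTROS["debian"].build_base`. compose.py already imports from `decnet.services.registry`, so a project import is in keeping with the file; whether `decnet.distros` can be imported here without a cycle is not visible from this hunk and should be checked. Failing that, a unit test that greps every `@sha256:` for `debian:bookworm-slim` across `decnet/` and asserts there is exactly one distinct digest would at least catch the drift that three Python files plus 27 Dockerfiles invite.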
@@ -494,10 +494,9 @@ The prober already computes JARM (`worker.py:286`), HASSH (`worker.py:334`), and ### ~~DEBT-022 — Debug `print()` in correlation engine~~ ✅ CLOSED (false positive) `decnet/correlation/engine.py:20` — The `print()` call is inside the module docstring as a usage example, not in executable code. No production code path affected. -### DEBT-023 — Unpinned base Docker images -**Files:** All `templates/*/Dockerfile` -`debian:bookworm-slim` and similar tags are used without digest pinning. Image contents can silently change on `docker pull`, breaking reproducibility and supply-chain integrity. -**Status:** Deferred — requires `docker pull` access to resolve current digests for each base image. +### ~~DEBT-023 — Unpinned base Docker images~~ ✅ RESOLVED +**Files:** `decnet/distros.py`, `decnet/models.py`, `decnet/topology/compose.py`, `decnet/services/conpot.py`, all `decnet/templates/*/Dockerfile` +Resolved 2026-05-03. All base images now carry `image:tag@sha256:` references. Tags retained for human readability; `@sha256` is what Docker actually resolves, so a registry-side rebuild can no longer swap content under us. Pinned: `debian:bookworm-slim`, `ubuntu:22.04`, `ubuntu:20.04`, `rockylinux:9-minimal`, `centos:7`, `alpine:3.19`, `fedora:39`, `kalilinux/kali-rolling`, `archlinux:latest`, `honeynet/conpot:latest`. Refresh procedure documented at the top of `decnet/distros.py` (`docker pull ` + `docker inspect --format '{{index .RepoDigests 0}}' `). ### ~~DEBT-024 — Stale service version hardcoded in Redis template~~ ✅ RESOLVED ~~**File:** `templates/redis/server.py:15`~~ 
@@ -705,7 +704,7 @@ user who needs it. | ~~DEBT-020~~ | ✅ | Docs | resolved | | ~~DEBT-021~~ | ✅ | Architecture | resolved `de84cc6` | | ~~DEBT-022~~ | ✅ | Code Quality | closed (false positive) | -| DEBT-023 | 🟢 Low | Infra | deferred (needs docker pull) | +| ~~DEBT-023~~ | ✅ | Infra | resolved 2026-05-03 | | ~~DEBT-024~~ | ✅ | Infra | resolved | | ~~DEBT-025~~ | ✅ | Build | resolved | | ~~DEBT-026~~ | ✅ | Features | resolved 2026-05-03 | 
@@ -732,5 +731,5 @@ user who needs it. | DEBT-048 | 🟡 Medium | TTP / Intel provider mapping review (recurring) | open / recurring | | DEBT-049 | 🟡 Medium | TTP / Sigma adapter (post-v1) | open | -**Remaining open:** DEBT-011 (Alembic), DEBT-023 (image pinning), DEBT-027 (Dynamic bait store), DEBT-028 (deploy endpoint tests), DEBT-032 (fingerprint rotation detection), DEBT-033 (transcript shard rotation), DEBT-036 (session-profile ingester), DEBT-037 (webhook delivery hardening), DEBT-038 (SSH PAM cred-capture limitations — document-only), DEBT-042 (orchestrator failure-count window), DEBT-043 (frontend test framework), DEBT-045 (EmailLifter heavyweight — partial paid; carved-out follow-ups remain), DEBT-046 (mal-hash feed), DEBT-048 (TTP intel provider mapping review — recurring quarterly), DEBT-049 (TTP Sigma adapter — post-v1). +**Remaining open:** DEBT-011 (Alembic), DEBT-027 (Dynamic bait store), DEBT-028 (deploy endpoint tests), DEBT-032 (fingerprint rotation detection), DEBT-033 (transcript shard rotation), DEBT-036 (session-profile ingester), DEBT-037 (webhook delivery hardening), DEBT-038 (SSH PAM cred-capture limitations — document-only), DEBT-042 (orchestrator failure-count window), DEBT-043 (frontend test framework), DEBT-045 (EmailLifter heavyweight — partial paid; carved-out follow-ups remain), DEBT-046 (mal-hash feed), DEBT-048 (TTP intel provider mapping review — recurring quarterly), DEBT-049 (TTP Sigma adapter — post-v1). **Estimated remaining effort:** ~21 hours plus the new EmailLifter / TTP follow-ups. DEBT-030 Phase B (optimistic staged-buffer editor) is a follow-up, not debt.