chore(infra): pin Docker base images by digest (DEBT-023)

All base images (debian:bookworm-slim, ubuntu:22.04, ubuntu:20.04, rockylinux:9-minimal, centos:7, alpine:3.19, fedora:39, kalilinux/kali-rolling, archlinux:latest, honeynet/conpot:latest) now carry their resolved sha256 digest so 'docker pull' is deterministic. :tag retained for human readability; @sha256 is what Docker actually resolves. Refresh procedure documented at the top of decnet/distros.py.
2026-05-03 04:38:39 -04:00
parent 6e19d3a25a
commit dcd558fd91
33 changed files with 74 additions and 57 deletions
--- a/decnet/distros.py
+++ b/decnet/distros.py
@@ -18,69 +18,86 @@ class DistroProfile:
    build_base: str     # apt-compatible image for service Dockerfiles (FROM ${BASE_IMAGE})


+# Base images are pinned by digest (sha256) to make `docker pull`
+# reproducible — a registry-side rebuild of "debian:bookworm-slim"
+# can't silently swap content under us.  The :tag is kept for human
+# readability; the @sha256 is what Docker actually resolves.
+# Refresh procedure: `docker pull <tag>` then `docker inspect
+# --format '{{index .RepoDigests 0}}' <tag>`.  Last refreshed 2026-05-03.
+_DEBIAN_BOOKWORM = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252"
+_UBUNTU_22_04    = "ubuntu:22.04@sha256:962f6cadeae0ea6284001009daa4cc9a8c37e75d1f5191cf0eb83fe565b63dd7"
+_UBUNTU_20_04    = "ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214"
+_ROCKY_9         = "rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4"
+_CENTOS_7        = "centos:7@sha256:be65f488b7764ad3638f236b7b515b3678369a5124c47b8d32916d6487418ea4"
+_ALPINE_3_19     = "alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1"
+_FEDORA_39       = "fedora:39@sha256:d63d63fe593749a5e8dbc8152427d40bbe0ece53d884e00e5f3b44859efa5077"
+_KALI_ROLLING    = "kalilinux/kali-rolling@sha256:1fd0364490011f245688c6ed9fee498a11cd779badfbb0b1d3a721d0f49f2d15"
+_ARCH_LATEST     = "archlinux:latest@sha256:5ba8bb318666baef4d33afefc0e65db80f38b23503cb8e7b150d315cc2d4d5da"
+
+
 DISTROS: dict[str, DistroProfile] = {
    "debian": DistroProfile(
        slug="debian",
-        image="debian:bookworm-slim",
+        image=_DEBIAN_BOOKWORM,
        display_name="Debian 12 (Bookworm)",
        hostname_style="generic",
-        build_base="debian:bookworm-slim",
+        build_base=_DEBIAN_BOOKWORM,
    ),
    "ubuntu22": DistroProfile(
        slug="ubuntu22",
-        image="ubuntu:22.04",
+        image=_UBUNTU_22_04,
        display_name="Ubuntu 22.04 LTS (Jammy)",
        hostname_style="generic",
-        build_base="ubuntu:22.04",
+        build_base=_UBUNTU_22_04,
    ),
    "ubuntu20": DistroProfile(
        slug="ubuntu20",
-        image="ubuntu:20.04",
+        image=_UBUNTU_20_04,
        display_name="Ubuntu 20.04 LTS (Focal)",
        hostname_style="generic",
-        build_base="ubuntu:20.04",
+        build_base=_UBUNTU_20_04,
    ),
    "rocky9": DistroProfile(
        slug="rocky9",
-        image="rockylinux:9-minimal",
+        image=_ROCKY_9,
        display_name="Rocky Linux 9",
        hostname_style="rhel",
-        build_base="debian:bookworm-slim",  # Dockerfiles use apt-get; fall back to debian
+        build_base=_DEBIAN_BOOKWORM,  # Dockerfiles use apt-get; fall back to debian
    ),
    "centos7": DistroProfile(
        slug="centos7",
-        image="centos:7",
+        image=_CENTOS_7,
        display_name="CentOS 7",
        hostname_style="rhel",
-        build_base="debian:bookworm-slim",  # Dockerfiles use apt-get; fall back to debian
+        build_base=_DEBIAN_BOOKWORM,  # Dockerfiles use apt-get; fall back to debian
    ),
    "alpine": DistroProfile(
        slug="alpine",
-        image="alpine:3.19",
+        image=_ALPINE_3_19,
        display_name="Alpine Linux 3.19",
        hostname_style="minimal",
-        build_base="debian:bookworm-slim",  # Dockerfiles use apt-get; fall back to debian
+        build_base=_DEBIAN_BOOKWORM,  # Dockerfiles use apt-get; fall back to debian
    ),
    "fedora": DistroProfile(
        slug="fedora",
-        image="fedora:39",
+        image=_FEDORA_39,
        display_name="Fedora 39",
        hostname_style="rhel",
-        build_base="debian:bookworm-slim",  # Dockerfiles use apt-get; fall back to debian
+        build_base=_DEBIAN_BOOKWORM,  # Dockerfiles use apt-get; fall back to debian
    ),
    "kali": DistroProfile(
        slug="kali",
-        image="kalilinux/kali-rolling",
+        image=_KALI_ROLLING,
        display_name="Kali Linux (Rolling)",
        hostname_style="rolling",
-        build_base="kalilinux/kali-rolling",  # Debian-based, apt-get compatible
+        build_base=_KALI_ROLLING,  # Debian-based, apt-get compatible
    ),
    "arch": DistroProfile(
        slug="arch",
-        image="archlinux:latest",
+        image=_ARCH_LATEST,
        display_name="Arch Linux",
        hostname_style="rolling",
-        build_base="debian:bookworm-slim",  # Dockerfiles use apt-get; fall back to debian
+        build_base=_DEBIAN_BOOKWORM,  # Dockerfiles use apt-get; fall back to debian
    ),
 }