chore: switch to ubuntu:noble as base image (#2064)

[holtgrewe]

Summary by CodeRabbit

• New Features

  • Updated package dependencies for improved compatibility.
  • Enhanced support for broader Python 3.x versions.

• Bug Fixes

  • Adjusted PostgreSQL client dependencies for better functionality.

• Chores

  • Updated base image to a newer version for improved stability.
  • Consolidated Python dependency management in the Dockerfile.

[coderabbitai]

Walkthrough

The changes in this pull request involve updates to the Pipfile and the Dockerfile. The Pipfile reflects an update to the altamisa package version from ~=0.2.5 to ~=0.3.0, and the Python version requirement is broadened from 3.10 to 3. The Dockerfile changes the base image from python:3.10-bookworm to ubuntu:noble, updates PostgreSQL client dependencies, and modifies how Python dependencies are managed, including moving pipenv installation to system dependencies.

Changes

File	Change Summary
backend/Pipfile	- Updated altamisa version from ~=0.2.5 to ~=0.3.0. - Changed Python version from 3.10 to 3.
utils/docker/Dockerfile	- Changed base image from python:3.10-bookworm to ubuntu:noble. - Updated PostgreSQL repository from bookworm-pgdg to noble-pgdg. - Updated worker image from 0.14.0 to 0.16.0. - Modified dependency installations, consolidating pipenv installation.

Possibly related issues

• Switch to ubuntu:noble as base image #2064: This change directly addresses the request to switch the base image to ubuntu:noble.
• Use Ubuntu 24/noble as Docker base image #2012: This change aligns with the request to use ubuntu:noble as the Docker base image for improved compatibility with modern dependencies.

🐰 In the garden, I hop and play,
With packages updated, hip-hip-hooray!
From bookworm to noble, we swiftly glide,
New dependencies, come take a ride!
A sprinkle of Python, a dash of cheer,
Let’s build our project, the future is near! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

deps-report 🔍

Commit scanned: 32ff28f

Vulnerable dependencies

4 dependencies have vulnerabilities 😱

Dependency	Advisory	Versions impacted
djangorestframework (transitive)	Affected versions of the package djangorestframework are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with tags.	<3.15.2
jinja2 (transitive)	In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the source parameter as a template object, renders it, and then returns it. The attacker can exploit it with INJECTION COMMANDS in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.	>=0
setuptools (transitive)	Affected versions of Setuptools allow for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.	<70.0.0
sqlalchemy	Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. sqlalchemy/sqlalchemy#8563	<2.0.0b1

Outdated dependencies

37 outdated dependencies found (including 17 outdated major versions)😢

Dependency	Installed version	Latest version
alabaster (transitive)	0.7.16	1.0.0
argon2-cffi (transitive)	21.3.0	23.1.0
billiard (transitive)	3.6.4.0	4.2.1
crispy-bootstrap4 (transitive)	2022.1	2024.10
django	3.2.25	5.1.2
django-model-utils (transitive)	4.3.1	5.0.0
django-rest-knox (transitive)	4.2.0	5.0.2
django-sodar-core	0.13.4	1.0.2
mistune (transitive)	2.0.5	3.0.2
packaging (transitive)	23.2	24.1
protobuf	3.20.3	5.28.3
setuptools (transitive)	67.6.1	75.2.0
sphinx (transitive)	6.2.1	8.1.3
sphinx-rtd-theme (transitive)	1.2.2	3.0.1
sqlalchemy	1.4.54	2.0.36
unidecode (transitive)	0.4.21	1.3.8
xmlschema (transitive)	2.5.1	3.4.2

Dependency	Installed version	Latest version
botocore (transitive)	1.35.36	1.35.49
celery (transitive)	5.2.7	5.4.0
django-autocomplete-light (transitive)	3.9.4	3.11.0
django-crispy-forms (transitive)	2.0	2.3
django-db-file-storage (transitive)	0.5.5	0.5.6.1
django-debug-toolbar	4.3.0	4.4.6
django-environ (transitive)	0.10.0	0.11.2
django-iconify (transitive)	0.1.1	0.4
django-plugins-bihealth	0.4.0	0.5.2
django-postgres-copy	2.3.7	2.7.6
djangorestframework (transitive)	3.14.0	3.15.2
docutils (transitive)	0.18.1	0.21.2
drf-keyed-list-bihealth	0.1.1	0.2.1
markdown (transitive)	3.4.1	3.7
mypy-protobuf (dev)	3.3.0	3.6.0
pydantic-core (transitive)	2.23.4	2.25.0
requests-http-signature	0.2.0	0.7.1
rules (transitive)	3.3	3.5
versioneer (transitive)	0.28	0.29
wheel (transitive)	0.40.0	0.44.0

_Logs

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 5fe9665 and 32ff28f.

⛔ Files ignored due to path filters (1)

• backend/Pipfile.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• backend/Pipfile (2 hunks)
• utils/docker/Dockerfile (4 hunks)

🔇 Additional comments (6)

backend/Pipfile (1)

112-112: Verify Python version compatibility with dependencies.

While broadening the Python version requirement from "3.10" to "3" aligns with the switch to ubuntu:noble (which uses Python 3.12), this change could introduce compatibility issues. Many dependencies in the Pipfile have specific version constraints that might not work across all Python 3.x versions.

Let's verify the compatibility:

Consider either:

1. Keeping the specific Python 3.10 requirement if dependencies aren't tested with newer versions
2. Explicitly setting it to "3.12" to match ubuntu:noble's Python version

utils/docker/Dockerfile (5)

91-92: Consolidate Installation of pipenv with System Dependencies

Installing pipenv alongside system dependencies improves the build process by reducing layers and potential issues with Python package installations.

---

145-145: Ensure Compatibility with Updated Worker Image Version

The worker image has been updated to 0.16.0. Ensure that this version is compatible with your application and that any breaking changes have been addressed.

---

69-70: Ensure Application Compatibility with Python 3.12

The Dockerfile installs Python 3.12 and sets it as the default Python interpreter. Please verify that your application code and dependencies are compatible with Python 3.12, as there may be deprecations or changes affecting your code.

To identify potential compatibility issues, consider running the following script:

#!/bin/bash
# Description: Check for deprecated modules and syntax incompatible with Python 3.12.

# Search for deprecated syntax (example: usage of `async` and `await` as identifiers).
rg '\b(async|await)\b' --include '*.py'

# Check for removed modules (example: `asyncio.coroutines` module).
rg 'from asyncio import coroutines' --include '*.py'

---

138-138: Verify Necessity and Availability of New Packages

The addition of librocksdb8.9 and libsqlite3-0 packages suggests changes in application dependencies. Please confirm that these packages are required and are available in the Ubuntu Noble repositories.

You can check the availability of these packages with the following script:

#!/bin/bash
# Description: Verify that `librocksdb8.9` and `libsqlite3-0` are available.

# Update package lists.
apt-get update

# Check package availability.
apt-cache policy librocksdb8.9 libsqlite3-0

---

42-42: Ensure Compatibility with Ubuntu Noble

The base image has been changed to ubuntu:noble. Please verify that all system dependencies and configurations are compatible with this Ubuntu version, as there might be changes in package availability and versions.

To check for potential compatibility issues with system packages, you can run the following script:

✅ Verification successful

Ubuntu Noble compatibility verified

Based on the Dockerfile analysis, the system dependencies and configurations are properly handled for Ubuntu Noble:

• The required PostgreSQL 12 repository is correctly configured for Noble
• All essential packages are explicitly installed:
  • Core dependencies: curl, ldap-utils, libldap2-dev, libsasl2-dev
  • Python stack: postgresql-client-12, libpq-dev, python3.12, python3-pip
  • Runtime dependencies: librocksdb8.9, libsqlite3-0
• Proper cleanup of package cache is implemented
• Python environment and alternatives are correctly configured

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that required packages are available in Ubuntu Noble repositories.

# Update package lists.
apt-get update

# Check availability of essential packages.
apt-cache policy postgresql-client-12 libpq-dev python3.12 python3-pip librocksdb8.9 libsqlite3-0

Length of output: 373

---

Script:

#!/bin/bash
# Let's analyze the Dockerfile to understand the system dependencies and configurations

# First, check the Dockerfile content
cat utils/docker/Dockerfile

# Then, search for any other Dockerfiles in the repository
fd Dockerfile

# Look for package requirements or dependency files
fd -e txt -e ini -e conf -e yaml -e yml -e toml | grep -i "require\|depend\|packages"

Length of output: 8174

[coderabbitai]

⚠️ Potential issue

Separate unrelated dependency update.

The altamisa version update from ~=0.2.5 to ~=0.3.0 appears unrelated to the PR's objective of switching the base image. Consider moving this change to a separate PR focused on dependency updates to maintain clear change tracking and easier rollback if needed.

-altamisa = "~=0.3.0"
+altamisa = "~=0.2.5"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	altamisa = "~=0.3.0"
	altamisa = "~=0.2.5"

[tedil]

This package upgrade is needed because of the broader python version support added in this PR

[coderabbitai]

@tedil, thank you for the clarification. Understood that the altamisa package upgrade is needed for the broader Python version support added in this PR.

(・ω・)

---

✏️ Learnings added

Learnt from: tedil
PR: varfish-org/varfish-server#2065
File: backend/Pipfile:8-8
Timestamp: 2024-10-28T12:59:54.233Z
Learning: When updating Python version support to a broader range (e.g., changing `python_version = "3.10"` to `python_version = "3"` in `backend/Pipfile`), the `altamisa` package should be upgraded to `~=0.3.0` to maintain compatibility.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[coderabbitai]

⚠️ Potential issue

Avoid Using Deprecated apt-key Command

The apt-key add command is deprecated and may lead to security issues. It's recommended to use keyrings and the signed-by option in your sources list.

Consider updating the key addition and repository setup as follows:

- wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc \
- | apt-key add - && \
+ wget --quiet -O /usr/share/keyrings/postgresql-archive-keyring.gpg \
+     https://www.postgresql.org/media/keys/ACCC4CF8.asc && \

And modify the repository entry:

- echo "deb http://apt.postgresql.org/pub/repos/apt noble-pgdg main" \
-     > /etc/apt/sources.list.d/pgdg.list
+ echo "deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] \
+     http://apt.postgresql.org/pub/repos/apt noble-pgdg main" \
+     > /etc/apt/sources.list.d/pgdg.list

Committable suggestion was skipped due to low confidence.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91%. Comparing base (ee993e9) to head (32ff28f).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##            main   #2065     +/-   ##
=======================================
  Coverage     91%     91%             
=======================================
  Files        676     677      +1     
  Lines      38463   39635   +1172     
=======================================
+ Hits       35118   36225   +1107     
- Misses      3345    3410     +65     

see 6 files with indirect coverage changes