Conversation
|
Caution Review failedAn error occurred during the review process. Please try again later. 📝 WalkthroughWalkthroughDockerfiles for UBI 9 and UBI 10 now install tmux by downloading and extracting architecture-specific prebuilt tmux release tarballs from GitHub and placing the tmux binary at Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
hmm.. looks like installation is failing - https://github.com/tmux/tmux/wiki/Installing |
|
@ibuziuk I believe that RUN <<'EOF'
set -euf -o pipefail
TEMP_DIR="$(mktemp -d)"
cd "${TEMP_DIR}"
TMUX_VERSION="3.6a"
case "$TARGETARCH" in
amd64)
TMUX_ARCH="x86_64"
;;
arm64)
TMUX_ARCH="arm64"
;;
*)
echo "Skipping tmux install for unsupported architecture: $TARGETARCH"
exit 0
;;
esac
TMUX_TGZ="tmux-${TMUX_VERSION}-linux-${TMUX_ARCH}.tar.gz"
TMUX_TGZ_URL="https://github.com/tmux/tmux-builds/releases/download/v${TMUX_VERSION}/${TMUX_TGZ}"
curl -sSLO "${TMUX_TGZ_URL}"
tar -xz --no-same-owner -f "${TMUX_TGZ}"
mv tmux /usr/local/bin/tmux
chmod +x /usr/local/bin/tmux
cd -
rm -rf "${TEMP_DIR}"
EOF |
Signed-off-by: Ilya Buziuk <ibuziuk@redhat.com>
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@universal/ubi10/Dockerfile`:
- Around line 561-576: The temp directory is created unconditionally
(TEMP_DIR="$(mktemp -d)") before the architecture check, so the script can exit
on unsupported architectures and leak TEMP_DIR; fix by either moving the
TEMP_DIR creation to after the case that sets TMUX_ARCH (so mktemp only runs for
supported arch), or add a cleanup trap immediately after creating TEMP_DIR
(e.g., trap 'rm -rf "$TEMP_DIR"' EXIT) and ensure any early exits (the default
case in the case statement that echoes and exits) will trigger the trap; update
the Dockerfile around the TEMP_DIR creation and the architecture case to
implement one of these two approaches and reference TEMP_DIR, the case
statement, and the default exit path.
- Around line 582-585: The Dockerfile currently fetches and installs tmux using
TMUX_TGZ_URL/ TMUX_TGZ without any integrity checks; update the tmux install
block to verify the artifact before moving it to /usr/local/bin/tmux by either
(1) adding a checksum verification step: obtain or embed the expected SHA256 for
TMUX_TGZ, download the checksum alongside the tarball, run sha256sum (or openssl
dgst -sha256) and abort the build on mismatch, or (2) if an upstream GPG
signature exists, fetch the signature and upstream public key and verify the
tarball before extraction, or (3) if neither is available, add an explicit
documented acceptance of risk and gate installation with an opt-in build ARG
(e.g., TMUX_INSECURE_ACCEPT) so the default build fails; reference TMUX_TGZ_URL,
TMUX_TGZ and the final install steps (tar -xz ... mv tmux /usr/local/bin/tmux
chmod +x) when implementing the check and fail-fast behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7416499d-f45b-408c-8de7-1725e4f36e2a
📒 Files selected for processing (2)
universal/ubi10/Dockerfileuniversal/ubi9/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
- universal/ubi9/Dockerfile
| TEMP_DIR="$(mktemp -d)" | ||
| cd "${TEMP_DIR}" | ||
|
|
||
| TMUX_VERSION="3.6a" | ||
|
|
||
| case "$TARGETARCH" in | ||
| amd64) | ||
| TMUX_ARCH="x86_64" | ||
| ;; | ||
| arm64) | ||
| TMUX_ARCH="arm64" | ||
| ;; | ||
| *) | ||
| echo "Skipping tmux install for unsupported architecture: $TARGETARCH" | ||
| exit 0 | ||
| ;; |
There was a problem hiding this comment.
Avoid temp-dir leak on unsupported architectures.
Line 561 creates TEMP_DIR before the arch case; on unsupported arch (Line 575), script exits before cleanup (Line 588).
♻️ Proposed fix
-TEMP_DIR="$(mktemp -d)"
-cd "${TEMP_DIR}"
-
TMUX_VERSION="3.6a"
case "$TARGETARCH" in
@@
*)
echo "Skipping tmux install for unsupported architecture: $TARGETARCH"
exit 0
;;
esac
+TEMP_DIR="$(mktemp -d)"
+cd "${TEMP_DIR}"
+
TMUX_TGZ="tmux-${TMUX_VERSION}-linux-${TMUX_ARCH}.tar.gz"
TMUX_TGZ_URL="https://github.com/tmux/tmux-builds/releases/download/v${TMUX_VERSION}/${TMUX_TGZ}"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| TEMP_DIR="$(mktemp -d)" | |
| cd "${TEMP_DIR}" | |
| TMUX_VERSION="3.6a" | |
| case "$TARGETARCH" in | |
| amd64) | |
| TMUX_ARCH="x86_64" | |
| ;; | |
| arm64) | |
| TMUX_ARCH="arm64" | |
| ;; | |
| *) | |
| echo "Skipping tmux install for unsupported architecture: $TARGETARCH" | |
| exit 0 | |
| ;; | |
| TMUX_VERSION="3.6a" | |
| case "$TARGETARCH" in | |
| amd64) | |
| TMUX_ARCH="x86_64" | |
| ;; | |
| arm64) | |
| TMUX_ARCH="arm64" | |
| ;; | |
| *) | |
| echo "Skipping tmux install for unsupported architecture: $TARGETARCH" | |
| exit 0 | |
| ;; | |
| esac | |
| TEMP_DIR="$(mktemp -d)" | |
| cd "${TEMP_DIR}" | |
| TMUX_TGZ="tmux-${TMUX_VERSION}-linux-${TMUX_ARCH}.tar.gz" | |
| TMUX_TGZ_URL="https://github.com/tmux/tmux-builds/releases/download/v${TMUX_VERSION}/${TMUX_TGZ}" |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@universal/ubi10/Dockerfile` around lines 561 - 576, The temp directory is
created unconditionally (TEMP_DIR="$(mktemp -d)") before the architecture check,
so the script can exit on unsupported architectures and leak TEMP_DIR; fix by
either moving the TEMP_DIR creation to after the case that sets TMUX_ARCH (so
mktemp only runs for supported arch), or add a cleanup trap immediately after
creating TEMP_DIR (e.g., trap 'rm -rf "$TEMP_DIR"' EXIT) and ensure any early
exits (the default case in the case statement that echoes and exits) will
trigger the trap; update the Dockerfile around the TEMP_DIR creation and the
architecture case to implement one of these two approaches and reference
TEMP_DIR, the case statement, and the default exit path.
There was a problem hiding this comment.
There was a problem hiding this comment.
Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
| curl -sSLO "${TMUX_TGZ_URL}" | ||
| tar -xz --no-same-owner -f "${TMUX_TGZ}" | ||
| mv tmux /usr/local/bin/tmux | ||
| chmod +x /usr/local/bin/tmux |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
TMUX_VERSION="3.6a"
echo "Release assets:"
curl -fsSL "https://api.github.com/repos/tmux/tmux-builds/releases/tags/v${TMUX_VERSION}" \
| jq -r '.assets[].name' | sort
for arch in x86_64 arm64; do
tgz="tmux-${TMUX_VERSION}-linux-${arch}.tar.gz"
url="https://github.com/tmux/tmux-builds/releases/download/v${TMUX_VERSION}/${tgz}"
echo "Inspecting ${tgz}"
curl -fsSLO "${url}"
tar -tzf "${tgz}" | head -n 20
rm -f "${tgz}"
doneRepository: devfile/developer-images
Length of output: 309
🏁 Script executed:
# Read the Dockerfile to see the tmux installation block and surrounding context
cat -n universal/ubi10/Dockerfile | sed -n '570,595p'Repository: devfile/developer-images
Length of output: 1019
🏁 Script executed:
# Search for other curl/tar installation patterns in the same Dockerfile to compare
rg -n "curl.*-O|tar.*-xz|checksum|sha256" universal/ubi10/Dockerfile | head -30Repository: devfile/developer-images
Length of output: 1662
🏁 Script executed:
# Check if there's a .sha256 or checksum file available for tmux releases
curl -fsSL "https://api.github.com/repos/tmux/tmux-builds/releases/tags/v3.6a" | jq '.assets[] | {name, browser_download_url}'Repository: devfile/developer-images
Length of output: 117
Verify tmux artifact integrity before installing binary.
Line 582 downloads and installs an executable without checksum validation. Multiple other tools in this Dockerfile (Krew, Helm, Kustomize, TKN, KN, Terraform, E2FSPROGS) verify checksums; tmux should follow the same pattern for supply-chain security. While tmux-builds does not publish checksums, consider alternative verification methods (e.g., GPG signatures if available, hash comparison with upstream documentation) or explicitly document the risk acceptance.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@universal/ubi10/Dockerfile` around lines 582 - 585, The Dockerfile currently
fetches and installs tmux using TMUX_TGZ_URL/ TMUX_TGZ without any integrity
checks; update the tmux install block to verify the artifact before moving it to
/usr/local/bin/tmux by either (1) adding a checksum verification step: obtain or
embed the expected SHA256 for TMUX_TGZ, download the checksum alongside the
tarball, run sha256sum (or openssl dgst -sha256) and abort the build on
mismatch, or (2) if an upstream GPG signature exists, fetch the signature and
upstream public key and verify the tarball before extraction, or (3) if neither
is available, add an explicit documented acceptance of risk and gate
installation with an opt-in build ARG (e.g., TMUX_INSECURE_ACCEPT) so the
default build fails; reference TMUX_TGZ_URL, TMUX_TGZ and the final install
steps (tar -xz ... mv tmux /usr/local/bin/tmux chmod +x) when implementing the
check and fail-fast behavior.
There was a problem hiding this comment.
There was a problem hiding this comment.
Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
|
Pull Request UBI 10 images published ✨ Base: quay.io/devfile/base-developer-image:ubi10-pr-254 |
|
Pull Request images published ✨ Base: quay.io/devfile/base-developer-image:pr-254 |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dkwon17, ibuziuk, rohanKanojia The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
The PR is working & looks good to me |
4 participants
Developer Sandbox - https://workspaces.openshift.com#https://github.com/devfile/developer-images/pull/254
https://github.com/tmux/tmux
https://github.com/tmux/tmux/wiki/Installing
required for https://github.com/manusa/ai-beacon#contributing
Summary by CodeRabbit
New Features
tmuxto container images, enabling terminal multiplexing and session management capabilities within containers.