
harden(cerro-torre): replace flaky cgr.dev runtime base with glibc-matched ubuntu:24.04#45

Merged

hyperpolymath merged 1 commit into main from claude/cerro-torre-runtime-base on May 15, 2026

Conversation

@hyperpolymath (Owner)

Summary

Hardens cerro-torre's container runtime stage by removing the
dependency on cgr.dev/chainguard/wolfi-base:latest, which made the
non-blocking container-stack-smoke canary flaky:

  • the Chainguard free tier is unpinnable (:latest only — no version
    tags, digests rotate out), and
  • it frequently returns 403 from restricted networks (reproduced
    here), so the runtime stage could not be pulled at all.

Change

Runtime base → ubuntu:24.04 (the same base, and glibc 2.39, as the
ada-builder stage). This is the only safe target:

  • ct (GNAT) and cerro-sign (Rust) are dynamically linked against the
    builder's glibc. A musl base (alpine / wolfi-static) cannot run
    them; an older-glibc base (debian:stable-slim = glibc 2.36) breaks
    on the GLIBC_2.3x symbols GNAT 15 emits. Matching the builder's libc
    is required for the artefacts to run.
  • ubuntu:24.04 is already pulled for the builder stage, so no additional
    base image is fetched.
  • libcurl runtime + TLS roots now come from apt (libcurl4,
    ca-certificates); the non-root cerro user is created with Debian
    groupadd/useradd syntax.

Trade-off: the runtime image is larger than wolfi-base (~139 MB), accepted
in exchange for a reliably-pullable, libc-correct, pinnable-by-policy base
and a green smoke canary.

Verification (local, real containers)

Built the full multi-stage image (ada-builder + hardened runtime). The
sh.rustup.rs 403 in this sandbox blocks the Rust cerro-sign build, so
cerro-sign was stubbed for the local check only (the runtime-base
change is what's under test; the cerro-sign COPY is unchanged and
CI-exercised). Results:

  • ada-builder: `alr -n build` → Success: Build finished successfully
  • full build exports successfully; cgr.dev no longer referenced
  • `docker run cerro-torre:rt --version` → Cerro Torre 0.1.0-alpha
  • runtime user: uid=999(cerro) gid=999(cerro) (non-root preserved)
  • the glibc-linked ct resolves and runs in the ubuntu:24.04 runtime

Test plan

  • container-stack-smoke builds cerro-torre/Containerfile with
    docker + podman (no cgr.dev fetch; sh.rustup.rs reachable on
    GitHub runners so cerro-sign builds for real)
  • resulting image runs ct --version as non-root

https://claude.ai/code/session_01744NnsooPgw5S6JK11fAaw


Generated by Claude Code

The runtime stage used cgr.dev/chainguard/wolfi-base:latest, whose free
tier is unpinnable (:latest only) and frequently 403s from restricted
networks, making the non-blocking smoke build flaky.

Switch the runtime base to ubuntu:24.04 — the same base (and glibc 2.39)
as the ada-builder stage. This is the only safe choice: ct/cerro-sign are
dynamically linked against the builder's glibc, so a musl base
(alpine/wolfi-static) cannot run them and an older-glibc base
(debian-slim = 2.36) breaks on the GLIBC_2.3x symbols GNAT 15 emits.
ubuntu:24.04 is already pulled for the builder, so no extra base image is
fetched. libcurl runtime + CA roots come from apt (libcurl4,
ca-certificates); the non-root user is created with Debian useradd syntax.

Verified locally: full multi-stage build succeeds and the final image
runs `ct --version` as the non-root cerro user with the glibc binary
resolving correctly.

https://claude.ai/code/session_01744NnsooPgw5S6JK11fAaw
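The glibc-matching argument in this PR (a musl base cannot load the binaries, an older-glibc base fails on newer GLIBC_2.3x symbol versions) can be checked mechanically before a base image is swapped. The script below is an added example written for this page, not cerro-torre project code: it reads `objdump -T` output, finds the highest versioned glibc symbol a binary imports, and compares it with the glibc a runtime base ships. The sample `objdump -T` lines, the function names and the idea of a `--demo` flag are assumptions made for the example; the 2.39/2.36 figures are the ones the PR itself quotes for ubuntu:24.04 and debian:stable-slim.

```shell
#!/bin/sh
# Added example, not cerro-torre project code: confirm that a glibc-linked
# binary (e.g. ct or cerro-sign) will resolve on a candidate runtime base by
# comparing the highest GLIBC_x.y symbol version it imports with the glibc
# the base ships. Parsing and comparison run on captured text, so they can
# be exercised offline; check_binary() needs binutils (objdump) and ldd.

# Constructed sample of `objdump -T` output for an x86_64 binary; the
# symbol/version pairs are plausible but invented for this example.
SAMPLE_OBJDUMP='DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) free
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.4)   __stack_chk_fail
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34)  __libc_start_main
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.38)  strlcpy'

# Read `objdump -T` output on stdin; print the highest GLIBC_x.y[.z] version
# referenced (prints nothing if the binary imports no versioned glibc symbols).
max_glibc_required() {
  grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' |
    awk -F. 'BEGIN { best = -1 }
      { v = $1 * 1000000 + $2 * 1000 + $3; if (v > best) { best = v; ver = $0 } }
      END { if (best >= 0) print ver }'
}

# glibc_satisfied REQUIRED AVAILABLE: exit 0 if AVAILABLE >= REQUIRED, comparing
# up to three dotted components numerically (so 2.38 < 2.39 and 2.4 < 2.34).
glibc_satisfied() {
  awk -v req="$1" -v have="$2" 'BEGIN {
    n = split(req, r, "."); m = split(have, h, ".")
    for (i = 1; i <= 3; i++) {
      a = (i <= n) ? r[i] + 0 : 0; b = (i <= m) ? h[i] + 0 : 0
      if (a < b) exit 0
      if (a > b) exit 1
    }
    exit 0 }'
}

# verdict REQUIRED AVAILABLE: prints OK, FAIL, or NOLIBC when no glibc version
# was detected (a musl base such as alpine or wolfi-static reports none).
verdict() {
  if [ -z "$2" ]; then echo NOLIBC
  elif glibc_satisfied "$1" "$2"; then echo OK
  else echo FAIL
  fi
}

# glibc version installed in the current image, taken from the first line of
# `ldd --version` (musl's ldd prints no such version, so this yields nothing).
installed_glibc() {
  ldd --version 2>/dev/null | head -n 1 | grep -o '[0-9][0-9.]*$' || true
}

# check_binary PATH: live check, meant to run inside the candidate runtime image.
check_binary() {
  command -v objdump >/dev/null 2>&1 || { echo "objdump not found (install binutils)" >&2; return 2; }
  req=$(objdump -T "$1" | max_glibc_required)
  have=$(installed_glibc)
  result=$(verdict "${req:-0}" "$have")
  echo "$1 needs GLIBC_${req:-none}, image has glibc ${have:-none}: $result"
  [ "$result" = OK ]
}

# Stand-alone demo on the constructed sample: a GLIBC_2.38 import resolves on
# ubuntu:24.04 (glibc 2.39) but not on debian:stable-slim (2.36) or a musl base.
if [ "${1:-}" = "--demo" ]; then
  req=$(printf '%s\n' "$SAMPLE_OBJDUMP" | max_glibc_required)
  for base in "ubuntu:24.04 2.39" "debian:stable-slim 2.36" "alpine "; do
    set -- $base
    echo "GLIBC_$req on $1 (glibc ${2:-none}): $(verdict "$req" "${2:-}")"
  done
fi
```

`sh check.sh --demo` walks through the three bases offline. For a real check, call `check_binary /path/to/ct` (installed path assumed) in an image that has binutils; the hardened runtime image will not, so either add it in a throwaway layer or run `objdump -T` on the extracted binary on the host and compare the result with the candidate base's `ldd --version` by hand. Pinning the base by digest does not remove the need for this check: a new ubuntu:24.04 digest keeps glibc 2.39, but a move to a different distribution line can silently change the available symbol versions.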

@hyperpolymath hyperpolymath marked this pull request as ready for review May 15, 2026 20:24
@hyperpolymath hyperpolymath merged commit 6d57448 into main May 15, 2026
38 checks passed
@hyperpolymath hyperpolymath deleted the claude/cerro-torre-runtime-base branch May 15, 2026 20:24


2 participants