docker: add apt-get upgrade to all Dockerfiles#45384
Merged
vincentkoc merged 4 commits intoopenclaw:mainfrom Mar 13, 2026
Merged
docker: add apt-get upgrade to all Dockerfiles#45384vincentkoc merged 4 commits intoopenclaw:mainfrom
vincentkoc merged 4 commits intoopenclaw:mainfrom
Conversation
jacobtomlinson
changed the title
openclaw-barnacle
bot
added
scripts
Contributor
Greptile SummaryThis PR adds
Confidence Score: 4/5
Prompt To Fix All With AIThis is a comment left during a code review.
Path: Dockerfile
Line: 135
Comment:
**`DEBIAN_FRONTEND` not set for `apt-get upgrade`**
`DEBIAN_FRONTEND=noninteractive` is applied to the subsequent `apt-get install` but not to `apt-get upgrade -y`. If any upgraded package triggers a `debconf` configuration dialog (e.g., a timezone or locale package), the build will hang because Docker's build context has no interactive terminal. The sandbox Dockerfiles avoid this by exporting `DEBIAN_FRONTEND` as an `ENV` variable that covers all commands in the layer.
```suggestion
DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: Dockerfile
Line: 135
Comment:
**`--no-install-recommends` missing from `apt-get upgrade`**
All eight Dockerfiles pass `--no-install-recommends` to `apt-get install` to keep image layers minimal, but the newly added `apt-get upgrade -y` lines do not carry the same flag. When upgrading packages apt may pull in new recommended packages that weren't previously present, silently growing the image size.
This affects all changed files:
- `Dockerfile` line 135
- `Dockerfile.sandbox` line 10
- `Dockerfile.sandbox-browser` line 10
- `Dockerfile.sandbox-common` line 27
- `scripts/docker/cleanup-smoke/Dockerfile` line 8
- `scripts/docker/install-sh-e2e/Dockerfile` line 8
- `scripts/docker/install-sh-nonroot/Dockerfile` line 14
- `scripts/docker/install-sh-smoke/Dockerfile` line 14
For consistency with the rest of each `RUN` layer, consider adding `--no-install-recommends`:
```suggestion
apt-get upgrade -y --no-install-recommends && \
```
How can I resolve this? If you propose a fix, please make it concise.Last reviewed commit: 71a12da |
![greptile-apps[bot]](proxy.php?url=https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
…grade Prevents debconf hangs during Docker builds and avoids pulling in recommended packages that silently grow the image. Co-Authored-By: Claude <[email protected]>
…t-get upgrade" This reverts commit 6fc3839.
…grade Prevents debconf hangs during Docker builds and avoids pulling in recommended packages that silently grow the image. Co-Authored-By: Claude <[email protected]>
![chatgpt-codex-connector[bot]](proxy.php?url=https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c39a031e37
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \ | ||
| --mount=type=cache,id=openclaw-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \ | ||
| apt-get update && \ | ||
| DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends && \ |
There was a problem hiding this comment.
Running apt-get upgrade here makes rebuilds of the same Git SHA depend on whatever package versions are live in Debian/Ubuntu mirrors at build time, so identical source revisions no longer produce identical images. In this repo that conflicts with the stated reproducibility contract for pinned base digests (Dockerfile:22), and it can cause release/provenance drift and hard-to-debug cache misses across CI runs; prefer bumping pinned base-image digests (or using snapshot repos) instead of upgrading in the Docker build.
Useful? React with 👍 / 👎.
Contributor
Author
There was a problem hiding this comment.
Ensuring packages are up to date means the container has the latest security fixes, this is more important that container reproducibility for each git SHA.
frankekn
pushed a commit
to xinhuagu/openclaw
that referenced
this pull request
Mar 14, 2026
* docker: add apt-get upgrade to patch base-image vulnerabilities Closes openclaw#45159 * docker: add DEBIAN_FRONTEND and --no-install-recommends to apt-get upgrade Prevents debconf hangs during Docker builds and avoids pulling in recommended packages that silently grow the image. Co-Authored-By: Claude <[email protected]> * Revert "docker: add DEBIAN_FRONTEND and --no-install-recommends to apt-get upgrade" This reverts commit 6fc3839. * docker: add DEBIAN_FRONTEND and --no-install-recommends to apt-get upgrade Prevents debconf hangs during Docker builds and avoids pulling in recommended packages that silently grow the image. Co-Authored-By: Claude <[email protected]> --------- Co-authored-by: Claude <[email protected]>
ecochran76
pushed a commit
to ecochran76/openclaw
that referenced
this pull request
Mar 14, 2026
* docker: add apt-get upgrade to patch base-image vulnerabilities Closes openclaw#45159 * docker: add DEBIAN_FRONTEND and --no-install-recommends to apt-get upgrade Prevents debconf hangs during Docker builds and avoids pulling in recommended packages that silently grow the image. Co-Authored-By: Claude <[email protected]> * Revert "docker: add DEBIAN_FRONTEND and --no-install-recommends to apt-get upgrade" This reverts commit 6fc3839. * docker: add DEBIAN_FRONTEND and --no-install-recommends to apt-get upgrade Prevents debconf hangs during Docker builds and avoids pulling in recommended packages that silently grow the image. Co-Authored-By: Claude <[email protected]> --------- Co-authored-by: Claude <[email protected]>
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
apt-get upgrade -ybeforeapt-get installin all 8 Dockerfiles that install system packages from a base imageFiles changed
Dockerfile(runtime stage)Dockerfile.sandboxDockerfile.sandbox-browserDockerfile.sandbox-commonscripts/docker/cleanup-smoke/Dockerfilescripts/docker/install-sh-e2e/Dockerfilescripts/docker/install-sh-nonroot/Dockerfilescripts/docker/install-sh-smoke/DockerfileCloses #45159
Test plan
docker build .completes successfully🤖 Generated with Claude Code