[Security] Fixing vulnerabilities in the Dockerfile #5744
Closed
Swipe4057 wants to merge 17 commits into sgl-project:main from
Collaborator
wait for yineng, thanks!
Contributor
Author
@zhyncs I made a few more small changes to the Dockerfile to update apt and pip packages in order to completely eliminate all vulnerabilities. I can't run CI, and it seems it won't run with the modified Dockerfile. If that's the case, I'll need help running CI locally, as I don't have the necessary hardware and resources.
zhyncs reviewed May 24, 2025
Contributor
Author
zhyncs Ubuntu22.04 to Ubuntu24.04, CUDA_VERSION=12.6.3, Pytorch 2.7.0 unlocked
Motivation
This PR aims to improve the security of SGLang's Docker image by upgrading the base image to a newer version with significantly fewer vulnerabilities. The current base image nvcr.io/nvidia/tritonserver:24.04-py3-min contains 69 vulnerabilities with exploitable exploits, while the newer nvcr.io/nvidia/tritonserver:24.12-py3-min version has only 17 vulnerabilities.
nvcr.io/nvidia/tritonserver:24.04-py3-min:

nvcr.io/nvidia/tritonserver:24.12-py3-min:

This upgrade is critically important for large corporations and enterprise users for several key security reasons:
Reduced Attack Surface
Mitigation of Known Exploits
Data exfiltration of sensitive model inputs/outputs
Privilege escalation attacks in containerized environments
Potential compromise of adjacent systems in Kubernetes clusters
Reduces findings in mandatory vulnerability scans
Modifications
Changed the base Docker image from nvcr.io/nvidia/tritonserver:24.04-py3-min to nvcr.io/nvidia/tritonserver:24.12-py3-min in sglang/docker/Dockerfile. Update linux-libc-dev and Pillow
Ubuntu22.04 to Ubuntu24.04!
CUDA_VERSION=12.6.3
Update to Pytorch 2.7.0 unlocked
Checklist