From 2838244d592a911db2741a73770d2bf91d7a4fc2 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Wed, 2 Aug 2023 19:12:32 +0400
Subject: [PATCH 1/7] [anaconda] Refactor Dockerfile to decrease image size
---
src/anaconda/.devcontainer/Dockerfile | 72 +++++++++++++--------------
1 file changed, 35 insertions(+), 37 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 455e054bde..0315e24cdd 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -3,9 +3,44 @@ FROM continuumio/anaconda3:2023.03-1 as upstream
 # Verify OS version is expected one
 RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1; fi
+# Temporary: Upgrade python packages due to mentioned CVEs
+# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
+RUN python3 -m pip install \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
+ --upgrade joblib \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
+ cookiecutter \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
+ mistune \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
+ numpy \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
+ werkzeug \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
+ nbconvert \
+ # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
+ tornado
+
+RUN conda install \
+ # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
+ pyopenssl=23.2.0 \
+ cryptography=41.0.2 \
+ # https://github.com/advisories/GHSA-j8r2-6x86-q33q
+ requests=2.31.0
+
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:0-bullseye
 COPY --from=upstream /opt /opt/
+
+ARG USERNAME=vscode
+
+# Create the conda group and add remote user to the group
+RUN groupadd -r conda --gid 900 \
+ && usermod -aG conda ${USERNAME}
+
+# Copy opt folder, set ownership and group permissions
+COPY --chown=${USERNAME}:conda --chmod=g+s --from=upstream /opt /opt/
+
 USER root
 # Copy scripts to execute
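Review bot: The added `groupadd -r conda`/`usermod -aG conda ${USERNAME}` step and the `COPY --chown=${USERNAME}:conda` sit above the stage's existing `USER root` line, so they run as whatever user `mcr.microsoft.com/devcontainers/base:0-bullseye` leaves active; that is presumably root, but if it is not, `groupadd` fails here, so moving `USER root` up to just after the `FROM`, or adding `# Base image leaves root active; the group setup below relies on it` above the RUN, makes the dependency explicit. The relocated `pip install --upgrade` block is still unpinned, so the CVE fixes it documents resolve to whatever PyPI serves on the first build and are then frozen by the layer cache on later builds — pin each package to its fixed release, as the `conda install` block directly below already does for `pyopenssl`, `cryptography` and `requests`. The `upstream` stage this hunk modifies begins at the `FROM continuumio/anaconda3` line above the hunk.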
@@ -43,24 +78,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 && echo "conda activate base" >> ~/.bashrc \
 && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/add-notice.sh
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN python3 -m pip install \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
- --upgrade joblib \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
- cookiecutter \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
- mistune \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
- numpy \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
- werkzeug \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
- nbconvert \
- # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
- tornado
-
 # Copy environment.yml (if found) to a temp location so we can update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.
 # COPY environment.yml* .devcontainer/noop.txt /tmp/conda-tmp/
@@ -71,22 +88,3 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 # && apt-get -y install --no-install-recommends
-
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \
- # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
- pyopenssl=23.2.0 \
- cryptography=41.0.2 \
- # https://github.com/advisories/GHSA-j8r2-6x86-q33q
- requests=2.31.0
-
-# Create conda group, update conda directory permissions,
-# add user to conda group
-# Note: We need to execute these commands after pip install / conda update
-# since pip doesn't preserve directory permissions
-RUN groupadd -r conda --gid 900 \
- && chown -R :conda /opt/conda \
- && chmod -R g+w /opt/conda \
- && find /opt -type d | xargs -n 1 chmod g+s \
- && usermod -aG conda ${USERNAME}
From 58b9043cd256f7372293e2ed91ffa58dd4ded106 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Wed, 2 Aug 2023 20:23:08 +0400
Subject: [PATCH 2/7] Update Dockerfile
---
src/anaconda/.devcontainer/Dockerfile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 0315e24cdd..b78a0a6996 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -30,7 +30,6 @@ RUN conda install \
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:0-bullseye
-COPY --from=upstream /opt /opt/
 ARG USERNAME=vscode
@@ -39,7 +38,7 @@ RUN groupadd -r conda --gid 900 \
 && usermod -aG conda ${USERNAME}
 # Copy opt folder, set ownership and group permissions
-COPY --chown=${USERNAME}:conda --chmod=g+s --from=upstream /opt /opt/
+COPY --chown=:conda --chmod=070 --from=upstream /opt /opt/
 USER root
From 6e511af45af5666dbda0bda29502efaab7c86fce Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Thu, 3 Aug 2023 13:13:59 +0400
Subject: [PATCH 3/7] Resolve review comments
- Bump `base` devcontainer version
- Update permissions
---
src/anaconda/.devcontainer/Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index b78a0a6996..8ec033d4ee 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -29,7 +29,7 @@ RUN conda install \
 requests=2.31.0
 # Reset and copy updated files with updated privs to keep image size down
-FROM mcr.microsoft.com/devcontainers/base:0-bullseye
+FROM mcr.microsoft.com/devcontainers/base:1-bullseye
 ARG USERNAME=vscode
@@ -38,7 +38,7 @@ RUN groupadd -r conda --gid 900 \
 && usermod -aG conda ${USERNAME}
 # Copy opt folder, set ownership and group permissions
-COPY --chown=:conda --chmod=070 --from=upstream /opt /opt/
+COPY --chown=:conda --chmod=775 --from=upstream /opt /opt/
 USER root
From 4bf3c7b2557d0555b2c8c2d47810927437e815e7 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Fri, 4 Aug 2023 12:44:26 +0400
Subject: [PATCH 4/7] Update src/anaconda/.devcontainer/Dockerfile
Co-authored-by: Samruddhi Khandale
---
src/anaconda/.devcontainer/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 8ec033d4ee..8134bf5c06 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -38,7 +38,7 @@ RUN groupadd -r conda --gid 900 \
 && usermod -aG conda ${USERNAME}
 # Copy opt folder, set ownership and group permissions
-COPY --chown=:conda --chmod=775 --from=upstream /opt /opt/
+COPY --chown=:conda --chmod=775 --from=upstream /opt/conda /opt/conda
 USER root
From fb6f5b32a41f9aa891ebb1fe9d70bed764dc45b8 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Fri, 4 Aug 2023 14:27:01 +0400
Subject: [PATCH 5/7] Revert "Update src/anaconda/.devcontainer/Dockerfile"
This reverts commit 4bf3c7b2557d0555b2c8c2d47810927437e815e7.
---
src/anaconda/.devcontainer/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 8134bf5c06..8ec033d4ee 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -38,7 +38,7 @@ RUN groupadd -r conda --gid 900 \
 && usermod -aG conda ${USERNAME}
 # Copy opt folder, set ownership and group permissions
-COPY --chown=:conda --chmod=775 --from=upstream /opt/conda /opt/conda
+COPY --chown=:conda --chmod=775 --from=upstream /opt /opt/
 USER root
From ffece92eedb493a66f2cd3798efecbfa29c7a734 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Tue, 8 Aug 2023 17:58:36 +0400
Subject: [PATCH 6/7] Set permissions for `/opt/conda` folder
---
src/anaconda/.devcontainer/Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 8ec033d4ee..6eb771c2a5 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -37,8 +37,8 @@ ARG USERNAME=vscode
 RUN groupadd -r conda --gid 900 \
 && usermod -aG conda ${USERNAME}
-# Copy opt folder, set ownership and group permissions
-COPY --chown=:conda --chmod=775 --from=upstream /opt /opt/
+COPY --chown=:conda --chmod=775 --from=upstream /opt/conda /opt/conda
+RUN chmod =2775 /opt/conda
 USER root
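Review bot: In the PATCH 6/7 hunk, `RUN chmod =2775 /opt/conda` sets the setgid bit only on the top-level directory, while `COPY --chmod=775` leaves every subdirectory at plain 775, so files the remote user later creates under e.g. `/opt/conda/envs` or `/opt/conda/pkgs` will carry that user's primary group rather than `conda`; the `find /opt -type d | xargs -n 1 chmod g+s` that PATCH 1/7 removed applied setgid to every directory. Replacing the line with `RUN find /opt/conda -type d -exec chmod g+s {} +` restores that behaviour, and because only directory inodes are modified it should not re-materialise file contents in the new layer the way the removed `chown -R`/`chmod -R` did — worth confirming with `docker history` since that is the size regression this series is fixing. Note also that `--chmod=775` applies to regular files as well as directories, so every file in the conda tree is now group-writable and executable, which is broader than the `g+w` the original granted; BuildKit's `COPY --chmod` cannot distinguish files from directories, so this trade-off belongs in the comment above the COPY, e.g. `# --chmod applies to files too: all of /opt/conda becomes group-writable and executable`.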
From 00716b5065f99b5fdf2d537981893ce3036b1895 Mon Sep 17 00:00:00 2001
From: Alexander Smolyakov
Date: Tue, 8 Aug 2023 17:59:30 +0400
Subject: [PATCH 7/7] Restore comment
---
src/anaconda/.devcontainer/Dockerfile | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
index 6eb771c2a5..9160c63ba0 100644
--- a/src/anaconda/.devcontainer/Dockerfile
+++ b/src/anaconda/.devcontainer/Dockerfile
@@ -37,6 +37,7 @@ ARG USERNAME=vscode
 RUN groupadd -r conda --gid 900 \
 && usermod -aG conda ${USERNAME}
+# Copy opt folder, set ownership and group permissions
 COPY --chown=:conda --chmod=775 --from=upstream /opt/conda /opt/conda
 RUN chmod =2775 /opt/conda