build: Update packages in release image #3635
Conversation
mergify
bot
added
the
component/build
|
The extra layer added to the container is ~300MB in size. This will be less if the base images are up to date. |
|
Thanks.. getting updated images in base and ceph image were tried. regardless, having an updated images with less vulnarabiliies here also helps. |
|
@Mergifyio rebase |
|
#3637 has been posted to correct this |
|
@Mergifyio rebase |
This will get updates released after the base image was built. This adds a layer and increase the image size, but significantly reduce the number of CVEs in the resultant image. Signed-off-by: Gert van den Berg <github@mohag.net>
|
To get the future behavior now, you can configure Or you can create a dedicated github account for squash and rebase operations, and use it in different |
✅ Branch has been successfully rebased |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.26 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.26 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
mergify
bot
added
ok-to-test
|
/test ci/centos/k8s-e2e-external-storage/1.23 |
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.26 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.26 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
Describe what this PR does
This will get updates released after the base image was built. This adds a layer and increase the image size, but significantly reduce the number of CVEs in the resultant image.
This PR uses DNF to update the OS packages to the latest versions available at container build time.
Currently, this reduces the number of OS package CVEs (as detected by Trivy) from this:
to
Is there anything that requires special attention
Do you have any questions? No
Is the change backward compatible? Yes
Are there concerns around backward compatibility? No
Provide any external context for the change, if any.
Related issues
Related: #3538 (It does not fully fix it, but significantly reduce the issues found)
Related: ceph/ceph-container#2074 - A similar fix in the immediate base image
Future concerns
The package vulnerabilities not fixed is unexpected - this might be due to Trivy using a RHEL patch database instead of a CentOS stream one.
The vulnerabilities in the Go portion should also be addressed.
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)
/retest all: run this in case the CentOS CI failed to start/report any testprogress or results