
build: Update packages in release image #3635

Merged (1 commit), Feb 1, 2023

Conversation

mohag (Contributor) commented Feb 1, 2023

Describe what this PR does

This will get updates released after the base image was built. This adds a layer and increases the image size, but significantly reduces the number of CVEs in the resultant image.

This PR uses DNF to update the OS packages to the latest versions available at container build time.

Currently, this reduces the number of OS package CVEs (as detected by Trivy) from this:

quay.io/cephcsi/cephcsi:canary (redhat 8.6)

Total: 42 (UNKNOWN: 0, LOW: 1, MEDIUM: 38, HIGH: 3, CRITICAL: 0)

to

quay.io/cephcsi/cephcsi:canary (redhat 8.6)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

Is there anything that requires special attention

Do you have any questions? No

Is the change backward compatible? Yes

Are there concerns around backward compatibility? No

Provide any external context for the change, if any.

  • The ceph/cephcsi image uses the ceph/ceph image as base
  • The ceph/ceph image uses the centos/centos:stream8 image as base
  • That CentOS 8 image was last updated 4 months ago and contains several vulnerable packages that have updates available that address the vulnerabilities
  • This installs all the available updates at build time to address the problem of outdated base images

Related issues

Related: #3538 (It does not fully fix it, but significantly reduce the issues found)
Related: ceph/ceph-container#2074 - A similar fix in the immediate base image

Future concerns

The package vulnerabilities that are not fixed are unexpected; this might be due to Trivy using a RHEL patch database instead of a CentOS Stream one.

The vulnerabilities in the Go portion should also be addressed.


Available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

  • /retest ci/centos/<job-name>: retest the <job-name> after unrelated
    failure (please report the failure too!)
  • /retest all: run this in case the CentOS CI failed to start/report any test
    progress or results
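As an added example (not code from this PR or from the ceph-csi project), a small POSIX shell CI gate that parses the one-line Trivy summary quoted above, reports how many findings the update layer removed, and fails when HIGH or CRITICAL counts exceed a threshold; the two summary lines are constructed from the before/after numbers in the PR description, and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ceph-csi PR: a CI gate on Trivy's one-line
# OS-package summary. Trivy's own `trivy image --exit-code 1 --severity
# HIGH,CRITICAL <image>` fails a build the same way; parsing the summary
# additionally lets a pipeline track the total per build.

# Print the count for one field (Total, UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)
# from a Trivy "Total: N (...)" summary line. Prints nothing if absent.
trivy_count() {
    # $1 = field name, $2 = summary line
    printf '%s\n' "$2" | sed -n "s/.*$1: \([0-9][0-9]*\).*/\1/p"
}

# Exit 0 when HIGH <= $2 and CRITICAL <= $3 for summary line $1, else 1.
trivy_gate() {
    _high=$(trivy_count HIGH "$1")
    _crit=$(trivy_count CRITICAL "$1")
    [ "${_high:-0}" -le "$2" ] && [ "${_crit:-0}" -le "$3" ]
}

# Print how many findings disappeared between two scans (before minus after).
trivy_reduction() {
    # $1 = summary before the dnf update layer, $2 = summary after
    echo $(( $(trivy_count Total "$1") - $(trivy_count Total "$2") ))
}

# Constructed sample input, matching the PR's Trivy results for
# quay.io/cephcsi/cephcsi:canary (redhat 8.6) before and after the change.
BEFORE='Total: 42 (UNKNOWN: 0, LOW: 1, MEDIUM: 38, HIGH: 3, CRITICAL: 0)'
AFTER='Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)'

echo "findings removed by the update layer: $(trivy_reduction "$BEFORE" "$AFTER")"
# Assumed policy: at most 2 HIGH and no CRITICAL OS-package findings.
for line in "$BEFORE" "$AFTER"; do
    if trivy_gate "$line" 2 0; then
        echo "PASS (HIGH<=2, CRITICAL=0): $line"
    else
        echo "FAIL (HIGH<=2, CRITICAL=0): $line"
    fi
done
```

The gate only looks at the OS-package target; the Go-module findings the PR mentions as still open would need the same check on Trivy's language-specific summary line.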

@mergify mergify bot added the component/build Issues and PRs related to compiling Ceph-CSI label Feb 1, 2023
mohag (Contributor, Author) commented Feb 1, 2023

The extra layer added to the container is ~300MB in size. This will be less if the base images are up to date.

humblec (Collaborator) commented Feb 1, 2023

Thanks.. getting updated images in base and ceph image was tried. Regardless, having updated images with fewer vulnerabilities here also helps.

humblec
humblec previously approved these changes Feb 1, 2023
@humblec humblec added this to the release-3.8 milestone Feb 1, 2023
Review comment on deploy/cephcsi/image/Dockerfile (outdated, resolved)
@mergify mergify bot dismissed humblec’s stale review February 1, 2023 09:17

Pull request has been modified.

@mohag mohag requested a review from nixpanic February 1, 2023 09:18
nixpanic (Member) previously approved these changes Feb 1, 2023 and left a comment:

Thanks!

@nixpanic nixpanic requested a review from a team February 1, 2023 09:23
Madhu-1
Madhu-1 previously approved these changes Feb 1, 2023
yati1998
yati1998 previously approved these changes Feb 1, 2023
humblec
humblec previously approved these changes Feb 1, 2023
nixpanic (Member) commented Feb 1, 2023

@Mergifyio rebase

mergify bot (Contributor) commented Feb 1, 2023

rebase

⚠️ Comments with bot_account set are disabled

⚠️ The subscription needs to be updated to enable this feature.

nixpanic (Member) commented Feb 1, 2023

rebase

⚠️ Comments with bot_account set are disabled

⚠️ The subscription needs to be updated to enable this feature.

#3637 has been posted to correct this

Madhu-1 (Collaborator) commented Feb 1, 2023

@Mergifyio rebase

This will get updates released after the base image was built. This adds a layer
and increases the image size, but significantly reduces the number of CVEs in the
resultant image.

Signed-off-by: Gert van den Berg <github@mohag.net>
mergify bot (Contributor) commented Feb 1, 2023

⚠️ This pull request got rebased on behalf of a random user of the organization.
This behavior will change on the 1st February 2023, Mergify will pick the author of the pull request instead.

To get the future behavior now, you can configure bot_account options (e.g.: bot_account: { author } or update_bot_account: { author }).

Or you can create a dedicated github account for squash and rebase operations, and use it in different bot_account options.

mergify bot (Contributor) commented Feb 1, 2023

rebase

✅ Branch has been successfully rebased

@mergify mergify bot dismissed stale reviews from yati1998, Madhu-1, humblec, and nixpanic February 1, 2023 13:45

Pull request has been modified.

@nixpanic nixpanic added the ok-to-test Label to trigger E2E tests label Feb 1, 2023
github-actions bot commented Feb 1, 2023 (eleven comments, one per CI test trigger):

  • /test ci/centos/k8s-e2e-external-storage/1.26
  • /test ci/centos/mini-e2e-helm/k8s-1.23
  • /test ci/centos/mini-e2e-helm/k8s-1.24
  • /test ci/centos/mini-e2e-helm/k8s-1.25
  • /test ci/centos/mini-e2e-helm/k8s-1.26
  • /test ci/centos/mini-e2e/k8s-1.23
  • /test ci/centos/mini-e2e/k8s-1.24
  • /test ci/centos/mini-e2e/k8s-1.25
  • /test ci/centos/mini-e2e/k8s-1.26
  • /test ci/centos/upgrade-tests-cephfs
  • /test ci/centos/upgrade-tests-rbd

@mergify mergify bot added ok-to-test Label to trigger E2E tests and removed ok-to-test Label to trigger E2E tests labels Feb 1, 2023
@mergify mergify bot merged commit c3d5b78 into ceph:devel Feb 1, 2023
github-actions bot commented Feb 1, 2023 (fourteen comments after the merge, one per CI test trigger):

  • /test ci/centos/k8s-e2e-external-storage/1.23
  • /test ci/centos/k8s-e2e-external-storage/1.24
  • /test ci/centos/k8s-e2e-external-storage/1.25
  • /test ci/centos/k8s-e2e-external-storage/1.26
  • /test ci/centos/mini-e2e-helm/k8s-1.23
  • /test ci/centos/mini-e2e-helm/k8s-1.24
  • /test ci/centos/mini-e2e-helm/k8s-1.25
  • /test ci/centos/mini-e2e-helm/k8s-1.26
  • /test ci/centos/mini-e2e/k8s-1.23
  • /test ci/centos/mini-e2e/k8s-1.24
  • /test ci/centos/mini-e2e/k8s-1.25
  • /test ci/centos/mini-e2e/k8s-1.26
  • /test ci/centos/upgrade-tests-cephfs
  • /test ci/centos/upgrade-tests-rbd
