Update docker images and centos repos to address CVE false positives

projectcalico · Oct 11, 2021 · 05f8598 · 05f8598
1 parent f6c7e99
commit 05f8598
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
@@ -13,7 +13,7 @@
 # limitations under the License.
 ARG ARCH=x86_64
 ARG GIT_VERSION=unknown
-ARG IPTABLES_VER=1.8.4-15
+ARG IPTABLES_VER=1.8.4-17
 ARG LIBNFTNL_VER=1.1.5-4
 ARG RUNIT_VER=2.1.2
 ARG BIRD_IMAGE=calico/bird:latest
@@ -31,7 +31,7 @@ ARG ARCH
 ARG IPTABLES_VER
 ARG LIBNFTNL_VER
 ARG RUNIT_VER
-ARG CENTOS_MIRROR_BASE_URL=http://vault.centos.org/8.3.2011
+ARG CENTOS_MIRROR_BASE_URL=https://vault.centos.org/8.4.2105
 ARG LIBNFTNL_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/libnftnl-${LIBNFTNL_VER}.el8.src.rpm
 ARG IPTABLES_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/iptables-${IPTABLES_VER}.el8.src.rpm
 
@@ -88,13 +88,14 @@ RUN sed -i '/%files$/a \
 RUN rpmbuild -bb /root/rpmbuild/SPECS/iptables.spec
 
 # runit is not available in ubi or CentOS repos so build it.
-RUN wget -P /tmp http://smarden.org/runit/runit-${RUNIT_VER}.tar.gz && \
-    gunzip /tmp/runit-${RUNIT_VER}.tar.gz && \
-    tar -xpf /tmp/runit-${RUNIT_VER}.tar -C /tmp && \
+# get it from the debian repos as the official website doesn't support https
+RUN wget -P /tmp https://ftp.debian.org/debian/pool/main/r/runit/runit_${RUNIT_VER}.orig.tar.gz && \
+    gunzip /tmp/runit_${RUNIT_VER}.orig.tar.gz && \
+    tar -xpf /tmp/runit_${RUNIT_VER}.orig.tar -C /tmp && \
     cd /tmp/admin/runit-${RUNIT_VER}/ && \
     package/install
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 as ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4 as ubi
 ARG ARCH
 ARG GIT_VERSION
 ARG IPTABLES_VER

diff --git a/centos.repo b/centos.repo
@@ -1,13 +1,13 @@
 [centos-8-base-os]
 name = CentOS - BaseOS
-baseurl = http://vault.centos.org/8.1.1911/BaseOS/x86_64/os
+baseurl = https://mirror.rackspace.com/CentOS/8.4.2105/BaseOS/x86_64/os/
 enabled = 1
 gpgkey = https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
 gpgcheck = 1
 
 [centos-8-appstream]
 name = CentOS - AppStream
-baseurl = http://vault.centos.org/8.1.1911/AppStream/x86_64/os
+baseurl = https://mirror.rackspace.com/CentOS/8.4.2105/AppStream/x86_64/os/
 enabled = 1
 gpgkey = https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
 gpgcheck = 1
diff --git a/clean-up-filesystem.sh b/clean-up-filesystem.sh
@@ -245,10 +245,12 @@ packages_to_keep=(
   libcrypto
   libelf
   libgcc
+  libibverbs
   libmnl
   libnetfilter
   libnfnetlink
   libnftnl
+  libnl3
   libnss
   libpcap
   libpwquality