[DNM until v2.9.1 is released] Migrate the base image to bci-busybox
#186
Conversation
snasovich
changed the title
bci-busyboxbci-busybox
|
PR rebased. |
| RUN rm -f /chroot/bin/sh && ln -s /chroot/bin/bash /chroot/bin/sh | ||
|
|
||
| RUN zypper refresh && \ | ||
| zypper -n in wget file |
There was a problem hiding this comment.
Wonder if we should start adding as a precaution the FIPS related packages - openssl and patterns-base-fips - as in rancher/rancher#46575.
There was a problem hiding this comment.
I had quite a few issues trying to add openssl on this image. The main one being:
error: failed to exec scriptlet interpreter /bin/sh: No such file or directory
error: %prein(openssl-3-3.1.4-150600.5.10.1.x86_64) scriptlet failed, exit status 127
error: openssl-3-3.1.4-150600.5.10.1.x86_64: install failed
Installation of openssl-3-3.1.4-150600.5.10.1.x86_64 failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
error]
Note that /bin/sh does exist and was a symlink to bash. I am happy to investigate a fix and add it if this is required as part of this PR.
There was a problem hiding this comment.
Agree in skipping it for now. Let's wait for the Hostbusters team to review this.
There was a problem hiding this comment.
Had another look at this and still same issues building BCI with FIPS. My understanding is that the image we were using wasn't FIPS compliant. Is this needed for rke-tools?
There was a problem hiding this comment.
Agree ^, let's leave those packages out and add later when/if needed.
There was a problem hiding this comment.
@pjbgf Could you rebase to resolve the conflicts?
The overall changes look good to me, and it appears that most of these utilities aren't being used by rke-tools, so I'm approving the PR. However, I do have some concerns about potential regressions from removing a utility that might be relied on by users, or cases where its usage isn't immediately obvious. This might be something we only catch through QA validation. Would it make sense to hold off until v2.10? That way, we can validate it more thoroughly during testing for new k8s minor version v1.31, as opposed to just a patch release.
The aim of this change is to decrease the long-term number of CVEs this image gets due to the decreased attack surface. As a result, the final image is 40MB lighter and does not contain the following commands: add-shell bbconfig blkdiscard busybox chroot cifsiostat c_rehash crond crontab depmod dumpkmap envsubst fbsplash fc-conflist fc-list fc-match fc-pattern fc-query fc-scan fc-validate fdflush fstrim geoiplookup6 getty halt hwclock ifconfig ifdown ifenslave ifup init inotifyd insmod iostat ipaddr iplink ipneigh iproute iprule kbd_mode link linux32 linux64 logread lsmod modinfo modprobe mountpoint ntpd partprobe printenv raidautorun rdate rdev readahead reboot remove-shell rev rfkill rmmod route swapoff swapon syslogd tapestat traceroute6 tree unlzop watchdog xsltproc Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
|
@kinarashah the push for |
| FROM scratch as final | ||
| COPY --from=build /chroot / | ||
|
|
||
| LABEL maintainer "Rancher Labs <support@rancher.com>" |
There was a problem hiding this comment.
Wonder if we should change to SUSE Rancher instead.
Issues:
rke-toolstobci-busyboxrancher#46099rke-toolstobci-busyboxrancher#46626rke-toolstobci-busyboxrancher#46627The aim of this change is to decrease the long-term number of CVEs this image gets due to the decreased attack surface. As a result, the final image is 40MB lighter and does not contain the following commands:
The list above was generated by comparing a local image with the previous tagged version: