-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DNM until v2.9.1 is released] Migrate the base image to bci-busybox
#186
base: master
Are you sure you want to change the base?
Conversation
bci-busybox
bci-busybox
PR rebased. |
RUN rm -f /chroot/bin/sh && ln -s /chroot/bin/bash /chroot/bin/sh | ||
|
||
RUN zypper refresh && \ | ||
zypper -n in wget file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wonder if we should start adding as a precaution the FIPS related packages - openssl
and patterns-base-fips
- as in rancher/rancher#46575.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had quite a few issues trying to add openssl
on this image. The main one being:
error: failed to exec scriptlet interpreter /bin/sh: No such file or directory
error: %prein(openssl-3-3.1.4-150600.5.10.1.x86_64) scriptlet failed, exit status 127
error: openssl-3-3.1.4-150600.5.10.1.x86_64: install failed
Installation of openssl-3-3.1.4-150600.5.10.1.x86_64 failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
error]
Note that /bin/sh
does exist and was a symlink to bash. I am happy to investigate a fix and add it if this is required as part of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree in skipping it for now. Let's wait for the Hostbusters team to review this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Had another look at this and still same issues building BCI with FIPS. My understanding is that the image we were using wasn't FIPS compliant. Is this needed for rke-tools
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree ^, let's leave those packages out and add later when/if needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pjbgf Could you rebase to resolve the conflicts?
The overall changes look good to me, and it appears that most of these utilities aren't being used by rke-tools, so I'm approving the PR. However, I do have some concerns about potential regressions from removing a utility that might be relied on by users, or cases where its usage isn't immediately obvious. This might be something we only catch through QA validation. Would it make sense to hold off until v2.10? That way, we can validate it more thoroughly during testing for new k8s minor version v1.31, as opposed to just a patch release.
The aim of this change is to decrease the long-term number of CVEs this image gets due to the decreased attack surface. As a result, the final image is 40MB lighter and does not contain the following commands: add-shell bbconfig blkdiscard busybox chroot cifsiostat c_rehash crond crontab depmod dumpkmap envsubst fbsplash fc-conflist fc-list fc-match fc-pattern fc-query fc-scan fc-validate fdflush fstrim geoiplookup6 getty halt hwclock ifconfig ifdown ifenslave ifup init inotifyd insmod iostat ipaddr iplink ipneigh iproute iprule kbd_mode link linux32 linux64 logread lsmod modinfo modprobe mountpoint ntpd partprobe printenv raidautorun rdate rdev readahead reboot remove-shell rev rfkill rmmod route swapoff swapon syslogd tapestat traceroute6 tree unlzop watchdog xsltproc Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
@kinarashah the push for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved from security point of view only. Further approval from Hostbusters is needed.
Made only a comment that is not mandatory.
FROM scratch as final | ||
COPY --from=build /chroot / | ||
|
||
LABEL maintainer "Rancher Labs <support@rancher.com>" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wonder if we should change to SUSE Rancher instead.
Issues:
rke-tools
tobci-busybox
rancher#46099rke-tools
tobci-busybox
rancher#46626rke-tools
tobci-busybox
rancher#46627The aim of this change is to decrease the long-term number of CVEs this image gets due to the decreased attack surface. As a result, the final image is 40MB lighter and does not contain the following commands:
The list above was generated by comparing a local image with the previous tagged version: