From 7d440b39e9cafc7244ae169e3d52e931f3ec5fea Mon Sep 17 00:00:00 2001 
From: "Hughes, Alexander (ah8742)" Date: Thu, 23 May 2019 14:14:35 -0500 Subject: [PATCH] Update Pegleg base image to use Ubuntu 16.04 Currently the Pegleg base image is python:3.6, after a full build of the Pegleg image and pushing it to quay it was discovered that the final image had more than 600 vulnerabilities in the image scan report [0]. When inspecting other Airship projects it became evident that only the Pegleg and Spyglass projects were using python:3.6. The remaining projects use ubuntu:16.04 as their default base image. Locally scanning with Clair [1] confirmed that the base image plays a substantial role in the number and severity of vulnerabilities present in the final Pegleg image. By switching from python:3.6 to ubuntu:16.04 the number of vulnerabilities reported by Clair was reduced to 130, none of which were high - from the original 600+ with ~50 high. This patchset makes the following changes with the aim to reduce the vulnerability count and severity in the final Pegleg image by: 1. Updating the Dockerfile for Ubuntu builds to use 16.04 2. Updating the Dockerfile to install necessary packages for Pegleg to run that are not included with the ubuntu:16.04 base image 3. Renaming the Dockerfile to accurately reflect the Ubuntu distribution 4. Updating the docker build jobs in .zuul.yaml to set the distribution to ubuntu_xenial 5. Updating the Makefile to set distribution to ubuntu_xenial 6. Updating the pegleg.sh script to use the correct image tag with the changes to the distribution in (1-5) 7. Updating the documentation to reflect that the Ubuntu base image is 16.04 (Xenial) [0]: https://quay.io/repository/airshipit/pegleg/manifest/sha256:86d47bf777216eb28c4fc3594e57b0f758fd532b7e88a17ab8e5bd4f42dcd44e?tab=vulnerabilities [1]: https://github.com/arminc/clair-scanner Change-Id: I3c5ef761f9ea01b9673f6a2d08c499e8dc409c9d --- images/pegleg/Dockerfile.ubuntu_xenial | 28 +++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/images/pegleg/Dockerfile.ubuntu_xenial b/images/pegleg/Dockerfile.ubuntu_xenial
index b0a70977..7873c240 100644
--- a/images/pegleg/Dockerfile.ubuntu_xenial
+++ b/images/pegleg/Dockerfile.ubuntu_xenial
@@ -1,4 +1,4 @@
-ARG FROM=python:3.6
+ARG FROM=ubuntu:16.04
 FROM ${FROM}
 ARG CFSSLURL=https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
@@ -9,6 +9,32 @@ LABEL org.opencontainers.image.source='https://opendev.org/airship/pegleg'
 LABEL org.opencontainers.image.vendor='The Airship Authors'
 LABEL org.opencontainers.image.licenses='Apache-2.0'
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+
+RUN set -ex \
+ && apt-get update -qq \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ gcc \
+ git \
+ libssl-dev \
+ netbase \
+ python3-dev \
+ python3-pip \
+ python3-setuptools \
+ && python3 -m pip install -U pip \
+ && apt-get autoremove -yqq --purge \
+ && apt-get clean \
+ && rm -rf \
+ /tmp/* \
+ /usr/share/doc \
+ /usr/share/doc-base \
+ /usr/share/man \
+ /var/lib/apt/lists/* \
+ /var/tmp/*
+
 VOLUME /var/pegleg
 WORKDIR /var/pegleg
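Review bot: `ARG FROM=ubuntu:16.04` in the first hunk is a floating tag, so the base layer it selects moves with every upstream rebuild of that tag, and the 130-vulnerability figure in the commit message describes only the image scanned that day. Pinning the default by digest, `ARG FROM=ubuntu:16.04@sha256:<BASE_IMAGE_DIGEST>` (placeholder digest), keeps rebuilds reproducible while the build arg can still be overridden; the digest is then bumped deliberately whenever a rescan is wanted. A short comment above the line naming the scan that motivated the switch would also help the next person who considers changing it.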
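Review bot: Nothing in the new RUN step of the second hunk is version-pinned — the apt packages carry no versions and `python3 -m pip install -U pip` fetches whatever pip is current at build time — so a later rebuild will not reproduce the image whose Clair result the commit message cites. Pinning at least pip, `&& python3 -m pip install --no-cache-dir -U 'pip==<PINNED_PIP_VERSION>' \` (placeholder version), also keeps pip's download cache out of the layer, which the `rm -rf` list below it does not cover. gcc, libssl-dev and python3-dev remain in the final image; if they are only needed to build wheels for Pegleg's dependencies (the install of Pegleg itself is outside this hunk), purging them in the same RUN once that install is done, or moving the build into a separate stage, would cut exactly the surface this change is trying to reduce. The `apt-get autoremove -yqq --purge` placed directly after the install has nothing to remove yet and could follow that purge instead. Whether a USER directive appears after WORKDIR cannot be seen from this hunk.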