7d440b39e9
Currently the Pegleg base image is python:3.6, after a full build of the Pegleg image and pushing it to quay it was discovered that the final image had more than 600 vulnerabilities in the image scan report [0]. When inspecting other Airship projects it became evident that only the Pegleg and Spyglass projects were using python:3.6. The remaining projects use ubuntu:16.04 as their default base image.

Locally scanning with Clair [1] confirmed that the base image plays a substantial role in the number and severity of vulnerabilities present in the final Pegleg image. By switching from python:3.6 to ubuntu:16.04 the number of vulnerabilities reported by Clair was reduced to 130, none of which were high - from the original 600+ with ~50 high.

This patchset makes the following changes with the aim to reduce the vulnerability count and severity in the final Pegleg image by:

1. Updating the Dockerfile for Ubuntu builds to use 16.04
2. Updating the Dockerfile to install necessary packages for Pegleg to run that are not included with the ubuntu:16.04 base image
3. Renaming the Dockerfile to accurately reflect the Ubuntu distribution
4. Updating the docker build jobs in .zuul.yaml to set the distribution to ubuntu_xenial
5. Updating the Makefile to set distribution to ubuntu_xenial
6. Updating the pegleg.sh script to use the correct image tag with the changes to the distribution in (1-5)
7. Updating the documentation to reflect that the Ubuntu base image is 16.04 (Xenial)

[0]: https://quay.io/repository/airshipit/pegleg/manifest/sha256:86d47bf777216eb28c4fc3594e57b0f758fd532b7e88a17ab8e5bd4f42dcd44e?tab=vulnerabilities
[1]: https://github.com/arminc/clair-scanner

Change-Id: I3c5ef761f9ea01b9673f6a2d08c499e8dc409c9d

- doc
- images/pegleg
- pegleg
- releasenotes
- site_yamls/site
- tests
- tools
- .dockerignore
- .gitignore
- .gitreview
- .style.yapf
- .zuul.yaml
- LICENSE
- Makefile
- README.rst
- requirements.txt
- setup.py
- test-requirements.txt
- tox.ini
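The before/after Clair comparison described in the commit message above can be turned into a repeatable check. The following is an added example, not code from the Pegleg repository: it assumes two JSON reports saved from clair-scanner [1], each with a `vulnerabilities` array whose entries carry `vulnerability`, `featurename` and `severity` fields, and it runs on constructed sample data with placeholder CVE ids.

```python
import json
from collections import Counter

# Clair severity names, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High",
                  "Critical", "Defcon1"]

def rank(severity):
    """Position in SEVERITY_ORDER; unrecognised names rank highest (fail closed)."""
    if severity in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(severity)
    return len(SEVERITY_ORDER)

def load_findings(report_json):
    """Map (vulnerability id, package name) -> severity for one report."""
    report = json.loads(report_json)
    return {(v["vulnerability"], v["featurename"]): v.get("severity", "Unknown")
            for v in report.get("vulnerabilities", [])}

def compare_reports(before_json, after_json, fail_at="High"):
    """Diff two scan reports and gate the 'after' image on a severity floor."""
    before, after = load_findings(before_json), load_findings(after_json)
    threshold = rank(fail_at)
    blocking = sorted(k for k, sev in after.items() if rank(sev) >= threshold)
    return {
        "before": dict(Counter(before.values())),   # severity counts, old base
        "after": dict(Counter(after.values())),     # severity counts, new base
        "removed": sorted(set(before) - set(after)),
        "introduced": sorted(set(after) - set(before)),
        "blocking": blocking,
        "passed": not blocking,
    }

# Constructed sample reports (not real scan output); ids and packages are placeholders.
BEFORE = json.dumps({"image": "pegleg built on python:3.6", "vulnerabilities": [
    {"vulnerability": "CVE-0000-0001", "featurename": "pkg-a", "severity": "High"},
    {"vulnerability": "CVE-0000-0002", "featurename": "pkg-b", "severity": "Medium"},
    {"vulnerability": "CVE-0000-0003", "featurename": "pkg-c", "severity": "Low"},
]})
AFTER = json.dumps({"image": "pegleg built on ubuntu:16.04", "vulnerabilities": [
    {"vulnerability": "CVE-0000-0003", "featurename": "pkg-c", "severity": "Low"},
    {"vulnerability": "CVE-0000-0004", "featurename": "pkg-d", "severity": "Medium"},
]})

if __name__ == "__main__":
    print(json.dumps(compare_reports(BEFORE, AFTER), indent=2))
```

The `introduced` list matters as much as the totals: a base image swap can lower the overall count while bringing in findings the old image never had.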
README.rst
Pegleg
Introduction
Pegleg is a document aggregator that provides early linting and validations via Deckhand, a document management micro-service within Airship.
Pegleg supports local and remote Git repositories. Remote repositories can be cloned using a variety of protocols -- HTTP(S) or SSH. Afterward, specific revisions within those repositories can be checked out, their documents aggregated, linted, and passed to the rest of Airship for orchestration, allowing document authors to manage their site definitions using version control.
Find more documentation for Pegleg on Read the Docs.
Core Responsibilities
- aggregation - Aggregates all documents required for site deployment across multiple Git repositories, each of which can be used to maintain separate document sets in isolation
- linting - Configurable linting checks documents for common syntactical and semantical mistakes
Getting Started
For more detailed installation and setup information, please refer to the Getting Started guide.
Integration Points
Pegleg has the following integration points: