7d440b39e9
Currently the Pegleg base image is python:3.6, after a full build of the Pegleg image and pushing it to quay it was discovered that the final image had more than 600 vulnerabilities in the image scan report [0]. When inspecting other Airship projects it became evident that only the Pegleg and Spyglass projects were using python:3.6. The remaining projects use ubuntu:16.04 as their default base image Locally scanning with Clair [1] confirmed that the base image plays a substantial role in the number and severity of vulnerabilities present in the final Pegleg image. By switching from python:3.6 to ubuntu:16.04 the number of vulnerabilities reported by Clair was reduced to 130, none of which were high - from the original 600+ with ~50 high. This patchset makes the following changes with the aim to reduce the vulnerability count and severity in the final Pegleg image by: 1. Updating the Dockerfile for Ubuntu builds to use 16.04 2. Updating the Dockerfile to install necessary packages for Pegleg to run that are not included with the ubuntu:16.04 base image 3. Renaming the Dockerfile to accurately reflect the Ubuntu distribution 4. Updating the docker build jobs in .zuul.yaml to set the distribution to ubuntu_xenial 5. Updating the Makefile to set distribution to ubuntu_xenial 6. Updating the pegleg.sh script to use the correct image tag with the changes to the distribution in (1-5) 7. Updating the documentation to reflect that the Ubuntu base image is 16.04 (Xenial) [0]: https://quay.io/repository/airshipit/pegleg/manifest/sha256:86d47bf777216eb28c4fc3594e57b0f758fd532b7e88a17ab8e5bd4f42dcd44e?tab=vulnerabilities [1]: https://github.com/arminc/clair-scanner Change-Id: I3c5ef761f9ea01b9673f6a2d08c499e8dc409c9d |
||
|---|---|---|
| .. | ||
| Dockerfile.opensuse_15 | ||
| Dockerfile.ubuntu_xenial | ||