
ROX-9598: Use ubi-minimal image #1054

Merged
janisz merged 4 commits into master from tj/use-ubi8-minimal-1
Mar 26, 2022

Conversation

@janisz
Contributor

@janisz janisz commented Mar 23, 2022

Description

Currently we are using the full ubi image, which has all kinds of different packages installed by default.
Since our application is a simple executable and we only need a couple of compression libs (for bleve, rocksdb) and some unix tools (kill for tests), we can use ubi-minimal to limit potential vulnerabilities. In the future we can even switch to ubi-micro to reduce the number of tools/libs even more.

Once it gets merged we can revert #906, as the vulnerabilities should get fixed.

Checklist

  • Investigated and inspected CI test results
  • Unit test and regression tests added
  • Evaluated and added CHANGELOG entry if required
  • Determined and documented upgrade steps
  • Documented user facing changes (create PR based on stackrox/openshift-docs and merge into rhacs-docs)

If any of these don't apply, please comment below.

Testing Performed

CI

@janisz janisz marked this pull request as draft March 23, 2022 15:21
@ghost

ghost commented Mar 23, 2022

Tag for build #355918 is 3.69.x-211-g8f45d7db74.

💻 For deploying this image using the dev scripts, run the following first:

export MAIN_IMAGE_TAG='3.69.x-211-g8f45d7db74'

📦 You can also generate an installation bundle with:

docker run -i --rm stackrox/main:3.69.x-211-g8f45d7db74 central generate interactive > bundle.zip

🕹️ A roxctl binary artifact can be downloaded from CircleCI.

@janisz janisz force-pushed the tj/use-ubi8-minimal-1 branch from 3c220d4 to 5de5c0d Compare March 23, 2022 17:12
@janisz janisz force-pushed the tj/use-ubi8-minimal-1 branch 3 times, most recently from 17e4977 to 0fa8268 Compare March 24, 2022 18:50
@janisz janisz force-pushed the tj/use-ubi8-minimal-1 branch from 8d73652 to 28c096d Compare March 25, 2022 15:12
@janisz janisz force-pushed the tj/use-ubi8-minimal-1 branch from 2940c57 to 8f45d7d Compare March 25, 2022 17:40
@janisz janisz changed the title WIP: Tj/use ubi8 minimal 1 ROX-9598: Use ubi-minimal image Mar 25, 2022
dnf clean all && \
microdnf upgrade && \
rpm -i /tmp/snappy.rpm && \
microdnf install lz4 bzip2 util-linux && \
Contributor Author


util-linux brings kill, which is used in e2e tests

set -euo pipefail

[ -d /usr/local/share/ca-certificates ] || exit 0
[ "$(find /usr/local/share/ca-certificates -maxdepth 1 -name '*.crt' | wc -l)" -gt 0 ] || exit 0
Contributor Author


find is not available on ubi-minimal, so we need to handle this without it

@janisz janisz requested review from msugakov and parametalol March 25, 2022 19:16
@janisz janisz marked this pull request as ready for review March 25, 2022 19:17
@janisz janisz requested a review from gavin-stackrox March 25, 2022 20:46
@janisz janisz enabled auto-merge (squash) March 25, 2022 20:47
@gavin-stackrox
Contributor

It would be good to see how this image fares with all qa tests and maybe some OS4 clusters.

@janisz janisz added the ci-aks-tests and ci-all-qa-tests (Tells CI to run all API tests (not just BAT).) labels Mar 25, 2022
@janisz
Contributor Author

janisz commented Mar 25, 2022

@gavin-stackrox I added labels and rerun workflow.

Some of tests are not stable so there could be failures not related to this change.

@gavin-stackrox
Contributor

@gavin-stackrox I added labels and rerun workflow.

Some of tests are not stable so there could be failures not related to this change.

haha. that is a lot of labels.

[ "$(find /usr/local/share/ca-certificates -maxdepth 1 -name '*.crt' | wc -l)" -gt 0 ] || exit 0
cp -L /usr/local/share/ca-certificates/* /etc/pki/ca-trust/source/anchors
update-ca-trust
cp -L /usr/local/share/ca-certificates/* /etc/pki/ca-trust/source/anchors && update-ca-trust || echo "No custom certificates"
Contributor

@gavin-stackrox gavin-stackrox Mar 25, 2022


So update-ca-trust will fail if there is nothing in /etc/pki/ca-trust/source/anchors, and cp -L /usr/local/share/ca-certificates/* /etc/pki/ca-trust/source/anchors will fail if there is nothing in /usr/local/share/ca-certificates/*? In which case the find was never required?
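The certificate-import step discussed in this thread, written as an added POSIX sh example rather than the PR's own script: it avoids find (absent on ubi-minimal) by testing the *.crt glob directly, and unlike the "cp ... && update-ca-trust || echo" form it keeps a real copy failure distinguishable from an empty certificate directory. The directory paths are passed in by the caller and the update-ca-trust call is left out so it runs anywhere; both are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the PR. Import custom CA certificates on an
# image without find (ubi-minimal), distinguishing "nothing to import" from a
# real copy failure. Directory names are assumptions passed in by the caller.
set -eu

# Return 0 if DIR holds at least one regular *.crt file, 1 otherwise.
# In POSIX sh an unmatched glob stays literal, so the -f test on the literal
# pattern "DIR/*.crt" fails and the loop correctly reports no certificates.
has_crt_files() {
    dir=$1
    for f in "$dir"/*.crt; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Copy the certificates into the trust anchors directory and print one word
# describing the outcome, so callers (and tests) can check what happened.
# Exit status is non-zero only for a genuine failure.
import_custom_certs() {
    src=$1
    anchors=$2
    if [ ! -d "$src" ]; then
        echo "no-source-dir"
        return 0
    fi
    if ! has_crt_files "$src"; then
        echo "no-certificates"
        return 0
    fi
    mkdir -p "$anchors"
    # Unlike "cp ... && update-ca-trust || echo", a copy error here is not
    # swallowed: it is reported and propagated to the caller.
    if ! cp -L "$src"/*.crt "$anchors"/; then
        echo "copy-failed"
        return 1
    fi
    # On a real RHEL/UBI system update-ca-trust would run here; it is left
    # out so the example stays self-contained and runnable anywhere.
    echo "imported"
}

# Constructed sample layout: one empty directory and one with a dummy cert.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/certs-empty" "$DEMO_ROOT/certs-populated"
printf 'dummy certificate body\n' > "$DEMO_ROOT/certs-populated/corp-root.crt"
import_custom_certs "$DEMO_ROOT/certs-populated" "$DEMO_ROOT/anchors"
import_custom_certs "$DEMO_ROOT/certs-empty" "$DEMO_ROOT/anchors"
```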

Contributor

@gavin-stackrox gavin-stackrox left a comment


LGTM, I will approve depending on CI in a few hours and then it will auto-merge.

@janisz
Contributor Author

janisz commented Mar 26, 2022

az aro create --resource-group acs-1648289903 --name acs-1648289903 --vnet acs-1648289903 --master-subnet master-subnet --worker-subnet worker-subnet --worker-count 4 --worker-vm-size Standard_D4s_v3 --pull-secret @/root/.redhat/pull-secret.txt --verbose
(ResourceQuotaExceeded) Resource quota of cores exceeded. Maximum allowed: 328, Current in use: 296, Additional requested: 40.
Code: ResourceQuotaExceeded

@gavin-stackrox gavin-stackrox self-requested a review March 26, 2022 17:43
Contributor

@gavin-stackrox gavin-stackrox left a comment


CI looks good.

@janisz janisz merged commit b2b2c7d into master Mar 26, 2022
@janisz janisz deleted the tj/use-ubi8-minimal-1 branch March 26, 2022 17:43
RTann pushed a commit that referenced this pull request Apr 6, 2022
Co-authored-by: Michaël Petrov <michael@redhat.com>