
ROX-10097: Use official nginx image for docs #1576

Closed
janisz wants to merge 3 commits into master from tj/use_offical_nginx_image

@janisz janisz commented May 5, 2022

Description

Current docs image contains many more packages than we need. This creates big areas for vulnerabilities.
By using a smaller official image we reduce the number of potentially vulnerable packages.

Config was obtained with `docker run -p 8081:8080 registry.access.redhat.com/ubi8/nginx-120:latest cat /etc/nginx/nginx.conf` but it will be better if we could use defaults and expose port 80 and changed to reflect new static files path.

Testing Performed

N/A

@janisz janisz requested review from msugakov and parametalol May 5, 2022 12:49
@janisz janisz force-pushed the tj/use_offical_nginx_image branch from 5218564 to 5061a58 May 5, 2022 12:50

@msugakov msugakov left a comment

Sorry. I don't think we should do this. I don't know what problem the image size causes and why it is worth solving.

@parametalol

The list of installed packages might be different, hence the vulnerable surface. I'd support the change if the difference is dramatic.
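
One way to put a number on the difference asked about above, as an added example that is not part of the PR or the project's code: the script parses `dnf list installed` output and counts packages in categories that a container serving only static files is unlikely to need. The category patterns are assumptions made for this example; the sample rows are copied from the inventory posted in this thread, with column spacing condensed.

```shell
#!/bin/sh
# Added example: summarise a `dnf list installed` inventory by category so two
# candidate base images can be compared on more than raw image size.

# Sample rows copied from the inventory posted in this thread, including the
# non-package preamble lines that the parser has to skip.
sample_inventory() {
cat <<'EOF'
Not root, Subscription Management repositories not updated

Installed Packages
bash.x86_64               4.4.20-2.el8                              @System
cmake.x86_64              3.20.2-4.el8                              @RHEL-8.5.0-updates-20220420.0-AppStream-1
dnf.noarch                4.7.0-4.el8                               @System
gdb-gdbserver.x86_64      8.2-16.el8                                @System
glibc.x86_64              2.28-164.el8_5.3                          @System
make.x86_64               1:4.2.1-10.el8                            @RHEL-8.5.0-updates-20220420.0-BaseOS-1
nginx.x86_64              1:1.20.1-1.module+el8.5.0+13723+ab304644  @RHEL-8.5.0-updates-20220420.0-AppStream-1
openssl-libs.x86_64       1:1.1.1k-6.el8_5                          @System
perl-interpreter.x86_64   4:5.26.3-420.el8                          @RHEL-8.5.0-updates-20220420.0-BaseOS-1
python3-dnf.noarch        4.7.0-4.el8                               @System
EOF
}

# Read inventory on stdin, print one package name per line without the
# architecture suffix. A package row has exactly three fields and its third
# field (the source repo) starts with "@"; everything else is preamble.
pkg_names() {
    awk 'NF == 3 && $3 ~ /^@/ { sub(/\.[^.]+$/, "", $1); print $1 }' | sort -u
}

# Map a package name to a category. These patterns are assumptions for this
# example, not a list taken from the PR. "gdb" is matched exactly or with a
# dash so that the gdbm database library is not reported as a debugger.
classify() {
    case "$1" in
        cmake*|make|pkgconf*)               echo build-tool ;;
        gdb|gdb-*)                          echo debugger ;;
        perl-*|python3-*|platform-python*)  echo interpreter ;;
        dnf*|libdnf|librepo|libsolv)        echo package-manager ;;
        *)                                  echo other ;;
    esac
}

# Read inventory on stdin, print "category count" lines sorted by category.
surface_report() {
    pkg_names | while IFS= read -r name; do classify "$name"; done |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Read inventory on stdin, print how many packages fall in a flagged category
# (anything other than "other").
flagged_count() {
    surface_report | awk '$1 != "other" { n += $2 } END { print n + 0 }'
}

sample_inventory | surface_report
```

Against a real image, pipe the output of the `dnf list installed` command shown in this thread into `surface_report` instead of the sample.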


janisz commented May 5, 2022

docker run -it -p 8081:8080 registry.access.redhat.com/ubi8/nginx-120:latest dnf list installed
Not root, Subscription Management repositories not updated

This system is not registered with an entitlement server. You can use subscription-manager to register.

Installed Packages
acl.x86_64                                          2.2.53-1.el8                                    @System                                   
audit-libs.x86_64                                   3.0-0.17.20191104git1c2f876.el8                 @System                                   
basesystem.noarch                                   11-5.el8                                        @System                                   
bash.x86_64                                         4.4.20-2.el8                                    @System                                   
bind-libs.x86_64                                    32:9.11.26-6.el8                                @RHEL-8.5.0-updates-20220420.0-AppStream-1
bind-libs-lite.x86_64                               32:9.11.26-6.el8                                @RHEL-8.5.0-updates-20220420.0-AppStream-1
bind-license.noarch                                 32:9.11.26-6.el8                                @RHEL-8.5.0-updates-20220420.0-AppStream-1
bind-utils.x86_64                                   32:9.11.26-6.el8                                @RHEL-8.5.0-updates-20220420.0-AppStream-1
brotli.x86_64                                       1.0.6-3.el8                                     @System                                   
bsdtar.x86_64                                       3.3.3-3.el8_5                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
bzip2-libs.x86_64                                   1.0.6-26.el8                                    @System                                   
ca-certificates.noarch                              2021.2.50-80.0.el8_4                            @System                                   
chkconfig.x86_64                                    1.19.1-1.el8                                    @System                                   
cmake.x86_64                                        3.20.2-4.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
cmake-data.noarch                                   3.20.2-4.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
cmake-filesystem.x86_64                             3.20.2-4.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
cmake-rpm-macros.noarch                             3.20.2-4.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
coreutils-single.x86_64                             8.30-12.el8                                     @System                                   
cracklib.x86_64                                     2.9.6-15.el8                                    @System                                   
cracklib-dicts.x86_64                               2.9.6-15.el8                                    @System                                   
crypto-policies.noarch                              20210617-1.gitc776d3e.el8                       @System                                   
crypto-policies-scripts.noarch                      20210617-1.gitc776d3e.el8                       @System                                   
cryptsetup-libs.x86_64                              2.3.3-4.el8_5.1                                 @System                                   
curl.x86_64                                         7.61.1-22.el8                                   @System                                   
cyrus-sasl-lib.x86_64                               2.1.27-6.el8_5                                  @System                                   
dbus.x86_64                                         1:1.12.8-14.el8                                 @System                                   
dbus-common.noarch                                  1:1.12.8-14.el8                                 @System                                   
dbus-daemon.x86_64                                  1:1.12.8-14.el8                                 @System                                   
dbus-glib.x86_64                                    0.110-2.el8                                     @System                                   
dbus-libs.x86_64                                    1:1.12.8-14.el8                                 @System                                   
dbus-tools.x86_64                                   1:1.12.8-14.el8                                 @System                                   
device-mapper.x86_64                                8:1.02.177-11.el8_5                             @System                                   
device-mapper-libs.x86_64                           8:1.02.177-11.el8_5                             @System                                   
dmidecode.x86_64                                    1:3.2-10.el8                                    @System                                   
dnf.noarch                                          4.7.0-4.el8                                     @System                                   
dnf-data.noarch                                     4.7.0-4.el8                                     @System                                   
dnf-plugin-subscription-manager.x86_64              1.28.21-5.el8_5                                 @System                                   
elfutils-default-yama-scope.noarch                  0.185-1.el8                                     @System                                   
elfutils-libelf.x86_64                              0.185-1.el8                                     @System                                   
elfutils-libs.x86_64                                0.185-1.el8                                     @System                                   
emacs-filesystem.noarch                             1:26.1-7.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
environment-modules.x86_64                          4.5.2-1.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
expat.x86_64                                        2.2.5-4.el8_5.3                                 @System                                   
file-libs.x86_64                                    5.33-20.el8                                     @System                                   
filesystem.x86_64                                   3.8-6.el8                                       @System                                   
findutils.x86_64                                    1:4.6.0-20.el8                                  @System                                   
fstrm.x86_64                                        0.6.1-2.el8                                     @RHEL-8.5.0-updates-20220420.0-AppStream-1
gawk.x86_64                                         4.2.1-2.el8                                     @System                                   
gdb-gdbserver.x86_64                                8.2-16.el8                                      @System                                   
gdbm.x86_64                                         1:1.18-1.el8                                    @System                                   
gdbm-libs.x86_64                                    1:1.18-1.el8                                    @System                                   
geolite2-city.noarch                                20180605-1.el8                                  @RHEL-8.5.0-updates-20220420.0-AppStream-1
geolite2-country.noarch                             20180605-1.el8                                  @RHEL-8.5.0-updates-20220420.0-AppStream-1
gettext.x86_64                                      0.19.8.1-17.el8                                 @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
gettext-libs.x86_64                                 0.19.8.1-17.el8                                 @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
glib2.x86_64                                        2.56.4-156.el8                                  @System                                   
glibc.x86_64                                        2.28-164.el8_5.3                                @System                                   
glibc-common.x86_64                                 2.28-164.el8_5.3                                @System                                   
glibc-langpack-en.x86_64                            2.28-164.el8_5.3                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
glibc-locale-source.x86_64                          2.28-164.el8_5.3                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
glibc-minimal-langpack.x86_64                       2.28-164.el8_5.3                                @System                                   
gmp.x86_64                                          1:6.1.2-10.el8                                  @System                                   
gnupg2.x86_64                                       2.2.20-2.el8                                    @System                                   
gnutls.x86_64                                       3.6.16-4.el8                                    @System                                   
gobject-introspection.x86_64                        1.56.1-1.el8                                    @System                                   
gpgme.x86_64                                        1.13.1-9.el8                                    @System                                   
grep.x86_64                                         3.1-6.el8                                       @System                                   
groff-base.x86_64                                   1.22.3-18.el8                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
gzip.x86_64                                         1.9-12.el8                                      @System                                   
hostname.x86_64                                     3.20-6.el8                                      @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
ima-evm-utils.x86_64                                1.3.2-12.el8                                    @System                                   
info.x86_64                                         6.5-6.el8                                       @System                                   
json-c.x86_64                                       0.13.1-2.el8                                    @System                                   
json-glib.x86_64                                    1.4.4-1.el8                                     @System                                   
keyutils-libs.x86_64                                1.5.10-9.el8                                    @System                                   
kmod-libs.x86_64                                    25-18.el8                                       @System                                   
krb5-libs.x86_64                                    1.18.2-14.el8                                   @System                                   
langpacks-en.noarch                                 1.0-12.el8                                      @System                                   
less.x86_64                                         530-1.el8                                       @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
libacl.x86_64                                       2.2.53-1.el8                                    @System                                   
libarchive.x86_64                                   3.3.3-3.el8_5                                   @System                                   
libassuan.x86_64                                    2.5.1-3.el8                                     @System                                   
libattr.x86_64                                      2.4.48-3.el8                                    @System                                   
libblkid.x86_64                                     2.32.1-28.el8                                   @System                                   
libcap.x86_64                                       2.26-5.el8                                      @System                                   
libcap-ng.x86_64                                    0.7.11-1.el8                                    @System                                   
libcom_err.x86_64                                   1.45.6-2.el8                                    @System                                   
libcomps.x86_64                                     0.1.16-2.el8                                    @System                                   
libcroco.x86_64                                     0.6.12-4.el8_2.1                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
libcurl.x86_64                                      7.61.1-22.el8                                   @System                                   
libdb.x86_64                                        5.3.28-42.el8_4                                 @System                                   
libdb-utils.x86_64                                  5.3.28-42.el8_4                                 @System                                   
libdnf.x86_64                                       0.63.0-3.el8                                    @System                                   
libfdisk.x86_64                                     2.32.1-28.el8                                   @System                                   
libffi.x86_64                                       3.1-22.el8                                      @System                                   
libgcc.x86_64                                       8.5.0-4.el8_5                                   @System                                   
libgcrypt.x86_64                                    1.8.5-6.el8                                     @System                                   
libgomp.x86_64                                      8.5.0-4.el8_5                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
libgpg-error.x86_64                                 1.31-1.el8                                      @System                                   
libidn2.x86_64                                      2.2.0-1.el8                                     @System                                   
libksba.x86_64                                      1.3.5-7.el8                                     @System                                   
libmaxminddb.x86_64                                 1.2.0-10.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
libmodulemd.x86_64                                  2.13.0-1.el8                                    @System                                   
libmount.x86_64                                     2.32.1-28.el8                                   @System                                   
libnghttp2.x86_64                                   1.33.0-3.el8_2.1                                @System                                   
libnl3.x86_64                                       3.5.0-1.el8                                     @System                                   
libnsl2.x86_64                                      1.2.0-2.20180605git4a062cf.el8                  @System                                   
libpipeline.x86_64                                  1.5.0-2.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
libpkgconf.x86_64                                   1.4.2-1.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
libpsl.x86_64                                       0.20.2-6.el8                                    @System                                   
libpwquality.x86_64                                 1.4.4-3.el8                                     @System                                   
librepo.x86_64                                      1.14.0-2.el8                                    @System                                   
libreport-filesystem.x86_64                         2.9.5-15.el8                                    @System                                   
librhsm.x86_64                                      0.0.3-4.el8                                     @System                                   
libseccomp.x86_64                                   2.5.1-1.el8                                     @System                                   
libselinux.x86_64                                   2.9-5.el8                                       @System                                   
libsemanage.x86_64                                  2.9-6.el8                                       @System                                   
libsepol.x86_64                                     2.9-3.el8                                       @System                                   
libsigsegv.x86_64                                   2.11-5.el8                                      @System                                   
libsmartcols.x86_64                                 2.32.1-28.el8                                   @System                                   
libsolv.x86_64                                      0.7.19-1.el8                                    @System                                   
libssh.x86_64                                       0.9.4-3.el8                                     @System                                   
libssh-config.noarch                                0.9.4-3.el8                                     @System                                   
libstdc++.x86_64                                    8.5.0-4.el8_5                                   @System                                   
libtasn1.x86_64                                     4.13-3.el8                                      @System                                   
libtirpc.x86_64                                     1.1.4-5.el8                                     @System                                   
libunistring.x86_64                                 0.9.9-3.el8                                     @System                                   
libusbx.x86_64                                      1.0.23-4.el8                                    @System                                   
libuser.x86_64                                      0.62-23.el8                                     @System                                   
libutempter.x86_64                                  1.1.6-14.el8                                    @System                                   
libuuid.x86_64                                      2.32.1-28.el8                                   @System                                   
libuv.x86_64                                        1:1.41.1-1.el8_4                                @RHEL-8.5.0-updates-20220420.0-AppStream-1
libverto.x86_64                                     0.3.0-5.el8                                     @System                                   
libxcrypt.x86_64                                    4.1.1-6.el8                                     @System                                   
libxml2.x86_64                                      2.9.7-12.el8_5                                  @System                                   
libyaml.x86_64                                      0.1.7-5.el8                                     @System                                   
libzstd.x86_64                                      1.4.4-1.el8                                     @System                                   
lua-libs.x86_64                                     5.3.4-12.el8                                    @System                                   
lz4-libs.x86_64                                     1.8.3-3.el8_4                                   @System                                   
make.x86_64                                         1:4.2.1-10.el8                                  @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
man-db.x86_64                                       2.7.6.1-18.el8                                  @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
mpfr.x86_64                                         3.1.6-1.el8                                     @System                                   
ncurses.x86_64                                      6.1-9.20180224.el8                              @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
ncurses-base.noarch                                 6.1-9.20180224.el8                              @System                                   
ncurses-libs.x86_64                                 6.1-9.20180224.el8                              @System                                   
nettle.x86_64                                       3.4.1-7.el8                                     @System                                   
nginx.x86_64                                        1:1.20.1-1.module+el8.5.0+13723+ab304644        @RHEL-8.5.0-updates-20220420.0-AppStream-1
nginx-filesystem.noarch                             1:1.20.1-1.module+el8.5.0+13723+ab304644        @RHEL-8.5.0-updates-20220420.0-AppStream-1
nginx-mod-http-perl.x86_64                          1:1.20.1-1.module+el8.5.0+13723+ab304644        @RHEL-8.5.0-updates-20220420.0-AppStream-1
nginx-mod-stream.x86_64                             1:1.20.1-1.module+el8.5.0+13723+ab304644        @RHEL-8.5.0-updates-20220420.0-AppStream-1
npth.x86_64                                         1.5-4.el8                                       @System                                   
nss_wrapper.x86_64                                  1.1.5-3.el8                                     @RHEL-8.5.0-updates-20220420.0-AppStream-1
openldap.x86_64                                     2.4.46-18.el8                                   @System                                   
openssl.x86_64                                      1:1.1.1k-6.el8_5                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
openssl-libs.x86_64                                 1:1.1.1k-6.el8_5                                @System                                   
p11-kit.x86_64                                      0.23.22-1.el8                                   @System                                   
p11-kit-trust.x86_64                                0.23.22-1.el8                                   @System                                   
pam.x86_64                                          1.3.1-15.el8                                    @System                                   
passwd.x86_64                                       0.80-3.el8                                      @System                                   
pcre.x86_64                                         8.42-6.el8                                      @System                                   
pcre2.x86_64                                        10.32-2.el8                                     @System                                   
perl-Carp.noarch                                    1.42-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Data-Dumper.x86_64                             2.167-399.el8                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Digest.noarch                                  1.17-395.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-Digest-MD5.x86_64                              2.55-396.el8                                    @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-Encode.x86_64                                  4:2.97-3.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Errno.x86_64                                   1.28-420.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Exporter.noarch                                5.72-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-File-Path.noarch                               2.15-2.el8                                      @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-File-Temp.noarch                               0.230.600-1.el8                                 @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Getopt-Long.noarch                             1:2.50-4.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-HTTP-Tiny.noarch                               0.074-1.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-IO.x86_64                                      1.38-420.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-IO-Socket-IP.noarch                            0.39-5.el8                                      @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-IO-Socket-SSL.noarch                           2.066-4.module+el8.3.0+6446+594cad75            @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-MIME-Base64.x86_64                             3.15-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Mozilla-CA.noarch                              20160104-7.module+el8.3.0+6498+9eecfe51         @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-Net-SSLeay.x86_64                              1.88-1.module+el8.3.0+6446+594cad75             @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-PathTools.x86_64                               3.74-1.el8                                      @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Pod-Escapes.noarch                             1:1.07-395.el8                                  @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Pod-Perldoc.noarch                             3.28-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Pod-Simple.noarch                              1:3.35-395.el8                                  @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Pod-Usage.noarch                               4:1.69-395.el8                                  @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Scalar-List-Utils.x86_64                       3:1.49-2.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Socket.x86_64                                  4:2.027-3.el8                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Storable.x86_64                                1:3.11-3.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Term-ANSIColor.noarch                          4.06-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Term-Cap.noarch                                1.17-395.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Text-ParseWords.noarch                         3.30-395.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Text-Tabs+Wrap.noarch                          2013.0523-395.el8                               @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-Time-Local.noarch                              1:1.280-1.el8                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-URI.noarch                                     1.73-3.el8                                      @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-Unicode-Normalize.x86_64                       1.25-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-constant.noarch                                1.33-396.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-interpreter.x86_64                             4:5.26.3-420.el8                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-libnet.noarch                                  3.11-3.el8                                      @RHEL-8.5.0-updates-20220420.0-AppStream-1
perl-libs.x86_64                                    4:5.26.3-420.el8                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-macros.x86_64                                  4:5.26.3-420.el8                                @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-parent.noarch                                  1:0.237-1.el8                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-podlators.noarch                               4.11-1.el8                                      @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-threads.x86_64                                 1:2.21-2.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
perl-threads-shared.x86_64                          1.58-2.el8                                      @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
pkgconf.x86_64                                      1.4.2-1.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
pkgconf-m4.noarch                                   1.4.2-1.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
pkgconf-pkg-config.x86_64                           1.4.2-1.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
platform-python.x86_64                              3.6.8-41.el8                                    @System                                   
platform-python-setuptools.noarch                   39.2.0-6.el8                                    @System                                   
popt.x86_64                                         1.18-1.el8                                      @System                                   
procps-ng.x86_64                                    3.3.15-6.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
protobuf-c.x86_64                                   1.3.0-6.el8                                     @RHEL-8.5.0-updates-20220420.0-AppStream-1
publicsuffix-list-dafsa.noarch                      20180723-1.el8                                  @System                                   
python3-bind.noarch                                 32:9.11.26-6.el8                                @RHEL-8.5.0-updates-20220420.0-AppStream-1
python3-chardet.noarch                              3.0.4-7.el8                                     @System                                   
python3-cloud-what.x86_64                           1.28.21-5.el8_5                                 @System                                   
python3-dateutil.noarch                             1:2.6.1-6.el8                                   @System                                   
python3-dbus.x86_64                                 1.2.4-15.el8                                    @System                                   
python3-decorator.noarch                            4.2.1-2.el8                                     @System                                   
python3-dmidecode.x86_64                            3.12.2-15.el8                                   @System                                   
python3-dnf.noarch                                  4.7.0-4.el8                                     @System                                   
python3-dnf-plugins-core.noarch                     4.0.21-4.el8_5                                  @System                                   
python3-ethtool.x86_64                              0.14-3.el8                                      @System                                   
python3-gobject-base.x86_64                         3.28.3-2.el8                                    @System                                   
python3-gpg.x86_64                                  1.13.1-9.el8                                    @System                                   
python3-hawkey.x86_64                               0.63.0-3.el8                                    @System                                   
python3-idna.noarch                                 2.5-5.el8                                       @System                                   
python3-iniparse.noarch                             0.4-31.el8                                      @System                                   
python3-inotify.noarch                              0.9.6-13.el8                                    @System                                   
python3-libcomps.x86_64                             0.1.16-2.el8                                    @System                                   
python3-libdnf.x86_64                               0.63.0-3.el8                                    @System                                   
python3-librepo.x86_64                              1.14.0-2.el8                                    @System                                   
python3-libs.x86_64                                 3.6.8-41.el8                                    @System                                   
python3-libxml2.x86_64                              2.9.7-12.el8_5                                  @System                                   
python3-pip-wheel.noarch                            9.0.3-20.el8                                    @System                                   
python3-ply.noarch                                  3.9-9.el8                                       @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
python3-pysocks.noarch                              1.6.8-3.el8                                     @System                                   
python3-requests.noarch                             2.20.0-2.1.el8_1                                @System                                   
python3-rpm.x86_64                                  4.14.3-19.el8_5.2                               @System                                   
python3-setuptools-wheel.noarch                     39.2.0-6.el8                                    @System                                   
python3-six.noarch                                  1.11.0-8.el8                                    @System                                   
python3-subscription-manager-rhsm.x86_64            1.28.21-5.el8_5                                 @System                                   
python3-syspurpose.x86_64                           1.28.21-5.el8_5                                 @System                                   
python3-urllib3.noarch                              1.24.2-5.el8                                    @System                                   
readline.x86_64                                     7.0-10.el8                                      @System                                   
redhat-logos-httpd.noarch                           84.5-1.el8                                      @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
redhat-release.x86_64                               8.5-0.8.el8                                     @System                                   
rootfiles.noarch                                    8.1-22.el8                                      @System                                   
rpm.x86_64                                          4.14.3-19.el8_5.2                               @System                                   
rpm-build-libs.x86_64                               4.14.3-19.el8_5.2                               @System                                   
rpm-libs.x86_64                                     4.14.3-19.el8_5.2                               @System                                   
rsync.x86_64                                        3.1.3-12.el8                                    @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
scl-utils.x86_64                                    1:2.0.2-14.el8                                  @RHEL-8.5.0-updates-20220420.0-AppStream-1
sed.x86_64                                          4.5-2.el8                                       @System                                   
setup.noarch                                        2.12.2-6.el8                                    @System                                   
shadow-utils.x86_64                                 2:4.6-14.el8                                    @System                                   
sqlite-libs.x86_64                                  3.26.0-15.el8                                   @System                                   
subscription-manager.x86_64                         1.28.21-5.el8_5                                 @System                                   
subscription-manager-rhsm-certificates.x86_64       1.28.21-5.el8_5                                 @System                                   
systemd.x86_64                                      239-51.el8_5.5                                  @System                                   
systemd-libs.x86_64                                 239-51.el8_5.5                                  @System                                   
systemd-pam.x86_64                                  239-51.el8_5.5                                  @System                                   
tar.x86_64                                          2:1.30-5.el8                                    @System                                   
tcl.x86_64                                          1:8.6.8-2.el8                                   @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
tpm2-tss.x86_64                                     2.3.2-4.el8                                     @System                                   
tzdata.noarch                                       2022a-1.el8                                     @System                                   
unzip.x86_64                                        6.0-45.el8_4                                    @rhel-8-for-x86_64-baseos-rpms            
usermode.x86_64                                     1.113-2.el8                                     @System                                   
util-linux.x86_64                                   2.32.1-28.el8                                   @System                                   
vim-filesystem.noarch                               2:8.0.1763-16.el8_5.13                          @RHEL-8.5.0-updates-20220420.0-AppStream-1
vim-minimal.x86_64                                  2:8.0.1763-16.el8_5.13                          @System                                   
virt-what.x86_64                                    1.18-12.el8                                     @System                                   
which.x86_64                                        2.21-16.el8                                     @System                                   
xz.x86_64                                           5.2.4-3.el8                                     @RHEL-8.5.0-updates-20220420.0-BaseOS-1   
xz-libs.x86_64                                      5.2.4-3.el8                                     @System                                   
yum.noarch                                          4.7.0-4.el8                                     @System                                   
zlib.x86_64                                         1.2.11-17.el8                                   @System  

docker run nginx:alpine apk -vv info|sort
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/community: No such file or directory
alpine-baselayout-3.2.0-r18 - Alpine base dir structure and init scripts
alpine-keys-2.4-r1 - Public keys for Alpine Linux packages
apk-tools-2.12.7-r3 - Alpine Package Keeper - package manager for alpine
brotli-libs-1.0.9-r5 - Generic lossless compressor (libraries)
busybox-1.34.1-r5 - Size optimized toolbox of many common UNIX utilities
ca-certificates-20211220-r0 - Common CA certificates PEM files from Mozilla
ca-certificates-bundle-20211220-r0 - Pre generated bundle of Mozilla certificates
curl-7.80.0-r0 - URL retrival utility and library
freetype-2.11.1-r0 - TrueType font rendering library
geoip-1.6.12-r2 - Lookup countries by IP addresses
libbz2-1.0.8-r1 - Shared library for bz2
libcrypto1.1-1.1.1n-r0 - Crypto library from openssl
libcurl-7.80.0-r0 - The multiprotocol file transfer library
libc-utils-0.7.2-r3 - Meta package to pull in correct libc
libedit-20210910.3.1-r0 - BSD line editing library
libgcrypt-1.9.4-r0 - General purpose crypto library based on the code used in GnuPG
libgd-2.3.2-r1 - Library for the dynamic creation of images by programmers (libraries)
libgpg-error-1.42-r1 - Support library for libgcrypt
libintl-0.21-r0 - GNU gettext runtime library
libjpeg-turbo-2.1.2-r0 - Accelerated baseline JPEG compression and decompression library
libpng-1.6.37-r1 - Portable Network Graphics library
libretls-3.3.4-r3 - port of libtls from libressl to openssl
libssl1.1-1.1.1n-r0 - SSL shared libraries
libwebp-1.2.2-r0 - Libraries for working with WebP images
libxml2-2.9.13-r0 - XML parsing library, version 2
libxslt-1.1.35-r0 - XML stylesheet transformation library
musl-1.2.2-r7 - the musl c library (libc) implementation
musl-utils-1.2.2-r7 - the musl c library (libc) implementation
ncurses-libs-6.3_p20211120-r0 - Ncurses libraries
ncurses-terminfo-base-6.3_p20211120-r0 - Descriptions of common terminals
nghttp2-libs-1.46.0-r0 - Experimental HTTP/2 client, server and proxy (libraries)
nginx-1.21.6-r1 - High performance web server
nginx-module-geoip-1.21.6-r1 - nginx GeoIP dynamic modules
nginx-module-image-filter-1.21.6-r1 - nginx image filter dynamic module
nginx-module-njs-1.21.6.0.7.2-r1 - nginx njs dynamic modules
nginx-module-xslt-1.21.6-r1 - nginx xslt dynamic module
pcre2-10.39-r0 - Perl-compatible regular expression library
scanelf-1.3.3-r0 - Scan ELF binaries for stuff
ssl_client-1.34.1-r5 - EXternal ssl_client for busybox wget
tzdata-2022a-r0 - Timezone data
xz-libs-5.2.5-r0 - Library and CLI tools for XZ and LZMA compressed files (libraries)
zlib-1.2.12-r0 - A compression/decompression Library

@msugakov Do we need emacs, perl and python? Recent vulnerabilities were reported in one of the python libs and that's why we move to ubi minimal (#1054) or micro (#1220).
As @0x656b694d mentioned, maybe we don't need a server at all. If that's possible, it will be best to ship a tarball with the static website files.

https://quay.io/repository/rhacs-eng/docs/manifest/sha256:c1b72210d1ca84b9087ca1883b4a9fb2c4ba822a8c33e135ba29ac8c3a98b404?tab=packages
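
An added example, not part of the PR or of anyone's comment: one way to reduce the two listings above to a comparable summary (package counts, language-runtime packages, names present in both images). The regexes, the `RUNTIME_PREFIXES` rule and the function names are assumptions of this sketch; the sample lines are taken from the listings with the column padding shortened.

```python
import re

# Sample input: a few lines from the two listings in this thread, padding shortened.
DNF_SAMPLE = """\
perl-macros.x86_64      4:5.26.3-420.el8     @RHEL-8.5.0-updates-20220420.0-BaseOS-1
platform-python.x86_64  3.6.8-41.el8         @System
python3-requests.noarch 2.20.0-2.1.el8_1     @System
rsync.x86_64            3.1.3-12.el8         @RHEL-8.5.0-updates-20220420.0-BaseOS-1
zlib.x86_64             1.2.11-17.el8        @System
"""
APK_SAMPLE = """\
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/main: No such file or directory
busybox-1.34.1-r5 - Size optimized toolbox of many common UNIX utilities
libcrypto1.1-1.1.1n-r0 - Crypto library from openssl
nginx-module-njs-1.21.6.0.7.2-r1 - nginx njs dynamic modules
zlib-1.2.12-r0 - A compression/decompression Library
"""

# `dnf list installed`: name.arch, [epoch:]version-release, @repo
DNF_LINE = re.compile(r"^(?P<name>\S+)\.\w+\s+(?P<ver>\S+)\s+@\S+\s*$")
# `apk -vv info`: name-version-rN - description (the name may itself contain digits and dots)
APK_LINE = re.compile(r"^(?P<name>.+)-(?P<ver>\d[^\s-]*-r\d+) - ")
# Assumed triage rule: name prefixes of the language runtimes questioned in this thread.
RUNTIME_PREFIXES = ("perl", "python", "platform-python", "emacs")

def parse(text, line_re):
    """Return {name: version}; banner and WARNING lines do not match and are skipped."""
    found = (line_re.match(line) for line in text.splitlines())
    return {m["name"]: m["ver"] for m in found if m}

def runtimes(pkgs):
    """Packages whose name marks a language runtime or one of its libraries."""
    return sorted(name for name in pkgs if name.startswith(RUNTIME_PREFIXES))

def compare(dnf_text, apk_text):
    ubi, alpine = parse(dnf_text, DNF_LINE), parse(apk_text, APK_LINE)
    return {
        "ubi_count": len(ubi),
        "alpine_count": len(alpine),
        "ubi_runtimes": runtimes(ubi),
        "alpine_runtimes": runtimes(alpine),
        "shared_names": sorted(set(ubi) & set(alpine)),
    }

if __name__ == "__main__":
    for key, value in compare(DNF_SAMPLE, APK_SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the full output of both commands gives the counts for the whole images; the same names can carry different versions in each image, so a shared name is not evidence of a shared vulnerability.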

@janisz janisz marked this pull request as draft May 5, 2022 14:25
@ghost

ghost commented May 5, 2022

Tag for build #517332 is 3.70.x-5-g338b33e7dc.

💻 For deploying this image using the dev scripts, run the following first:

export MAIN_IMAGE_TAG='3.70.x-5-g338b33e7dc'

🕹️ A roxctl binary can be downloaded from the CircleCI artifacts.

@msugakov
Contributor

msugakov commented May 5, 2022

First things first, here's a link to a Slack thread with the context https://srox.slack.com/archives/C0321S70YK1/p1651168113744619
Here's a Slack thread about why shipping docs as tarball should better be discussed with PMs https://srox.slack.com/archives/CELUQKESC/p1650976966100689

Secondly, if the problem that we're solving is vulnerabilities in the docs image, we can try to address it by adding dnf upgrade -y, just like how it was done for scanner images. See here
https://github.com/stackrox/scanner/blob/28fbde2c5304640da6dd1ff08371ff102b605513/image/scanner/rhel/Dockerfile#L27

The spell looks like this

RUN dnf upgrade -y && \
    dnf clean all && \
    rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
    rm -rf /var/cache/dnf /var/cache/yum

WDYT @janisz

@msugakov
Contributor

msugakov commented May 5, 2022

Finally, you may want to link this PR to https://issues.redhat.com/browse/ROX-10097 @janisz

@msugakov
Contributor

msugakov commented May 5, 2022

Also, I don't know why there is such a concern about the ubi8/nginx-120 image. It looks like there's only one vulnerability, with gzip, that is updated if you run dnf upgrade.
https://catalog.redhat.com/software/containers/ubi8/nginx-120/6156abfac739c0a4123a86fd?container-tabs=security

@janisz
Contributor Author

janisz commented May 5, 2022

We used to have dnf upgrade in main image and it does not solve vulns we had so we switched to ubi-mini in #1054.
My point is to use minimal possible image to minimize vulnerability surface.
What are the benefits of using registry.access.redhat.com/ubi8/nginx-120:latest over nginx:alpine?

@msugakov
Contributor

msugakov commented May 5, 2022

The main point for me to stick with the Red Hat images is consistency. We also use ubi/nginx from Red Hat registry downstream (although that one wasn't updated 1.18->1.20). Having a smaller difference between upstream and downstream dockerfiles saves mental overhead when adapting changes and allows detecting issues during normal CI.

To the example you are providing, vulnerabilities are temporal. I am 100% sure that if you'd stay with just-ubi longer, dnf upgrade would solve all issues. There is a problem with how security updates are published, and anomalies happen in the process due to which the vulnerability was already classified as fixable but the RPM package remained unavailable.
I think that nginx-120 with dnf upgrade today wouldn't have vulns. Moreover, you can do some package removals for redundant stuff if you don't like language runtimes.

@janisz janisz closed this May 5, 2022
@janisz janisz deleted the tj/use_offical_nginx_image branch May 5, 2022 22:17
@janisz janisz requested a review from stehessel May 11, 2022 12:13
@janisz janisz changed the title Use official nginx image for docs ROX-10097: Use official nginx image for docs May 18, 2022