
ROX-10097: Do dnf upgrade in docs container to aid with rpm vulns#1590

Merged
msugakov merged 3 commits into master from misha/ROX-10097-dnf-upgrade-docs
May 9, 2022

Conversation

@msugakov Contributor

@msugakov msugakov commented May 6, 2022

Description

This follows up on #1576

Note that I don't know if this fully addresses ROX-10097 because one needs to see nightly run results. This change should make things better but then I'd leave it to nightly tests to tell us vuln results.

Checklist

  • Investigated and inspected CI test results
  • [ ] Unit test and regression tests added - not for this change.
  • [ ] Evaluated and added CHANGELOG entry if required - not needed.
  • [ ] Determined and documented upgrade steps - not needed.
  • [ ] Documented user facing changes (create PR based on stackrox/openshift-docs and merge into rhacs-docs) - none.

Testing Performed

@msugakov msugakov requested review from janisz and parametalol May 6, 2022 07:10
@msugakov Contributor Author

msugakov commented May 6, 2022

The previous build failed because the default nginx user is non-root. See https://app.circleci.com/pipelines/github/stackrox/stackrox/11261/workflows/3ee11cc6-ee49-4f4e-9d02-aa16acc71696/jobs/520583

Step 11/14 : RUN dnf upgrade -y &&     dnf clean all &&     rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') &&     rm -rf /var/cache/dnf /var/cache/yum
 ---> Running in b9296a76ba22
Not root, Subscription Management repositories not updated

This system is not registered with an entitlement server. You can use subscription-manager to register.

Error: This command has to be run with superuser privileges (under the root user on most systems).

Therefore I made the container flip to root to do rpm stuff.

@ghost

ghost commented May 6, 2022

Tag for build #526749 is 3.70.x-15-g8b6866f6e7.

💻 For deploying this image using the dev scripts, run the following first:

export MAIN_IMAGE_TAG='3.70.x-15-g8b6866f6e7'

🕹️ A roxctl binary can be downloaded from the CircleCI artifacts.

@msugakov msugakov requested review from gavin-stackrox and janisz May 6, 2022 14:21
docs/Dockerfile Outdated
# Switch back to the normal user of nginx container and check that we really switch to the original one.
USER 1001:0
RUN echo "If the following command fails, update USER statement to match UID:GID of the user of nginx base container." && \
[ "$(id -u):$(id -g)" = "$(cat /tmp/container-uid)" ] && \
Contributor

maybe a single = works in sh but it looks wrong to me.

Suggested change
[ "$(id -u):$(id -g)" = "$(cat /tmp/container-uid)" ] && \
[ "$(id -u):$(id -g)" == "$(cat /tmp/container-uid)" ] && \

Contributor Author

The thing is: I used the test ([) external command, not the bash built-in [[. I believe test's equality check is only =. From man test:

       STRING1 = STRING2
              the strings are equal

I checked that [[ works in that command too, so I'm using that now.
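The full root-flip sequence discussed in this thread (record the base image's user, switch to root for dnf/rpm, switch back and verify), as an added example that is not the docs/Dockerfile from this PR. The base image name, the copied content and the `BASE_IMAGE` build arg are assumptions for illustration; `USER 1001:0`, the package list and the check line are taken from the snippets quoted above. The check uses the POSIX `=` operator so it works whether `/bin/sh` is bash or not.

```dockerfile
# Added example, not the stackrox docs/Dockerfile. BASE_IMAGE is an assumption:
# any image whose default user is non-root and whose UID:GID you want to keep.
ARG BASE_IMAGE=registry.access.redhat.com/ubi8/nginx-120
FROM ${BASE_IMAGE}

# Step 1: still running as the base image's default (non-root) user. Record
# its UID:GID so the switch back can be verified instead of assumed.
RUN echo "$(id -u):$(id -g)" > /tmp/container-uid

# Step 2: dnf and rpm refuse to run as non-root ("This command has to be run
# with superuser privileges"), so become root for the package work only.
USER 0
RUN dnf upgrade -y && \
    dnf clean all && \
    rpm --verbose -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
    rm -rf /var/cache/dnf /var/cache/yum

# Step 3: drop back to the original user. USER cannot read a file, so the
# UID:GID is hard-coded; the RUN fails the build if it drifts from the value
# recorded in step 1. POSIX test(1) spells string equality as a single "=".
USER 1001:0
RUN echo "If the following command fails, update USER statement to match UID:GID of the user of nginx base container." && \
    [ "$(id -u):$(id -g)" = "$(cat /tmp/container-uid)" ] && \
    rm -f /tmp/container-uid

# Assumed content; the real docs image copies the built documentation here.
COPY --chown=1001:0 ./site/ /opt/app-root/src/
```

Two caveats a practitioner should keep in mind with this pattern. `dnf upgrade -y` pulls whatever the repositories serve at build time, so the set of fixed CVEs depends on when the image was built, which is why the PR description defers the verdict to nightly runs. And once `rpm` and its database are erased in step 2, no later `RUN` in the same Dockerfile can install or query packages, so that step has to be the last package operation.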

@msugakov msugakov merged commit 6381c28 into master May 9, 2022
@msugakov msugakov deleted the misha/ROX-10097-dnf-upgrade-docs branch May 9, 2022 09:45