
Feature Request: Update container images to latest UBI baseimage #4227

Closed
bencourliss opened this issue Jan 13, 2025 · 3 comments · Fixed by #4228 or #4238

@bencourliss
Member

Is your feature request related to a problem? Please describe.

We should update all container images to UBI 9.5 to pull in security fixes and other updates.

Describe the solution you'd like.

Currently we are using UBI 9.2. There is a newer version, 9.5, available for all architectures (amd64, arm64, ppc64le, s390x). The Dockerfiles should change to FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5

Additionally, some work should be done to see if we can support ubi-micro instead of ubi-minimal to reduce the threat surface attack area.

relates to #3852

Describe alternatives you've considered

No response

Additional context.

No response

@naphelps
Member

The Exchange uses registry.access.redhat.com/ubi9-minimal:latest as its base image. The packages are always up to date at the time of creating a container. The additional size shrinkage from going to the micro variant is moot presently for the mgmt hub, but this may be useful for storage constrained IoT devices in the field running an agent (Anax). Alternatively, project Ocre (https://lf-edge.atlassian.net/wiki/spaces/LE/pages/15832446/Project+Ocre) achieves this goal of space constrained devices better.

omordyk added a commit that referenced this issue Jan 15, 2025
Use ubi-micro instead of ubi-minimal to reduce the threat surface attack area.

Signed-off-by: Oleksandr Mordyk <[email protected]>
@omordyk omordyk self-assigned this Jan 15, 2025
omordyk added a commit that referenced this issue Jan 15, 2025
Use ubi-micro instead of ubi-minimal to reduce the threat surface attack area.

Signed-off-by: Oleksandr Mordyk <[email protected]>
omordyk added a commit that referenced this issue Jan 29, 2025
Use ubi-micro instead of ubi-minimal to reduce the threat surface attack area.

Signed-off-by: Oleksandr Mordyk <[email protected]>
omordyk added a commit that referenced this issue Jan 29, 2025
Use ubi-micro instead of ubi-minimal to reduce the threat surface attack area.

Signed-off-by: Oleksandr Mordyk <[email protected]>
LiilyZhang pushed a commit that referenced this issue Jan 29, 2025
Use ubi-micro instead of ubi-minimal to reduce the threat surface attack area.

Signed-off-by: Oleksandr Mordyk <[email protected]>
omordyk added a commit that referenced this issue Feb 3, 2025
@omordyk omordyk linked a pull request Feb 3, 2025 that will close this issue
LiilyZhang added a commit that referenced this issue Feb 3, 2025
Issue #4227 - Update container images to latest UBI base image
@johnwalicki
Member

I've never been a fan of using :latest containers. It's non-deterministic and you can't necessarily rebuild a specific anax container image and get the same bit-for-bit results if the underlying :latest has changed. If I want to go back in time and recreate/respin a specific version of Open Horizon, :latest makes that impossible.

IMHO, this should be reverted to use whatever is most current, ubi-minimal:9.5, for this anax release. Then, when you bump to the next anax release, move to the then current ubi-minimal:x.y.

@johnwalicki
Member

Another consideration.... When you need to do a security scan, you'll get a bunch of CVEs against the anax container contents. This might be a CVE list since :latest at the time of the build/release, but you won't actually know which :latest that was. If these containers are pinned to a ubi-minimal:9.x base, you can compare the Red Hat CVE list and know exactly what the package updates are. It's a lot more transparent than nebulous :latest.
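The reproducibility point raised in the two comments above can be turned into a build-time check. The following is an added example, not code from the Open Horizon/anax project: it scans a Dockerfile's FROM lines and reports base images that float on :latest or carry no tag at all, distinguishes a tag-only pin (which a registry can still move) from a digest pin, and skips scratch and earlier build stages. The sample Dockerfile, the BASE_IMAGE build argument and the all-zero digest are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# A FROM line: optional --platform flag, the image reference, optional "AS <stage>".
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)

def parse_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' separates a tag only if it follows the last '/'; otherwise it is a registry port (host:5000/image).
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest

def check_base_images(dockerfile: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, severity, image, reason) for every FROM line that is not reproducibly pinned."""
    findings = []
    stages = set()  # aliases of earlier build stages in a multi-stage Dockerfile
    for no, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref == "scratch" or ref in stages:
            pass  # the empty image or an earlier stage: nothing to pin here
        elif "$" in ref:
            findings.append((no, "warn", ref, "image comes from a build ARG; verify what the build passes in"))
        else:
            _name, tag, digest = parse_ref(ref)
            if digest is None and (tag is None or tag == "latest"):
                findings.append((no, "error", ref, "floating tag: rebuilds are not bit-for-bit reproducible"))
            elif digest is None:
                findings.append((no, "warn", ref, f"tag {tag} can still be moved; pin by digest for full reproducibility"))
        if alias:
            stages.add(alias)
    return findings

# Constructed sample Dockerfile using the image names discussed in the issue; the sha256 digest is an all-zero placeholder.
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9-minimal:latest AS builder
FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM builder
FROM ${BASE_IMAGE}
FROM scratch
"""

for f in check_base_images(SAMPLE_DOCKERFILE):
    print("line %d [%s] %s: %s" % f)
```

Running it on the sample flags line 1 (:latest) as an error and lines 2 (tag-only pin) and 5 (build ARG) as warnings, while the digest-pinned, stage and scratch lines pass.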
