Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[chore] Make all images distroless #189

Draft
wants to merge 66 commits into
base: main
Choose a base branch
from
Draft

[chore] Make all images distroless #189

wants to merge 66 commits into from

Conversation

Ranger-X
Copy link
Contributor

@Ranger-X Ranger-X commented Oct 18, 2024
edited
Loading

Description

Make all images distroless and build it via werf for security improvements.

Why do we need it, and what problem does it solve?

Less image size and improve security of images.

What is the expected result?

Distroless images.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Images distroless status

Legend:
✅ - fully distroless image (images based on scratch)
✔️ - partially distroless image (most of images based on ALTLinux)
⛔ - not a distroless image for now

Image name Status Distro Comments
drbd
drbd-reactor ✔️ ALTLinux We need some additional packages like libkeyutils, kmod
linstor-affinity-controller
linstor-csi ✔️ Actually fully distroless (based on scratch image) but some binaries extracted from Ubuntu's one .DEB-packages
linstor-drbd-wait
linstor-scheduler-admission
linstor-scheduler-extender
linstor-server ✔️ ALTLinux We need some additional packages like JRE and Python3
linstor-wait-until
metadata-backup ✔️ ALTLinux We need Python3
sds-replicated-volume-controller
semver
service-scripts
spaas ✔️ ALTLinux We need gcc, make and some other build tools to build kernel patches for DRBD
webhooks

Trivy checks

Trivy checks with HIGH and CRITICAL severities (for future PRs with fixes):

Image / file Library Severity Comments
webhooks stdlib HIGH fixed in 1.22.7, 1.23.1
linstor-scheduler-extender golang.org/x/net HIGH https://avd.aquasec.com/nvd/cve-2023-39325
linstor-scheduler-extender google.golang.org/grpc HIGH fixed in 1.56.3, 1.57.1, 1.58.3
linstor-scheduler-extender k8s.io/kubernetes HIGH fixed in 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17
linstor-affinity-controller golang.org/x/net HIGH fixed in 0.17.0
linstor-affinity-controller google.golang.org/grpc HIGH fixed in 1.56.3, 1.57.1, 1.58.3
linstor-scheduler-admission golang.org/x/net HIGH fixed in 0.17.0
linstor-server logback-classic-1.3.8.jar HIGH fixed in 1.3.12, 1.4.12, 1.2.13
linstor-server protobuf-java-3.23.3.jar HIGH fixed in 3.25.5, 4.27.5, 4.28.2
linstor-server h2-1.4.197.jar CRITICAL fixed in 2.0.206
linstor-server grpc-protobuf-1.50.0.jar HIGH fixed in 1.53.0
linstor-server netty-codec-http2-4.1.79.Final.jar HIGH fixed in 4.1.100.Final
linstor-server postgresql-42.5.4.jar CRITICAL fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2
linstor-server ion-java-1.0.2.jar HIGH fixed in 1.10.5
linstor-server setuptools HIGH fixed in 70.0.0
linstor-server usr/bin/k8s-await-election golang.org/x/net HIGH fixed in 0.0.0-20220906165146-f3363e06e74c
linstor-server usr/bin/k8s-await-election golang.org/x/text HIGH fixed in 0.3.7
linstor-server usr/bin/k8s-await-election gopkg.in/yaml.v3 HIGH fixed in 3.0.0-20220521103104-8f96da9f5d5e

@Ranger-X Ranger-X self-assigned this Oct 21, 2024
@Ranger-X
[drbd-reactor] WIP
0100b23 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] WIP
9026a24 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] WIP
3665f1b 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] WIP
4204ab9 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] WIP
7a5f458 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] WIP
8682817 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] WIP: move deb2distroless script to images/
921cc28 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[drbd-reactor] now distroless
ef57e7e 
[linstor-affinity-controller] now distroless

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-csi] WIP
f02f45e 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
Merge branch 'main' into i-makeev/distroless
acfec54
@Ranger-X
[linstor-csi] WIP
7451391 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-csi] WIP
310e5a3 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-drbd-wait] WIP
b44190b 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-scheduler-admission] WIP
a9291ed 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-scheduler-extender] WIP
b96e0ac 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
753e594 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
3b07218 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
e85e17c 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
6667759 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
306a760 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-client] WIP
3ed1c32 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
b6c63ca 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP
dd1e61d 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP: try to build RPM - not success :-(
680d495 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP: migrate build artifacts to AltLinux
34db16c 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] WIP: migrate build artifacts to AltLinux
e9c265c 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[metadata-backup] ALTLinux image done
ea24e82 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
WIP: refactoring
bca9418 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* Werf refactoring
a4b9ac3 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* remove TODO line from dockerfiles
d723367 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[utils:build-rpm-pkg] fix error when removing non-existent debuginfo …
1f16919 
…packages

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] fix: java-11-openjre-headless replaced with `java-…
e77ceff 
…11-openjdk-headless` because `java-11-openjre-headless` does not exists

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* try fix linstor-server building
0aa3ebd 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* try fix linstor-server building
9d001b5 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* try fix linstor-server building
17fd2c9 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* try fix linstor-server building
3844f3d 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* try fix linstor-server building
25ee23d 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* fixed linstor-server building
225b17a 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* finally (I hope) fixed linstor-server building
19e1a3d 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
Merge branch 'main' into i-makeev/distroless
ccb263f
@Ranger-X
fix linstor-node daemonset init-container spec
661eec4 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
fix linstor-node daemonset init-container spec
bc1fa89 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-drbd-wait] debug
44a4f4b 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-resources-cleaner] fix `ModuleNotFoundError: No module named…
31b3af5 
… 'distutils'`

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-satellite] fix `/usr/bin/piraeus-entry.sh: line 37: openssl:…
e351f8e 
… command not found`

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] fix `bash: warning: setlocale: LC_ALL: cannot change…
f1ab7ed 
… locale (C.UTF-8)`

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] fix `bash: warning: setlocale: LC_ALL: cannot change…
bca6d65 
… locale (C.UTF-8)`

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-server] add OPTIONAL_DEPS
09791f1 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[client-wrapper.sh] fix `fgrep: warning: fgrep is obsolescent; using …
9084764 
…grep -F`

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* bump BASE_GOLANG_1_22 to 1.22.7 (was 1.22.6)
bd9fd39 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
fix: do not check for /patches/*.patch file existsence and fail when …
8dbbbb8 
…git apply failed

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
fix python-dependencies image to rebuild if lib/python/requirements.t…
601990c 
…xt changed (and remove redundant fromCacheVersion)

Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* add libudev-devel as deps
dd9f931 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
* fix /etc/lvm/lvm.conf
01de48e 
Signed-off-by: Ivan.Makeev <[email protected]>
@Ranger-X
[linstor-csi] add /bin/mount
4e6892f 
Signed-off-by: Ivan.Makeev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@Ranger-X Ranger-X

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Ranger-X