container base image needs to be updated #41390

Closed
kannanlakshmi opened this issue Oct 7, 2019 · 12 comments · Fixed by #49593
Labels
A-orchestration Relating to orchestration systems like Kubernetes A-security

Comments

@kannanlakshmi
Contributor

@keith-mcclellan is working on putting the CRDB container image back on the Red Hat registry, as this is required for any partnership between Red Hat and Cockroach Labs. We appear to be using some stale base images for our containers: https://github.com/cockroachdb/cockroach/blob/2168fe87d168520989488859e88ee39301f8bb6b/build/builder/Dockerfile
Base images tend to have security vulnerabilities, and this will need to be addressed before he can proceed with the Red Hat marketplace.

cc @keith-mcclellan for more information as he found the older images

cc @kenliu for triage

@kannanlakshmi kannanlakshmi added the A-orchestration Relating to orchestration systems like Kubernetes label Oct 7, 2019
@keith-mcclellan
Contributor

keith-mcclellan commented Oct 7, 2019

I found at least two spots where we're pinning ourselves to old base images:

https://github.com/cockroachdb/cockroach/blob/2168fe87d168520989488859e88ee39301f8bb6b/build/deploy/Dockerfile

FROM debian:9.8-slim should be the latest LTS which would be stretch-slim (currently maps to 9.11-slim)

https://github.com/cockroachdb/cockroach/blob/2168fe87d168520989488859e88ee39301f8bb6b/build/builder/Dockerfile

FROM ubuntu:xenial-20170915 should at a minimum be FROM ubuntu:xenial but better bionic (latest LTS)
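
A check of the kind this comment implies, as an added example (not code from the CockroachDB repository): it scans Dockerfile `FROM` lines and reports how each external base image is pinned. The function names, the 90-day threshold and the sample Dockerfile are assumptions; a numeric tag is only flagged for review, because the tag alone does not show whether the publisher still rebuilds it.

```python
import re
from datetime import date

# Constructed sample: the FROM lines quoted above plus constructed variants.
SAMPLE = """\
FROM debian:9.8-slim
FROM --platform=linux/amd64 ubuntu:xenial-20170915 AS builder
FROM debian:stretch-slim
FROM builder AS final
FROM scratch
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
DATED_RE = re.compile(r"(?:^|[-_.])(\d{4})(\d{2})(\d{2})$")
NUMERIC_RE = re.compile(r"^v?\d+\.\d+[\w.-]*$")

def classify(ref, today, max_age_days):
    """Return (kind, finding) for one external image reference."""
    if "$" in ref:
        return "variable", "unresolved"      # set via ARG; resolve before auditing
    if "@" in ref:
        return "digest", "frozen"            # immutable; needs scheduled bumps
    name = ref.rsplit("/", 1)[-1]            # drop registry[:port]/namespace
    tag = name.split(":", 1)[1] if ":" in name else "latest"
    m = DATED_RE.search(tag)
    if m:
        try:
            age = (today - date(*map(int, m.groups()))).days
            return "dated-snapshot", "stale" if age > max_age_days else "ok"
        except ValueError:
            pass                             # eight digits, not a calendar date
    if NUMERIC_RE.match(tag):
        return "numeric-version", "review"   # may be a superseded point release
    return "floating", "ok"                  # series or codename tag, tracks rebuilds

def audit(dockerfile_text, today, max_age_days=90):
    """Return [(image_ref, kind, finding)] for each external base image."""
    stages, out = set(), []
    for m in filter(None, map(FROM_RE.match, dockerfile_text.splitlines())):
        ref, alias = m.groups()
        if ref.lower() != "scratch" and ref.lower() not in stages:
            out.append((ref, *classify(ref, today, max_age_days)))
        if alias:
            stages.add(alias.lower())        # later FROM <alias> is not an image
    return out

if __name__ == "__main__":
    for row in audit(SAMPLE, today=date(2019, 10, 7)):
        print(*row, sep="\t")
```

Run in CI with `today=date.today()`, a `stale` or `review` finding is the cue to compare the pin against the publisher's current tags before the image ships.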

@keith-mcclellan
Contributor

Red Hat is specifically asking us to support a version of the database on their UBI though, where they manage the security patching for the underlying dependencies

@kenliu

kenliu commented Oct 31, 2019

@bobvawter FYI I'm adding this to the backlog

@kenliu

kenliu commented Nov 12, 2019

@bobvawter can look at this as part of revving the go version

@kenliu

kenliu commented Jan 28, 2020

we're going to work on this in the next week or two

@bobvawter
Member

Related: #44905

@kenliu

kenliu commented Feb 25, 2020

@bobvawter any update on this issue?

@bobvawter
Member

Per discussion with the release team, the consensus is to hold until the 20.1 release goes out, since changing the base image will impact testing. Also coordinating with @aaron-crl viz security requirements. Will update this ticket with notes from that chat.

@bobvawter
Member

Now that the release is out, will get back to this after landing the updated TeamCity agent OS image.

@bobvawter bobvawter removed their assignment May 27, 2020
craig bot pushed a commit that referenced this issue Jun 1, 2020
49593: build: Upgrade base image to deployment dockerfile r=bobvawter a=bobvawter

This change updates the deployment base image from Debian 9.8 to 9.12.

Fixes: #41390

Release note (build change): Release Docker images are now built on
Debian 9.12.

Co-authored-by: Bob Vawter <bob@vawter.org>
@craig craig bot closed this as completed in a1a1866 Jun 1, 2020
jlinder pushed a commit to jlinder/cockroach that referenced this issue Jun 22, 2020
This change updates the deployment base image from Debian 9.8 to 9.12.

Fixes: cockroachdb#41390

Release note (build change): Release Docker images are now built on
Debian 9.12.
@kenliu

kenliu commented Aug 25, 2020

Reopening this because we hadn't yet updated the base image to use the latest Red Hat UBI

@jlinder jlinder reopened this Aug 25, 2020
@kenliu

kenliu commented Aug 25, 2020

Before we close out this issue, we need to follow up with Keith to understand better what the release process is for distributing to the Red Hat marketplace.

https://marketplace.redhat.com/en-us/products/cockroachdb-operator

@jlinder
Collaborator

jlinder commented Nov 10, 2020

Current status:

  • For 20.2.0 and forward, we are using the ubi8/ubi-minimal image as the base image for our docker images
  • We met with Keith to get the process for publishing docker images to the Red Hat Marketplace. We've pushed images for the 20.1.7, 20.1.8 and 20.2.0 builds. We will handle pushing images for new builds going forward. We have yet to automate the process and are tracking that as a separate task.

With that, we can close this issue.

@jlinder jlinder closed this as completed Nov 10, 2020