Migrate the base image to bci-busybox
#186
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
snasovich
changed the title
bci-busyboxbci-busybox
|
PR rebased. |
macedogm
reviewed
Aug 12, 2024
kinarashah
previously approved these changes
Sep 10, 2024
There was a problem hiding this comment.
@pjbgf Could you rebase to resolve the conflicts?
The overall changes look good to me, and it appears that most of these utilities aren't being used by rke-tools, so I'm approving the PR. However, I do have some concerns about potential regressions from removing a utility that might be relied on by users, or cases where its usage isn't immediately obvious. This might be something we only catch through QA validation. Would it make sense to hold off until v2.10? That way, we can validate it more thoroughly during testing for new k8s minor version v1.31, as opposed to just a patch release.
|
@kinarashah the push for |
macedogm
previously approved these changes
Sep 11, 2024
snasovich
changed the title
bci-busyboxbci-busybox
snasovich
changed the title
bci-busyboxbci-busybox
pjbgf
force-pushed
the
base-image
branch
2 times, most recently
from
7b1da20 to
cce1029
Compare
The aim of this change is to decrease the long-term number of CVEs this image gets due to the decreased attack surface. As a result, the final image is 40MB lighter and does not contain the following commands: add-shell bbconfig blkdiscard busybox chroot cifsiostat c_rehash crond crontab depmod dumpkmap envsubst fbsplash fc-conflist fc-list fc-match fc-pattern fc-query fc-scan fc-validate fdflush fstrim geoiplookup6 getty halt hwclock ifconfig ifdown ifenslave ifup init inotifyd insmod iostat ipaddr iplink ipneigh iproute iprule kbd_mode link linux32 linux64 logread lsmod modinfo modprobe mountpoint ntpd partprobe printenv raidautorun rdate rdev readahead reboot remove-shell rev rfkill rmmod route swapoff swapon syslogd tapestat traceroute6 tree unlzop watchdog xsltproc Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
macedogm
approved these changes
Oct 22, 2024
kinarashah
approved these changes
Oct 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
rke-toolstobci-busyboxrancher#46099rke-toolstobci-busyboxrancher#46626rke-toolstobci-busyboxrancher#46627The aim of this change is to decrease the long-term number of CVEs this image gets due to the decreased attack surface. As a result, the final image is 40MB lighter and does not contain the following commands:
The list above was generated by comparing a local image with the previous tagged version: