build: Change base to rockylinux for salt-master

This will avoid CVEs affecting CentOS 7 packages which may not be fixed upstream.
scality · May 31, 2022 · 82fe23a · 82fe23a
1 parent f443899
commit 82fe23a
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -100,6 +100,10 @@
   `metalk8s-utils` container
   (PR[#3773](https://github.com/scality/metalk8s/pull/3773))
 
+- Change base image from `centos:7.6.1810` to `rockylinux:8.5.20220308` for the
+  `salt-master` container
+  (PR[#3773](https://github.com/scality/metalk8s/pull/3773))
+
 ## Release 2.11.8 (in development)
 
 ## Release 2.11.7

diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
@@ -240,7 +240,11 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
     ),
     _local_image(
         name="salt-master",
-        build_args={"SALT_VERSION": versions.SALT_VERSION},
+        build_args={
+            "BASE_IMAGE": versions.ROCKY_BASE_IMAGE,
+            "BASE_IMAGE_SHA256": versions.ROCKY_BASE_IMAGE_SHA256,
+            "SALT_VERSION": versions.SALT_VERSION,
+        },
     ),
     _local_image(
         name="metalk8s-ui",

diff --git a/images/salt-master/Dockerfile b/images/salt-master/Dockerfile
@@ -1,32 +1,34 @@
-FROM centos:7.6.1810
+# SHA256 digest of the base image
+ARG BASE_IMAGE_SHA256
+ARG BASE_IMAGE=docker.io/rockylinux
 
-MAINTAINER moonshot-platform <moonshot-platform@scality.com>
+FROM ${BASE_IMAGE}@sha256:${BASE_IMAGE_SHA256}
 
 # Versions to use
 ARG SALT_VERSION
-ENV LC_ALL=en_US.UTF-8
 
-# Install saltstack
+# Install Saltstack and other dependencies
 RUN printf "[saltstack-repo]\n\
 name=SaltStack repo for RHEL/CentOS \$releasever\n\
 baseurl=https://repo.saltproject.io/py3/redhat/\$releasever/\$basearch/archive/%s\n\
 enabled=1\n\
 gpgcheck=1\n\
 gpgkey=https://repo.saltproject.io/py3/redhat/\$releasever/\$basearch/archive/%s/SALTSTACK-GPG-KEY.pub\n" ${SALT_VERSION} ${SALT_VERSION} >/etc/yum.repos.d/saltstack.repo \
- && rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/archive/${SALT_VERSION}/SALTSTACK-GPG-KEY.pub \
- && yum clean expire-cache \
- && yum install -y epel-release \
- && yum install -y python3-pip \
- && pip3 install pip==20.1 \
+ && rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/archive/${SALT_VERSION}/SALTSTACK-GPG-KEY.pub \
+ && dnf clean expire-cache \
+ && dnf install -y glibc-all-langpacks langpacks-en \
+ && dnf install -y epel-release \
+ && dnf install -y python3-pip \
+ && pip3 install "pip == 20.1" \
  && pip3 install "protobuf ~= 3.19.4" "etcd3 != 0.11.0" \
- && yum install -y git \
+ && dnf install -y git \
  && pip3 install "git+https://github.com/kubernetes-client/python.git@cef5e9bd10a6d5ca4d9c83da46ccfe2114cdaaf8#egg=kubernetes" \
- && yum remove -y git \
- && pip3 uninstall -y \
-     requests \
-     urllib3 \
- && yum install -y salt-master salt-api salt-ssh openssh-clients \
- && yum clean all
+ && dnf remove -y git \
+ && dnf install -y salt-master salt-api salt-ssh openssh-clients \
+ && dnf clean all
+
+# Set up locale
+ENV LC_ALL=en_US.UTF-8
 
 # Disable host key checking due to a bug in salt-ssh
 # Sees: https://github.com/saltstack/salt/issues/59691

diff --git a/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2 b/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2
@@ -13,6 +13,13 @@ peer:
 # Enable grains caching on salt-master
 grains_cache: True
 
+# We now run salt-master on Rocky Linux, but it is not yet fully supported by
+# SaltStack 3002, so we emulate it runs on CentOS, as before. This should be
+# removed with SaltStack 3004.
+grains:
+  os_family: RedHat
+  os: CentOS
+
 # We use information from the `metalk8s_node` ext_pillar to match in
 # `pillar/top.sls`, hence we need to load them first.
 ext_pillar_first: true