Skip to content

Dockerfile: bump debian image to bullseye-20210927#13376

Merged
hexfusion merged 1 commit intoetcd-io:mainfrom
hexfusion:bump-base
Oct 1, 2021
Merged

Dockerfile: bump debian image to bullseye-20210927#13376
hexfusion merged 1 commit intoetcd-io:mainfrom
hexfusion:bump-base

Conversation

@hexfusion
Copy link
Copy Markdown
Contributor

@hexfusion hexfusion commented Sep 30, 2021

Debian buster has been replaced with bullseye v11.0 and is getting CVE fixes quicker. This PR moves us from buster to bullseye and also applies a hotfix for openssl to resolve CVE-2021-3711.

We recently moved to k8s.gcr.io/build-image/debian-base for our Debian base images to align with upstream k8s which just recently moved to bullseye[1]. The plan is to move back to this registry once these fixes are addressed. But as we are going to cut a new 3.5 release it seems prudent to improve our security profile now.

fixes: CVE-2021-3711, CVE-2021-35942, CVE-2019-9893

CVE testing was done using trivy[2]

[1] kubernetes/kubernetes@531eb71
[2] https://github.com/aquasecurity/trivy

cc @gyuho @ptabor @hasbro17 @lilic @serathius

@hexfusion hexfusion mentioned this pull request Sep 30, 2021
Closed
5 tasks
mrueg
mrueg reviewed Sep 30, 2021
View reviewed changes
Comment thread Dockerfile-release.amd64
@@ -1,4 +1,5 @@
FROM k8s.gcr.io/build-image/debian-base:buster-v1.4.0
# TODO: move to k8s.gcr.io/build-image/debian-base:bullseye-v1.y.z when patched
FROM debian:bullseye-20210927
Copy link
Copy Markdown
Contributor

@mrueg mrueg Sep 30, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change would switch it to a potentially rate-limited registry (dockerhub), will that impact builds?

Copy link
Copy Markdown
Contributor

@mrueg mrueg Sep 30, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one got a bullseye tag: https://console.cloud.google.com/gcr/images/k8s-staging-build-image/global/debian-base (these are staging images that are not promoted yet)

Copy link
Copy Markdown
Contributor Author

@hexfusion hexfusion Sep 30, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they do have bullseye-v1.0.0 which is still exposed to CVE-2021-3711. If there is a fix pending promotion we can consider that.

Copy link
Copy Markdown
Contributor

@justaugustus justaugustus Dec 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Working on this here: kubernetes/release#2371

Copy link
Copy Markdown
Contributor

@justaugustus justaugustus Dec 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated here: #13546

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Sep 30, 2021

Codecov Report

Merging #13376 (1e1f113) into main (97756e3) will decrease coverage by 0.95%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #13376      +/-   ##
==========================================
- Coverage   71.31%   70.35%   -0.96%     
==========================================
  Files         453      447       -6     
  Lines       38856    38032     -824     
==========================================
- Hits        27709    26759     -950     
- Misses       9114     9247     +133     
+ Partials     2033     2026       -7
Flag Coverage Δ
all 70.35% <ø> (-0.96%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/report/report.go 0.00% <0.00%> (-94.25%) ⬇️
pkg/report/timeseries.go 0.00% <0.00%> (-88.47%) ⬇️
pkg/osutil/interrupt_unix.go 0.00% <0.00%> (-81.49%) ⬇️
pkg/osutil/osutil.go 0.00% <0.00%> (-80.00%) ⬇️
pkg/report/weighted.go 0.00% <0.00%> (-72.00%) ⬇️
pkg/crc/crc.go 45.45% <0.00%> (-54.55%) ⬇️
pkg/httputil/httputil.go 30.00% <0.00%> (-50.00%) ⬇️
pkg/flags/urls.go 0.00% <0.00%> (-45.00%) ⬇️
pkg/flags/strings.go 46.15% <0.00%> (-38.47%) ⬇️
pkg/netutil/netutil.go 34.42% <0.00%> (-33.61%) ⬇️
... and 52 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 97756e3...1e1f113. Read the comment docs.

spzala
spzala reviewed Sep 30, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@spzala spzala left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. The CI errors seems not related but we may want to re-run.
Thank you so much for quickly addressing CVEs @hexfusion

@hexfusion hexfusion merged commit 5703bb2 into etcd-io:main Oct 1, 2021
@hexfusion hexfusion deleted the bump-base branch October 1, 2021 16:44
This was referenced Oct 1, 2021
Merged
Merged
Merged
This was referenced Dec 17, 2021
Merged
Merged
@mrueg mrueg mentioned this pull request Apr 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spzala spzala spzala approved these changes

+3 more reviewers

@mrueg mrueg mrueg left review comments

@justaugustus justaugustus justaugustus left review comments

@ptabor ptabor ptabor approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@hexfusion @codecov-commenter @mrueg @justaugustus @spzala @ptabor