
debian-base: purge libsystemd0 to eliminate CVE false-positives #69995

Merged


ixdy
Member

@ixdy ixdy commented Oct 18, 2018

What type of PR is this?
/kind cleanup

What this PR does / why we need it: we already purge systemd and systemd-sysv from the debian-base container, since we don't use them, but libsystemd0 is still part of the image, which is causing false CVE alerts from the GCR Container Analysis service.

Does this PR introduce a user-facing change?:

Images based on debian-base no longer include the libsystemd0 package. This should have no user-facing impact.
Additionally, the addon-manager image is updated to use kubectl v1.11.3.

I don't expect this change to have any user-facing changes. We'll need to be more cautious once we update debian-iptables and debian-hyperkube-base; there shouldn't be any issues, but hyperkube in particular has surprised me before.

/assign @ihmccreery @awly @tallclair

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Oct 18, 2018
@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 18, 2018
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 18, 2018
@awly
Contributor

awly commented Oct 18, 2018

/lgtm
Thanks for cleaning this up!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 18, 2018
@ixdy
Member Author

ixdy commented Oct 19, 2018

/sig release

@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 19, 2018
@ixdy
Member Author

ixdy commented Oct 19, 2018

/hold

I forgot to add the sig, but I've already promoted the debian-base image, so I'm going to bump the child images in this PR too.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2018
@ixdy ixdy force-pushed the purge-libsystemd-from-debian-base branch from 566e74a to 68a960a on October 19, 2018 16:11
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/testing Categorizes an issue or PR as relevant to SIG Testing. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. release-note-none Denotes a PR that doesn't merit a release note. labels Oct 19, 2018
VERSION=v8.8
KUBECTL_VERSION?=v1.10.7
VERSION=v8.9
KUBECTL_VERSION?=v1.10.9
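Review bot: the kubectl pin on the last line moves only to v1.10.9, while the PR description and the later commit message say the addon-manager should use kubectl v1.11.3, so this snippet reflects an earlier push of the branch; confirm that the final commit carries `KUBECTL_VERSION?=v1.11.3` together with the `VERSION=v8.9` bump, so that the v8.9 addon-manager tag is built exactly once with the intended kubectl.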
ixdy (Member Author):

@MrHohn does this version of kubectl still make sense? or should we bump to 1.11.x?

Member:

Thanks for adding me, bumping to 1.11.x sounds good to me.

ixdy (Member Author):

updated to kubectl v1.11.3.

@ixdy
Member Author

ixdy commented Oct 19, 2018

pushed a commit bumping the debian-base references, PTAL.

Additionally, update the addon-manager to use kubectl v1.11.3.
@ixdy ixdy force-pushed the purge-libsystemd-from-debian-base branch from 68a960a to 7a8696c on October 19, 2018 18:14
@@ -16,12 +16,12 @@

REGISTRY?="staging-k8s.gcr.io"
IMAGE=$(REGISTRY)/debian-iptables
TAG?=v10.2
TAG?=v11.0
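Review bot: the tag jumps from v10.2 to v11.0 with nothing in the visible hunk explaining the convention, which is exactly what prompted the "why not v10.3?" question below; a one-line comment above `TAG?=` stating that .N bumps are reserved for rebases of the existing image and that adding or dropping a package takes a new major would keep the rule discoverable for the next bump. The debian-base reference this image builds on is outside the shown lines, so reviewers should confirm it moved to the debian-base version that has libsystemd0 purged, since that is the whole reason for this tag change.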
Contributor:

why not v10.3 ?

ixdy (Member Author):

I generally reserve the .N bumps for rebases of the existing image. We actually removed a package here.

@awly
Contributor

awly commented Oct 19, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 19, 2018
@ixdy
Member Author

ixdy commented Oct 19, 2018

/assign @zmerlynn

for cluster/ approval

@ixdy
Member Author

ixdy commented Oct 19, 2018

/retest

@zmerlynn
Member

/lgtm
/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ixdy, zmerlynn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 19, 2018
@ixdy
Member Author

ixdy commented Oct 19, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2018
@k8s-ci-robot k8s-ci-robot merged commit 82cba09 into kubernetes:master Oct 19, 2018
cdkbot-zz pushed a commit to juju-solutions/kubernetes that referenced this pull request Oct 25, 2018
@Random-Liu
Member

Random-Liu commented Nov 29, 2018

This actually breaks node-problem-detector. :P kubernetes/node-problem-detector#232

Is there any other way to fix the CVE?

I can install the libsystemd0 back when building node-problem-detector for now.

@ixdy
Member Author

ixdy commented Nov 29, 2018

I'd rather not add libsystemd back to the base image, since we don't need it in the core kubernetes images.

If you need it in your image, you should be able to add it back with clean-install.
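The check a practitioner would want around this change, as an added example that is not code from this PR or from the kubernetes repository: OS-package vulnerability scanners decide which packages a Debian image contains by reading dpkg's status database, so the useful CI gate is to read that same file out of the built image and assert that the package is gone. The functions below do that against a constructed excerpt of `/var/lib/dpkg/status` embedded inline (package versions are placeholders); in a real pipeline the file would come from `docker run --rm <image> cat /var/lib/dpkg/status`. They also distinguish "purged" from "removed": a package that was only removed keeps a stanza in `config-files` state, complete with a `Version:` field, so a tool that parses the file naively can still report it, which is why checking for the absence of the stanza is the strict test.

```shell
#!/bin/sh
# Added example, not part of the kubernetes debian-base build: verify that a
# package is fully purged from an image by inspecting dpkg's status database.
set -eu

# Constructed sample of /var/lib/dpkg/status (versions are placeholders):
# libc6 is installed, libsystemd0 was only removed (config files left, dpkg
# state "rc"), and systemd does not appear at all because it was purged.
SAMPLE_STATUS='Package: libc6
Status: install ok installed
Priority: required
Version: 2.24-11+deb9u3

Package: libsystemd0
Status: deinstall ok config-files
Priority: optional
Version: 232-25+deb9u4
'

# dpkg_state FILE PACKAGE
# Prints the state word from the package's Status line ("installed",
# "config-files", ...) or "absent" when no stanza for it exists at all.
dpkg_state() {
  file=$1
  pkg=$2
  awk -v pkg="$pkg" '
    /^Package: / { cur = $2 }
    /^Status: / && cur == pkg { print $4; found = 1; exit }
    END { if (!found) print "absent" }
  ' "$file"
}

# assert_purged FILE PACKAGE
# Succeeds only when the package has no stanza left. A "config-files" stanza
# still carries a Version field, so "removed" is not good enough for a gate
# meant to silence scanner findings; the base image must purge the package.
assert_purged() {
  state=$(dpkg_state "$1" "$2")
  [ "$state" = "absent" ]
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_STATUS" > "$tmp"
for p in libc6 libsystemd0 systemd; do
  printf '%s: %s\n' "$p" "$(dpkg_state "$tmp" "$p")"
done
if assert_purged "$tmp" libsystemd0; then
  echo "libsystemd0: purged"
else
  echo "libsystemd0: still present in state $(dpkg_state "$tmp" libsystemd0)"
fi
rm -f "$tmp"
```

The same functions cover the node-problem-detector case raised above: a child image that needs the library adds it back with clean-install in its own Dockerfile, and a gate that asserts `dpkg_state ... = installed` for the packages that image requires would have flagged the breakage before the base-image bump reached it.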
