
[1.18] base-images: Use debian-base:v2.1.0 and debian-iptables:v12.1.0 (includes CVE fixes) #90863

Merged
merged 2 commits into from May 20, 2020

Conversation

justaugustus
Member

@justaugustus justaugustus commented May 7, 2020

What type of PR is this?

/kind cleanup
/sig release
/area release-eng dependency security

What this PR does / why we need it:

  • Update dependents to use debian-base:v2.1.0
  • Update dependents to use debian-iptables:v12.1.0

(Selective cherry pick of #90665, #90697, and #90782.)

/assign @dims @BenTheElder
cc: @kubernetes/release-engineering
/priority important-soon

Which issue(s) this PR fixes:

Tracking issue: #58012

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

- base-images: Use debian-base:v2.1.0 (includes CVE fixes)
- base-images: Use debian-iptables:v12.1.0 (includes CVE fixes)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label May 7, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone May 7, 2020
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/release-eng Issues or PRs related to the Release Engineering subproject labels May 7, 2020
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 7, 2020
@justaugustus
Member Author

Unsurprisingly, bazel is bazel-ing. Keeping track of the commits I have locally:

d2a67a28bc93a9b6e2adf9ed134eb2e630a971f9 (HEAD -> 118-base-images, origin/118-base-images) bazel: Update to repo-infra v0.0.4
2b9ed9278fbca88497cf03b34ff398adef900d67 bazel: Update to 2.2.0
c6463e286649b60cc9577429753ec2bed1859dbc deps: Use debian-base:v2.1.0 and debian-iptables:v12.1.0
3ab7b46a30f89c7dd87cdcd7d496c0605b08eb0c build: Alpha-sort dependencies.yaml
e48260eb08c1a0048df137dfdc52710d2b9c99ab build: Add build-image OWNERS to debian-{base,iptables} and pause dirs

@justaugustus justaugustus force-pushed the 118-base-images branch 2 times, most recently from c6463e2 to 7e718d4 Compare May 8, 2020 00:35
@justaugustus
Member Author

/test pull-kubernetes-e2e-kind

@justaugustus
Member Author

/test pull-kubernetes-integration

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 8, 2020
@justaugustus
Member Author

/kind cleanup
/sig release
/area release-eng dependency security
/assign @dims @BenTheElder
cc: @kubernetes/release-engineering
/priority important-soon

@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. sig/release Categorizes an issue or PR as relevant to SIG Release. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels May 8, 2020
@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 12, 2020
Member

@cpanato cpanato left a comment


/lgtm

@fejta
Contributor

fejta commented May 13, 2020

👍
/uncc

@fejta fejta removed their assignment May 13, 2020
@tpepper
Member

tpepper commented May 15, 2020

Since this combines cleanup and image version bumping (CVE fixes), I think it would be good to add something like a "(CVE fixes)" parenthetical to the release note.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 15, 2020
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 18, 2020
@justaugustus justaugustus changed the title [1.18] base-images: Use debian-base:v2.1.0 and debian-iptables:v12.1.0 [1.18] base-images: Use debian-base:v2.1.0 and debian-iptables:v12.1.0 (includes CVE fixes) May 18, 2020
@justaugustus
Member Author

Since this combines cleanup and image version bumping (CVE fixes), I think it would be good to add something like a "(CVE fixes)" parenthetical to the release note.

@tpepper -- Done!

Needs re-lgtm after rebasing in the kube-cross bump.

@justaugustus
Member Author

Apt package diffs:

$ container-diff diff us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.0.0 us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.1.0 --type=apt 

-----Apt-----

Packages found only in us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.0.0: None

Packages found only in us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.1.0: None

Version differences:
PACKAGE             IMAGE1 (us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.0.0)        IMAGE2 (us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.1.0)
-base-files         10.3 deb10u1, 340K                                                                10.3 deb10u3, 340K
-libgnutls30        3.6.7-4, 2.6M                                                                     3.6.7-4 deb10u3, 2.6M
-libidn2-0          2.0.5-1, 279K                                                                     2.0.5-1 deb10u1, 280K
-libsystemd0        241-7~deb10u1, 767K                                                               241-7~deb10u3, 767K
-libudev1           241-7~deb10u1, 258K                                                               241-7~deb10u3, 258K

$ container-diff diff us.gcr.io/k8s-artifacts-prod/build-image/debian-iptables-amd64:v12.0.1 us.gcr.io/k8s-artifacts-prod/build-image/debian-iptables-amd64:v12.1.0 --type=apt 

-----Apt-----

Packages found only in us.gcr.io/k8s-artifacts-prod/build-image/debian-iptables-amd64:v12.0.1: None

Packages found only in us.gcr.io/k8s-artifacts-prod/build-image/debian-iptables-amd64:v12.1.0: None

Version differences:
PACKAGE             IMAGE1 (us.gcr.io/k8s-artifacts-prod/build-image/debian-iptables-amd64:v12.0.1)        IMAGE2 (us.gcr.io/k8s-artifacts-prod/build-image/debian-iptables-amd64:v12.1.0)
-base-files         10.3 deb10u1, 340K                                                                     10.3 deb10u3, 340K
-libgnutls30        3.6.7-4, 2.6M                                                                          3.6.7-4 deb10u3, 2.6M
-libidn2-0          2.0.5-1, 279K                                                                          2.0.5-1 deb10u1, 280K
-libnftnl11         1.1.4-1~bpo10 1, 217K                                                                  1.1.5-1~bpo10 1, 221K
-libssl1.1          1.1.1d-0 deb10u2, 4M                                                                   1.1.1d-0 deb10u3, 4M
-libsystemd0        241-7~deb10u1, 767K                                                                    241-7~deb10u3, 767K
-libudev1           241-7~deb10u1, 258K                                                                    241-7~deb10u3, 258K

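As an added illustration (not part of the PR and not container-diff's own code), the following parser reads the `--type=apt` "Version differences" table quoted above and separates Debian stable-update bumps (only the `debNuM` suffix moved, the usual shape of a security fix) from upstream version changes such as the libnftnl11 1.1.4 to 1.1.5 move. The sample text is constructed in the same layout as the output above, with version strings copied as rendered there (a space where dpkg prints `+`).

```python
import re
from typing import Dict, List, NamedTuple

class PkgChange(NamedTuple):
    package: str
    old_version: str
    new_version: str

# Constructed sample in the shape container-diff prints for --type=apt
# (versions copied as rendered above, with a space where dpkg has "+").
SAMPLE = """Version differences:
PACKAGE             IMAGE1 (img:v12.0.1)        IMAGE2 (img:v12.1.0)
-base-files         10.3 deb10u1, 340K          10.3 deb10u3, 340K
-libgnutls30        3.6.7-4, 2.6M               3.6.7-4 deb10u3, 2.6M
-libnftnl11         1.1.4-1~bpo10 1, 217K       1.1.5-1~bpo10 1, 221K
-libssl1.1          1.1.1d-0 deb10u2, 4M        1.1.1d-0 deb10u3, 4M
"""

def parse_version_differences(text: str) -> List[PkgChange]:
    # One PkgChange per "-<package>" row of the "Version differences" table.
    changes: List[PkgChange] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Version differences:"):
            in_table = True
            continue
        if not in_table or not line.startswith("-"):
            continue
        cols = re.split(r"\s{2,}", line.strip())  # columns are space-padded
        if len(cols) != 3:
            continue
        # each image column is "<version>, <size>"; keep only the version
        old_v = cols[1].rsplit(",", 1)[0].strip()
        new_v = cols[2].rsplit(",", 1)[0].strip()
        changes.append(PkgChange(cols[0].lstrip("-"), old_v, new_v))
    return changes

# Debian stable-update suffix, e.g. "+deb10u3" (rendered above as " deb10u3")
STABLE_SUFFIX = re.compile(r"[\s+]deb\d+u\d+$")

def classify(change: PkgChange) -> str:
    # "stable-update": only the debNuM suffix moved; "upstream": the upstream
    # version changed; "revision": only the Debian packaging revision changed.
    old_base = STABLE_SUFFIX.sub("", change.old_version)
    new_base = STABLE_SUFFIX.sub("", change.new_version)
    if old_base == new_base:
        return "stable-update"
    if old_base.split("-", 1)[0] != new_base.split("-", 1)[0]:
        return "upstream"
    return "revision"

def summarize(text: str) -> Dict[str, str]:
    return {c.package: classify(c) for c in parse_version_differences(text)}
```

Running `summarize` over the real diffs above flags libnftnl11 as the one upstream bump; everything else is a stable-update suffix change, which is what a reviewer checking the "(includes CVE fixes)" claim wants to see.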
@tpepper
Member

tpepper commented May 19, 2020

Ahead of the expected OWNERS lgtm/approves, marking as cherry-pick-approved so the set of merge requirements hopefully comes together a little faster and we get back to being build-ready.

@tpepper tpepper added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label May 19, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label May 19, 2020
Contributor

@hasheddan hasheddan left a comment


/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 19, 2020
Member

@saschagrunert saschagrunert left a comment


/lgtm

@justaugustus
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 19, 2020
@justaugustus
Member Author

/retest

@justaugustus
Member Author

/retest

@fejta-bot

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit d6e40f4 into kubernetes:release-1.18 May 20, 2020