About buildpack builder image, we may need to switch to docker.io instead of gcr.io #404

Closed · xiujuan95 opened this issue Sep 24, 2020 · 3 comments · Fixed by #406

Comments

xiujuan95 (Contributor) commented Sep 24, 2020

After communicating with the Paketo folks, they said that index.docker.io/paketobuildpacks/builder:full will be the official one in the future instead of gcr.io/paketo-buildpacks/builder:latest. For more details, please refer to here.

So maybe we should change to index.docker.io/paketobuildpacks/builder:full in our buildstrategy.

But first, we should verify that the docker.io image works fine for us.

zhangtbj (Contributor) commented

Thanks Zoe, please help verify the SHA1 values of the two images. If they are the same and the Paketo community says the docker.io one is official, then let us provide the PR to switch to that one.

Thanks!

xiujuan95 (Contributor, Author) commented Sep 24, 2020

@zhangtbj I checked; the digest values of the docker.io one and the gcr.io one are not the same.

Digest: sha256:2eb6b620f5a4ae14ad4311082b9e1fcc0f89d01a73d9c3b15b49dd0e615fee68
Status: Downloaded newer image for paketobuildpacks/builder:full
docker.io/paketobuildpacks/builder:full

Digest: sha256:c7912d42ac8df647a1a3d24090bd5fa6a7170df0e297755b2c3c92911396a611
Status: Downloaded newer image for gcr.io/paketo-buildpacks/builder:latest
gcr.io/paketo-buildpacks/builder:latest

And the docker.io one is using the io.buildpacks.stacks.bionic stack (it's from here), while the gcr.io one is using the org.cloudfoundry.stacks.cflinuxfs3 stack (it's from here). A community member told me org.cloudfoundry.stacks.cflinuxfs3 will be deprecated in the future.

Also, I found the docker.io one has many OS-level dependencies. I didn't compare which packages differ between cflinuxfs3 and bionic, because there are too many. But I found cflinuxfs3 has 119 packages and bionic (the build image) has 181 packages.

So I assume the above difference is why bionic has fewer vulnerability issues than cflinuxfs3.

For gcr.io/paketo-buildpacks/builder:latest, it has the vulnerability issues below:

Vulnerable Packages Found
=========================
Vulnerability ID   Policy Status   Affected Packages   How to Resolve
CVE-2018-1000500   Active          busybox-initramfs   Upgrade busybox-initramfs to >= 1:1.27.2-2ubuntu3.3
To see the details about the fixes for these packages, run the command again with the '--extended' flag.
Configuration Issues Found
==========================
Configuration Issue ID                                 Policy Status   Security Practice                                    How to Resolve
system_configuration:Linux.9-0-a                       Active          SSH server package, openssh-server of version        checking if ssh server is installed
                                                                       1:7.6p1-4ubuntu0.3, found. SSH server package,
                                                                       openssh-sftp-server of version 1:7.6p1-4ubuntu0.3,
                                                                       found.
system_configuration:Linux.20-0-b                      Active          PasswordAuthentication not found in sshd_config.     SSHD password enabled check
                                                                       Default value is yes.
application_configuration:ssh.PasswordAuthentication   Active          Enables or disables password-based authentication.   PasswordAuthentication is not defined in
                                                                                                                            /etc/ssh/sshd_config. Password-based
                                                                                                                            authentication is enabled by default in SSH.
application_configuration:ssh.PermitRootLogin          Active          Enables root login.                                  PermitRootLogin is not defined in
                                                                                                                            /etc/ssh/sshd_config. Root login in SSH is enabled
                                                                                                                            by default.

And for the docker.io one, index.docker.io/paketobuildpacks/builder:full, it has one vulnerability issue:

The scan results show that 1 ISSUE was found for the image.
Vulnerable Packages Found
=========================
Vulnerability ID   Policy Status   Affected Packages   How to Resolve
CVE-2018-7738      Active          util-linux          Upgrade util-linux to >= 2.31.1-0.4ubuntu3.7
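An added example (not code from the issue thread or from the Shipwright or Paketo projects) that performs the checks discussed in the comment above offline: it compares the two manifest digests, reads the stack id from the image labels, diffs the installed package lists, flags the sshd packages the scan reported in the gcr.io image, and rewrites the chosen reference to an immutable `@sha256:` form. The `docker image inspect` JSON and the `dpkg-query` listings are constructed samples; only the two digests come from the thread. The label name `io.buildpacks.stack.id`, the short package lists and all helper names are assumptions.

```python
"""Offline comparison of two builder images from captured tool output."""
import json
import re
from typing import Dict, List, Set

# --- constructed inputs -------------------------------------------------------

# Stand-in for: docker image inspect gcr.io/paketo-buildpacks/builder:latest
INSPECT_GCR = json.dumps([{
    "RepoDigests": [
        "gcr.io/paketo-buildpacks/builder@sha256:c7912d42ac8df647a1a3d24090bd5fa6a7170df0e297755b2c3c92911396a611"
    ],
    # label name assumed (CNB stack id label)
    "Config": {"Labels": {"io.buildpacks.stack.id": "org.cloudfoundry.stacks.cflinuxfs3"}},
}])

# Stand-in for: docker image inspect index.docker.io/paketobuildpacks/builder:full
INSPECT_HUB = json.dumps([{
    "RepoDigests": [
        "paketobuildpacks/builder@sha256:2eb6b620f5a4ae14ad4311082b9e1fcc0f89d01a73d9c3b15b49dd0e615fee68"
    ],
    "Config": {"Labels": {"io.buildpacks.stack.id": "io.buildpacks.stacks.bionic"}},
}])

# Stand-in for: docker run --rm --entrypoint dpkg-query <image> -W -f '${Package}\t${Version}\n'
# Constructed short lists; the real builders carry 119 and 181 packages.
DPKG_GCR = """\
busybox-initramfs\t1:1.27.2-2ubuntu3.2
openssh-server\t1:7.6p1-4ubuntu0.3
openssh-sftp-server\t1:7.6p1-4ubuntu0.3
util-linux\t2.31.1-0.4ubuntu3.7
"""
DPKG_HUB = """\
busybox-initramfs\t1:1.27.2-2ubuntu3.3
util-linux\t2.31.1-0.4ubuntu3.6
git\t1:2.17.1-1ubuntu0.7
"""

# --- helpers ------------------------------------------------------------------

DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def image_digest(inspect_json: str) -> str:
    """Return the registry manifest digest recorded in RepoDigests."""
    entry = json.loads(inspect_json)[0]
    for repo_digest in entry.get("RepoDigests", []):
        m = DIGEST_RE.search(repo_digest)
        if m:
            return m.group(1)
    raise ValueError("image has no RepoDigests; was it pulled from a registry?")


def stack_id(inspect_json: str) -> str:
    """Read the stack id label (assumed label name io.buildpacks.stack.id)."""
    labels = json.loads(inspect_json)[0].get("Config", {}).get("Labels") or {}
    return labels.get("io.buildpacks.stack.id", "<unlabelled>")


def parse_dpkg(listing: str) -> Dict[str, str]:
    """Parse 'package<TAB>version' lines into a {package: version} dict."""
    pkgs: Dict[str, str] = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        pkgs[name] = version
    return pkgs


def pin_by_digest(ref: str, digest: str) -> str:
    """Rewrite a tagged (or already digested) reference to name@sha256:... form."""
    name = ref.rsplit("@", 1)[0]
    last = name.split("/")[-1]
    if ":" in last:  # strip the tag, but not a registry port like host:5000
        name = name[: len(name) - len(last)] + last.split(":", 1)[0]
    return f"{name}@{digest}"


def compare(inspect_a: str, inspect_b: str, dpkg_a: str, dpkg_b: str) -> dict:
    """Report digest equality, stack ids, package counts and package-level differences."""
    pkgs_a, pkgs_b = parse_dpkg(dpkg_a), parse_dpkg(dpkg_b)
    common = set(pkgs_a) & set(pkgs_b)
    return {
        "same_digest": image_digest(inspect_a) == image_digest(inspect_b),
        "stacks": (stack_id(inspect_a), stack_id(inspect_b)),
        "package_counts": (len(pkgs_a), len(pkgs_b)),
        "only_in_a": sorted(set(pkgs_a) - set(pkgs_b)),
        "only_in_b": sorted(set(pkgs_b) - set(pkgs_a)),
        "version_differs": sorted(p for p in common if pkgs_a[p] != pkgs_b[p]),
    }


# Packages a build image should not ship; the gcr.io scan above flagged sshd.
UNWANTED: Set[str] = {"openssh-server", "openssh-sftp-server"}


def unwanted_packages(dpkg_listing: str, unwanted: Set[str] = UNWANTED) -> List[str]:
    """Return installed packages from the unwanted set, sorted."""
    return sorted(set(parse_dpkg(dpkg_listing)) & unwanted)


if __name__ == "__main__":
    report = compare(INSPECT_GCR, INSPECT_HUB, DPKG_GCR, DPKG_HUB)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("unwanted in gcr.io image:", unwanted_packages(DPKG_GCR))
    print("pinned:", pin_by_digest("index.docker.io/paketobuildpacks/builder:full",
                                   image_digest(INSPECT_HUB)))
```

In practice the inputs come from `docker image inspect <ref>` and `docker run --rm --entrypoint dpkg-query <ref> -W -f '${Package}\t${Version}\n'`. Two images built and pushed separately to different registries are not expected to share a digest, so a mismatch by itself says little; the useful output is the `@sha256:` reference for the builder you settle on, which a BuildStrategy can carry instead of `:full` or `:latest` so that a later retag in the registry cannot silently change what gets built.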

qu1queee (Contributor) commented

@xiujuan95 thanks a lot, this is helpful. I asked the Paketo folks one more question; then I think we can move to the new images.
