Update Pegleg base image to use Ubuntu 16.04

Currently the Pegleg base image is python:3.6. After a full build of
the Pegleg image and pushing it to quay, it was discovered that the
final image had more than 600 vulnerabilities in the image scan
report [0].

When inspecting other Airship projects it became evident that only
the Pegleg and Spyglass projects were using python:3.6. The remaining
projects use ubuntu:16.04 as their default base image.

Locally scanning with Clair [1] confirmed that the base image plays a
substantial role in the number and severity of vulnerabilities
present in the final Pegleg image. By switching from python:3.6 to
ubuntu:16.04 the number of vulnerabilities reported by Clair was
reduced to 130, none of which were high - from the original 600+ with
~50 high.

This patchset makes the following changes with the aim to reduce the
vulnerability count and severity in the final Pegleg image by:
1. Updating the Dockerfile for Ubuntu builds to use 16.04
2. Updating the Dockerfile to install necessary packages for Pegleg
   to run that are not included with the ubuntu:16.04 base image
3. Renaming the Dockerfile to accurately reflect the Ubuntu
   distribution
4. Updating the docker build jobs in .zuul.yaml to set the
   distribution to ubuntu_xenial
5. Updating the Makefile to set distribution to ubuntu_xenial
6. Updating the pegleg.sh script to use the correct image tag with
   the changes to the distribution in (1-5)
7. Updating the documentation to reflect that the Ubuntu base image
   is 16.04 (Xenial)

[0]: https://quay.io/repository/airshipit/pegleg/manifest/sha256:86d47bf777216eb28c4fc3594e57b0f758fd532b7e88a17ab8e5bd4f42dcd44e?tab=vulnerabilities
[1]: https://github.com/arminc/clair-scanner

Change-Id: I3c5ef761f9ea01b9673f6a2d08c499e8dc409c9d
Hughes, Alexander (ah8742) 2019-05-23 14:14:35 -05:00 committed by Alexander Hughes
parent b18c4c0093
commit 7d440b39e9
1 changed files with 27 additions and 1 deletions


@ -1,4 +1,4 @@
ARG FROM=python:3.6
ARG FROM=ubuntu:16.04
FROM ${FROM}
ARG CFSSLURL=https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
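
Review bot: the new default on the `ARG FROM=ubuntu:16.04` line is a mutable tag, so the image that was scanned with Clair is not necessarily the image a later build pulls, and the vulnerability count quoted in the commit message cannot be reproduced from this line alone. Consider pinning the default by digest (`ubuntu:16.04@sha256:<digest>`, placeholder) and bumping it deliberately, while keeping `FROM` overridable as a build argument.
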
@ -9,6 +9,32 @@ LABEL org.opencontainers.image.source='https://opendev.org/airship/pegleg'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8
RUN set -ex \
&& apt-get update -qq \
&& apt-get install -y --no-install-recommends \
ca-certificates \
curl \
gcc \
git \
libssl-dev \
netbase \
python3-dev \
python3-pip \
python3-setuptools \
&& python3 -m pip install -U pip \
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& rm -rf \
/tmp/* \
/usr/share/doc \
/usr/share/doc-base \
/usr/share/man \
/var/lib/apt/lists/* \
/var/tmp/*
VOLUME /var/pegleg
WORKDIR /var/pegleg
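
Review bot: `gcc`, `python3-dev`, `libssl-dev` and `git` in the `apt-get install` list stay in the final image, because `apt-get autoremove -yqq --purge` only removes automatically installed dependencies that are no longer needed, not packages named explicitly on the install line. If they are needed only to build Python dependencies, purge them in the same layer that performs that build, or move the build to a separate builder stage, so the compiler toolchain does not add to the package set the scanner counts. Separately, `python3 -m pip install -U pip` is unpinned, and on ubuntu:16.04 `python3` is 3.5 rather than the 3.6 of the previous base, so it is worth confirming that Pegleg and a pinned pip version both support that interpreter.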