From 29484bfaa9d7ddc6705197700913bfbfab4e9e7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Thu, 22 Feb 2018 18:34:10 +0100 Subject: [PATCH] Update base image with latest security fixes This ensures freshly built kolla images include the latest security fixes for severity Important and above. This was suggested by Jon Schlueter and based on the code available at https://github.com/brianwcook/happywebserver/blob/master/Dockerfile#L27 Change-Id: Ib14f326a335d9519fb888f5486950275985a788c (cherry picked from commit 38f18f2d1280d7429a7be45b993bb5f166f39134) --- docker/base/Dockerfile.j2 | 9 ++++++--- .../update_rpm_security_fixes-f99a3fa509cb5b3b.yaml | 4 ++++ 2 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 9a156fa69b..b01a7122b0 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -166,7 +166,8 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 rpm --import {{ key }} \ {% endfor -%} {%- if base_centos_yum_repo_keys|customizable('centos_yum_repo_keys')|length == 0 %}RUN {% else %} && {% endif -%} - yum clean all + yum -y update --security --sec-severity=Important --sec-severity=Critical \ + && yum clean all {% endif %} {# Endif for base_distro centos #} @@ -182,11 +183,12 @@ RUN yum -y install \ && yum-config-manager --enable rhel-7-server-optional-rpms \ && yum -y install \ yum-plugin-priorities \ - && yum clean all \ && yum-config-manager --enable rhel-7-server-extras-rpms \ && yum-config-manager --enable rhel-7-server-rhceph-2-osd-rpms \ && yum-config-manager --enable rhel-7-server-rhceph-2-mon-rpms \ - && yum-config-manager --enable rhel-7-server-rhceph-2-tools-rpms + && yum-config-manager --enable rhel-7-server-rhceph-2-tools-rpms \ + && yum -y update --security --sec-severity=Important --sec-severity=Critical \ + && yum clean all {% endblock %} {% endif %} 
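Review bot: In the CentOS hunk (`@@ -166,7 +166,8 @@`) the added `yum -y update --security --sec-severity=Important --sec-severity=Critical` only selects packages that the enabled repositories' updateinfo (errata) metadata marks as security advisories, and as far as I know the stock CentOS 7 repositories do not publish that metadata. If so, yum reports nothing to update and exits 0, so CentOS-based images stay unpatched while the build looks successful. Worth confirming with `yum updateinfo summary` in a test build; if it comes back empty, use plain `yum -y update` in this branch, or at least add a template comment such as `{# --security depends on updateinfo metadata in the enabled repos; without it this step updates nothing #}`. The RUN instruction starts above the hunk, so the repos enabled at this point are not visible here.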
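Review bot: The update added at the end of the RHEL RUN (`@@ -182,11 +183,12 @@`) runs only when that layer is actually rebuilt, because the instruction text is static and a builder that reuses the Docker layer cache will serve the layer from an earlier build; the CentOS and Oracle Linux hunks (`-166`, `-216`) behave the same way. The release note's "at the time of build" therefore holds for uncached builds only, and the `--sec-severity` filter also leaves out Moderate and Low advisories. I would document both next to the command, for example `{# Applied only when this layer is rebuilt (no cache); covers Important and Critical advisories only #}`. Both RUN instructions begin outside their hunks.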
@@ -216,6 +218,7 @@ RUN yum -y install \ && yum-config-manager --enable ol7_optional_latest ol7_addons \ && yum -y install \ yum-plugin-priorities \ + && yum -y update --security --sec-severity=Important --sec-severity=Critical \ && yum clean all {% endblock %} diff --git a/releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml b/releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml new file mode 100644 index 0000000000..8c1cb65990 --- /dev/null +++ b/releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml @@ -0,0 +1,4 @@ +--- +features: + - RPM based container images now include the latest security fixes available + at the time of build.