From 38f18f2d1280d7429a7be45b993bb5f166f39134 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Andr=C3=A9?=
Date: Thu, 22 Feb 2018 18:34:10 +0100
Subject: [PATCH] Update base image with latest security fixes
This ensures freshly built kolla images include the latest security fixes for severity Important and above. This was suggested by Jon Schlueter and based on the code available at https://github.com/brianwcook/happywebserver/blob/master/Dockerfile#L27
Change-Id: Ib14f326a335d9519fb888f5486950275985a788c
---
 docker/base/Dockerfile.j2 | 9 ++++++---
 .../update_rpm_security_fixes-f99a3fa509cb5b3b.yaml | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml
diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index 4d6006c20b..c48705dbc1 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -145,7 +145,8 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 rpm --import {{ key }} \
 {% endfor -%}
 {%- if base_centos_yum_repo_keys|customizable('centos_yum_repo_keys')|length == 0 %}RUN {% else %} && {% endif -%}
- yum clean all
+ yum -y update --security --sec-severity=Important --sec-severity=Critical \
+ && yum clean all
 {% endif %}
 {# Endif for base_distro centos #}
@@ -161,11 +162,12 @@ RUN yum -y install \
 && yum-config-manager --enable rhel-7-server-optional-rpms \
 && yum -y install \
 yum-plugin-priorities \
- && yum clean all \
 && yum-config-manager --enable rhel-7-server-extras-rpms \
 && yum-config-manager --enable rhel-7-server-rhceph-2-osd-rpms \
 && yum-config-manager --enable rhel-7-server-rhceph-2-mon-rpms \
- && yum-config-manager --enable rhel-7-server-rhceph-2-tools-rpms
+ && yum-config-manager --enable rhel-7-server-rhceph-2-tools-rpms \
+ && yum -y update --security --sec-severity=Important --sec-severity=Critical \
+ && yum clean all
 {% endblock %}
 {% endif %}
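Review bot: On the CentOS branch the added `yum -y update --security --sec-severity=Important --sec-severity=Critical` will most likely update nothing, because the security filter depends on updateinfo (errata) metadata and, as far as I know, the stock CentOS 7 repositories do not publish it. The build would still succeed, so the image would silently ship without the fixes the release note promises. Either use an unfiltered `yum -y update \` in this branch, or state in the release note that the filter only takes effect on RHEL and Oracle Linux. The enclosing centos `base_distro` block starts above the hunk, so the repositories actually configured there should be checked before choosing.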
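Review bot: The severity policy is written out as a literal here, in the CentOS hunk above and in the Oracle Linux hunk at `@@ -193,6 +195,7 @@`, with no comment saying that Moderate and Low advisories are skipped. Three copies can drift apart, and the release note's "latest security fixes" reads as if every advisory were applied. I would add a template comment above each command, e.g. `{# Applies only Important and Critical security errata; lower severities are not updated #}`, and consider defining the command once in a Jinja variable. The RUN instruction this hunk modifies begins above the hunk.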
@@ -193,6 +195,7 @@ RUN yum -y install \
 && yum-config-manager --enable ol7_optional_latest ol7_addons \
 && yum -y install \
 yum-plugin-priorities \
+ && yum -y update --security --sec-severity=Important --sec-severity=Critical \
 && yum clean all
 {% endblock %}
diff --git a/releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml b/releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml
new file mode 100644
index 0000000000..8c1cb65990
--- /dev/null
+++ b/releasenotes/notes/update_rpm_security_fixes-f99a3fa509cb5b3b.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - RPM based container images now include the latest security fixes available
+ at the time of build.