Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add minimal ubi8 container #61

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

elezar
Copy link
Member

@elezar elezar commented Jul 5, 2024

This change adds tooling to produce a minimal container image.

The redhat/ubi8-minimal image is queried for a list of packages and the nvidia/cuda:12.5.0-base-ubi8 image is updated to match the packages in the minimal image.

This is done by:

  • removing the cuda-* packages and repositories
  • installing microdnf
  • removing dnf and python packages
  • removing packages that are not in the list of minimal packages

Running docker scout we see:



## Overview

                    │       Analyzed Image         
────────────────────┼──────────────────────────────
  Target            │  devel:latest                
    digest          │  e937ec035f9c                
    platform        │ linux/amd64                  
    vulnerabilities │    0C     4H     0M     0L   
    size            │ 186 MB                       
    packages        │ 126                          


## Packages and Vulnerabilities

   0C     2H     0M     0L  nghttp2 1.33.0-6.el8_10.1
pkg:rpm/redhatlinux/[email protected]_10.1?os_name=redhatlinux&os_version=8

    ✗ HIGH CVE-2024-28182 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2024-28182?s=redhat&n=nghttp2&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    
    ✗ HIGH CVE-2024-27316 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2024-27316?s=redhat&n=nghttp2&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    

   0C     1H     0M     0L  glibc 2.28-251.el8_10.2
pkg:rpm/redhatlinux/[email protected]_10.2?os_name=redhatlinux&os_version=8

    ✗ HIGH CVE-2024-2961 [Out-of-bounds Write]
      https://scout.docker.com/v/CVE-2024-2961?s=redhat&n=glibc&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 8.8                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
    

   0C     1H     0M     0L  openssl 1:1.1.1k-12.el8_9
pkg:rpm/redhatlinux/openssl@1:1.1.1k-12.el8_9?os_name=redhatlinux&os_version=8

    ✗ HIGH CVE-2024-4741 [Use After Free]
      https://scout.docker.com/v/CVE-2024-4741?s=redhat&n=openssl&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 8.1                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  
    


4 vulnerabilities found in 3 packages
  LOW       0  
  MEDIUM    0  
  HIGH      4  
  CRITICAL  0  


What's next:
    View base image update recommendations → docker scout recommendations devel:latest

Which matches the output for redhat/uib8-minimal

For comparison, the nvidia/cuda:12.5.0-base-ubi8 images has the following report:



## Overview

                    │         Analyzed Image          
────────────────────┼─────────────────────────────────
  Target            │  nvidia/cuda:12.5.0-base-ubi8   
    digest          │  67b36854acea                   
    platform        │ linux/amd64                     
    vulnerabilities │    0C     6H     0M     0L      
    size            │ 139 MB                          
    packages        │ 259                             


## Packages and Vulnerabilities

   0C     2H     0M     0L  nghttp2 1.33.0-5.el8_9
pkg:rpm/redhatlinux/[email protected]_9?os_name=redhatlinux&os_version=8

    ✗ HIGH CVE-2024-28182 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2024-28182?s=redhat&n=nghttp2&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    
    ✗ HIGH CVE-2024-27316 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2024-27316?s=redhat&n=nghttp2&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    

   0C     1H     0M     0L  urllib3 1.24.2
pkg:pypi/[email protected]

    ✗ HIGH CVE-2021-33503
      https://scout.docker.com/v/CVE-2021-33503?s=pypa&n=urllib3&t=pypi&vr=%3C1.26.5
      Affected range : <1.26.5  
      Fixed version  : 1.26.5   
    

   0C     1H     0M     0L  setuptools 39.2.0
pkg:pypi/[email protected]

    ✗ HIGH CVE-2022-40897 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-40897?s=github&n=setuptools&t=pypi&vr=%3C65.5.1
      Affected range : <65.5.1                                       
      Fixed version  : 65.5.1                                        
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    

   0C     1H     0M     0L  glibc 2.28-251.el8_10.2
pkg:rpm/redhatlinux/[email protected]_10.2?os_name=redhatlinux&os_version=8

    ✗ HIGH CVE-2024-2961 [Out-of-bounds Write]
      https://scout.docker.com/v/CVE-2024-2961?s=redhat&n=glibc&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 8.8                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
    

   0C     1H     0M     0L  openssl 1:1.1.1k-12.el8_9
pkg:rpm/redhatlinux/openssl@1:1.1.1k-12.el8_9?os_name=redhatlinux&os_version=8

    ✗ HIGH CVE-2024-4741 [Use After Free]
      https://scout.docker.com/v/CVE-2024-4741?s=redhat&n=openssl&ns=redhatlinux&t=rpm&osn=redhatlinux&osv=8&vr=%3E%3D0
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 8.1                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  
    


6 vulnerabilities found in 5 packages
  LOW       0  
  MEDIUM    0  
  HIGH      6  
  CRITICAL  0  


What's next:
    View base image update recommendations → docker scout recommendations nvidia/cuda:12.5.0-base-ubi8

@elezar elezar requested review from cdesiniotis and shivamerla July 5, 2024 13:17
@elezar elezar self-assigned this Jul 5, 2024
@elezar elezar force-pushed the add-container-base-image branch from 23e137c to 3b184e2 Compare July 9, 2024 15:31
deployments/container/Dockerfile.ubi8 Outdated Show resolved Hide resolved
deployments/container/Dockerfile.ubi8 Outdated Show resolved Hide resolved
deployments/container/Dockerfile.ubi8 Outdated Show resolved Hide resolved
@elezar elezar force-pushed the add-container-base-image branch 2 times, most recently from d626e53 to 1fdf538 Compare July 11, 2024 11:32
@elezar elezar requested a review from tariq1890 July 11, 2024 13:28
python* \
dnf*

microdnf remove \

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this ensure there are no broken dependencies? i.e remaining packages in the cuda:12.5.0-base-ubi8 might have dependencies on packages removed with the minimal list as a reference?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my testing, microdnf still respects package dependencies, meaning that if x depends on y, one cannot remove y.

For example, let's say we want to remove openssl we see the following in the image:

$ microdnf remove openssl*
error: Could not depsolve transaction; 1 problem detected:
 Problem: package curl-7.61.1-34.el8.x86_64 from @System requires libcrypto.so.1.1()(64bit), but none of the providers can be installed
  - package curl-7.61.1-34.el8.x86_64 from @System requires libssl.so.1.1()(64bit), but none of the providers can be installed
  - conflicting requests
  - problem with installed package curl-7.61.1-34.el8.x86_64

Signed-off-by: Evan Lezar <[email protected]>
@elezar elezar force-pushed the add-container-base-image branch from 1fdf538 to f78ed87 Compare July 15, 2024 14:29
@elezar elezar marked this pull request as draft August 27, 2024 18:43
@elezar
Copy link
Member Author

elezar commented Aug 27, 2024

I have created NVIDIA/k8s-device-plugin#813 with a POC for this work. Let's keep this open while we iterate on that change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants