You want to run a Docker image but it doesn't pass the vulnerability check? Here is an example on how to deal with, on the YugabyteDB image (Open Source, PostgreSQL-compatible, Distributed SQL database).
I'm using Docker scan here to check for vulnerabilities:
docker scan yugabytedb/yugabyte:22.214.171.124-b175
This returns a few critical ones, and I'll focus on CVE-2022-2526
Tested 252 dependencies for known vulnerabilities, found 1022 vulnerabilities.
That's a lot. This is a YugabyteDB image which is updated frequently, but it is based on CentOS.
Let me start a quick shell to look at it:
docker exec -it $( docker run --rm -d yugabytedb/yugabyte:126.96.36.199-b175 sleep infinity ) bash -c "bash ; pkill -f '^sleep infinity$' "
In this shell, I check the
[root@74b21c4194ea yugabyte]# cat /etc/system-release CentOS Linux release 7.9.2009 (Core) [root@74b21c4194ea yugabyte]# rpm -q systemd systemd-219-78.el7_9.5.x86_64 [root@74b21c4194ea yugabyte]# yum info systemd Loaded plugins: fastestmirror, ovl Loading mirror speeds from cached hostfile * base: pkg.adfinis.com * epel: mirror.nl.leaseweb.net * extras: pkg.adfinis.com * updates: pkg.adfinis.com Installed Packages Name : systemd Arch : x86_64 Version : 219 Release : 78.el7_9.5 Size : 23 M Repo : installed From repo : updates Summary : A System and Service Manager URL : http://www.freedesktop.org/wiki/Software/systemd License : LGPLv2+ and MIT and GPLv2+ Description : systemd is a system and service manager for Linux, compatible with : SysV and LSB init scripts. systemd provides aggressive parallelization : capabilities, uses socket and D-Bus activation for starting services, : offers on-demand starting of daemons, keeps track of processes using : Linux cgroups, supports snapshotting and restoring of the system : state, maintains mount and automount points and implements an : elaborate transactional dependency-based service control logic. It can : work as a drop-in replacement for sysvinit.
The image is based on CentOS 7.9 and
systemd is version
78.el7_9.5. The scan above says the vulnerability is fixed in release
Unfortunately this CVE is not fixed yet in CentOS:
[root@74b21c4194ea yugabyte]# rpm -q --changelog systemd | head * Mon Dec 06 2021 systemd maintenance team <email@example.com> - 219-78.5 - install: fix a potential crash (#1828758) - acl-util: only set the mask if not present (#2026361)
So... what are the solutions?
If the update was available, I would simply build an image with a
mkdir -p /var/tmp/build cd /var/tmp/build cat > Dockerfile <<'DOCKERFILE' FROM yugabytedb/yugabyte:188.8.131.52-b175 RUN yum update -y DOCKERFILE docker build -t yugabytedb/yugabyte:184.108.40.206-b175-20220831 docker scan yugabytedb/yugabyte:220.127.116.11-b175-20220831
Unfortunately, as seen above, in my case the vulnerability I'm interested in is not fixed with the latest CentOS update.
Note that all YugabyteDB images are updated each time a new release or build is pushed, so you probably don't need to do this.
However, CentOS lags in fixes. A scan on my new image shows only 3 fixed vulnerabilities since the YugabyteDB image push:
Tested 252 dependencies for known vulnerabilities, found 1019 vulnerabilities.
I need a CentOS compatible distribution with fresh updates.
Oracle Linux is a free CentOS alternative, with better support. The provide a quick script to move from CentOS to Oracle Linux. The only change I do is disable the GRUB config. Here is my Dockerfile to build the new image:
mkdir -p /var/tmp/build cd /var/tmp/build cat > Dockerfile <<'DOCKERFILE' FROM yugabytedb/yugabyte:18.104.22.168-b175 RUN yum update -y # https://blogs.oracle.com/scoter/post/switching-from-centos-to-oracle-linux-a-hands-on-example RUN curl -O https://raw.githubusercontent.com/oracle/centos2ol/main/centos2ol.sh # Don't config grub in a container (will get /usr/sbin/grub2-probe: error: failed to get canonical path of `overlay') RUN sed -e 's/grub2-mkconfig/: &/' -i centos2ol.sh RUN bash centos2ol.sh # already updated, but just in case RUN yum update DOCKERFILE docker build -t yugabytedb/yugabyte:22.214.171.124-b175-ol7 . docker scan yugabytedb/yugabyte:126.96.36.199-b175-ol7
This is much better, with most of scanned vulnerabilities fixed:
Tested 275 dependencies for known vulnerabilities, found 81 vulnerabilities.
And my CVE is part of the fixed ones. The only vulnerabilities remaining are on
openssl package. I didn't check why they are not fixed. Anyway, your enterprise has probably its own list of vulnerabilities to check.
Here is my quick test, starting
yugabyted and check that all is ok:
docker logs -f $( docker run --rm -d yugabytedb/yugabyte:188.8.131.52-b175-ol7 yugabyted start )
Oracle Linux is a free alternative to CentOS, so the above makes it easy to get the latest OS updates for your Docker image.