search

GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0
18.91k stars 1.16k forks source link

base - libssl1 and libssl1.1 package metadata #1332

Open sozercan opened 1 year ago

sozercan commented 1 year ago

Describe the bug Latest distroless/base (73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d) adds libssl1.1 package metadata to /var/lib/dpkg/status.d/

File is called libssl1.1 https://explore.ggcr.dev/layers/gcr.io/distroless/base@sha256:559bc54043fc1429f1b9c4e16f52670c7861b7c7fd4125129c29c924b293c2b2/var/lib/dpkg/status.d/ (latest as of this issue creation) 2758d0c3 -rw-r--r-- 0/0 791 2023-05-26 21:30 libssl1.1

This used to be called libssl1 https://explore.ggcr.dev/layers/gcr.io/distroless/base@sha256:5f5bc92abac82e11c02bec33b6583dc5b4388a8a1a54e801d747529954ab08e0/var/lib/dpkg/status.d/ (this is from Jan 2023 digest) e1c83de8 -rw-r--r-- 0/0 793 1970-01-01 00:00 libssl1

This caused issues with images based on distroless/base like distroless-iptables where there's both libssl1 and libssl1.1. This is now fixed, below is from an older v0.1.2 tag. https://explore.ggcr.dev/layers/us.gcr.io/k8s-artifacts-prod/build-image/distroless-iptables@sha256:6e84bc9d77fa4cf90bffa090253ac4837ac4626072387a599f81ef15f1e03336/var/lib/dpkg/status.d/

33905e80 -rw-r--r-- 0/0             791 1970-01-01 00:00 libssl1
33905e80 -rw-r--r-- 0/0            9840 2022-09-23 08:23 libssl1.1

I wanted to confirm if libssl1.1 file name is the expected behavior from distroless/base going forward?

To Reproduce Steps to reproduce the behavior:

Expected behavior A clear and concise description of what you expected to happen.

Console Output If applicable, add information from your container run

Additional context Add any other context about the problem here.

loosebazooka commented 1 year ago

Yeah this probably happened with the switch off of rules_docker.

sozercan commented 7 months ago

Looks like this is an issue for libssl1.1 and libssl3 too. I can't tell if this is an issue with google/distroless or k8s/distroless-iptables since google/distroless doesn't publish tags to be able to correspond to the base of k8s/distroless-iptables.

This image also reports as bookworm, but this might be bullseye, since libssl1.1 does not exist in bookworm.

https://explore.ggcr.dev/layers/registry.k8s.io/build-image/distroless-iptables@sha256:3dd52ab0c572b777eb98214c4e4a4f6d9a94d0a2d0731b3f8980fb5766552b2d/var/lib/dpkg/status.d/

5a75ae4a -rw-r--r-- 0/0             820 2024-01-10 17:29 libssl1.1
5a75ae4a -rw-r--r-- 0/0             557 2023-10-23 17:52 libssl3
5a75ae4a -rw-r--r-- 0/0             681 2023-10-23 17:52 libssl3.md5sums

Seems fixed in the newest versions.

loosebazooka commented 7 months ago

Seems fixed in the newest versions.

not sure what you mean by this, but the latest distroless images on debian12 do not contain libssl1.1. Do you have a link to the build of this image?