cloud-native-toolkit / planning

This is the planning repo to manage the cross-project Epics and Issues, Tasks and Bugs.

Updated image security content #729

Open bwoolf1 opened 3 years ago

bwoolf1 commented 3 years ago

Red Hat components in the container image cannot contain any critical or important vulnerabilities, as defined at https://access.redhat.com/security/updates/classification

Red Hat Container Certification requires that an image must have the latest security patches available at the time it was built. This is accomplished by running this command:

yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical

bwoolf1 commented 3 years ago

To do this in a Dockerfile, add this:

USER root
RUN yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && yum clean all
USER default

Sean Sundberg explains:

The one thing to be aware of is yum must be run as root. The UBI image switches to a user called default so you will need to switch users in between commands.

bwoolf1 commented 3 years ago

Learned today that the minimal UBIs don't have yum built in. We're supposed to use microdnf instead.

Using Red Hat Universal Base Images (Standard, Minimal, and Runtimes)
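Putting the three comments together, here is an added example (not from the issue or the toolkit's own repos) of a single Dockerfile that applies the build-time security patching to either a standard UBI or a minimal UBI, picking yum or microdnf depending on which one the base image ships. The base image names, the BASE build arg, and the non-root user named default are assumptions; it also assumes microdnf has no equivalent of yum's update-minimal and severity filters, so a full update is used on the minimal image.

```dockerfile
# Added example: build-time security patching for UBI-based images.
# Select the base image at build time, e.g.
#   docker build --build-arg BASE=registry.access.redhat.com/ubi8/ubi-minimal .
ARG BASE=registry.access.redhat.com/ubi8/ubi
FROM ${BASE}

# Package managers need root; the base image is assumed to run as a
# non-root user called "default", so switch to root for the update only.
USER root

# Standard UBI: apply only Important/Critical security errata with yum
# (the command from the issue). Minimal UBI: yum is absent, so fall back
# to microdnf, which (assumed) has no update-minimal/--sec-severity
# filters and therefore gets a full update. Either way, clean the cache
# so stale metadata is not baked into the image layer.
RUN if command -v yum >/dev/null 2>&1; then \
      yum -y update-minimal --security \
          --sec-severity=Important --sec-severity=Critical \
      && yum clean all; \
    else \
      microdnf update -y && microdnf clean all; \
    fi

# Drop privileges again so the application does not run as root.
USER default
```

Because the patches are applied at build time, the image has to be rebuilt (not just redeployed) to pick up errata published after the last build.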