`noble-chiseled`

[mathieu-benoit]

Moving from alpine to chiseled (i.e. distroless).

Resources:

• https://devblogs.microsoft.com/dotnet/whats-new-for-dotnet-in-ubuntu-2404/
• https://github.com/dotnet/dotnet-docker/blob/main/samples/releasesapi/Dockerfile.ubuntu-chiseled
• https://build.microsoft.com/en-US/sessions/fe58e8ce-6a0d-42d9-911f-9ebfe44d6dad

Todos:

• [X] Test locally Docker --> make compose-test
• [X] Test locally with Kind cluster --> make k8s-test
• [X] Test in my GKE cluster --> humctl score deploy
• [X] Compare differences between before and after for size, number of packages and number of CVEs
• [X] Confirm the use of noble (Ubuntu 24.04) versus jammy (Ubuntu 22.04) --> noble is LTS
• [X] Contribute to the OnlineBoutique sample apps repo with the same approach: https://github.com/GoogleCloudPlatform/microservices-demo/pull/2568
• [X] Confirm the use of nightly container images (for the support of -aot) - -aot are in Preview for now, but I can live with this, because of all the benefits (size, etc.)
• [x] Update my blog posts:
  • [x] https://medium.com/p/c68ba253844a
  • [X] https://medium.com/p/caac35250e0b

Size (+1.5 MB)

• Before: 40.9 MB
• After: 42.4 MB --> +1.5 MB, I can live with this, that's for sure! ;)

Packages (-11 packages)

Note: syft was used.

Before:

✔ Packages                               [17 packages]
   ├── ✔ File digests                    [81 files]
   ├── ✔ File metadata                   [81 locations]
   └── ✔ Executables                     [21 executables]
NAME                    VERSION                 TYPE
alpine-baselayout       3.4.3-r1                apk
alpine-baselayout-data  3.4.3-r1                apk
alpine-keys             2.4-r1                  apk
apk-tools               2.14.0-r2               apk
busybox                 1.36.1-r5               apk
busybox-binsh           1.36.1-r5               apk
ca-certificates-bundle  20230506-r0             apk
libc-utils              0.7.2-r5                apk
libcrypto3              3.1.4-r5                apk
libgcc                  12.2.1_git20220924-r10  apk
libssl3                 3.1.4-r5                apk
libstdc++               12.2.1_git20220924-r10  apk
musl                    1.2.4-r2                apk
musl-utils              1.2.4-r2                apk
scanelf                 1.3.7-r1                apk
ssl_client              1.36.1-r5               apk
zlib                    1.2.13-r1               apk

After:

✔ Packages                               [6 packages]
   └── ✔ Executables                     [30 executables]
NAME             VERSION                TYPE
base-files       13ubuntu10             deb
ca-certificates  20240203               deb
libc6            2.39-0ubuntu8          deb
libgcc-s1        14-20240412-0ubuntu1   deb
libssl3t64       3.0.13-0ubuntu3        deb
zlib1g           1:1.3.dfsg-3.1ubuntu2  deb

CVEs (+2 LOW and -4 MEDIUM)

Note: trivy was used.

Before:

(alpine 3.18.6)

Total: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42366 │ MEDIUM   │ fixed  │ 1.36.1-r5         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                           │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
├───────────────┤                │          │        │                   │               │                                                           │
│ busybox-binsh │                │          │        │                   │               │                                                           │
│               │                │          │        │                   │               │                                                           │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-4603  │          │        │ 3.1.4-r5          │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
│               │                │          │        │                   │               │ parameters                                                │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│               │                │          │        │                   │               │ TLSv1.3                                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2024-4603  │ MEDIUM   │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
│               │                │          │        │                   │               │ parameters                                                │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│               │                │          │        │                   │               │ TLSv1.3                                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42366 │ MEDIUM   │        │ 1.36.1-r5         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                           │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

After:

(ubuntu 24.04)

Total: 5 (UNKNOWN: 0, LOW: 4, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬──────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │  Status  │ Installed Version │  Fixed Version  │                           Title                            │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ libc6      │ CVE-2024-2961  │ MEDIUM   │ fixed    │ 2.39-0ubuntu8     │ 2.39-0ubuntu8.1 │ glibc: Out of bounds write in iconv may lead to remote     │
│            │                │          │          │                   │                 │ code...                                                    │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-2961                  │
│            ├────────────────┼──────────┼──────────┤                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2016-20013 │ LOW      │ affected │                   │                 │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│            │                │          │          │                   │                 │ cause a denial of...                                       │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2016-20013                 │
├────────────┼────────────────┤          │          ├───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ libssl3t64 │ CVE-2024-2511  │          │          │ 3.0.13-0ubuntu3   │                 │ openssl: Unbounded memory growth with session handling in  │
│            │                │          │          │                   │                 │ TLSv1.3                                                    │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-2511                  │
│            ├────────────────┤          │          │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2024-4603  │          │          │                   │                 │ openssl: Excessive time spent checking DSA keys and        │
│            │                │          │          │                   │                 │ parameters                                                 │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-4603                  │
│            ├────────────────┤          │          │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2024-4741  │          │          │                   │                 │ openssl: Use After Free with SSL_free_buffers              │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-4741                  │
└────────────┴────────────────┴──────────┴──────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

[github-actions[bot]]

Deployment successfully completed for PR-130! :tada:

View in Humanitec

Deployment ID: 17d4571840236c19

Domains:

my-sample-workload: helloworld-preview.endpoints.mathieu-benoit-gcp.cloud.goog

Deployment diff

### Deployment diff: ```json { "modules": { "add": null, "remove": [], "update": { "my-sample-workload": [ { "from": "", "op": "replace", "path": "/spec/containers/my-sample-container/image", "value": "us-east4-docker.pkg.dev/mathieu-benoit-gcp/containers/my-sample-app@sha256:eb0c1dfeebe96cb4a4ed523dc9560baecdbf97fecbcc63d65b3e259ccf4392d1" }, { "from": "", "op": "replace", "path": "/spec/annotations/humanitec.io~1workload-source", "value": "https://github.com/mathieu-benoit/sail-sharp/blob/noble-chiseled/score/score.yaml" } ] } }, "shared": null } ```

Active Resources Usage

### Active Resources Usage: ```none ResType Class ResID Usage Last referencing deployment Last referencing deployment created ago agent default agent current deploy 17d4571840236c19 33.200372532s base-env default base-env current deploy 17d4571840236c19 33.200375608s k8s-cluster default k8s-cluster current deploy 17d4571840236c19 33.200377782s k8s-namespace default k8s-namespace current deploy 17d4571840236c19 33.200379535s logging default logging current deploy 17d4571840236c19 33.200381569s k8s-service-account default modules.my-sample-workload current deploy 17d4571840236c19 33.200383473s workload default modules.my-sample-workload current deploy 17d4571840236c19 33.200385136s dns default modules.my-sample-workload.externals.dns current deploy 17d4571840236c19 33.200391628s ingress default modules.my-sample-workload.externals.dns current deploy 17d4571840236c19 33.200393672s tls-cert default modules.my-sample-workload.externals.dns current deploy 17d4571840236c19 33.200395485s route default modules.my-sample-workload.externals.route current deploy 17d4571840236c19 33.200397248s ```

Resources Graph

### Resources Graph: ```none strict digraph { label="Resource Graph app: my-sample-app, env: pr-130 green: virtual nodes (environment, workloads), blue: active resources "; labelloc="t"; overlap="false"; splines="true"; "bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [ color="2", colorscheme="blues3", fillcolor="1", label="id: agent type: agent class: default provision time: 7.703029s", style="filled", tooltip="guresid: bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44", weight=0 ]; "9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.route type: route class: default provision time: 7.575169s", style="filled", tooltip="guresid: 9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819", weight=0 ]; "ea8b0d24e317d018530a0dde7e09b4fa13b44872" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns type: tls-cert class: default provision time: 537.987ms", style="filled", tooltip="guresid: ea8b0d24e317d018530a0dde7e09b4fa13b44872", weight=0 ]; "ea8b0d24e317d018530a0dde7e09b4fa13b44872" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ weight=0 ]; "a0245904c1f78f069f902742e794955f0fbe7490" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns type: ingress class: default provision time: 5.265074s", style="filled", tooltip="guresid: a0245904c1f78f069f902742e794955f0fbe7490", weight=0 ]; "a0245904c1f78f069f902742e794955f0fbe7490" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ weight=0 ]; "a0245904c1f78f069f902742e794955f0fbe7490" -> "ea8b0d24e317d018530a0dde7e09b4fa13b44872" [ weight=0 ]; "24b5e6000334e67680c33aff788054aba3a112c2" [ color="2", colorscheme="blues3", fillcolor="1", label="id: base-env type: base-env class: default provision time: 16.09061s", style="filled", tooltip="guresid: 24b5e6000334e67680c33aff788054aba3a112c2", weight=0 ]; "24b5e6000334e67680c33aff788054aba3a112c2" -> "bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [ weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload type: workload class: default provision time: 290.309ms", style="filled", tooltip="guresid: fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02", weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [ weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "e107aecb05f615f64b28f083531d269f4751d6ed" [ weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ weight=0 ]; "base" [ color="2", colorscheme="greens3", fillcolor="1", label="base", style="filled", weight=0 ]; "base" -> "24b5e6000334e67680c33aff788054aba3a112c2" [ weight=0 ]; "e107aecb05f615f64b28f083531d269f4751d6ed" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload type: k8s-service-account class: default provision time: 7.826071s", style="filled", tooltip="guresid: e107aecb05f615f64b28f083531d269f4751d6ed", weight=0 ]; "my-sample-workload" [ color="2", colorscheme="greens3", fillcolor="1", label="workload.my-sample-workload", style="filled", weight=0 ]; "my-sample-workload" -> "base" [ weight=0 ]; "my-sample-workload" -> "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [ weight=0 ]; "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns type: dns class: default provision time: 7.450157s", style="filled", tooltip="guresid: 9b1023243fcdaa4ad72ceb7c3e2588cc1977835a", weight=0 ]; } ```

[mathieu-benoit]

Not merging this for now for 2 reasons:

• Aot is apparently not supported by noble-chiseled? When adding this RUN apt install -y clang zlib1g-dev in the Dockerfile, getting this error: Unable to locate package clang.
• The previous size of the container image on disk was 40.9 MB, here it's now 114 MB... too big... I understand that the number of packages (not alpine/buybox based is more secure) but want to keep the size small for now...

[mathieu-benoit]

Wow, actually Aot is apparently supported by noble-chiseled, based on this: https://github.com/dotnet/dotnet-docker/blob/main/samples/releasesapi/Dockerfile.ubuntu-chiseled, even if it's in nightly container images. Now the size on disk is 42.4 MB, which is quite similar to the previous one based on alpine.

[github-actions[bot]]

Deployment successfully completed for PR-130! :tada:

View in Humanitec

Deployment ID: 17d45b3638288ebf

Domains:

my-sample-workload: helloworld-preview.endpoints.mathieu-benoit-gcp.cloud.goog

Deployment diff

### Deployment diff: ```json { "modules": { "add": null, "remove": [], "update": { "my-sample-workload": [ { "from": "", "op": "replace", "path": "/spec/containers/my-sample-container/image", "value": "us-east4-docker.pkg.dev/mathieu-benoit-gcp/containers/my-sample-app@sha256:0763010615fb3d3c47d84c3384c057d8bf0d0a50478d1a7c9b9f263582976f9c" }, { "from": "", "op": "replace", "path": "/spec/annotations/humanitec.io~1workload-source", "value": "https://github.com/mathieu-benoit/sail-sharp/blob/noble-chiseled/score/score.yaml" } ] } }, "shared": null } ```

Active Resources Usage

### Active Resources Usage: ```none ResType Class ResID Usage Last referencing deployment Last referencing deployment created ago agent default agent current deploy 17d45b3638288ebf 35.571985809s base-env default base-env current deploy 17d45b3638288ebf 35.571987562s k8s-cluster default k8s-cluster current deploy 17d45b3638288ebf 35.571988604s k8s-namespace default k8s-namespace current deploy 17d45b3638288ebf 35.571989255s logging default logging current deploy 17d45b3638288ebf 35.571989947s k8s-service-account default modules.my-sample-workload current deploy 17d45b3638288ebf 35.571990628s workload default modules.my-sample-workload current deploy 17d45b3638288ebf 35.571991329s dns default modules.my-sample-workload.externals.dns current deploy 17d45b3638288ebf 35.57199197s ingress default modules.my-sample-workload.externals.dns current deploy 17d45b3638288ebf 35.571992681s tls-cert default modules.my-sample-workload.externals.dns current deploy 17d45b3638288ebf 35.571993303s route default modules.my-sample-workload.externals.route current deploy 17d45b3638288ebf 35.571993904s ```

Resources Graph

### Resources Graph: ```none strict digraph { label="Resource Graph app: my-sample-app, env: pr-130 green: virtual nodes (environment, workloads), blue: active resources "; labelloc="t"; overlap="false"; splines="true"; "bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [ color="2", colorscheme="blues3", fillcolor="1", label="id: agent type: agent class: default provision time: 8.619857s", style="filled", tooltip="guresid: bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44", weight=0 ]; "24b5e6000334e67680c33aff788054aba3a112c2" [ color="2", colorscheme="blues3", fillcolor="1", label="id: base-env type: base-env class: default provision time: 16.075728s", style="filled", tooltip="guresid: 24b5e6000334e67680c33aff788054aba3a112c2", weight=0 ]; "24b5e6000334e67680c33aff788054aba3a112c2" -> "bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [ weight=0 ]; "ea8b0d24e317d018530a0dde7e09b4fa13b44872" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns type: tls-cert class: default provision time: 704.768ms", style="filled", tooltip="guresid: ea8b0d24e317d018530a0dde7e09b4fa13b44872", weight=0 ]; "ea8b0d24e317d018530a0dde7e09b4fa13b44872" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ weight=0 ]; "e107aecb05f615f64b28f083531d269f4751d6ed" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload type: k8s-service-account class: default provision time: 8.737589s", style="filled", tooltip="guresid: e107aecb05f615f64b28f083531d269f4751d6ed", weight=0 ]; "my-sample-workload" [ color="2", colorscheme="greens3", fillcolor="1", label="workload.my-sample-workload", style="filled", weight=0 ]; "my-sample-workload" -> "base" [ weight=0 ]; "my-sample-workload" -> "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [ weight=0 ]; "a0245904c1f78f069f902742e794955f0fbe7490" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns type: ingress class: default provision time: 4.856889s", style="filled", tooltip="guresid: a0245904c1f78f069f902742e794955f0fbe7490", weight=0 ]; "a0245904c1f78f069f902742e794955f0fbe7490" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ weight=0 ]; "a0245904c1f78f069f902742e794955f0fbe7490" -> "ea8b0d24e317d018530a0dde7e09b4fa13b44872" [ weight=0 ]; "9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.route type: route class: default provision time: 8.440291s", style="filled", tooltip="guresid: 9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819", weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload type: workload class: default provision time: 367.893ms", style="filled", tooltip="guresid: fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02", weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "e107aecb05f615f64b28f083531d269f4751d6ed" [ weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [ weight=0 ]; "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ weight=0 ]; "base" [ color="2", colorscheme="greens3", fillcolor="1", label="base", style="filled", weight=0 ]; "base" -> "24b5e6000334e67680c33aff788054aba3a112c2" [ weight=0 ]; "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns type: dns class: default provision time: 8.211393s", style="filled", tooltip="guresid: 9b1023243fcdaa4ad72ceb7c3e2588cc1977835a", weight=0 ]; } ```