odpi / egeria

Egeria core
https://egeria-project.org
Apache License 2.0

UBI image for 'configure' container? #5912

Open planetf1 opened 2 years ago

planetf1 commented 2 years ago

The egeria container image is based on the Red Hat UBI 8 openjdk base image. See https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image . This is a supported, secure, OCI compliant image that passes container security checks on quay.io.

However we also use some other containers to support demos and UI, which are based on lighter images such as alpine, and these may not be as secure.

Full data is available on quay.io by selecting the image under https://quay.io/organization/odpi, for example the egeria base image at https://quay.io/repository/odpi/egeria?tab=tags

We should consider using secure base images for all the container images we build (not just in egeria, but in other projects such as our connectors)

The downside is that newer images may increase the memory footprint - this may in particular be more painful on arm platforms. (The mitigation there may be needing alternate image definitions.)

cc: @lpalashevski

planetf1 commented 2 years ago

We still have

cmgrote commented 2 years ago

The small configure image is used in various places where Jupyter is not needed, in particular for parts of setting up the PTS and CTS charts -- so keen we keep that image as its own image (nice and small).

planetf1 commented 2 years ago

#289 and #311 address updating our UI containers to UBI.

Focus here on 'configure'. There is a new UBI micro image. Will review security scans / docs and figure out next step for this container.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

planetf1 commented 2 years ago

I'm thinking that perhaps we can remove this container entirely, and use a regular image (the lightest 'UBI' image ideally as it provides a better security stance).

We only use this image for simple scripts, which can be injected through a volume mount/config map or similar techniques.

This would mean one less image to maintain and scan, and allow our process to focus on the egeria specifics.
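
The approach proposed in the comment above, sketched as a Kubernetes manifest. This is an added example, not part of the thread or the Egeria charts: the resource names, the `EGERIA_ENDPOINT` variable, its value and the script body are hypothetical, and the UBI micro image mentioned earlier in the thread is used as the stock base.

```yaml
# Added example: names, the endpoint value and the script body are hypothetical.
apiVersion: v1
kind: ConfigMap
metadata:
  name: egeria-configure-scripts   # hypothetical name
data:
  configure.sh: |
    #!/bin/bash
    # Constructed placeholder; the real configuration script would go here.
    set -euo pipefail
    echo "configuring against ${EGERIA_ENDPOINT}"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: egeria-configure           # hypothetical name
spec:
  backoffLimit: 2
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false   # script needs no Kubernetes API access
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001                     # image default is root, so set a UID
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: configure
          # Stock base image with no added tools; pin by digest in real use.
          image: registry.access.redhat.com/ubi8/ubi-micro
          command: ["/bin/bash", "/scripts/configure.sh"]
          env:
            - name: EGERIA_ENDPOINT         # hypothetical variable
              value: "https://egeria.example.internal:9443"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: scripts
              mountPath: /scripts
              readOnly: true
      volumes:
        - name: scripts
          configMap:
            name: egeria-configure-scripts
            defaultMode: 0444               # read-only; bash is invoked explicitly
```

The micro image ships no package manager, so any tool the scripts call must already be present in whichever stock image is chosen.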

planetf1 commented 1 year ago

This image should be harmless, but can likely be replaced with use of a standard, simple image, without any added tools.