[images] Decrease images size

+ update K8s patch version to v1.28.5
+ update percona-toolkit patch version to v3.5.5
+ switch to secure https postgres repository
A bunch of redundant third-party packages are installed inside the images, many with
security vulnerabilities. Implementing best practices should solve both problems.

Change-Id: I2105fe0b6058b64ae49d2977da5f1e8bad976991
astebenkova 2023-12-21 13:23:17 +02:00
parent 5506b6d4bf
commit 3824cae821
10 changed files with 160 additions and 167 deletions


@ -23,16 +23,16 @@ RUN set -xe \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update && apt-get upgrade -y \ && apt-get update && apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \ && apt-get install -y --no-install-recommends \
bash \ bash \
locales \ locales \
moreutils \ moreutils \
sudo \ sudo \
socat \ socat \
python3.8 \ python3.8 \
python3-pip \ python3-pip \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install \ && pip3 install --no-cache-dir \
oslo.rootwrap==6.3.1 \ oslo.rootwrap==6.3.1 \
&& apt-get clean -y \ && apt-get clean -y \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*

0
images/ceph-utility/Dockerfile.ubuntu_bionic Executable file → Normal file

57
images/ceph-utility/Dockerfile.ubuntu_focal Executable file → Normal file

@ -8,10 +8,10 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
org.opencontainers.image.vendor='The Airship Authors' \ org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0' org.opencontainers.image.licenses='Apache-2.0'
# Quincy 12.2.5 # Quincy 17.2.6
ARG CEPH_RELEASE=quincy ARG CEPH_RELEASE=quincy
ARG CEPH_RELEASE_TAG=17.2.6-1focal ARG CEPH_RELEASE_TAG=17.2.6-1focal
ARG KUBE_VERSION=1.28.4 ARG KUBE_VERSION=1.28.5
ARG CEPH_REPO=https://mirror.mirantis.com/acicd/ceph-quincy/ ARG CEPH_REPO=https://mirror.mirantis.com/acicd/ceph-quincy/
ARG CEPH_KEY=https://mirror.mirantis.com/acicd/ceph-quincy/release.asc ARG CEPH_KEY=https://mirror.mirantis.com/acicd/ceph-quincy/release.asc
@ -22,38 +22,37 @@ RUN set -xe \
&& sed -i '/nobody/d' /etc/passwd \ && sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update && apt-get upgrade -y \ && apt-get update && apt-get upgrade -y \
&& apt-get install -y wget curl apt-transport-https ca-certificates gnupg \ && apt-get install -y --no-install-recommends curl apt-transport-https ca-certificates gnupg \
&& apt-key add /etc/apt/ceph-${CEPH_RELEASE}.key \ && apt-key add /etc/apt/ceph-${CEPH_RELEASE}.key \
&& rm -f /etc/apt/ceph-${CEPH_RELEASE}.key \ && rm -f /etc/apt/ceph-${CEPH_RELEASE}.key \
&& echo "deb ${CEPH_REPO} focal main" | tee /etc/apt/sources.list.d/ceph.list \ && echo "deb ${CEPH_REPO} focal main" | tee /etc/apt/sources.list.d/ceph.list \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y --no-install-recommends \
bash \ bash \
moreutils \ moreutils \
vim \ vim \
sudo \ sudo \
screen \ screen \
ceph=${CEPH_RELEASE_TAG} \ ceph=${CEPH_RELEASE_TAG} \
ceph-common=${CEPH_RELEASE_TAG} \ ceph-common=${CEPH_RELEASE_TAG} \
python3-rbd \ python3-rbd \
radosgw=${CEPH_RELEASE_TAG} \ radosgw=${CEPH_RELEASE_TAG} \
hexedit \ hexedit \
jq \ jq \
s3cmd \ s3cmd \
rsyslog \ rsyslog \
rsync \ rsync \
xz-utils \ xz-utils \
iperf \ iperf \
python3.8 \ python3.8 \
python3-pip \ python3-pip \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install \ && pip3 install --no-cache-dir \
oslo.rootwrap==6.3.1 \ oslo.rootwrap==6.3.1 \
&& apt-get remove --purge -y wget apt-transport-https \
&& apt-get autoremove -y \
&& apt-get clean \
&& curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \ && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
| tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \ | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
&& apt-get purge --autoremove -y apt-transport-https \
&& apt-get clean \
&& rm -rf \ && rm -rf \
/var/lib/apt/lists/* /var/lib/apt/lists/*
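Review bot: The kubectl binary placed in /usr/bin is extracted straight from `curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz | tar ...` with no integrity check, so the image trusts whatever the redirect chain returns at build time. Since KUBE_VERSION is being bumped here anyway, I would download the tarball to a file, verify it against a SHA-256 pinned next to the version, and only then extract it. Adding `--fail` to curl also surfaces an HTTP error as a curl failure instead of a confusing tar error. The same pipe appears in the four later sections that set KUBE_VERSION, and the etcd and percona-toolkit tarballs are fetched the same way. The RUN instruction starts above this hunk.

```dockerfile
ARG KUBE_VERSION=1.28.5
# constructed placeholder: pin the published digest for this exact version
ARG KUBE_SHA256=<sha256-of-kubernetes-client-linux-amd64.tar.gz>
# … unchanged: apt repository setup, package and pip installation …
    && curl --fail --silent --show-error -L -o /tmp/kubernetes-client.tar.gz \
         https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
    && echo "${KUBE_SHA256}  /tmp/kubernetes-client.tar.gz" | sha256sum -c - \
    && tar -zxf /tmp/kubernetes-client.tar.gz -C /usr/bin --strip-components=3 --wildcards "*/*/*/kubectl" \
    && rm -f /tmp/kubernetes-client.tar.gz \
# … unchanged: apt-get purge --autoremove, apt-get clean, rm -rf /var/lib/apt/lists/* …
```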

0
images/compute-utility/Dockerfile.ubuntu_bionic Executable file → Normal file

54
images/compute-utility/Dockerfile.ubuntu_focal Executable file → Normal file

@ -8,7 +8,7 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
org.opencontainers.image.vendor='The Airship Authors' \ org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0' org.opencontainers.image.licenses='Apache-2.0'
ARG KUBE_VERSION=1.28.4 ARG KUBE_VERSION=1.28.5
ARG DEBIAN_FRONTEND=noninteractive ARG DEBIAN_FRONTEND=noninteractive
@ -16,36 +16,32 @@ RUN set -xe \
&& sed -i '/nobody/d' /etc/passwd \ && sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update && apt-get upgrade -y \ && apt-get update && apt-get upgrade -y \
&& apt-get install -y apt-transport-https \ && apt-get install -y --no-install-recommends \
bash \ bash \
ca-certificates \ ca-certificates \
openvswitch-switch \ openvswitch-switch \
curl \ curl \
gnupg \ gnupg \
hexedit \ hexedit \
iperf \ iperf \
iproute2 \ iproute2 \
jq \ jq \
moreutils \ moreutils \
radosgw \ radosgw \
rsyslog \ rsyslog \
s3cmd \ s3cmd \
rsync \ rsync \
sudo \ sudo \
wget \ xz-utils \
xz-utils \ python3.8 \
python3.8 \ python3-pip \
python3-pip \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir \
&& pip3 install \
oslo.rootwrap==6.3.1 \ oslo.rootwrap==6.3.1 \
&& apt-get remove --purge -y wget apt-transport-https \
&& apt-get autoremove -y \
&& apt-get clean \
&& curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \ && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
| tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \ | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
&& rm -rf \ && apt-get clean \
/var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \ RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \
&& sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \ && sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \


@ -9,40 +9,39 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
org.opencontainers.image.licenses='Apache-2.0' org.opencontainers.image.licenses='Apache-2.0'
ARG ETCDCTL_VERSION=v3.5.11 ARG ETCDCTL_VERSION=v3.5.11
ARG KUBE_VERSION=1.28.4 ARG KUBE_VERSION=1.28.5
ENV GOOGLE_URL=https://storage.googleapis.com/etcd ENV GOOGLE_URL=https://storage.googleapis.com/etcd
ENV GITHUB_URL=https://github.com/etcd-io/etcd/releases/download ENV GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
ENV DOWNLOAD_URL=${GITHUB_URL} ENV DOWNLOAD_URL=${GITHUB_URL}
RUN set -xe \ RUN set -xe \
&& export DEBIAN_FRONTEND=noninteractive \ && export DEBIAN_FRONTEND=noninteractive \
&& sed -i '/nobody/d' /etc/passwd \ && sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update && apt-get upgrade -y \ && apt-get update && apt-get upgrade -y \
&& apt-get install -y \ && apt-get install -y --no-install-recommends \
wget curl \ curl \
locales \ locales \
apt-transport-https \ ca-certificates \
ca-certificates \ gnupg \
gnupg \ bash \
bash \ moreutils \
moreutils \ sudo \
sudo \ rsyslog \
rsyslog \ python3.8 \
python3.8 \ python3-pip \
python3-pip \ jq \
jq \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir \
&& pip3 install \ munch \
munch \ oslo.rootwrap==6.3.1 \
oslo.rootwrap==6.3.1 \ python-openstackclient==5.8.0 \
python-openstackclient==5.8.0 \ python-swiftclient==3.13.1 \
python-swiftclient==3.13.1 \
&& curl --silent -L "${DOWNLOAD_URL}/${ETCDCTL_VERSION}/etcd-${ETCDCTL_VERSION}-linux-amd64.tar.gz" \ && curl --silent -L "${DOWNLOAD_URL}/${ETCDCTL_VERSION}/etcd-${ETCDCTL_VERSION}-linux-amd64.tar.gz" \
| tar -zC /usr/local/bin --strip-components=1 --wildcards -x "*/etcdctl" \ | tar -zC /usr/local/bin --strip-components=1 --wildcards -x "*/etcdctl" \
&& curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \ && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
| tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \ | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
&& curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \ && curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \
&& apt-get install -y --no-install-recommends /tmp/rclone.deb \ && apt-get install -y --no-install-recommends /tmp/rclone.deb \
&& apt-get clean -y \ && apt-get clean -y \
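Review bot: `https://downloads.rclone.org/rclone-current-linux-amd64.deb` is a moving target that is installed as root with neither a version pin nor a checksum, so two builds of the same commit can ship different rclone binaries and a tampered package would go unnoticed. The other downloaded tools in this file are pinned through an ARG (ETCDCTL_VERSION, KUBE_VERSION). I would do the same for rclone and verify the downloaded .deb against a pinned digest before `apt-get install -y --no-install-recommends /tmp/rclone.deb`. The curl call also lacks `--fail`, so an HTTP error body would be saved as /tmp/rclone.deb. The same two lines appear in the two later sections that install rclone, and the RUN instruction continues past the end of this hunk.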


@ -8,53 +8,53 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
org.opencontainers.image.vendor='The Airship Authors' \ org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0' org.opencontainers.image.licenses='Apache-2.0'
ARG KUBE_VERSION=1.28.4 ARG KUBE_VERSION=1.28.5
ARG MARIADB_VERSION=10.6
ARG PERCONA_TOOLKIT_VERSION=3.5.5
RUN set -xe \ RUN set -xe \
&& export DEBIAN_FRONTEND=noninteractive \ && export DEBIAN_FRONTEND=noninteractive \
&& sed -i '/nobody/d' /etc/passwd \ && sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y --no-install-recommends curl apt-transport-https ca-certificates gnupg \
wget curl \
apt-transport-https ca-certificates gnupg \
&& curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \ && curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
&& bash mariadb_repo_setup --mariadb-server-version=10.6 \ && bash mariadb_repo_setup --mariadb-server-version=${MARIADB_VERSION} \
&& apt-get update \ && apt-get update && apt-get upgrade -y \
&& apt-get upgrade -y \ && apt-get install -y --no-install-recommends \
&& apt-get install -y \ bash \
bash \ sudo \
sudo \ rsyslog \
rsyslog \ pwgen \
pwgen \ curl \
curl \ libdbi-perl \
libdbi-perl \ libdbd-mysql-perl \
libdbd-mysql-perl \ moreutils \
moreutils \ mariadb-client \
mariadb-client \ mariadb-server \
mariadb-server \ python3.8 \
python3.8 \ python3-pip \
python3-pip \ jq \
jq \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir \
&& pip3 install \
munch \ munch \
oslo.rootwrap==6.3.1 \ oslo.rootwrap==6.3.1 \
python-openstackclient==5.8.0 \ python-openstackclient==5.8.0 \
python-swiftclient==3.13.1 \ python-swiftclient==3.13.1 \
&& sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf \ && sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf \
&& apt-get clean -y \
&& curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \ && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
| tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \ | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
&& curl --silent -L https://downloads.percona.com/downloads/percona-toolkit/3.5.1/binary/tarball/percona-toolkit-3.5.1_x86_64.tar.gz \ && curl --silent -L https://downloads.percona.com/downloads/percona-toolkit/${PERCONA_TOOLKIT_VERSION}/binary/tarball/percona-toolkit-${PERCONA_TOOLKIT_VERSION}_$(arch).tar.gz \
| tar -zC /usr/local/bin/ --strip-components=2 --wildcards -x "*/*/pt-show-grants" \ | tar -zC /usr/local/bin/ --strip-components=2 --wildcards -x "*/*/pt-show-grants" \
&& curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \ && curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \
&& apt-get install -y --no-install-recommends /tmp/rclone.deb \ && apt-get install -y --no-install-recommends /tmp/rclone.deb \
&& apt-get purge --autoremove -y apt-transport-https \
&& apt-get clean -y \
&& rm -rf \ && rm -rf \
/tmp/* \ /tmp/* \
/var/cache/debconf/* \ /var/cache/debconf/* \
/var/lib/apt/lists/* \ /var/lib/apt/lists/* \
/var/tmp/* /var/tmp/*
RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \ RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \
&& sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \ && sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
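Review bot: `curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup && bash mariadb_repo_setup --mariadb-server-version=${MARIADB_VERSION}` runs a freshly downloaded script as root during the build without checking it, and the new ARG does not change that. I would compare the script with a pinned SHA-256 before executing it (`echo "<pinned-sha256>  mariadb_repo_setup" | sha256sum -c -`, digest shown as a placeholder) and add `--fail` so an HTTP error body is never handed to bash. The script is written to the build's working directory and none of the paths in the final `rm -rf` cover it, so it appears to remain in the image. Adding `rm -f mariadb_repo_setup` after the call would fit the size goal of this change. The percona-toolkit URL now uses `$(arch)` while the kubectl and rclone URLs stay hard-coded to amd64, which is worth making consistent.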

0
images/openstack-utility/Dockerfile.ubuntu_bionic Executable file → Normal file

32
images/openstack-utility/Dockerfile.ubuntu_focal Executable file → Normal file

@ -14,22 +14,22 @@ RUN set -xe \
&& sed -i '/nobody/d' /etc/passwd \ && sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update && apt-get upgrade -y \ && apt-get update && apt-get upgrade -y \
&& apt-get install -y \ && apt-get install --no-install-recommends -y \
bash \ bash \
sudo \ sudo \
rsyslog \ rsyslog \
python3.8 \ python3.8 \
python3-pip \ python3-pip \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install \ && pip3 install --no-cache-dir \
munch \ munch \
oslo.rootwrap==6.3.1 \ oslo.rootwrap==6.3.1 \
python-openstackclient==5.8.0 \ python-openstackclient==5.8.0 \
python-glanceclient==3.6.0 \ python-glanceclient==3.6.0 \
python-novaclient==17.7.0 \ python-novaclient==17.7.0 \
python-neutronclient==7.8.0 \ python-neutronclient==7.8.0 \
python-cinderclient==8.3.0 \ python-cinderclient==8.3.0 \
python-heatclient==2.5.1 \ python-heatclient==2.5.1 \
&& apt-get clean -y \ && apt-get clean -y \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
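Review bot: `munch` is the only entry in this `pip3 install --no-cache-dir` list without a `==` pin, and `pip3 install --no-cache-dir --upgrade pip` likewise takes whatever pip is current at build time. Both make the image contents depend on the build date, which works against the vulnerability-reduction goal in the commit message, because a rebuilt image can differ from the one that was scanned. I would pin munch like its neighbours (`munch==<version>`, version to be chosen by the maintainers) and consider a hashed requirements file installed with pip's `--require-hashes`. The unpinned munch entry is also present in three other sections of this commit. The RUN instruction starts above this hunk.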


@ -8,44 +8,43 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
org.opencontainers.image.vendor='The Airship Authors' \ org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0' org.opencontainers.image.licenses='Apache-2.0'
ARG KUBE_VERSION=1.28.4 ARG KUBE_VERSION=1.28.5
RUN set -xe \ RUN set -xe \
&& export DEBIAN_FRONTEND=noninteractive \ && export DEBIAN_FRONTEND=noninteractive \
&& sed -i '/nobody/d' /etc/passwd \ && sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& apt-get update && apt-get upgrade -y \ && apt-get update && apt-get upgrade -y \
&& apt-get install -y wget curl \ && apt-get install --no-install-recommends -y curl ca-certificates gnupg \
apt-transport-https ca-certificates gnupg \ && echo "deb https://apt.postgresql.org/pub/repos/apt focal-pgdg main" > /etc/apt/sources.list.d/pgdg.list \
&& echo "deb http://apt.postgresql.org/pub/repos/apt focal-pgdg main" > /etc/apt/sources.list.d/pgdg.list \
&& curl -o /etc/apt/trusted.gpg.d/postgresql_release_signing_key.asc 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \ && curl -o /etc/apt/trusted.gpg.d/postgresql_release_signing_key.asc 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install --no-install-recommends -y \
bash \ bash \
moreutils \ moreutils \
rsyslog \ rsyslog \
screen \ screen \
sudo \ sudo \
postgresql-client \ postgresql-client \
postgresql-common \ postgresql-common \
python3.8 \ python3.8 \
python3-pip \ python3-pip \
jq \ jq \
&& pip3 install --upgrade pip \ && pip3 install --no-cache-dir --upgrade pip \
&& pip3 install \ && pip3 install --no-cache-dir \
munch \ munch \
oslo.rootwrap==6.3.1 \ oslo.rootwrap==6.3.1 \
python-openstackclient==5.8.0 \ python-openstackclient==5.8.0 \
python-swiftclient==3.13.1 \ python-swiftclient==3.13.1 \
&& apt-get clean -y \
&& curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \ && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
| tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \ | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
&& curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \ && curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \
&& apt-get install -y --no-install-recommends /tmp/rclone.deb \ && apt-get install -y --no-install-recommends /tmp/rclone.deb \
&& apt-get clean -y \
&& rm -rf \ && rm -rf \
/tmp/* \ /tmp/* \
/var/cache/debconf/* \ /var/cache/debconf/* \
/var/lib/apt/lists/* /var/lib/apt/lists/*
RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \ RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \
&& sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \ && sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
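Review bot: The PGDG signing key is saved into /etc/apt/trusted.gpg.d/, which makes it trusted for every configured repository rather than only for apt.postgresql.org. Since the source line is already being rewritten for https, I would store the key outside trusted.gpg.d and bind it to this entry with apt's `signed-by` option, e.g. `deb [signed-by=/usr/share/keyrings/postgresql.asc] https://apt.postgresql.org/pub/repos/apt focal-pgdg main` (the keyring path is a suggested name). The key download should also use `curl --fail` so an error page cannot be written in place of the key. The second RUN instruction at the end of this hunk continues outside it.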