From a696df2cd8930a0f87385b054efd72c1545d97d6 Mon Sep 17 00:00:00 2001 From: "DODDA, PRATEEK" Date: Thu, 18 Jun 2020 16:46:58 -0500 Subject: [PATCH] [Security Fix] Update mysqlclient Utility Container Image Update Python Packages to non-vulnerable as per Claire Scan Change-Id: I5b099b777c8b1413b36ef7c3326b8005483cd89b --- .../templates/bin/_start.sh.tpl | 13 ----- .../Dockerfile.ubuntu_bionic | 48 +++++++++++-------- 2 files changed, 27 insertions(+), 34 deletions(-) diff --git a/charts/mysqlclient-utility/templates/bin/_start.sh.tpl b/charts/mysqlclient-utility/templates/bin/_start.sh.tpl index e17f658d..a36a5b2f 100644 --- a/charts/mysqlclient-utility/templates/bin/_start.sh.tpl +++ b/charts/mysqlclient-utility/templates/bin/_start.sh.tpl @@ -13,20 +13,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} set -ex -# move this into build image v1.0.1 8/13/19 -#sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf /etc/init.d/rsyslog start # for readiness probe touch /tmp/done - -{{/* -These lines will disable extra handler, extra formatter, extra level to the -root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl. -These lines will get rid of duplicate logs, generated because of the formatter -attached by oslo-rootwrap. -*/}} -sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py -sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py -sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py -sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py diff --git a/images/mysqlclient-utility/Dockerfile.ubuntu_bionic b/images/mysqlclient-utility/Dockerfile.ubuntu_bionic index c8ec9f70..3e94cd85 100644 --- a/images/mysqlclient-utility/Dockerfile.ubuntu_bionic 
+++ b/images/mysqlclient-utility/Dockerfile.ubuntu_bionic @@ -8,30 +8,36 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc org.opencontainers.image.vendor='The Airship Authors' \ org.opencontainers.image.licenses='Apache-2.0' -RUN set -xe && \ - export DEBIAN_FRONTEND=noninteractive && \ - sed -i '/nobody/d' /etc/passwd && \ - echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd && \ - apt-get update && \ - apt-get install -y \ - bash \ - moreutils \ - mysql-client \ - python3 \ - python3-pip \ - python3-oslo.rootwrap \ - python3-openstackclient \ - python3-swiftclient \ - curl \ - pwgen \ - sudo \ - rsyslog && \ - sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf && \ - apt-get clean -y && \ - rm -rf \ +RUN set -xe \ + && export DEBIAN_FRONTEND=noninteractive \ + && sed -i '/nobody/d' /etc/passwd \ + && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ + && apt-get update \ + && apt-get install -y \ + bash \ + sudo \ + rsyslog \ + pwgen \ + curl \ + moreutils \ + mysql-client \ + python3.6 \ + python3-pip \ + && pip3 install \ + oslo.rootwrap==5.8.0 \ + python-openstackclient==3.18.1 \ + python-swiftclient \ + && sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf \ + && apt-get clean -y \ + && rm -rf \ /tmp/* \ /var/cache/debconf/* \ /var/lib/apt/lists/* \ /var/tmp/* +RUN sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/local/lib/python3.6/dist-packages/oslo_rootwrap/wrapper.py \ + && sed -i "/handler.setFormatter/s/.*/#&/" /usr/local/lib/python3.6/dist-packages/oslo_rootwrap/wrapper.py \ + && sed -i "/os.path.basename/s/.*/#&/" /usr/local/lib/python3.6/dist-packages/oslo_rootwrap/wrapper.py \ + && sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/local/lib/python3.6/dist-packages/oslo_rootwrap/wrapper.py + CMD ["/bin/bash"]
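Review bot: In the new `pip3 install` step, `python-swiftclient` is left unpinned while `oslo.rootwrap==5.8.0` and `python-openstackclient==3.18.1` are pinned, and none of the transitive dependencies are constrained, so a rebuild can pull a different package set than the one the scan cleared. Pin it too, e.g. `python-swiftclient==<version cleared by the scan>`, and consider a constraints file (`pip3 install -c constraints.txt ...`) to fix the whole dependency set. Adding `--no-cache-dir` would also keep pip's download cache out of the layer, since the `rm -rf` list does not cover it. Separately, the four `sed -i` edits in the second `RUN` target the pip-installed `wrapper.py` under `/usr/local/lib/python3.6/dist-packages/`, and `sed` exits 0 when a pattern matches nothing. If a later oslo.rootwrap release changes those lines, the duplicate logging would come back without any build error; a `grep -q` for each pattern before the edit would make the build fail instead.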