
BMO & Ironic & Ironic-Inspector fail Clair scans for high risk vulnerabilities #558

Closed
eak13 opened this issue Jun 3, 2021 · 7 comments
Assignees
Labels
6-upstream/metal3-io Requires changes to upstream project, metal3-io bug Something isn't working size s
Milestone

Comments

@eak13

eak13 commented Jun 3, 2021

Describe the bug
Clair scans have identified several high risk vulnerabilities in BMO, Ironic-Inspector & Ironic. See attached for details.
This is being tracked via metal3-io/ironic-image#266.
This is a tracking issue to ensure that the images used by Airshipctl are updated once the vulnerabilities have been resolved.

Steps To Reproduce
Run Clair scan against the images.

Expected behavior
No high risk security vulnerabilities are found.

ironic-inspector-2e2774c-2021-05-31_15-55-34.txt
baremetal-operator-3871acb-2021-05-31_15-58-59.txt
ironic-a69281a-2021-05-31_15-58-24.txt

@eak13 eak13 added bug Something isn't working triage Needs evaluation by project members labels Jun 3, 2021
@jezogwza jezogwza added this to the v2.2 milestone Jun 9, 2021
@jezogwza jezogwza added 6-upstream/metal3-io Requires changes to upstream project, metal3-io and removed triage Needs evaluation by project members labels Jun 9, 2021
@sshiba

sshiba commented Jul 2, 2021

Hi Andrew, assign this issue to me. Thanks.

@sshiba

sshiba commented Jul 2, 2021

@eak13
Author

eak13 commented Aug 17, 2021

@SirishaGopigiri can you please also comment here so I can update assignment? Thanks!

@SirishaGopigiri
Contributor

Please assign this to me, thank you!

@SirishaGopigiri
Contributor

The quay.io/metal3-io/baremetal-operator:capm3-v0.5.0 image is passing the clair scan and the manifests are updated to use it as part of capi and capm3 uplift #518
Other images are still failing with vulnerability issues; these need to be fixed by the upstream metal3 community.

@mattmceuen
Contributor

I left a note in PS 804834, but bringing it up here so it doesn't get lost: I think we need to build an updated ironic-python-agent (ipa) image, to match the version of ironic that we're updating to. However, the patchset appears to also be adding an additional image for the same thing, so I think we need to sort out 1) why did we build that image ourselves, 2) do we want to keep building it, 3) if so, we need to build an updated one to match the new BMO/Ironic.

We may have built our own as an alternative to pinning to a moving :master tag.

airshipbot pushed a commit that referenced this issue Oct 14, 2021
The below PS has manifest files related to
capm3, bmo and ironic for v0.5.0 versions.

Relates-To: #518 #558 #560
Change-Id: Id9240320bc8dec32d5e5384c39e26ba04f55f9bd
@eak13
Author

eak13 commented Oct 27, 2021

Closing as https://review.opendev.org/c/airship/airshipctl/+/804834 has merged which should resolve the CVE issues. If we need to do something different with the IPA image, then we can open a separate issue for it.

@eak13 eak13 closed this as completed Oct 27, 2021