base: add iproute package #2164


asm0deuz

This makes the ip command available.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2245975

Signed-off-by: Teoman ONAY <tonay@ibm.com>
@ktdreyer
Member

ktdreyer commented Nov 2, 2023

Looks like Rook has worked around this with red-hat-storage/rook#533 instead

@BlaineEXE
Collaborator

My experience has been that the upstream quay.io/ceph/ceph images already have ip installed. It seems like that isn't by intent, given that the package isn't installed. From a container security perspective, it would be best to not include ip in the Ceph image because it isn't needed by Ceph. I will make that same change to upstream Rook as well.

@ktdreyer
Member

ktdreyer commented Nov 2, 2023

That's right @BlaineEXE. The iproute package in quay.io/ceph/ceph:v18.2.0 comes preinstalled in the base image, quay.io/centos/centos:stream8.

Once Ceph upstream begins to use quay.io/centos/centos:stream9-minimal as the base image, the iproute package will not be in Ceph. Nothing in Ceph itself uses /usr/sbin/ip, so it's there by "accident".

I agree with you that we should minimize our package list to avoid exposure to future vulnerabilities. I checked iproute-6.4.0-1.fc38 on Fedora, and there are no setuid binaries, but it still helps to keep our package list small if possible.
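
One way to run the kind of check mentioned in the comment above across an unpacked image root filesystem, as an added example that is not part of the original thread or of the Ceph project's code. It flags setuid and setgid files and, going beyond the setuid check described, files carrying a `security.capability` xattr; the paths and file names in `demo()` are constructed.

```python
import os
import stat
import tempfile


def has_file_caps(path):
    """True if the file carries a Linux file-capability xattr."""
    try:
        os.getxattr(path, "security.capability", follow_symlinks=False)
        return True
    except (OSError, AttributeError):
        # No such xattr, or the filesystem/platform cannot report one.
        return False


def privileged_files(root):
    """Map relative path -> reasons for regular files under root that can
    grant privilege on exec: setuid, setgid, or file capabilities."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            reasons = []
            if st.st_mode & stat.S_ISUID:
                reasons.append("setuid")
            if st.st_mode & stat.S_ISGID:
                reasons.append("setgid")
            if has_file_caps(path):
                reasons.append("file-capabilities")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo():
    """Audit a constructed rootfs: a plain 'ip' and one setuid helper."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("usr/sbin/ip", 0o755),
                          ("usr/bin/constructed-suid", 0o4755)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return privileged_files(root)
```

Pointing `privileged_files()` at an exported image filesystem gives a baseline to compare before and after a package is added to the image.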

@ktdreyer
Member

ktdreyer commented Nov 3, 2023

@asm0deuz you can close this PR.

@asm0deuz asm0deuz closed this Nov 5, 2023