
Update fleetdm/fleetctl, fleetdm/wix and fleetdm/bomutils docker images #21063

Merged
merged 10 commits into from
Aug 20, 2024

Conversation

lucasmrod
Member

@lucasmrod lucasmrod commented Aug 5, 2024

#20571

Summary of changes

We have a few moving parts in fleetctl land (fleetdm/wix is used to build MSIs, fleetdm/bomutils is used to build PKGs, and fleetdm/fleetctl can be used to build packages using docker, with no need for the fleetctl executable):

```mermaid
graph LR

fleetctl_exec[fleetctl<br>executable];
wix_image[fleetdm/wix<br>docker image];
bomutils_image[fleetdm/bomutils<br>docker image];
fleetctl_image[fleetdm/fleetctl<br>docker image];

fleetctl_exec -- uses --> wix_image;

fleetctl_image -- COPY dependencies<br>FROM --> wix_image;

fleetctl_exec -- uses --> bomutils_image;

fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image;
```

So, we'll need to update the three images: fleetdm/bomutils, fleetdm/wix & fleetdm/fleetctl.

  • tools/bomutils-docker/Dockerfile, tools/wix-docker/Dockerfile and tools/fleetctl-docker/Dockerfile: Updating the base image to fix the CRITICAL vulnerabilities.
  • Modified the existing (unused) .github/workflows/build-and-check-fleetctl-docker-and-deps.yml to run every day to check for CRITICAL vulnerabilities in fleetdm/wix, fleetdm/bomutils and fleetdm/fleetctl.
  • .github/workflows/goreleaser-fleetctl-docker-deps.yaml: fleetdm/bomutils and fleetdm/wix were pushed manually a few years ago (most likely by Zach), so I've added a new action to release them when we have changes to release (like now). It will basically release fleetdm/bomutils and fleetdm/wix when pushing a tag of the form fleetctl-docker-deps-* (we'll need to protect such tag prefix).
  • Changes in .github/workflows/test-native-tooling-packaging.yml to build fleetdm/bomutils and fleetdm/wix for fleetdm/fleetctl to use them instead of the ones in docker hub.

--

Build before upgrading debian:stable-slim:
https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837
[Screenshot: build results before upgrading debian:stable-slim, 2024-08-05]

Build after upgrading debian:stable-slim: https://github.com/fleetdm/fleet/actions/runs/10255550034

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.
  • Manual QA for all new/changed functionality
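As an added example (not part of this PR and not Fleet's own workflow), here is a small POSIX shell script that performs the same check the daily workflow described above does: scan each of the three images with trivy and fail when any CRITICAL finding is present, while treating a scanner failure as a failure rather than a clean result. The trivy flags and the shape of its JSON report (`Results[].Vulnerabilities[].Severity`) are assumed from the current trivy CLI; the sample report and its CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Fleet's workflow: fail when any of the fleetctl-related
# images carries a CRITICAL vulnerability according to trivy.
# Assumes the trivy CLI is installed and that its JSON report looks like
# {"Results":[{"Vulnerabilities":[{"VulnerabilityID":...,"Severity":...}]}]}.

# Constructed sample report (placeholder CVE ids), used to exercise the counter
# offline: two CRITICAL findings and one HIGH.
SAMPLE_REPORT='{"Results":[{"Target":"fleetdm/fleetctl (debian)","Vulnerabilities":[
  {"VulnerabilityID":"CVE-XXXX-0001","Severity":"CRITICAL"},
  {"VulnerabilityID":"CVE-XXXX-0002","Severity":"HIGH"},
  {"VulnerabilityID":"CVE-XXXX-0003","Severity":"CRITICAL"}]}]}'

# Count CRITICAL entries in a trivy JSON report read from stdin.
# grep -o counts matches rather than lines, so compact and pretty-printed
# JSON both work; tr strips the padding some wc implementations add.
critical_count() {
    grep -o '"Severity": *"CRITICAL"' | wc -l | tr -d '[:space:]'
}

# Scan one image. Returns 2 if trivy itself fails, so a broken scanner is
# never mistaken for a clean image; otherwise prints the CRITICAL count.
scan_image() {
    image="$1"
    report=$(trivy image --quiet --format json "$image") || return 2
    printf '%s\n' "$report" | critical_count
}

# Scan every image given on the command line; exit 1 if any has CRITICAL
# findings or could not be scanned.
main() {
    failed=0
    for img in "$@"; do
        if ! n=$(scan_image "$img"); then
            echo "$img: scan failed" >&2
            failed=1
            continue
        fi
        echo "$img: $n CRITICAL"
        if [ "$n" -gt 0 ]; then failed=1; fi
    done
    return "$failed"
}

# Usage: ./scan-images.sh fleetdm/bomutils:latest fleetdm/wix:latest fleetdm/fleetctl:latest
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it from a scheduled job the same way the workflow in this PR does; a non-zero exit is what makes the job red, and the per-image lines in the log tell you which of the three images needs its base image bumped.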

@lucasmrod lucasmrod changed the title Add trivy scan to fleetctl build Add trivy scan to fleetdm/fleetctl image build Aug 5, 2024
lukeheath
lukeheath previously approved these changes Aug 5, 2024
@lukeheath lukeheath left a comment

Thanks for this, great idea!

@lucasmrod lucasmrod force-pushed the 20571-update-fleetctl-docker-debian-slim branch from f16003f to 41586c0 Compare August 16, 2024 20:06
@lucasmrod lucasmrod marked this pull request as ready for review August 16, 2024 21:06
@lucasmrod lucasmrod changed the title Add trivy scan to fleetdm/fleetctl image build Update fleetdm/fleetctl, fleetdm/wix and fleetdm/bomutils docker images Aug 19, 2024
@lukeheath lukeheath left a comment

Thanks for the thorough PR description and adding the additional workflows. The fleetctl-docker-deps-* tag is now protected.

@lucasmrod lucasmrod merged commit 18f010f into main Aug 20, 2024
6 checks passed
@lucasmrod lucasmrod deleted the 20571-update-fleetctl-docker-debian-slim branch August 20, 2024 17:08