
Dockerfile multistage with bci-micro #166

Merged


andypitcher (Contributor) commented Sep 29, 2023

Parent issue: https://github.com/rancher/security-team/issues/387

This PR covers the following:

  • Have a multi-stage approach
  • Use bci-micro as final image and remove unused packages.

Tested with RKE2, the scan is working and delivers the same results:

[screenshot: scan results on RKE2]

Note: The final image size can't be smaller than ~280MB even if we're using bci-micro here. Indeed, the number of binaries and their dependencies increases it. That said, here are some advantages of using micro here:

  1. It reduces the attack surface; for example, in bci-base zypper is there by default. This might help an attacker install other artifacts onto the container.
  2. It reduces the number of potential vulnerabilities. After the build, the number of binaries in /usr/bin is equal to 403 when using bci-base and 354 when using bci-micro.

Commits in this PR:

  • Use bci-minimal as final image
  • Build/Copy binaries from builder to final
  • …uired packages with zypper
  • 2. Use micro image as final image

    Resolves the following error in run_sonobuoy_plugin.sh:

    + tar -czf kb.tar.gz controlplane.json error.log etcd.json master.json node.json policies.json
    /bin/sh: gzip: command not found
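The approach the PR describes (a builder stage that installs the runtime packages into a chroot with zypper --installroot, a bci-micro final stage that receives only that tree, and a build-time check for the binaries the scan scripts call, which is where the gzip failure above came from), written out as an added example. This is not the package/Dockerfile from this PR or from rancher/security-scan; the image tags, the package list, the kubectl version and the /chroot path are assumptions chosen for illustration.

```dockerfile
# Added example, not the PR's own Dockerfile. Tags, packages, KUBECTL_VERSION
# and /chroot are assumptions.
FROM registry.suse.com/bci/bci-base:15.5 AS builder

# --installroot shares the builder's repositories but installs into /chroot,
# so zypper, rpm and their dependencies never reach the final image.
# gzip is listed explicitly: `tar -czf` fails with "gzip: command not found"
# when it is absent from the final image.
RUN zypper --non-interactive --installroot /chroot \
        install --no-recommends tar gzip && \
    zypper --installroot /chroot clean -a && \
    rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/*

# Fetch kubectl from dl.k8s.io (the URL the PR switched to) and verify it
# against the published checksum before it is copied into the final image.
ARG KUBECTL_VERSION=v1.28.4
RUN curl -fsSLo /chroot/usr/local/bin/kubectl \
        "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    curl -fsSLo /tmp/kubectl.sha256 \
        "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
    echo "$(cat /tmp/kubectl.sha256)  /chroot/usr/local/bin/kubectl" | sha256sum -c - && \
    chmod 0755 /chroot/usr/local/bin/kubectl

# Final stage: bci-micro ships no package manager, so nothing can be
# installed at runtime; only the prepared chroot tree is layered on top.
FROM registry.suse.com/bci/bci-micro:15.5

COPY --from=builder /chroot/ /

# Fail the build, not the first scan run, if a binary the scripts call is
# missing from the minimal image (the check that would have caught gzip).
RUN for cmd in tar gzip kubectl; do \
        command -v "$cmd" >/dev/null || { echo "missing: $cmd" >&2; exit 1; }; \
    done
```

The final-stage RUN relies on /bin/sh being present in bci-micro, which the error message quoted in the commit above already demonstrates; the list of commands it checks should mirror whatever the scan scripts actually invoke.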
pjbgf
pjbgf previously approved these changes Sep 29, 2023
pjbgf (Member) commented Sep 29, 2023

Diving into rancher/security-scan:v0.2.13, the binaries we download are around 150MB:
[screenshot: image layer sizes]

We could potentially go to registry.suse.com/bci/bci-busybox:15.5, which is ~12MB. So in total, we should be able to get to sub-200MB.

(review comment on package/Dockerfile, resolved)
@andypitcher andypitcher marked this pull request as ready for review October 2, 2023 14:34
pjbgf
pjbgf previously approved these changes Oct 2, 2023
macedogm
macedogm previously approved these changes Oct 2, 2023
rayandas (Contributor) commented Nov 7, 2023

@andypitcher Could you please resolve the conflicts?

@andypitcher andypitcher dismissed stale reviews from macedogm and pjbgf via 2288621 November 22, 2023 18:44
@andypitcher andypitcher requested a review from a team as a code owner November 22, 2023 18:44
andypitcher (Contributor, Author) commented

> @andypitcher Could you please resolve the conflicts?

Done. Also replaced the kubectl download URL from storage.googleapis.com to dl.k8s.io as per kubernetes/k8s.io#2396.

macedogm
macedogm previously approved these changes Nov 23, 2023
zypper --installroot /chroot clean -a && \
rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/*

# Main stage using bco-mirco as the base image
Member (review comment on package/Dockerfile):

nit:

Suggested change
# Main stage using bco-mirco as the base image
# Main stage using bco-micro as the base image

pjbgf
pjbgf previously approved these changes Nov 24, 2023
@andypitcher andypitcher dismissed stale reviews from pjbgf and macedogm via e296452 December 7, 2023 16:10
@andypitcher andypitcher merged commit bdbab54 into rancher:master Dec 7, 2023
1 check passed
@MKlimuszka MKlimuszka added this to the v2.8.3 milestone Jan 9, 2024
MKlimuszka commented

Infracloud is testing this.

@MKlimuszka MKlimuszka modified the milestones: v2.8.3, v2.8-Next1 Jan 22, 2024
pjbgf (Member) commented Jan 26, 2024

@MKlimuszka it may be worth testing this together with rancher/cis-operator#232.
