
Use minimal base image for linux builds #1233

Merged
merged 1 commit into from
Jun 27, 2022

Conversation

torredil
Member

@torredil torredil commented May 10, 2022

Signed-off-by: Eddie Torres [email protected]

What is this PR about? / Why do we need it?

  • Most incoming CVEs are not related to the CSI driver binary, but the base AL2 image layer. By using a minimal base image (for linux builds) we can greatly reduce ebs-csi-driver container image attack surface area and size.
  • Addresses: Build production container image from distroless #272

What testing is done?

  • The CSI driver requires the following dependencies in the base image layer:
    util-linux, e2fsprogs, xfsprogs, mount
  • The driver uses the following binaries:
    blkid, blockdev, dumpe2fs, resize2fs, fsck, fsck.ext4, fsck.ext3, mkfs, mkfs.ext4, mkfs.ext3, mkfs.xfs, xfs_io, xfs_growfs, umount, mount
  • Using docker entrypoint to test binaries in container image:
$ docker run --entrypoint blkid public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2
// There is no output, as expected.

$ docker run --entrypoint blockdev public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

Usage:
 blockdev -V
 blockdev --report [devices]
 blockdev [-v|-q] commands devices
...

$ docker run --entrypoint dumpe2fs public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

dumpe2fs 1.42.9 (28-Dec-2013)
Usage: dumpe2fs [-bfhixV] [-o superblock=<num>] [-o blocksize=<num>] device

$ docker run --entrypoint resize2fs public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

resize2fs 1.42.9 (28-Dec-2013)
Usage: resize2fs [-d debug_flags] [-f] [-F] [-M] [-P] [-p] device [new_size]

$ docker run --entrypoint fsck public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

fsck from util-linux 2.30.2

$ docker run --entrypoint fsck.ext4 public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

Usage: fsck.ext4 [-panyrcdfvtDFV] [-b superblock] [-B blocksize]
		[-I inode_buffer_blocks] [-P process_inode_size]
		[-l|-L bad_blocks_file] [-C fd] [-j external_journal]
		[-E extended-options] device
...

$ docker run --entrypoint fsck.ext3 public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

Usage: fsck.ext3 [-panyrcdfvtDFV] [-b superblock] [-B blocksize]
		[-I inode_buffer_blocks] [-P process_inode_size]
		[-l|-L bad_blocks_file] [-C fd] [-j external_journal]
		[-E extended-options] device
...

$ docker run --entrypoint mkfs public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

Usage:
 mkfs [options] [-t <type>] [fs-options] <device> [<size>]

$ docker run --entrypoint mkfs.ext4 public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2
Usage: mkfs.ext4 [-c|-l filename] [-b block-size] [-C cluster-size]
...

$ docker run --entrypoint mkfs.ext3 public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2
Usage: mkfs.ext3 [-c|-l filename] [-b block-size] [-C cluster-size
...

$ docker run --entrypoint mkfs.xfs public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

no device name given in argument list
Usage: mkfs.xfs
...

$ docker run --entrypoint xfs_io public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

xfs_io> %

$ docker run --entrypoint xfs_growfs public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

Usage: xfs_growfs [options] mountpoint
...

$ docker run --entrypoint umount public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

Usage:
 umount [-hV]
 umount -a [options]
 umount [options] <source> | <directory>
...

$ docker run --entrypoint mount public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

overlay on / type overlay (rw,relatime,lowerdir=/local/docker/overlay2/l/UZSVPV7M3UXLKOOLZFP2JDEZ5Z:/local/docker/overlay2/l/BFJHJQVTOLENYSKV7PTEL5FAU2:/local/docker/overlay2/l/AIP4WHCMJFSDFZLXAUNJ4XQWWG:/local/docker/overlay2/l/TQ66HDDH5DD23TLTLOMIMMXAYS,upperdir=/local/docker/overlay2/d97b29e25c19951d0b3acbc72b06ae3c8eb07bdc15de96d3e84476495664540b/diff,workdir=/local/docker/overlay2/d97b29e25c19951d0b3acbc72b06ae3c8eb07bdc15de96d3e84476495664540b/work)
...
  • Manifest:
$ crane manifest public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

{
   "mediaType": "application/vnd.oci.image.index.v1+json",
   "schemaVersion": 2,
   "manifests": [
      {
         "mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:01e84b4a8a8d7c52443e202d5758b8cd4aefb23d358cffae7a0f8bb2f4722347",
         "size": 916,
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:83188a6846278419dff4644a7a690184876231036f6b79e4f24103b3177d004d",
         "size": 916,
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      }
   ]
}
$ syft packages public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest.2

 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [25 packages]
NAME                    VERSION                   TYPE
basesystem              10.0-7.amzn2.0.1          rpm
ca-certificates         2021.2.50-72.amzn2.0.3    rpm
e2fsprogs               1.42.9-19.amzn2           rpm
e2fsprogs-libs          1.42.9-19.amzn2           rpm
filesystem              3.2-25.amzn2.0.4          rpm
glibc                   2.26-58.amzn2             rpm
glibc-common            2.26-58.amzn2             rpm
glibc-minimal-langpack  2.26-58.amzn2             rpm
gpg-pubkey              c87f5b1a-593863f8         rpm
libblkid                2.30.2-2.amzn2.0.7        rpm
libcom_err              1.42.9-19.amzn2           rpm
libgcc                  7.3.1-14.amzn2            rpm
libmount                2.30.2-2.amzn2.0.7        rpm
libselinux              2.5-12.amzn2.0.2          rpm
libsepol                2.5-8.1.amzn2.0.2         rpm
libstdc++               7.3.1-14.amzn2            rpm
libuuid                 2.30.2-2.amzn2.0.7        rpm
ncurses-libs            6.0-8.20170212.amzn2.1.3  rpm
pcre                    8.32-17.amzn2.0.2         rpm
readline                6.2-10.amzn2.0.2          rpm
setup                   2.8.71-10.amzn2.0.1       rpm
system-release          1:2-14.amzn2              rpm
tzdata                  2021e-1.amzn2             rpm
util-linux              2.30.2-2.amzn2.0.7        rpm
xfsprogs                4.5.0-18.amzn2.0.1        rpm
  • CI ✅
  • amd64 architecture validation testing ✅
  • arm64 architecture validation testing ✅

aws/eks-distro-build-tooling#398
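The manual `docker run --entrypoint` checks above, turned into a script that verifies the same list of binaries against an exported image rootfs and lists anything else the image's bin directories carry. This is an added example, not code from the PR or the driver project; the export step, the directory layout and the `REQUIRED_BINS` name are assumptions.

```shell
# Added example, not code from the PR or the aws-ebs-csi-driver project.
# Checks an exported image rootfs for every binary the driver shells out to
# (the list from the PR description) and lists what else its bin directories
# contain. Assumes the image was exported first, e.g.
#   docker create --name tmp <image> && docker export tmp | tar -x -C ./rootfs
# (that export step is an assumption, not something the PR shows).

REQUIRED_BINS="blkid blockdev dumpe2fs resize2fs fsck fsck.ext4 fsck.ext3 mkfs mkfs.ext4 mkfs.ext3 mkfs.xfs xfs_io xfs_growfs umount mount"
BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# Prints "missing: <names>" and returns 1 if a required binary is absent from
# the rootfs $1; returns 0 silently otherwise. A symlink counts as present
# even when its absolute target cannot be resolved relative to the export.
check_image_bins() {
    root="$1"
    missing=""
    for b in $REQUIRED_BINS; do
        found=0
        for d in $BIN_DIRS; do
            p="$root/$d/$b"
            if [ -x "$p" ] || [ -L "$p" ]; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || missing="$missing $b"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Prints, one per line, every entry in the rootfs bin directories that is not
# on the required list: the extra surface a minimal base should not carry.
list_unexpected_bins() {
    root="$1"
    for d in $BIN_DIRS; do
        [ -d "$root/$d" ] || continue
        for p in "$root/$d"/*; do
            [ -e "$p" ] || [ -L "$p" ] || continue
            name=${p##*/}
            case " $REQUIRED_BINS " in
                *" $name "*) ;;
                *) echo "$name" ;;
            esac
        done
    done | sort -u
}
```

Run `check_image_bins ./rootfs && list_unexpected_bins ./rootfs` after exporting the candidate image; a non-empty second list is what to review before adopting a base image.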

@k8s-ci-robot
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 10, 2022
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 10, 2022
@torredil torredil force-pushed the distroless-base-image branch 10 times, most recently from 19fb00d to b2d145e Compare May 11, 2022 14:58
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 31, 2022
@wmesard
Contributor

wmesard commented May 31, 2022

This is minimal, not distroless, as the subject line claims.

@torredil torredil changed the title Use distroless base image for linux builds Use minimal base image for linux builds May 31, 2022
@torredil
Member Author

@wmesard Thanks for pointing that out. Just got a new image to test out from the eks-d team and hadn't gotten around to changing the title.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 8, 2022
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 8, 2022
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2022
@torredil
Member Author

torredil commented Jun 13, 2022

Makefile correctly generates manifests: https://hub.docker.com/r/torredil/aws-ebs-csi-driver/tags

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 15, 2022
@torredil
Member Author

torredil commented Jun 15, 2022

Ready for review.
/hold do not merge until release for 1.8.0 is ready.
cc @gtxu @rdpsin @wmesard

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 15, 2022
@rdpsin
Contributor

rdpsin commented Jun 27, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 27, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MurphyPuppy, rdpsin, torredil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@torredil torredil removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 27, 2022
@k8s-ci-robot k8s-ci-robot merged commit 7f6c54b into kubernetes-sigs:master Jun 27, 2022