
noble-chiseled #130

Merged
merged 5 commits into from
May 31, 2024

Conversation

@mathieu-benoit (Owner) commented May 30, 2024

Moving from alpine to chiseled (i.e. distroless).

Resources:

Todos:

Size (+1.5 MB)

  • Before: 40.9 MB
  • After: 42.4 MB --> +1.5 MB, I can live with this, that's for sure! ;)

Packages (-11 packages)

Note: syft was used.

Before:

✔ Packages                               [17 packages]
   ├── ✔ File digests                    [81 files]
   ├── ✔ File metadata                   [81 locations]
   └── ✔ Executables                     [21 executables]
NAME                    VERSION                 TYPE
alpine-baselayout       3.4.3-r1                apk
alpine-baselayout-data  3.4.3-r1                apk
alpine-keys             2.4-r1                  apk
apk-tools               2.14.0-r2               apk
busybox                 1.36.1-r5               apk
busybox-binsh           1.36.1-r5               apk
ca-certificates-bundle  20230506-r0             apk
libc-utils              0.7.2-r5                apk
libcrypto3              3.1.4-r5                apk
libgcc                  12.2.1_git20220924-r10  apk
libssl3                 3.1.4-r5                apk
libstdc++               12.2.1_git20220924-r10  apk
musl                    1.2.4-r2                apk
musl-utils              1.2.4-r2                apk
scanelf                 1.3.7-r1                apk
ssl_client              1.36.1-r5               apk
zlib                    1.2.13-r1               apk

After:

✔ Packages                               [6 packages]
   └── ✔ Executables                     [30 executables]
NAME             VERSION                TYPE
base-files       13ubuntu10             deb
ca-certificates  20240203               deb
libc6            2.39-0ubuntu8          deb
libgcc-s1        14-20240412-0ubuntu1   deb
libssl3t64       3.0.13-0ubuntu3        deb
zlib1g           1:1.3.dfsg-3.1ubuntu2  deb

CVEs (+2 LOW and -4 MEDIUM)

Note: trivy was used.

Before:

(alpine 3.18.6)

Total: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42366 │ MEDIUM   │ fixed  │ 1.36.1-r5         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                           │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
├───────────────┤                │          │        │                   │               │                                                           │
│ busybox-binsh │                │          │        │                   │               │                                                           │
│               │                │          │        │                   │               │                                                           │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-4603  │          │        │ 3.1.4-r5          │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
│               │                │          │        │                   │               │ parameters                                                │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│               │                │          │        │                   │               │ TLSv1.3                                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2024-4603  │ MEDIUM   │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
│               │                │          │        │                   │               │ parameters                                                │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│               │                │          │        │                   │               │ TLSv1.3                                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42366 │ MEDIUM   │        │ 1.36.1-r5         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                           │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

After:

(ubuntu 24.04)

Total: 5 (UNKNOWN: 0, LOW: 4, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬──────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │  Status  │ Installed Version │  Fixed Version  │                           Title                            │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ libc6      │ CVE-2024-2961  │ MEDIUM   │ fixed    │ 2.39-0ubuntu8     │ 2.39-0ubuntu8.1 │ glibc: Out of bounds write in iconv may lead to remote     │
│            │                │          │          │                   │                 │ code...                                                    │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-2961                  │
│            ├────────────────┼──────────┼──────────┤                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2016-20013 │ LOW      │ affected │                   │                 │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│            │                │          │          │                   │                 │ cause a denial of...                                       │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2016-20013                 │
├────────────┼────────────────┤          │          ├───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ libssl3t64 │ CVE-2024-2511  │          │          │ 3.0.13-0ubuntu3   │                 │ openssl: Unbounded memory growth with session handling in  │
│            │                │          │          │                   │                 │ TLSv1.3                                                    │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-2511                  │
│            ├────────────────┤          │          │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2024-4603  │          │          │                   │                 │ openssl: Excessive time spent checking DSA keys and        │
│            │                │          │          │                   │                 │ parameters                                                 │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-4603                  │
│            ├────────────────┤          │          │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2024-4741  │          │          │                   │                 │ openssl: Use After Free with SSL_free_buffers              │
│            │                │          │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-4741                  │
└────────────┴────────────────┴──────────┴──────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
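The before/after comparison above was tallied by hand from the syft and trivy tables. The script below is an added example, not code from the sail-sharp repository, that computes the same package and per-severity deltas from the two tools' JSON output, and additionally reports what the single `Total:` line hides: the number of unique CVE IDs, how many of them have a fix available, which CVEs persist across both images, and which were rated differently by the two distributions' trackers. The two sample reports are constructed from the tables above and contain only the fields the script reads; the field names follow syft's `artifacts[]` and trivy's `Results[].Vulnerabilities[]` JSON layout, which is an assumption to check against the tool versions in use.

```python
"""Package and CVE delta between two container images, from syft and trivy JSON.

Added example, not code from the sail-sharp repository. Field names follow
syft's ``artifacts[]`` and trivy's ``Results[].Vulnerabilities[]`` JSON output
(assumption: verify against your tool versions). The sample reports below are
constructed from the PR's tables and hold only the fields this script reads.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed syft output: package names only, which is all the delta needs.
SYFT_BEFORE = {"artifacts": [{"name": n, "type": "apk"} for n in (
    "alpine-baselayout alpine-baselayout-data alpine-keys apk-tools busybox "
    "busybox-binsh ca-certificates-bundle libc-utils libcrypto3 libgcc libssl3 "
    "libstdc++ musl musl-utils scanelf ssl_client zlib").split()]}
SYFT_AFTER = {"artifacts": [{"name": n, "type": "deb"} for n in (
    "base-files ca-certificates libc6 libgcc-s1 libssl3t64 zlib1g").split()]}


def _vuln(pkg, cve, sev, status, installed, fixed=""):
    """One trivy finding row; FixedVersion is empty when no fix exists yet."""
    return {"PkgName": pkg, "VulnerabilityID": cve, "Severity": sev,
            "Status": status, "InstalledVersion": installed, "FixedVersion": fixed}


# Constructed trivy output, one row per (package, CVE) as in the PR tables.
TRIVY_BEFORE = {"Results": [{"Target": "alpine 3.18.6", "Vulnerabilities": [
    _vuln("busybox", "CVE-2023-42366", "MEDIUM", "fixed", "1.36.1-r5", "1.36.1-r6"),
    _vuln("busybox-binsh", "CVE-2023-42366", "MEDIUM", "fixed", "1.36.1-r5", "1.36.1-r6"),
    _vuln("libcrypto3", "CVE-2024-4603", "MEDIUM", "fixed", "3.1.4-r5", "3.1.5-r0"),
    _vuln("libcrypto3", "CVE-2024-2511", "LOW", "fixed", "3.1.4-r5", "3.1.4-r6"),
    _vuln("libssl3", "CVE-2024-4603", "MEDIUM", "fixed", "3.1.4-r5", "3.1.5-r0"),
    _vuln("libssl3", "CVE-2024-2511", "LOW", "fixed", "3.1.4-r5", "3.1.4-r6"),
    _vuln("ssl_client", "CVE-2023-42366", "MEDIUM", "fixed", "1.36.1-r5", "1.36.1-r6"),
]}]}
TRIVY_AFTER = {"Results": [{"Target": "ubuntu 24.04", "Vulnerabilities": [
    _vuln("libc6", "CVE-2024-2961", "MEDIUM", "fixed", "2.39-0ubuntu8", "2.39-0ubuntu8.1"),
    _vuln("libc6", "CVE-2016-20013", "LOW", "affected", "2.39-0ubuntu8"),
    _vuln("libssl3t64", "CVE-2024-2511", "LOW", "affected", "3.0.13-0ubuntu3"),
    _vuln("libssl3t64", "CVE-2024-4603", "LOW", "affected", "3.0.13-0ubuntu3"),
    _vuln("libssl3t64", "CVE-2024-4741", "LOW", "affected", "3.0.13-0ubuntu3"),
]}]}


def package_delta(before, after):
    """Packages only in one SBOM plus the net count change (-11 in the PR)."""
    b = {a["name"] for a in before["artifacts"]}
    a = {x["name"] for x in after["artifacts"]}
    return {"removed": sorted(b - a), "added": sorted(a - b),
            "count_delta": len(a) - len(b)}


def findings(report):
    """Flatten trivy results; 'Vulnerabilities' is null for a clean target."""
    return [v for r in report["Results"] for v in (r.get("Vulnerabilities") or [])]


def severity_delta(before, after):
    """Per-severity row count change, i.e. the PR's '+2 LOW and -4 MEDIUM'."""
    cb = Counter(v["Severity"] for v in findings(before))
    ca = Counter(v["Severity"] for v in findings(after))
    return {s: ca[s] - cb[s] for s in SEVERITIES if ca[s] != cb[s]}


def cve_summary(report):
    """Collapse rows to one entry per CVE: the same CVE reached through three
    busybox packages is one thing to patch, not three."""
    out = {}
    for v in findings(report):
        e = out.setdefault(v["VulnerabilityID"], {"severity": v["Severity"],
                                                  "packages": set(), "fix_available": False})
        e["packages"].add(v["PkgName"])
        e["fix_available"] = e["fix_available"] or bool(v.get("FixedVersion"))
    return out


def compare(before, after):
    """Everything the single 'Total:' line hides about a base-image swap."""
    sb, sa = cve_summary(before), cve_summary(after)
    persisting = sorted(set(sb) & set(sa))
    return {
        "row_delta": severity_delta(before, after),
        "unique_cves": (len(sb), len(sa)),
        "fixable": (sum(e["fix_available"] for e in sb.values()),
                    sum(e["fix_available"] for e in sa.values())),
        "persisting": persisting,
        # Same CVE, different severity: trivy reports the distro's own rating.
        "reclassified": {c: (sb[c]["severity"], sa[c]["severity"])
                         for c in persisting if sb[c]["severity"] != sa[c]["severity"]},
    }


if __name__ == "__main__":
    # Usage: compare.py syft-before.json syft-after.json trivy-before.json trivy-after.json
    if len(sys.argv) == 5:
        sb, sa, tb, ta = (json.load(open(p)) for p in sys.argv[1:])
    else:  # no arguments: run on the constructed samples above
        sb, sa, tb, ta = SYFT_BEFORE, SYFT_AFTER, TRIVY_BEFORE, TRIVY_AFTER
    print(json.dumps({"packages": package_delta(sb, sa), "cves": compare(tb, ta)}, indent=2))
```

Feed it real reports with `syft <image> -o json > syft.json` and `trivy image --format json -o trivy.json <image>` for each image. On the numbers in this PR it gives the same row delta as the description (LOW +2, MEDIUM -4), but also shows that unique CVE IDs go from 3 to 5 and fixable ones from 3 to 1: trivy counts one Alpine CVE once per package it touches, all seven Alpine rows had a fixed version available, and four of the five Ubuntu rows had none at scan time. CVE-2024-4603 is the same bug in both images, rated MEDIUM by Alpine and LOW by Ubuntu, so a drop in the MEDIUM count alone does not mean the OpenSSL issue went away.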

Deployment successfully completed for PR-130! 🎉

Deployment ID: 17d4571840236c19

Domains:

my-sample-workload: helloworld-preview.endpoints.mathieu-benoit-gcp.cloud.goog

Deployment diff:

{
  "modules": {
    "add": null,
    "remove": [],
    "update": {
      "my-sample-workload": [
        {
          "from": "",
          "op": "replace",
          "path": "/spec/containers/my-sample-container/image",
          "value": "us-east4-docker.pkg.dev/mathieu-benoit-gcp/containers/my-sample-app@sha256:eb0c1dfeebe96cb4a4ed523dc9560baecdbf97fecbcc63d65b3e259ccf4392d1"
        },
        {
          "from": "",
          "op": "replace",
          "path": "/spec/annotations/humanitec.io~1workload-source",
          "value": "https://github.com/mathieu-benoit/sail-sharp/blob/noble-chiseled/score/score.yaml"
        }
      ]
    }
  },
  "shared": null
}
Active Resources Usage:


ResType            	Class  	ResID                                     	Usage         	Last referencing deployment	Last referencing deployment created ago
agent              	default	agent                                     	current deploy	17d4571840236c19           	33.200372532s                          
base-env           	default	base-env                                  	current deploy	17d4571840236c19           	33.200375608s                          
k8s-cluster        	default	k8s-cluster                               	current deploy	17d4571840236c19           	33.200377782s                          
k8s-namespace      	default	k8s-namespace                             	current deploy	17d4571840236c19           	33.200379535s                          
logging            	default	logging                                   	current deploy	17d4571840236c19           	33.200381569s                          
k8s-service-account	default	modules.my-sample-workload                	current deploy	17d4571840236c19           	33.200383473s                          
workload           	default	modules.my-sample-workload                	current deploy	17d4571840236c19           	33.200385136s                          
dns                	default	modules.my-sample-workload.externals.dns  	current deploy	17d4571840236c19           	33.200391628s                          
ingress            	default	modules.my-sample-workload.externals.dns  	current deploy	17d4571840236c19           	33.200393672s                          
tls-cert           	default	modules.my-sample-workload.externals.dns  	current deploy	17d4571840236c19           	33.200395485s                          
route              	default	modules.my-sample-workload.externals.route	current deploy	17d4571840236c19           	33.200397248s                          

Resources Graph:


strict digraph {

	label="Resource Graph
app: my-sample-app, env: pr-130

green: virtual nodes (environment, workloads), blue: active resources

";

	labelloc="t";

	overlap="false";

	splines="true";


	"bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [ color="2", colorscheme="blues3", fillcolor="1", label="id: agent
type: agent
class: default
provision time: 7.703029s", style="filled", tooltip="guresid: bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44",  weight=0 ];

	"9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.route
type: route
class: default
provision time: 7.575169s", style="filled", tooltip="guresid: 9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819",  weight=0 ];

	"ea8b0d24e317d018530a0dde7e09b4fa13b44872" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns
type: tls-cert
class: default
provision time: 537.987ms", style="filled", tooltip="guresid: ea8b0d24e317d018530a0dde7e09b4fa13b44872",  weight=0 ];

	"ea8b0d24e317d018530a0dde7e09b4fa13b44872" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [  weight=0 ];

	"a0245904c1f78f069f902742e794955f0fbe7490" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns
type: ingress
class: default
provision time: 5.265074s", style="filled", tooltip="guresid: a0245904c1f78f069f902742e794955f0fbe7490",  weight=0 ];

	"a0245904c1f78f069f902742e794955f0fbe7490" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [  weight=0 ];

	"a0245904c1f78f069f902742e794955f0fbe7490" -> "ea8b0d24e317d018530a0dde7e09b4fa13b44872" [  weight=0 ];

	"24b5e6000334e67680c33aff788054aba3a112c2" [ color="2", colorscheme="blues3", fillcolor="1", label="id: base-env
type: base-env
class: default
provision time: 16.09061s", style="filled", tooltip="guresid: 24b5e6000334e67680c33aff788054aba3a112c2",  weight=0 ];

	"24b5e6000334e67680c33aff788054aba3a112c2" -> "bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload
type: workload
class: default
provision time: 290.309ms", style="filled", tooltip="guresid: fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02",  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "e107aecb05f615f64b28f083531d269f4751d6ed" [  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [  weight=0 ];

	"base" [ color="2", colorscheme="greens3", fillcolor="1", label="base", style="filled",  weight=0 ];

	"base" -> "24b5e6000334e67680c33aff788054aba3a112c2" [  weight=0 ];

	"e107aecb05f615f64b28f083531d269f4751d6ed" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload
type: k8s-service-account
class: default
provision time: 7.826071s", style="filled", tooltip="guresid: e107aecb05f615f64b28f083531d269f4751d6ed",  weight=0 ];

	"my-sample-workload" [ color="2", colorscheme="greens3", fillcolor="1", label="workload.my-sample-workload", style="filled",  weight=0 ];

	"my-sample-workload" -> "base" [  weight=0 ];

	"my-sample-workload" -> "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [  weight=0 ];

	"9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns
type: dns
class: default
provision time: 7.450157s", style="filled", tooltip="guresid: 9b1023243fcdaa4ad72ceb7c3e2588cc1977835a",  weight=0 ];

}


@mathieu-benoit mathieu-benoit marked this pull request as draft May 30, 2024 18:20
@mathieu-benoit (Owner Author) commented:

Not merging this for now for 2 reasons:

  • Aot is apparently not supported by noble-chiseled? When adding this RUN apt install -y clang zlib1g-dev in the Dockerfile, getting this error: Unable to locate package clang.
  • The previous size of the container image on disk was 40.9 MB, here it's now 114 MB... too big... I understand that the number of packages (not alpine/busybox based) is more secure, but want to keep the size small for now...

@mathieu-benoit (Owner Author) commented May 30, 2024

Wow, actually Aot is apparently supported by noble-chiseled, based on this: https://github.com/dotnet/dotnet-docker/blob/main/samples/releasesapi/Dockerfile.ubuntu-chiseled, even if it's in nightly container images. Now the size on disk is 42.4 MB, which is quite similar to the previous one based on alpine.

Deployment successfully completed for PR-130! 🎉

Deployment ID: 17d45b3638288ebf

Domains:

my-sample-workload: helloworld-preview.endpoints.mathieu-benoit-gcp.cloud.goog

Deployment diff:

{
  "modules": {
    "add": null,
    "remove": [],
    "update": {
      "my-sample-workload": [
        {
          "from": "",
          "op": "replace",
          "path": "/spec/containers/my-sample-container/image",
          "value": "us-east4-docker.pkg.dev/mathieu-benoit-gcp/containers/my-sample-app@sha256:0763010615fb3d3c47d84c3384c057d8bf0d0a50478d1a7c9b9f263582976f9c"
        },
        {
          "from": "",
          "op": "replace",
          "path": "/spec/annotations/humanitec.io~1workload-source",
          "value": "https://github.com/mathieu-benoit/sail-sharp/blob/noble-chiseled/score/score.yaml"
        }
      ]
    }
  },
  "shared": null
}
Active Resources Usage:


ResType            	Class  	ResID                                     	Usage         	Last referencing deployment	Last referencing deployment created ago
agent              	default	agent                                     	current deploy	17d45b3638288ebf           	35.571985809s                          
base-env           	default	base-env                                  	current deploy	17d45b3638288ebf           	35.571987562s                          
k8s-cluster        	default	k8s-cluster                               	current deploy	17d45b3638288ebf           	35.571988604s                          
k8s-namespace      	default	k8s-namespace                             	current deploy	17d45b3638288ebf           	35.571989255s                          
logging            	default	logging                                   	current deploy	17d45b3638288ebf           	35.571989947s                          
k8s-service-account	default	modules.my-sample-workload                	current deploy	17d45b3638288ebf           	35.571990628s                          
workload           	default	modules.my-sample-workload                	current deploy	17d45b3638288ebf           	35.571991329s                          
dns                	default	modules.my-sample-workload.externals.dns  	current deploy	17d45b3638288ebf           	35.57199197s                           
ingress            	default	modules.my-sample-workload.externals.dns  	current deploy	17d45b3638288ebf           	35.571992681s                          
tls-cert           	default	modules.my-sample-workload.externals.dns  	current deploy	17d45b3638288ebf           	35.571993303s                          
route              	default	modules.my-sample-workload.externals.route	current deploy	17d45b3638288ebf           	35.571993904s                          

Resources Graph:


strict digraph {

	label="Resource Graph
app: my-sample-app, env: pr-130

green: virtual nodes (environment, workloads), blue: active resources

";

	labelloc="t";

	overlap="false";

	splines="true";


	"bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [ color="2", colorscheme="blues3", fillcolor="1", label="id: agent
type: agent
class: default
provision time: 8.619857s", style="filled", tooltip="guresid: bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44",  weight=0 ];

	"24b5e6000334e67680c33aff788054aba3a112c2" [ color="2", colorscheme="blues3", fillcolor="1", label="id: base-env
type: base-env
class: default
provision time: 16.075728s", style="filled", tooltip="guresid: 24b5e6000334e67680c33aff788054aba3a112c2",  weight=0 ];

	"24b5e6000334e67680c33aff788054aba3a112c2" -> "bd0ea08dc0e33587a8b56ef08218c5e7a72f4c44" [  weight=0 ];

	"ea8b0d24e317d018530a0dde7e09b4fa13b44872" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns
type: tls-cert
class: default
provision time: 704.768ms", style="filled", tooltip="guresid: ea8b0d24e317d018530a0dde7e09b4fa13b44872",  weight=0 ];

	"ea8b0d24e317d018530a0dde7e09b4fa13b44872" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [  weight=0 ];

	"e107aecb05f615f64b28f083531d269f4751d6ed" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload
type: k8s-service-account
class: default
provision time: 8.737589s", style="filled", tooltip="guresid: e107aecb05f615f64b28f083531d269f4751d6ed",  weight=0 ];

	"my-sample-workload" [ color="2", colorscheme="greens3", fillcolor="1", label="workload.my-sample-workload", style="filled",  weight=0 ];

	"my-sample-workload" -> "base" [  weight=0 ];

	"my-sample-workload" -> "fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [  weight=0 ];

	"a0245904c1f78f069f902742e794955f0fbe7490" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns
type: ingress
class: default
provision time: 4.856889s", style="filled", tooltip="guresid: a0245904c1f78f069f902742e794955f0fbe7490",  weight=0 ];

	"a0245904c1f78f069f902742e794955f0fbe7490" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [  weight=0 ];

	"a0245904c1f78f069f902742e794955f0fbe7490" -> "ea8b0d24e317d018530a0dde7e09b4fa13b44872" [  weight=0 ];

	"9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.route
type: route
class: default
provision time: 8.440291s", style="filled", tooltip="guresid: 9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819",  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload
type: workload
class: default
provision time: 367.893ms", style="filled", tooltip="guresid: fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02",  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "e107aecb05f615f64b28f083531d269f4751d6ed" [  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9c5cc451a386d6b4a6b264a3fdcd20c0a13d9819" [  weight=0 ];

	"fb1a31d754ef2a4b5a4531c74a4d5fcb9d387e02" -> "9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [  weight=0 ];

	"base" [ color="2", colorscheme="greens3", fillcolor="1", label="base", style="filled",  weight=0 ];

	"base" -> "24b5e6000334e67680c33aff788054aba3a112c2" [  weight=0 ];

	"9b1023243fcdaa4ad72ceb7c3e2588cc1977835a" [ color="2", colorscheme="blues3", fillcolor="1", label="id: modules.my-sample-workload.externals.dns
type: dns
class: default
provision time: 8.211393s", style="filled", tooltip="guresid: 9b1023243fcdaa4ad72ceb7c3e2588cc1977835a",  weight=0 ];

}


@mathieu-benoit mathieu-benoit self-assigned this May 30, 2024
@mathieu-benoit mathieu-benoit marked this pull request as ready for review May 31, 2024 20:14
@mathieu-benoit mathieu-benoit merged commit 2262f12 into main May 31, 2024
2 checks passed
@mathieu-benoit mathieu-benoit deleted the noble-chiseled branch May 31, 2024 20:14
@mathieu-benoit mathieu-benoit mentioned this pull request Sep 13, 2024