
-azurelinux3.0-distroless-aot #155

Draft: wants to merge 3 commits into main

Conversation

mathieu-benoit (Owner) commented Sep 14, 2024

Testing, not sure yet.

| image          | size   | packages | CVEs |
|----------------|--------|----------|------|
| noble-chiseled | 40.7MB | 7        | 5    |
| azurelinux     | 50.6MB | 10       | 0    |

docker images:

REPOSITORY                                          TAG       IMAGE ID       CREATED          SIZE
sail-sharp-my-sample-workload-my-sample-container   latest    200dfcd3321d   31 minutes ago   50.6MB
ghcr.io/mathieu-benoit/my-sample-workload           latest    8841581add41   6 days ago       40.7MB

syft ghcr.io/mathieu-benoit/my-sample-workload (based on noble-chiseled):

 ✔ Loaded image        ghcr.io/mathieu-benoit/my-sample-workload:latest
 ✔ Parsed image        sha256:8841581add4133f57ed323a152cb0ca7659de94832ece37dde4e283526caa54c
 ✔ Cataloged contents  6fa1280a4ea7603039914011a67641aadc93e22db420223c7b1ac5450498048d
   ├── ✔ Packages                        [7 packages]  
   ├── ✔ File digests                    [6 files]  
   ├── ✔ File metadata                   [6 locations]  
   └── ✔ Executables                     [29 executables]  
NAME             VERSION               TYPE   
base-files       13ubuntu10            deb     
ca-certificates  20240203              deb     
gcc-14-base      14-20240412-0ubuntu1  deb     
libc6            2.39-0ubuntu8.2       deb     
libgcc-s1        14-20240412-0ubuntu1  deb     
libssl3t64       3.0.13-0ubuntu3.2     deb     
openssl          3.0.13-0ubuntu3.2     deb

syft sail-sharp-my-sample-workload-my-sample-container (based on azure-linux, this PR):

 ✔ Loaded image        sail-sharp-my-sample-workload-my-sample-container:latest
 ✔ Parsed image        sha256:200dfcd3321d703490e44f2fc2e48c5f38cda3c58f242e97cf9e4fd2c4a06eb9
 ✔ Cataloged contents  16e2099d1a37e0db763a7ec3c4abbdf285248b550ec588546a2f9d3f0415ede0
   ├── ✔ Packages                        [10 packages]  
   ├── ✔ File digests                    [39 files]  
   ├── ✔ File metadata                   [39 locations]  
   └── ✔ Executables                     [43 executables]  
[0001]  WARN unable to parse cpe attributes for elf binary package error=unable to parse Attributes string: failed to parse Attributes="": wfn: unsupported format ""
[0001]  WARN unable to parse cpe attributes for elf binary package error=unable to parse Attributes string: failed to parse Attributes="": wfn: unsupported format ""
NAME                         VERSION               TYPE   
azurelinux-release           3.0-18.azl3           rpm     
distroless-packages-minimal  3.0-5.azl3            rpm     
filesystem                   1.1-21.azl3           rpm     
glibc                        2.38                  rpm     
glibc                        2.38-7.azl3           rpm     
libgcc                       13.2.0-7.azl3         rpm     
openssl                      3.3.0                 rpm     
openssl-libs                 3.3.0-2.azl3          rpm     
prebuilt-ca-certificates     2501981:3.0.0-7.azl3  rpm     
tzdata                       2024a-1.azl3          rpm

trivy image ghcr.io/mathieu-benoit/my-sample-workload:

ghcr.io/mathieu-benoit/my-sample-workload (ubuntu 24.04)
========================================================
Total: 5 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────────┬─────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │  Status  │ Installed Version │   Fixed Version   │                            Title                            │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────────┼─────────────────────────────────────────────────────────────┤
│ libc6      │ CVE-2016-20013 │ LOW      │ affected │ 2.39-0ubuntu8.2   │                   │ sha256crypt and sha512crypt through 0.6 allow attackers to  │
│            │                │          │          │                   │                   │ cause a denial of...                                        │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2016-20013                  │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3t64 │ CVE-2024-6119  │ MEDIUM   │ fixed    │ 3.0.13-0ubuntu3.2 │ 3.0.13-0ubuntu3.4 │ openssl: Possible denial of service in X.509 name checks    │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-6119                   │
│            ├────────────────┼──────────┼──────────┤                   ├───────────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2024-41996 │ LOW      │ affected │                   │                   │ openssl: remote attackers (from the client side) to trigger │
│            │                │          │          │                   │                   │ unnecessarily expensive server-side...                      │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-41996                  │
├────────────┼────────────────┼──────────┼──────────┤                   ├───────────────────┼─────────────────────────────────────────────────────────────┤
│ openssl    │ CVE-2024-6119  │ MEDIUM   │ fixed    │                   │ 3.0.13-0ubuntu3.4 │ openssl: Possible denial of service in X.509 name checks    │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-6119                   │
│            ├────────────────┼──────────┼──────────┤                   ├───────────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2024-41996 │ LOW      │ affected │                   │                   │ openssl: remote attackers (from the client side) to trigger │
│            │                │          │          │                   │                   │ unnecessarily expensive server-side...                      │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-41996                  │
└────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────────┴─────────────────────────────────────────────────────────────┘

trivy image sail-sharp-my-sample-workload-my-sample-container:

sail-sharp-my-sample-workload-my-sample-container (azurelinux 3.0)
==================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Deployment successfully completed for PR-155! 🎉

Deployment ID: 17f4fe385fd0e696

URLs:

my-sample-workload: helloworld-preview.endpoints.mathieu-benoit-gcp.cloud.goog

Deployment diff:

{
  "modules": {
    "add": null,
    "remove": [],
    "update": {
      "my-sample-workload": [
        {
          "from": "",
          "op": "replace",
          "path": "/spec/containers/my-sample-container/image",
          "value": "us-east4-docker.pkg.dev/mathieu-benoit-gcp/containers/my-sample-workload@sha256:acb59fa8b5ffdd593a59279ced36231c07aa17c1ea86f54ac6ee0abf62d2e8e5"
        },
        {
          "from": "",
          "op": "replace",
          "path": "/spec/annotations/humanitec.io~1workload-source",
          "value": "https://github.com/mathieu-benoit/sail-sharp/blob/azure-linux/score/score.yaml"
        }
      ]
    }
  },
  "shared": null
}
Active Resources Usage:

ResType            	Class  	ResID                                     	Usage         	Last referencing deployment	Last referencing deployment created ago
agent              	default	agent                                     	current deploy	17f4fe385fd0e696           	39.717571338s                          
base-env           	default	base-env                                  	current deploy	17f4fe385fd0e696           	39.717575005s                          
k8s-cluster        	default	k8s-cluster                               	current deploy	17f4fe385fd0e696           	39.717577419s                          
k8s-namespace      	default	k8s-namespace                             	current deploy	17f4fe385fd0e696           	39.717579593s                          
logging            	default	logging                                   	current deploy	17f4fe385fd0e696           	39.717581447s                          
k8s-service-account	default	modules.my-sample-workload                	current deploy	17f4fe385fd0e696           	39.717583s                             
workload           	default	modules.my-sample-workload                	current deploy	17f4fe385fd0e696           	39.717584512s                          
dns                	default	modules.my-sample-workload.externals.dns  	current deploy	17f4fe385fd0e696           	39.717585985s                          
ingress            	default	modules.my-sample-workload.externals.dns  	current deploy	17f4fe385fd0e696           	39.717586987s                          
tls-cert           	default	modules.my-sample-workload.externals.dns  	current deploy	17f4fe385fd0e696           	39.717587909s                          
route              	default	modules.my-sample-workload.externals.route	current deploy	17f4fe385fd0e696           	39.71758872s                           

Resources Graph:

Use a Graphviz viewer for a visual representation.

@mathieu-benoit mathieu-benoit changed the title Update Dockerfile - azurelinux3.0-distroless-aot -azurelinux3.0-distroless-aot Sep 14, 2024
@mathieu-benoit mathieu-benoit marked this pull request as draft October 9, 2024 00:22