Difference of similar, yet different java distroless images - docker

I have tried to find out in the different readmes and information sections available, but didn't find an answer, so also a possible trace to where I might be able to find this out would help a lot:
What is the difference between the different java 11 distroless images, and which one is the one that is supposed to be used? They all differ in creation date / amount of security patches inside:
gcr.io/distroless/java:11
gcr.io/distroless/java11-latest
gcr.io/distroless/java11-debian11-latest
There was no article / readme / description available to see the intended / unintended differences in these containers.


How do I create sample security issues on Docker?

I'm trying to create an assignment for students to do that contains the following :
A docker image with issues that have to be scanned and remedied. (using an opensource scanner in kubernetes)
(Maybe) A sample attack scenario that can exploit those vulnerabilities.
The problem arises when I try to find a suitable vulnerable image or create one. I cannot find a base of security issues at all. I really bent my back thinking of a suitable phrase for Google, but everything leads merely to some blog posts about how to scan an image.
I expected a database that might contain multiple sec issues and what causes them. I'd also expect some way to discern which are the most popular ones.
Do you have the source I require?
Maybe you can just offer me 3-4 common security issues that are good to know and educational when having your first brush with docker? (And how to create those issues?)
The whole situation would probably have been easier if I myself had been an expert in the field, but the thing I do is also my assignment as a student. (So as students we design assignments for each other.)
Looks like you are looking for the container security hardening and Kubernetes security options maybe.
You can use some tools like:
kubesec - Security risk analysis for Kubernetes resources
checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open-source packages
Trivy - vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
If you are looking for some questions you can set, here is a CKS (Certified Kubernetes Security) exam question:
There are a number of pods/containers running in the "spectacle" namespace.
Identify and delete the pods which have CRITICAL vulnerabilities.
For this, the trivy open-source tool comes into the picture to scan the image that you will be using in the deployment on Kubernetes or docker:
trivy image --severity CRITICAL nginx:1.16
(nginx:1.16 being the image running in the container.)
A list of a few questions you can create a lab out of: https://github.com/moabukar/CKS-Exercises-Certified-Kubernetes-Security-Specialist/tree/main/7-mock-exam-questions
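The "identify the pods with CRITICAL vulnerabilities" exercise above is mostly a join between two JSON documents: the pod list from `kubectl get pods -n <namespace> -o json` and one `trivy image --format json <image>` report per image. The script below is an added example, not code from the answer or from the trivy project; it does not call kubectl or trivy itself but works from constructed stand-ins for their output (the vulnerability IDs are placeholders, not real CVE numbers). It assumes trivy's JSON layout of `Results[].Vulnerabilities[]` entries carrying a `Severity` field, and the Kubernetes pod spec layout of `spec.containers[]` and `spec.initContainers[]`.

```python
"""Triage pods by the trivy findings for the images they run (added example).

Works from constructed stand-ins for `kubectl get pods -o json` and
`trivy image --format json`; it never executes either tool.
"""
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed stand-in for `kubectl get pods -n spectacle -o json`, trimmed to the fields used.
PODS_DOC = {
    "items": [
        {"metadata": {"name": "web-0"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.16"}]}},
        {"metadata": {"name": "web-1"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.16"}]}},
        {"metadata": {"name": "api-0"},
         "spec": {"initContainers": [{"name": "init", "image": "registry.example/init:1.0"}],
                  "containers": [{"name": "api", "image": "registry.example/api:1.2"}]}},
    ]
}

# Constructed stand-ins for `trivy image --format json <image>`, one report per image.
# The CVE-0000-* identifiers are placeholders, not real vulnerability IDs.
TRIVY_REPORTS = {
    "nginx:1.16": {
        "ArtifactName": "nginx:1.16",
        "Results": [{"Target": "nginx:1.16 (debian 10.3)", "Class": "os-pkgs",
                     "Vulnerabilities": [
                         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                          "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                          "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"}]}],
    },
    "registry.example/api:1.2": {
        "ArtifactName": "registry.example/api:1.2",
        "Results": [{"Target": "registry.example/api:1.2 (alpine 3.18)", "Class": "os-pkgs",
                     "Vulnerabilities": [
                         {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                          "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "HIGH"}]}],
    },
    # trivy omits the "Vulnerabilities" key entirely for a clean target.
    "registry.example/init:1.0": {
        "ArtifactName": "registry.example/init:1.0",
        "Results": [{"Target": "registry.example/init:1.0 (alpine 3.18)", "Class": "os-pkgs"}],
    },
}


def images_in_pods(pods_doc):
    """Map each image reference to the set of pod names that run it.
    Init containers count too: their code ran in the pod's context."""
    by_image = defaultdict(set)
    for pod in pods_doc.get("items", []):
        name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            by_image[c["image"]].add(name)
    return dict(by_image)


def findings_at_or_above(report, threshold="CRITICAL"):
    """Return (id, package, installed, fixed) for findings at or above `threshold`.
    Tolerates the missing 'Vulnerabilities' key that trivy emits for a clean target."""
    floor = SEVERITY_RANK[threshold]
    found = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= floor:
                found.append((v["VulnerabilityID"], v["PkgName"],
                              v.get("InstalledVersion", ""), v.get("FixedVersion", "")))
    return found


def pods_to_remediate(pods_doc, reports, threshold="CRITICAL"):
    """Return ({pod: sorted vulnerability IDs}, sorted unscanned images).
    An image without a report is listed as unscanned, never treated as clean."""
    hits, unscanned = {}, []
    for image, pods in images_in_pods(pods_doc).items():
        if image not in reports:
            unscanned.append(image)
            continue
        ids = sorted({f[0] for f in findings_at_or_above(reports[image], threshold)})
        for pod in pods if ids else ():
            hits.setdefault(pod, set()).update(ids)
    return {p: sorted(ids) for p, ids in hits.items()}, sorted(unscanned)


if __name__ == "__main__":
    critical, missing = pods_to_remediate(PODS_DOC, TRIVY_REPORTS)
    for pod, ids in sorted(critical.items()):
        print(f"{pod}: CRITICAL {', '.join(ids)}")
    for image in missing:
        print(f"unscanned image: {image}")
```

The threshold is a parameter so the same join answers "which pods have HIGH or worse" for a stricter lab; the unscanned list matters in practice because a missing report usually means the scan failed, not that the image is clean.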

Reduce DeepLearning4j dependency size of exported jar

In my application, I would like to use Deeplearning4j. Deeplearning4j has over 120 MB of dependencies, which is a lot considering my own code is only 0.5 MB.
Is it possible to reduce the dependencies required? Would loading an already-trained network allow me to ship my application with a smaller file size?
There are many ways to reduce the size of your jar depending on what your use case is. We cover this more recently in our docs, but I'll summarize some things to try here:
DL4j is heavily based on javacpp. You can add -Djavacpp.platform=$YOUR_PLATFORM (linux-x86_64, windows-x86_64, ...) to your build to reduce the number of native dependencies in there.
If you are using deeplearning4j-core, that includes a lot of extra dependencies you may not need. In this case, you may only need deeplearning4j-nn for the configuration. The same goes for if you are using only samediff, you do not need the dl4j apis. I don't know enough about your use case to confirm what you do and don't need though.
If you are deploying on an embedded platform, we also have the ability to reduce the number of supported operations and data types now as well. This feature is mainly for advanced users right now (involves building from source) but if you think that could also be applicable despite the first 2, please do confirm and I can try to clarify that a bit.

OpenLiberty Docker image with *all* features enabled

The OpenLiberty Docker Images tagged as full contain a server.xml that only enables the javaee-8.0 feature. Those tagged as microProfile3 only enable microProfile-3.0.
I want both... even better: I'd like to have just all features enabled while I'm developing; I'll optimize for performance when I need it, i.e. maybe not at all.
Is there an easier way than to build another image with both features enabled?
It isn't possible to enable all features at once in Liberty because many of the features intentionally conflict with one another. For example, you can't load two different versions of the same feature at the same time (e.g. servlet-3.1 and servlet-4.0).
You can pretty concisely enable all of the latest JavaEE and MicroProfile features at once by doing this:
<server>
    <featureManager>
        <feature>javaee-8.0</feature>
        <feature>microProfile-3.2</feature>
    </featureManager>
</server>
Doing this will give quite a lot of capabilities (more than a single app typically needs). The features not included in these two umbrella features are pretty specialized, such as JCache session persistence (sessionCache-1.0) or event logging (eventLogging-1.0).
You can think of the tags as indicators for what features are included in the image more so than what's enabled by default. In other words, 'full' has all the features available and can be enabled without the need for install, whereas 'microProfile3' only has the microProfile-3 features installed. Note that some packages, like javaee8, have more than just the single feature included as it also provides other features that users may need to use alongside that single feature (though only that one feature is enabled by default). You can see the breakdown of features to package here
Andy's answer explains why you can't enable all the features at once (conflicts). Regarding whether there's an easy way to build with both features enabled, I'd recommend starting with 'full' and updating the Dockerfile to COPY the server.xml with both features (plus any other ones you'd like) to /config. Like you alluded to in your question, this is fine for development, but you would not want to do it for production as it would include a lot of extra features that you're not using. For production, you'd want to use the opposite approach and start with the smallest image (perhaps kernel) and add only the features that your application/server needs, ensuring a fit-for-purpose runtime.

Code changes to build z3 on Solaris

I have need to get z3 building on Solaris 8. I took a look at the file scoped_timer.cpp, which is the only place that uses -D_LINUX_, and figure I can get the right code in there for Solaris, guarding it with -D_SOLARIS_. Also, src/util/hwf.cpp would need to be changed to provide definitions of fma() and nearbyint(), which aren't defined on Solaris 8. That can be done too, by defining fma(x, y, z) to be x*y + z, but then there would be two roundings instead of one, which is required by IEEE 754. Would this pose a problem for the purposes of z3? I would also need to change mk_util.py to set up compile and link options for Solaris. This also seems rather feasible as we are using g++ on Solaris, so the compile options would be similar. The link options probably would require additional libraries. I am willing to do some of the legwork, but I may need help along the way. Would anyone be willing to work with me, and would this be a welcome addition?
would this be a welcome addition?
I guess we can take a pull request when it is ready (and not obscuring other settings) and there are at least two users for this.
The usual conditions apply for taking pull requests: https://github.com/Z3Prover/z3/wiki/Contribution-Guidelines.
Of course you can have your own forks without merging changes back.
The other issue may be that the endianness on your machines and the constraints on memory alignment may expose further portability problems.
You should be able to find issues by running the regression tests under the z3test repository (as well as the unit tests). We recently fixed some endianness related problems for ARM/PowerPC.
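The double-rounding concern raised in the question is easy to see with concrete numbers. The script below is an added example, not code from z3 or from this thread: it compares the proposed x*y + z substitute against a correctly rounded reference built with Python's exact rational arithmetic (CPython converts a Fraction to float with a single correct rounding), and does the same for the common floor(x + 0.5) substitute for nearbyint(). The inputs are constructed to expose the difference; since hwf.cpp exists to give bit-exact floating-point semantics, a result that is off by one ulp is exactly the kind of discrepancy the substitute would introduce.

```python
"""Double rounding in an fma() substitute, and tie handling in a nearbyint()
substitute (added example, not z3 code)."""
from fractions import Fraction
import math


def fma_naive(x, y, z):
    """The proposed substitute: two IEEE 754 operations. The product is rounded
    to double before the addition, so the result is rounded twice."""
    return x * y + z


def fma_correctly_rounded(x, y, z):
    """Reference fma(): form x*y + z exactly as a rational number, then round
    once. Fraction -> float conversion in CPython is correctly rounded."""
    return float(Fraction(x) * Fraction(y) + Fraction(z))


# Constructed inputs. x*y = 1 + 2^-51 + 2^-104 needs more than 53 significant
# bits, so the first rounding drops the 2^-104 term; z then cancels the rest
# and the substitute returns 0, while a real fma() keeps the 2^-104.
X = 1.0 + 2.0 ** -52
Y = 1.0 + 2.0 ** -52
Z = -(1.0 + 2.0 ** -51)


def nearbyint_naive(x):
    """Common substitute: floor(x + 0.5). Rounds ties upward instead of to even,
    and the addition itself can round (0.49999999999999994 + 0.5 == 1.0)."""
    if not math.isfinite(x):
        return x
    return float(math.floor(x + 0.5))


def nearbyint_ties_to_even(x):
    """nearbyint() under the default rounding mode (nearest, ties to even).
    Python's round() on a float implements exactly that rule."""
    if not math.isfinite(x) or abs(x) >= 2.0 ** 52:
        return x  # inf, nan and magnitudes >= 2^52 are already integral
    return float(round(x))


if __name__ == "__main__":
    print("fma substitute :", fma_naive(X, Y, Z))
    print("fma reference  :", fma_correctly_rounded(X, Y, Z))
    for v in (2.5, -2.5, 0.49999999999999994):
        print(f"nearbyint({v!r}): substitute={nearbyint_naive(v)} "
              f"reference={nearbyint_ties_to_even(v)}")
```

The fma case matters beyond z3: a substitute that silently differs from the hardware instruction means the same model evaluates differently on Solaris than on a platform with a real fma(), which is the portability class of bug the reply warns about for endianness and alignment.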

What is "/path/to"?

I've been doing web programming for some time now, and don't consider myself so much of a total newbie but I still don't understand what "/path/to" is. People use that code a lot, and I used to think it's just a way to refer to main path. But I started wondering why so many people use that syntax so uniformly, because it's confusing if it's meant to be NOT taken literally. Most people would actually type in "/path/to".
So I tried searching for "/path/to" on google, but this is something that's hard to search on a generic search engine, so no luck. So I decided to ask here. Is "/path/to" some kind of jargon that people use to refer to something? If yes, what does it exactly refer to? If no, then how does it work internally?
This is just a placeholder for an actual path in your environment. I usually use it when I want to abstract from the path in question. It does not matter and the reader/user of my code will likely have it different. So I prefer to clearly indicate what places he should amend.
Other examples of this sort:
GET http://example.com
ssh username@host
/path/to/project and similar constructs are used in documentation and blog posts to abstract away details that vary on different machines and for different people. For example, I might be working on a project on my Linux machine that is at /home/code-apprentice/src/my-cool-ruby-project. At the same time, you are working on a project on your Windows machine that you put at C:\Users\Vlad\Projects\MyEvenBetterRubyProject. We both are reading the same blog article to implement a feature. The detail of the exact path where we each store our project doesn't matter for the particular part of Ruby on Rails that we are using. The notation /path/to/project is just a convenient and concise placeholder to describe the root of the project that varies between our machines.
