Docker - centos:7 kernel-header 3.10.0 vulnerabilities -> what to do? - docker

My client uses a Docker image that has a base image of centos:7 from Docker Hub. I noticed that Google Cloud Container Registry flagged my latest built images with 17 vulnerabilities that all target the kernel-headers package from CentOS, version 3.10.0.
What are my options?
Can I just upgrade this package or the kernel while staying on CentOS 7, or do I need to upgrade to version 8?
With an upgrade to version 8, are there specific breaking updates I should keep an eye on?
Thank you guys
Update: We are using the hdf5, hdf5-devel, devtoolset-7-gcc-c++ and openmpi packages to run some simulations. Removing kernel-headers tries to remove the devtoolset-7-gcc, glibc-devel and glibc-headers packages. I will do some testing without those packages.

yum install -y kernel-headers --enablerepo=centos-kernel
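Added example, not from the question or the answer above. The kernel-headers package inside a container image is only the set of header files that glibc-devel and the devtoolset compiler need while compiling; a container runs on the host's kernel, so the scanner finding concerns files the simulation never touches at runtime. The script below prints a two-stage Dockerfile that keeps the toolchain (and with it kernel-headers) in a throwaway build stage and ships a runtime stage with only hdf5 and openmpi, then checks that no build-only package slipped into the runtime stage. Names beyond those in the question (openmpi-devel, make, the `simulate` binary and a plain `make` build) are assumptions. The centos:7 base itself reached end of life on 30 June 2024, so dropping kernel-headers removes this finding but does not replace the need to move the runtime image to a supported base.

```shell
#!/bin/sh
# Added example, not from the original thread. Keeps the build toolchain that
# pulls in kernel-headers out of the image that actually runs the simulation.
set -eu

# Build-only package name patterns. Inside centos:7 the dependency chain is
# devtoolset-7-gcc -> glibc-devel -> glibc-headers -> kernel-headers, so
# none of these belong in the runtime stage. (The pattern list is an assumption.)
is_build_only() {
  case "$1" in
    kernel-headers*|glibc-headers*|glibc-devel*|*-devel*|devtoolset-*|gcc*|make|cmake*) return 0 ;;
    *) return 1 ;;
  esac
}

# Filter a package list (one name per line, e.g. `rpm -qa --qf '%{NAME}\n'`)
# down to the build-only packages.
build_only_packages() {
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if is_build_only "$name"; then printf '%s\n' "$name"; fi
  done
}

# Two-stage Dockerfile: the first stage compiles, the second only runs.
# The `simulate` binary and the plain `make` build are assumptions.
emit_dockerfile() {
  cat <<'EOF'
# build stage: compiler, headers and kernel-headers live only here
FROM centos:7 AS build
RUN yum install -y centos-release-scl epel-release \
 && yum install -y devtoolset-7-gcc-c++ make hdf5-devel openmpi-devel \
 && yum clean all
COPY . /src
WORKDIR /src
RUN scl enable devtoolset-7 'make'

# runtime stage: only the shared libraries the binary links against
FROM centos:7
RUN yum install -y epel-release \
 && yum install -y hdf5 openmpi \
 && yum clean all
COPY --from=build /src/simulate /usr/local/bin/simulate
ENTRYPOINT ["/usr/local/bin/simulate"]
EOF
}

# Guard: tokenize the second FROM block and make sure no build-only package
# is installed there. Returns non-zero (and lists offenders) otherwise.
runtime_stage_is_clean() {
  offenders=$(emit_dockerfile | awk '/^FROM/ { stage++ } stage == 2' \
              | tr ' \\' '\n\n' | build_only_packages)
  [ -z "$offenders" ] || { printf 'build-only packages in runtime stage:\n%s\n' "$offenders" >&2; return 1; }
}

# Build both stages and show that kernel-headers is absent from the final image.
build_and_verify() {
  emit_dockerfile > Dockerfile
  runtime_stage_is_clean
  docker build -t simulation:runtime .
  docker run --rm --entrypoint rpm simulation:runtime -q kernel-headers && return 1
  echo "runtime image does not contain kernel-headers"
}
```

Run `build_and_verify` from the source tree; `rpm -q kernel-headers` in the finished image exits non-zero, which is what the registry scanner needs to see. The build stage can keep the toolchain as long as it likes, since it is never pushed.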

Related

Electron builder - Define linux version

I'm using Electron, which already has a production environment running. For the last few months I've been publishing normally with electron-builder in my ci.yml file:
release-linux:
  stage: release
  image: electronuserland/builder:14
  before_script:
    - export ARCH="x64"
    - export BUILD_SCRIPT="build:linux"
    - apt-get update && apt-get install -y build-essential cmake
    - apt install -y libusb-1.0-0-dev libudev-dev
After running the `apt-get update && apt-get install -y build-essential cmake` line, the libc6 package is installed, and it installs the latest version (2.35).
My production environment is running on Ubuntu 20.04 LTS. I assume the Docker image in which the release is made is running on a newer version (assuming latest).
The problem is that I have some hardware devices which work correctly with libc6=2.31-0ubuntu9.2 (which is the version that was previously installed automatically by the Docker image). Now, for some reason I don't know, the image is pulling the latest version of libc6 and my hardware devices stopped working.
Is there any way to force electron-builder to use a specific Linux/Ubuntu version?
Or maybe use the latest version of Ubuntu but downgrade the libc6 version (I tried this one but failed). Any instructions on how to do this are appreciated.
Updating Ubuntu's version in production is not an option right now, so I think the solution should work out with this package/library version.
The problem solved itself randomly, but after some research, it turned out to be an electron-builder change that was causing the problem.
In this commit's changelog we can see that buildpack-deps was changed from buildpack-deps:22.04-curl (not working) to buildpack-deps:focal-curl (working).
That gives us a clue where to look. Here are the official supported tags for the Dockerfiles. Here we can see that focal-curl points to 20.04-curl, which I suppose has a different output than 20.04 on its own.
Then, looking at the GitLab jobs running with these CI configs, the libc6 dependency worked with different versions in each case.
Our hardware works correctly with libc6=2.31, which is used when focal-curl is set by the electron-builder Dockerfile, but not with libc6=2.35, which is used by 20.04.
This is not a solution, but it's the cause of the problem. I am now working on how to set up the project to use only the correct configuration of electron-builder. Currently we have accepted working with the same config, but being careful when releasing by watching which libc6 version it is working with.

Installing Specific Docker Version via Puppet

While deploying Docker using Puppet, I encountered an interesting issue.
Docker installs fine if I use: version => latest
Docker install fails if I use: version => '20.10.16'
My setup is as follows:
The puppet master is Ubuntu 20.04.
The puppet agent is Ubuntu 22.04 (on which I am trying to install Docker).
I believe the puppet docker module supports this setup.
The version lines I tried:
version => '20.10.16'
version => '20.10.16~3-0~ubuntu'
version => '20.10.16~3-0~ubuntu-jammy'
The error I get when I specify a specific version is as follows:
Error: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install docker-ce=20.10.16' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
Package docker-ce is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
docker-ce-cli
Does anyone have any idea what can be done so that it installs a specific version of Docker instead of the latest one?
When running apt-cache madison docker-ce it appears that the version number is 5:20.10.16~3-0~ubuntu-jammy.
Running apt install docker-ce=20.10.16~3-0~ubuntu-jammy returns the same error as yours, but apt install docker-ce=5:20.10.16~3-0~ubuntu-jammy works.
I suggest trying with the 5: in front of the version number.
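Added example, not from the question or the answer above. A Debian package version has the form `[epoch:]upstream_version[-debian_revision]`, and both `apt-get install pkg=VERSION` and the Puppet module's `version =>` match the whole string, so `20.10.16` can never match `5:20.10.16~3-0~ubuntu-jammy`; `apt-cache madison` prints the epoch whenever it is non-zero. The script below reads madison output and resolves a short version such as `20.10.16` to the complete string before pinning it, so the epoch can never be forgotten again. The three-line madison sample is constructed; only the `5:20.10.16~3-0~ubuntu-jammy` line is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: resolve the full apt version
# string, epoch included, before pinning it with apt or Puppet.
set -eu

# Epoch of a full version, empty when there is none.
epoch_of() {
  case "$1" in
    *:*) printf '%s\n' "${1%%:*}" ;;
    *)   printf '\n' ;;
  esac
}

# Read `apt-cache madison PKG` output on stdin and print the complete
# version string whose upstream part is WANTED (e.g. 20.10.16). Prints
# nothing when no candidate matches, so callers can fail loudly instead
# of silently installing something else.
full_version() {
  pkg=$1 wanted=$2
  awk -F'|' -v pkg="$pkg" -v want="$wanted" '
    { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }
    $1 == pkg {
      v = $2
      sub(/^[0-9]+:/, "", v)                  # drop the epoch for matching only
      rest = substr(v, length(want) + 1, 1)   # character right after the match
      if (index(v, want) == 1 && (rest == "" || rest ~ /[~+-]/)) { print $2; exit }
    }'
}

# Pin and install; fails if the wanted version is not in any enabled repo.
install_pinned() {
  pkg=$1 wanted=$2
  full=$(apt-cache madison "$pkg" | full_version "$pkg" "$wanted")
  [ -n "$full" ] || { echo "no $pkg candidate for $wanted in enabled repos" >&2; return 1; }
  echo "pinning $pkg=$full"
  apt-get install -y "$pkg=$full"
}

# Constructed sample of `apt-cache madison docker-ce` on jammy with Docker's
# repository enabled. Only the 20.10.16 line comes from the thread.
MADISON_SAMPLE='docker-ce | 5:20.10.17~3-0~ubuntu-jammy | https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages
docker-ce | 5:20.10.16~3-0~ubuntu-jammy | https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages
docker-ce-cli | 5:20.10.16~3-0~ubuntu-jammy | https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages'

# Resolve against the sample instead of a live apt cache.
pin_from_sample() { printf '%s\n' "$MADISON_SAMPLE" | full_version docker-ce "$1"; }
```

`install_pinned docker-ce 20.10.16` ends up running `apt-get install -y docker-ce=5:20.10.16~3-0~ubuntu-jammy`; the same resolved string is what the Puppet manifest needs in `version =>`. Note that the match deliberately stops at `~`, `+` or `-`, so asking for `20.10.1` does not silently pick up `20.10.16` or `20.10.17`.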

can't find OpenCV package on RHEL 8

Some sites say OpenCV could be installed on RHEL from the system repository:
sudo yum install opencv opencv-devel opencv-python
I run the RHEL UBI container redhat/ubi8 and tried to install OpenCV, but the package is not found.
Then I installed the EPEL repos from https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm, with the same result. The only opencv-related package is libfreenect-opencv.
I understand I could compile OpenCV from scratch, but I'd like to go with an already compiled package.
You need to enable CodeReady Linux Builder Repository on RHEL 8:
subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms

How to update glibc in docker image

I am currently using Docker, and I require glibc 2.28 in it. However, node:latest only gives me 2.24 on my ARM device. I have tried running update/upgrade, but it has not helped. What is the best way to continue? Should I look for a different image and install Node manually?
FROM node:latest
WORKDIR /code
RUN apt update
RUN apt upgrade -y
Upgrading very core libraries like libc can be challenging. It's better to find a newer distribution if you can.
If you look at the Docker Hub node image page, you'll notice that the "latest" image is also "15-stretch"; there is also a "15-buster". These are the names of Debian GNU/Linux releases. "Stretch" is an older release, and "buster" is the current stable Debian release. If you further look at the Debian package page for the libc6 package you'll see that in fact "buster" has GNU libc 2.28, where "stretch" only has libc 2.24.
So the easiest way to get the newer version of libc is to explicitly request the newer version of Debian as the base for the Node installation:
FROM node:current-buster
I recently ran into the same issue with sharp, and I noticed that the bullseye release has glibc version 2.31, which should pass the requirements. See: https://packages.debian.org/bullseye/libc6
The easy solution would be to use FROM node:16-bullseye-slim.
Full list of images at: https://hub.docker.com/_/node
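Added example, not from this thread or the electron-builder one above; it serves both. In both cases the real fault was a base image whose glibc silently changed underneath the build (stretch's 2.24 here, a jump from focal's 2.31 to 2.35 in the Electron CI job), and neither was caught until something broke at runtime. The functions below read the glibc version out of the image and fail the build early, either as a minimum (`require_glibc 2.28`, this thread) or as an exact major.minor pin (`require_glibc 2.31 exact`, the Electron case, where a newer glibc is the bug). The two `ldd --version` lines are constructed samples; the version strings they carry are real Ubuntu focal and Debian stretch libc6 versions.

```shell
#!/bin/sh
# Added example, not from either thread: fail a CI job or image build early
# when the base image does not carry the glibc the workload needs.
set -eu

# glibc version from `ldd --version` output; the first line ends with it, e.g.
#   ldd (Ubuntu GLIBC 2.31-0ubuntu9.2) 2.31
#   ldd (Debian GLIBC 2.24-11+deb9u4) 2.24
glibc_version_from_ldd() { awk 'NR == 1 { print $NF; exit }'; }

# Reduce a package version such as 2.31-0ubuntu9.2 (what
# `dpkg-query -W -f='${Version}' libc6` prints) to its numeric prefix 2.31.
glibc_numeric() { printf '%s\n' "${1%%[!0-9.]*}"; }

# Numeric comparison of dotted versions: version_ge HAVE WANT is true when
# HAVE >= WANT. Plain string comparison would rank 2.4 above 2.31.
version_ge() {
  have=$1 want=$2
  while [ -n "$have" ] || [ -n "$want" ]; do
    h=${have%%.*}; w=${want%%.*}
    if [ "$h" = "$have" ]; then have=''; else have=${have#*.}; fi
    if [ "$w" = "$want" ]; then want=''; else want=${want#*.}; fi
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
  done
  return 0
}

# Assert the running image has at least WANT (mode "min", the default) or,
# with mode "exact", that its major.minor is WANT. Use exact when a newer
# glibc is itself the regression, as with the hardware devices above.
require_glibc() {
  want=$1 mode=${2:-min}
  have=$(ldd --version | glibc_version_from_ldd)
  case "$mode" in
    exact) [ "$have" = "$want" ] ;;
    *)     version_ge "$have" "$want" ;;
  esac || { echo "glibc $have does not satisfy $mode $want" >&2; return 1; }
  echo "glibc $have ok ($mode $want)"
}

# Inspect a candidate base image before switching to it, e.g.
#   image_glibc node:16-bullseye-slim
image_glibc() { docker run --rm "$1" ldd --version | glibc_version_from_ldd; }

# Constructed samples of `ldd --version` first lines.
LDD_FOCAL='ldd (Ubuntu GLIBC 2.31-0ubuntu9.2) 2.31'
LDD_STRETCH='ldd (Debian GLIBC 2.24-11+deb9u4) 2.24'
```

In the Electron job, `require_glibc 2.31 exact` placed in `before_script` right after the `apt-get install` line turns the next base-image drift into a failed pipeline instead of a broken release; in a Node Dockerfile, `RUN require_glibc 2.28` at the top documents the requirement and stops the build on a stretch-based tag.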

DataStax Enterprise 4.5 on RHEL / CentOS 7 won't fully install cqlsh

When trying to install DataStax Enterprise from the yum repository, cqlsh won't actually install because it depends on Python 2.6, while RHEL/CentOS now ships with Python 2.7 and has removed 2.6.
It seems it should also be able to accept Python 2.7; as far as I know, it is compatible. I just used the CentOS 7 system Python 2.7 to install pip and then ran pip install cqlsh, and it all seems to be good.
Hm... yes, that's tricky. The target path for site files is in the package, so one would need different packages for different versions of Python (I believe). I filed a ticket; we will look into this.
