yum install -devel in dockerfile #368
Comments
I don't think we can. They are not built at the same time / use case: https://github.com/aws/aws-for-fluent-bit/blob/mainline/Makefile#L18-L24
@zhonghui12 what I mean is in the Dockerfile, lines 16, 25, 26 and 28 are installations of yum packages that are "-devel" versions. We don't want those versions of the packages in our production environment. Could lines 15 to 32 of the Dockerfile be like this? `RUN yum install -y` That way, no -devel packages would be in the Release version. But they will still be there in the Debug version.
@jonathanlebrasseur-qc I believe the devel/developer packages are needed to compile Fluent Bit. They should not be in the final image because we have a multi-stage build where the final stage starts here: https://github.com/aws/aws-for-fluent-bit/blob/mainline/Dockerfile#L100 And then we copy the built binary into it. My understanding is that the devel packages include the raw header files for dependencies which are needed if you are compiling Fluent Bit from source. At runtime, the devel packages might not be needed. Maybe we should remove the devel packages from the final stage: https://github.com/aws/aws-for-fluent-bit/blob/mainline/Dockerfile#L103 Let me try that out...
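The pattern described in the comment above, as an added illustration that is not the project's own Dockerfile: the -devel (header) packages are installed only in the build stage, and the runtime stage installs just the shared libraries the binary links against. The base image, the package list, the cmake invocation and the output path are assumptions chosen for the example.

```dockerfile
# Added example, not the aws-for-fluent-bit Dockerfile. Base image, package
# names, build flags and paths are assumptions for illustration only.

# ---- build stage: compilers and -devel headers live here only ----
FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder
# The -devel packages provide header files needed to compile against the
# libraries; they are a compile-time dependency, not a runtime one.
RUN yum install -y gcc gcc-c++ make cmake3 openssl-devel cyrus-sasl-devel \
    && yum clean all
WORKDIR /src
COPY . .
# Assumed build invocation for a cmake-based project such as Fluent Bit.
RUN cmake3 -S . -B build -DCMAKE_BUILD_TYPE=Release \
    && cmake3 --build build --parallel

# ---- runtime stage: no compilers, no -devel packages ----
FROM public.ecr.aws/amazonlinux/amazonlinux:2
# Only the shared libraries the binary dynamically links against.
RUN yum install -y openssl-libs cyrus-sasl-lib \
    && yum clean all
# Copy just the built binary out of the build stage (assumed output path).
COPY --from=builder /src/build/bin/fluent-bit /fluent-bit/bin/fluent-bit
ENTRYPOINT ["/fluent-bit/bin/fluent-bit"]
```

To confirm the final image carries no header packages, list the installed RPMs in the built image and filter for the suffix, e.g. `docker run --rm <image> rpm -qa | grep -- '-devel'` should return nothing; running the same command against the build stage (built with `--target builder`) shows the headers are confined to that stage. Keeping the runtime stage minimal also shrinks what an image scanner has to evaluate, which is the concern raised later in this thread.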
@jonathanlebrasseur-qc What is your concern with devel packages in prod? I totally agree that if they aren't needed, we shouldn't have the devel versions in our public image. But forgive me if I am very clueless here, does this pose a risk to your prod- is fixing this ASAP something necessary for you to use Fluent Bit?
@PettitWesley The -devel packages are also pulling some dependencies that are sometimes flagged by Inspector as vulnerable. We then need to check if the vulnerabilities have a real impact or not, which consumes time and effort if we need to produce our own image. This is what happened a couple of weeks ago. It would be better if packages that are not needed are left out of the final image.
I see- you're saying that the devel packages give you a lot more than what the non-devel versions have, so there's a higher surface area for issues to be picked up by the scan. Makes sense. We do ECR image scanning in our release pipeline and if it fails we block the release. So at release time all our images have all their contents validated. That being said, I think it makes sense to remove the devel packages from the final stage of the build; we have added this to our ops backlog.
Instead use official public ECR golang images. Also remove unnecessary "-devel" packages in build and release images. Fixes #368
Re-opened as the commit resolving this had undetected issues and needs to be reverted. Given the above-mentioned considerations, this is not an active security risk, though we will still work to root-cause the issue with the fix commit.
#871)
* Revert "Remove 'gimme' tool and -devel packages from build toolchain (#868)" This reverts commit d78beaf.
* Add make and integ test steps to the PR template
* Fix local testing link in PR template and README
* Re-release 2.32.3 (no-op) Adding this change so the commit history clearly indicates the contents of 2.32.3
--------- Co-authored-by: Swapneil Singh <[email protected]>
Instead use official public ECR golang images. Also remove unnecessary "-devel" packages in main-release image. Fixes #368
In your project, you have a Dockerfile that includes -devel packages installation from yum.
Since those -devel packages are present in the Dockerfile.debug, is it possible to remove them from the main Dockerfile?