
feat: move from ubi to ubi-minimal

Open maichouni-mitek opened this issue 1 year ago • 1 comment

This PR should close https://github.com/sustainable-computing-io/kepler/issues/1826. Using a smaller base image has several benefits:

  • Reducing the storage footprint: quicker deployments (fewer and/or smaller layers to pull).
  • Reducing the potential attack surface.
  • Reducing the number of vulnerabilities that arise between one kepler release and another, simply because fewer items are installed.

A picture is worth a thousand words: [three images]

The vulnerabilities we see above (as of 2024/10/24, in kepler:release-0.7.12) are inherited from the base image. They are in the python namespace, which is not needed at all in the kepler image, and which is why https://github.com/sustainable-computing-io/kepler/pull/1361 cannot get rid of them.

Thank you.

maichouni-mitek avatar Oct 24 '24 16:10 maichouni-mitek

🤖 SeineSailor

Here is a concise summary of the pull request changes:

Summary: This pull request updates the build/Dockerfile to reduce the attack surface, storage footprint, and potential vulnerabilities by switching to the ubi9/ubi-minimal:latest base image. Key changes include:

  • Replacing yum with microdnf for package installation
  • Removing unnecessary packages
  • Adding microdnf clean all after package installations

Impact: These changes do not affect the external interface or behavior of the code, and no alterations to function signatures, global data structures, or variables are observed. The updated base image and package management approach should improve the overall security and efficiency of the Docker image.

Observation: The changes are well-contained within the build/Dockerfile and do not introduce any apparent risks or side effects. However, it may be beneficial to verify that the updated image still meets all necessary dependencies and requirements for the project.

github-actions[bot] avatar Oct 24 '24 16:10 github-actions[bot]
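The pattern the bot summary describes (minimal base image, microdnf in place of yum, cache cleaned in the same layer) looks like the following. This is an added illustration, not the Kepler project's build/Dockerfile: the builder stage, the binary name and the runtime package list are assumptions chosen for the example; the ubi9/ubi-minimal image, microdnf and its flags are real.

```dockerfile
# Added example, not Kepler's own Dockerfile. The builder image, the
# binary path and the runtime package list are illustrative assumptions.

FROM docker.io/library/golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /src/bin/app ./cmd/app

# ubi-minimal ships microdnf instead of yum/dnf and carries no python
# stack, so vulnerabilities inherited from python-* packages in the full
# ubi image cannot show up here: the packages are simply not installed.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

# Install only what the binary needs at runtime. --nodocs and
# install_weak_deps=0 keep documentation and optional "weak" dependencies
# out of the layer; cleaning in the same RUN keeps the metadata cache from
# being committed into the image. The package name is illustrative.
RUN microdnf install -y --nodocs --setopt=install_weak_deps=0 \
        ca-certificates \
    && microdnf clean all \
    && rm -rf /var/cache/yum /var/cache/dnf

COPY --from=builder /src/bin/app /usr/bin/app

ENTRYPOINT ["/usr/bin/app"]
```

Two checks worth running after the build: `podman run --rm <image> rpm -qa | wc -l` against the old and new image shows how much of the package inventory went away, and `podman run --rm <image> rpm -qa | grep -i python` on the ubi-minimal build should print nothing, which is exactly why the scanner findings from the python namespace disappear rather than being patched. Pinning the base image to a digest instead of `:latest` is the usual follow-up once the switch is accepted, so that a rebuild is reproducible and a base-image regression is a deliberate bump rather than a surprise.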

@sthaha , would you please start the GHAs?

maichouni-mitek avatar Oct 29 '24 11:10 maichouni-mitek

@vimalk78 can you take a look? thanks

rootfs avatar Oct 29 '24 13:10 rootfs

@rootfs, @marceloamaral, @sthaha, can you please help with the image test? Thank you very much.

maichouni-mitek avatar Nov 04 '24 19:11 maichouni-mitek

@SamYuan1990 @maichouni-mitek could you please elaborate what you meant by image-test ?

sthaha avatar Nov 05 '24 00:11 sthaha

> @SamYuan1990 @maichouni-mitek could you please elaborate what you meant by image-test ?

@rootfs and I once made a CI job https://github.com/sustainable-computing-io/kepler/actions/workflows/image_pr.yml. The job can build a temporary image using a specific PR as the code base.

As our PR-level testing mostly runs on GHA VMs, which are not BM instances, and meanwhile this PR contains a base image change, to ensure the change is not harmful we can use this PR-level CI to build a PR-level image and test it on a BM instance if necessary.

Well, unfortunately I don't have a BM instance that is able to support testing... as my laptop is a Mac without a GPU, so... that's the reason I commented it out as the PR review result previously.

SamYuan1990 avatar Nov 05 '24 06:11 SamYuan1990

LGTM.

built images and pushed

quay.io/vimalkum/kepler:v0.7.12-31-gcb7b058a-linux-amd64-dcgm

quay.io/vimalkum/kepler:v0.7.12-31-gcb7b058a-linux-amd64-habana

vimalk78 avatar Nov 05 '24 14:11 vimalk78