distroless icon indicating copy to clipboard operation
distroless copied to clipboard
verified publisher icon GoogleContainerTools

base - libssl1 and libssl1.1 package metadata

Open sozercan opened this issue 2 years ago • 3 comments

Describe the bug Latest distroless/base (73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d) adds libssl1.1 package metadata to /var/lib/dpkg/status.d/

File is called libssl1.1 https://explore.ggcr.dev/layers/gcr.io/distroless/base@sha256:559bc54043fc1429f1b9c4e16f52670c7861b7c7fd4125129c29c924b293c2b2/var/lib/dpkg/status.d/ (latest as of this issue creation) 2758d0c3 -rw-r--r-- 0/0 791 2023-05-26 21:30 libssl1.1

This used to be called libssl1 https://explore.ggcr.dev/layers/gcr.io/distroless/base@sha256:5f5bc92abac82e11c02bec33b6583dc5b4388a8a1a54e801d747529954ab08e0/var/lib/dpkg/status.d/ (this is from Jan 2023 digest) e1c83de8 -rw-r--r-- 0/0 793 1970-01-01 00:00 libssl1

This caused issues with images based on distroless/base like distroless-iptables where there's both libssl1 and libssl1.1. This is now fixed, below is from an older v0.1.2 tag. https://explore.ggcr.dev/layers/us.gcr.io/k8s-artifacts-prod/build-image/distroless-iptables@sha256:6e84bc9d77fa4cf90bffa090253ac4837ac4626072387a599f81ef15f1e03336/var/lib/dpkg/status.d/

33905e80 -rw-r--r-- 0/0             791 1970-01-01 00:00 libssl1
33905e80 -rw-r--r-- 0/0            9840 2022-09-23 08:23 libssl1.1

I wanted to confirm if libssl1.1 file name is the expected behavior from distroless/base going forward?

To Reproduce Steps to reproduce the behavior:

Expected behavior A clear and concise description of what you expected to happen.

Console Output If applicable, add information from your container run

Additional context Add any other context about the problem here.

sozercan avatar Jun 07 '23 16:06 sozercan

Yeah this probably happened with the switch off of rules_docker.

loosebazooka avatar Jun 26 '23 19:06 loosebazooka

Looks like this is an issue for libssl1.1 and libssl3 too. I can't tell if this is an issue with google/distroless or k8s/distroless-iptables since google/distroless doesn't publish tags to be able to correspond to the base of k8s/distroless-iptables.

This image also reports as bookworm, but this might be bullseye, since libssl1.1 does not exist in bookworm.

https://explore.ggcr.dev/layers/registry.k8s.io/build-image/distroless-iptables@sha256:3dd52ab0c572b777eb98214c4e4a4f6d9a94d0a2d0731b3f8980fb5766552b2d/var/lib/dpkg/status.d/

5a75ae4a -rw-r--r-- 0/0             820 2024-01-10 17:29 libssl1.1
5a75ae4a -rw-r--r-- 0/0             557 2023-10-23 17:52 libssl3
5a75ae4a -rw-r--r-- 0/0             681 2023-10-23 17:52 libssl3.md5sums

Seems fixed in the newest versions.

sozercan avatar Mar 15 '24 18:03 sozercan

Seems fixed in the newest versions.

not sure what you mean by this, but the latest distroless images on debian12 do not contain libssl1.1. Do you have a link to the build of this image?

loosebazooka avatar Mar 18 '24 13:03 loosebazooka