
Consider using ubi9/python-311 as a base image

Open apodhrad opened this issue 2 years ago • 10 comments

Currently, there is

FROM quay.io/fedora/python-311:latest

I suggest to change it to

registry.access.redhat.com/ubi9/python-311:latest

apodhrad avatar Jun 09 '23 12:06 apodhrad

We have moved from the UBI images, see #85. The change was done at a time when there was no UBI Python 3.11 image. What is the benefit of using the UBI image?

ogajduse avatar Jun 21 '23 11:06 ogajduse

Hi @ogajduse, the biggest benefit of using Red Hat UBI is security.

apodhrad avatar Jun 22 '23 09:06 apodhrad

@apodhrad Can you please elaborate more? Security is a wide term. What are the specific security concerns here?

ogajduse avatar Jun 22 '23 10:06 ogajduse

I'm not a security expert, but these 2 things come to my mind:

  • Fedora image might contain a CVE which could allow escaping the container
  • Python distribution might also contain a CVE which could cause damage (in case of cloudwash, it could reveal AWS creds or delete AWS resources we want to keep, etc.)

These risks are the reason why we should use the most secure options (like Red Hat UBI) in all tools we use. We should always keep security in mind - no matter if it is a product or infrastructure.

apodhrad avatar Jun 22 '23 11:06 apodhrad

@apodhrad could you please point me to an article or something describing the CVEs you've mentioned? If there are such critical issues in Fedora container images, I think we should dedicate some time and effort to fixing them. Also, Fedora usually gets CVE fixes sooner than RHEL/CentOS Stream, so when it comes to CVEs in RPMs, Fedora might be even better. The disadvantage is a shorter lifecycle and updates to the newest versions of components with some potential for breaking changes. We produce Fedora Python images to test new Pythons we then usually make available in RHEL/UBI, where they get longer support. For example, Fedora 38 is the last one with Python 3.11 as the main Python, which means that it will be EOL one month after the release of Fedora 40.

frenzymadness avatar Jun 22 '23 11:06 frenzymadness

I'm not aware of any such CVEs and I hope they are not in any distribution. But it is a potential risk. This task is not about describing such risks - I have mentioned that as an example.

I find it beneficial to use Red Hat UBI - security was one of the reasons. It is publicly available, so I don't see any reason not to use it.

apodhrad avatar Jun 22 '23 12:06 apodhrad

We can switch to UBI images. There is no issue with that. The only thing that I think would make us switch back to Fedora would be the need for running cloudwash on a new Python version that will not be present in RHEL at the moment.

@apodhrad Feel free to make the switch. I do not have a strong opinion.

@frenzymadness Thanks for chiming in!

ogajduse avatar Jun 22 '23 14:06 ogajduse

@apodhrad @ogajduse @frenzymadness Nice discussions!

BTW we did see some vulnerabilities in the past with cloudwash container images, but not sure it's related to the Fedora image.

Today we have pushed a new release and container image to Quay, and it shows everything green, meaning no vulnerabilities in the image.

So for now everything seems to be good with the Fedora image, and I agree with the point that Fedora always provides the latest image faster when available.

jyejare avatar Aug 08 '23 08:08 jyejare

@apodhrad I will still keep the issue open, and if we see any issues in the future we can rethink your proposal, or else close it!

jyejare avatar Aug 08 '23 08:08 jyejare

I just want to clear up the uncertainty here. These vulnerabilities that @jyejare is talking about were coming from wrapanapi which had its requirements fixed to unpatched versions of dependencies or its dependencies did not release a fix for these CVEs last time we checked the security scan on Quay. If we want to keep this issue open, I would like to hear what the specific security concerns about the Fedora image are and what could be the driving factor for the switch to the UBI image.

ogajduse avatar Aug 08 '23 09:08 ogajduse