
[security] Update base docker images with necessary upgrades

Open denismakogon opened this issue 5 years ago • 9 comments

Description

As official FDK maintainers we committed ourselves to delivering the best tooling for doing serverless with Fn.

One of the first things we need to fix is the security of docker base images for the particular runtimes like Go, Java, Node, Python and Ruby.

Unfortunately, we have obvious problems with our base images because certain packages must be updated ASAP.

Steps to reproduce the issue:

snyk test --docker <fn-runtime-image> --json | docker run --rm -i denismakogon/snyk-filter:0.0.6

replace `<fn-runtime-image>` with any of the following images:

  • fnproject/node:dev
  • fnproject/python:3.7.1 or fnproject/python:3.7.1-dev
  • fnproject/go:dev

Describe the results you received: I'll post here some results of testing our base images:

  • nodejs dev
-----------------------------------------
Final packages to update:
node==8.15.1
busybox==1.26.2-r9
musl==1.1.16-r14
-----------------------------------------
  • python 3.7.1 dev
-----------------------------------------
Final packages to update:
glibc/libc-bin==2.24-11+deb9u4
glibc/libc6==2.24-11+deb9u4
glibc/multiarch-support==2.24-11+deb9u4
openssl/libssl1.1==1.1.0j-1~deb9u1
openssl==1.1.0j-1~deb9u1
perl/perl-base==5.24.1-3+deb9u5
systemd/libsystemd0==232-25+deb9u7
systemd/libudev1==232-25+deb9u7
apt/libapt-pkg5.0==1.4.9
apt==1.4.9
-----------------------------------------

and so on...

Describe the results you expected: Well, hard to say, but I'd like to see no issues with packages in base images.

Action items

  • [ ] Ask FDK maintainers to start working on base image fixes
  • [ ] Turn security check into CI job to prevent issues in future

denismakogon avatar Apr 17 '19 12:04 denismakogon

Thanks for starting this. +1 on the CI job.

carimura avatar Apr 17 '19 14:04 carimura

there's a more pressing issue of actually updating the runtime images, which probably precedes this task. none of them have automatic update in CI on a cron schedule regularly (and few on a master gets updated schedule, too). all that this says is that we don't run apk upgrade, which is easy to fix. I don't disagree about doing this but we should automate it. I could just as easily every monday send an email that says we haven't updated the packages in the runtime images -- the info we're getting here isn't very valuable at least from what I can tell and could be automated away. though it's fine for us to run snyk, at present we don't even have the runtime images set up to update, think that task precedes this or this is just annoying and not telling us anything we don't already know.

rdallman avatar Apr 17 '19 16:04 rdallman

thanks for the feedback, however, I don't feel like there's a way to automate fixes for package security issues, because not all problems can be solved only by doing apt-get update, from what I know you'd need to add security package index and basically wait for an update to show up, but again, there are two types of fixes: the one that comes with an upgrade and the one that comes with a patch, and the patch here is way too complex because you'd need to build packages by yourself.

the tool I've made shows only fixable issues via upgrade, which can kinda be gated easily by the CI.

denismakogon avatar Apr 17 '19 17:04 denismakogon
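A filter of the kind the reproduction steps pipe snyk output through, as an added example that is not the snyk-filter image or any fnproject code: it reads the JSON produced by `snyk test --docker <image> --json`, keeps only the findings that an upgrade can clear (the "fixable via upgrade" subset from the comment above), prints them in the same "Final packages to update" shape as the results in the issue, and returns a non-zero exit status so a CI job can gate on them. The snyk field names (`vulnerabilities`, `packageName`, `version`, `severity`, `isUpgradable`, `isPatchable`, `upgradePath`) are assumed from snyk's JSON report format, and the embedded sample report is constructed; only its fixed versions are taken from the issue's python 3.7.1 results.

```python
"""Gate a base image on vulnerabilities that a package upgrade can fix.

Added example, not the snyk-filter tool nor fnproject code. The snyk JSON
layout below is an assumption: a top-level "vulnerabilities" list whose
entries carry packageName, version, severity, isUpgradable, isPatchable and
an upgradePath list of "<pkg>@<version>" strings (False marks untouched steps).
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report; fixed versions mirror the issue's python 3.7.1 output,
# the "current" versions and the libexample package are made up for the example.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"packageName": "openssl/libssl1.1", "version": "1.1.0f-3+deb9u2",
         "severity": "high", "isUpgradable": True, "isPatchable": False,
         "upgradePath": [False, "openssl/libssl1.1@1.1.0j-1~deb9u1"]},
        {"packageName": "glibc/libc6", "version": "2.24-11+deb9u3",
         "severity": "medium", "isUpgradable": True, "isPatchable": False,
         "upgradePath": [False, "glibc/libc6@2.24-11+deb9u4"]},
        # Second advisory against the same package, fixed in the same release:
        # must collapse to one line in the output.
        {"packageName": "glibc/libc6", "version": "2.24-11+deb9u3",
         "severity": "low", "isUpgradable": True, "isPatchable": False,
         "upgradePath": [False, "glibc/libc6@2.24-11+deb9u4"]},
        # No upgrade and no patch available: the gate cannot demand a fix the
        # package index does not offer, so it is reported separately.
        {"packageName": "libexample/libexample1", "version": "0.9-1",
         "severity": "medium", "isUpgradable": False, "isPatchable": False,
         "upgradePath": []},
    ]
})


def fixable_upgrades(report_json, min_severity="low"):
    """Return {package: [fixed_version, ...]} for findings an upgrade clears."""
    data = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    upgrades = {}
    for vuln in data.get("vulnerabilities", []):
        if not vuln.get("isUpgradable"):
            continue
        if SEVERITY_RANK.get(vuln.get("severity", "low"), 0) < threshold:
            continue
        # The last real step of upgradePath names the target "<pkg>@<version>".
        path = [step for step in vuln.get("upgradePath", []) if step]
        if not path:
            continue
        pkg, _, fixed = path[-1].rpartition("@")
        upgrades.setdefault(pkg, set()).add(fixed)
    return {pkg: sorted(versions) for pkg, versions in upgrades.items()}


def unfixable_findings(report_json):
    """(package, version) pairs with neither upgrade nor patch available."""
    data = json.loads(report_json)
    return sorted({(v["packageName"], v["version"])
                   for v in data.get("vulnerabilities", [])
                   if not v.get("isUpgradable") and not v.get("isPatchable")})


def render(upgrades):
    """Format upgrades in the 'Final packages to update' shape used in the issue."""
    lines = ["-" * 41, "Final packages to update:"]
    for pkg, versions in sorted(upgrades.items()):
        lines.extend(f"{pkg}=={ver}" for ver in versions)
    lines.append("-" * 41)
    return "\n".join(lines)


def gate(report_json, min_severity="low"):
    """CI exit status: 1 when at least one finding is fixable by upgrading."""
    return 1 if fixable_upgrades(report_json, min_severity) else 0


if __name__ == "__main__":
    # Usage: snyk test --docker <image> --json | python gate.py
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print(render(fixable_upgrades(raw)))
    for pkg, ver in unfixable_findings(raw):
        print(f"no fix available yet: {pkg}=={ver}")
    sys.exit(gate(raw))
```

Pass `min_severity="high"` to `gate` when the job should only block on severe findings; the unfixable list is printed but never fails the build, which keeps the gate limited to what `apt-get upgrade` or `apk upgrade` in the Dockerfile can actually deliver.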

First, I'd like to move FDK base images out of dockers repo to FDK repos. Then we can gate the Dockerfiles at every commit with the tool I've made.

denismakogon avatar Apr 17 '19 17:04 denismakogon

moving dockerfiles to fdks is fine. please make sure there is a script for updating them (fnproject/dockers has a script). we need to get a docker hub bot and set up CI to do this chore, too, ideally, it's manual atm. and further, as stated, need to set up cron since the FDKs are updated infrequently but can do that after getting CI bot set up.

rdallman avatar Apr 17 '19 17:04 rdallman

First bits of work requiring reviews:

  • [ ] https://github.com/fnproject/fdk-python/pull/77
  • [ ] https://github.com/fnproject/fdk-node/pull/25

denismakogon avatar Apr 18 '19 19:04 denismakogon

can we cover all FDKs before merging any one of them? I am very much trying to protect against the situation where we update a couple of them with all this fancy build stuff but leave the others to rot, also not to have intermediate patches that we aren't sure about with repos in different states to track. it would be nice to be consistent across everything, for the build stuff as well as this.

reviewing is ok first, to figure out the shape of all this stuff.

rdallman avatar Apr 18 '19 19:04 rdallman

Right, at first I'd like to have a complete PR for one of the FDKs (I started with Python) and then just populate the work across the others.

denismakogon avatar Apr 18 '19 19:04 denismakogon

Okay, now both Python and Node FDKs use Anchore to run security checks, which is totally cool because it's free and built into CircleCI via orbs. The only thing that is still unclear is being described here: https://github.com/anchore/anchore-engine/issues/174

denismakogon avatar Apr 19 '19 16:04 denismakogon