
bacongobbler commented on May 26, 2024

relevant: http://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers

how distro security updates are supposed to make it into Cedarish and possibly downstream images such as Buildstep or even Buildstep-derived images. Think about the recent openssl issue, for instance.

If a relevant security patch comes up then it's fine to post here and we'll take a look into it.

shouldn't we set up a system so that cedarish or buildstep are rebuilt on a regular basis (the last cedarish on Docker Hub is from February 16th) or when Ubuntu base images provide security updates?

Ultimately that's a limitation of DockerHub. It doesn't allow you to rebuild if the parent image gets updated, and there's no mechanism to regularly schedule rebuilds every few days. Since I don't have build access on DockerHub, that responsibility rests on @progrium's shoulders to rebuild the image.

from cedarish.

progrium commented on May 26, 2024

Do we know the base image we're using is getting security updates?

On Mon, Mar 23, 2015 at 2:19 PM, Matthew Fisher [email protected] wrote:


Jeff Lindsay
http://progrium.com

from cedarish.

rvalyi commented on May 26, 2024

@bacongobbler right thanks for the explanations. Well basically no silver bullet...

I wonder however if for that kind of project we shouldn't try to build tools that would poll Docker Hub for updates to trigger rebuilds. I could certainly do something ugly, much below your project standard, that does it. Another option is to wait for somebody to do something like this cleanly.

But I wonder how long one will be able to run anything critical in production having to rely on somebody to listen on the Cedarish + Buildstep trackers and trigger a rebuild eventually, so that eventually you can rebuild your downstream images. I was thinking: I have no guarantee at all that Cedarish or Buildstep would quickly include a given security update. So what to do: fork these projects and be myself accountable for my own projects? Or do the security updates at the app container level, against good practice? So basically I'm just a bit concerned by the extra delay offered to attackers when this is all a manual process based on somebody looking at a bug tracker.

@progrium I didn't investigate a lot but I found this to scan if some packages have security updates
https://github.com/mafr/docker-update-check
I guess if they have, they are included in the base image, but I have no proof of it either.

from cedarish.
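The two checks rvalyi sketches above (poll whether the parent image changed, and scan the image for pending distro security updates) as an added example; this is not code from cedarish, buildstep or docker-update-check, and the apt output, digests and the `*-security` pocket convention it relies on are constructed or assumed, not taken from the thread.

```python
"""Rebuild checks for a base image such as cedarish: did the parent image change,
and does the image have pending security updates? Added example, not project code."""
import re

# `apt-get -s dist-upgrade` prints one line per package it would upgrade:
#   Inst <pkg> [<old>] (<new> <origin>[, <origin>...] [<arch>])
# The origin names the pocket the new version comes from (e.g. trusty-security).
INST_RE = re.compile(
    r"^Inst (?P<pkg>\S+) (?:\[(?P<old>[^\]]+)\] )?"
    r"\((?P<new>\S+) (?P<origin>[^\[\]]+?) \[(?P<arch>[^\]]+)\]\)"
)

def pending_security_updates(apt_sim_output):
    """Return (pkg, old, new) for every pending upgrade served from a *-security pocket."""
    found = []
    for line in apt_sim_output.splitlines():
        m = INST_RE.match(line)
        if not m:
            continue  # "Conf", "Remv" and progress lines are not pending upgrades
        origins = [o.strip() for o in m.group("origin").split(",")]
        if any(o.endswith("-security") for o in origins):
            found.append((m.group("pkg"), m.group("old"), m.group("new")))
    return found

def rebuild_reasons(parent_digest_now, parent_digest_at_last_build, security_updates):
    """Reasons to rebuild: the parent image moved, or security fixes are waiting."""
    reasons = []
    if parent_digest_now != parent_digest_at_last_build:
        reasons.append("parent image digest changed")
    if security_updates:
        reasons.append("%d pending security update(s)" % len(security_updates))
    return reasons

# Constructed sample in the shape apt-get -s prints; versions and pockets are illustrative.
SAMPLE_APT = """\
Reading package lists...
Building dependency tree...
Inst libssl1.0.0 [1.0.1f-1ubuntu2.8] (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-updates, Ubuntu:14.04/trusty-security [amd64])
Inst openssl [1.0.1f-1ubuntu2.8] (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])
Inst tzdata [2015a-0ubuntu0.14.04] (2015b-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [all])
Conf openssl (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])
"""

if __name__ == "__main__":
    # Constructed digests: the parent image has not changed, but security fixes are pending.
    sec = pending_security_updates(SAMPLE_APT)
    print(rebuild_reasons("sha256:aaaa", "sha256:aaaa", sec))
```

In a real pipeline the apt output would come from running the simulation inside the image and the digests from the registry; either non-empty reason list is the signal to trigger the downstream rebuild cascade.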

progrium commented on May 26, 2024

Yeah, this problem isn't specific to Docker, but is certainly a bigger problem the bigger the attack surface. For example, if you made a container with just a binary executable, this would not even be an issue. However, since the container would only be running one process anyway, it's already a much smaller attack surface than a VM.

Even if this project did something clever to rebuild on upstream changes, that would not update users using it. So we have several points of potential delay for updates: upstream, here, and users downstream.

Though like I said, I think in practicality the security updates are not as important as you think.

On Mon, Mar 23, 2015 at 2:32 PM, Raphaël Valyi [email protected] wrote:


from cedarish.

rvalyi commented on May 26, 2024

Hum ok, thank you @progrium for sharing your point of view. I'm closing the issue for now as indeed it's not specific to the project. I still plan to use Docker to deliver a rather complex ERP system that relies on many native libraries and probably offers a non-negligible attack surface, despite architecturally being only one single process tree, so I hope we will see this problem tackled by Docker one way or another and we will just pay attention meanwhile.

from cedarish.

vincentfretin commented on May 26, 2024

@progrium You now have "Repository Links" on Docker Hub to trigger a build if the parent image is updated. The link is on the right of a project in Settings.

from cedarish.

vincentfretin commented on May 26, 2024

So you can configure cedarish to trigger a build if ubuntu-debootstrap is updated and trigger a build for buildstep if cedarish is updated, in cascade.

from cedarish.

progrium commented on May 26, 2024

Good tip, thanks.

On Tue, Mar 24, 2015 at 2:43 AM, Vincent Fretin [email protected] wrote:


from cedarish.

rvalyi commented on May 26, 2024

@vincentfretin thanks! I knew in my subconscious I had read something about this... It's amazing how little known this trick is, though.

from cedarish.
