Comments (9)
relevant: http://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers
how distro security updates are supposed to make it into Cedarish and possibly downstream images such as Buildstep or even Buildstep-derived images. Think about the recent openssl issue for instance.
If a relevant security patch comes up then it's fine to post here and we'll take a look into it.
shouldn't we set up a system so that cedarish or buildstep are rebuilt on a regular basis (the last cedarish on Docker Hub is from February 16th) or when Ubuntu base images provide security updates?
Ultimately that's a limitation of DockerHub. It doesn't allow you to rebuild if the parent image gets updated, and there's no mechanism to regularly schedule rebuilds every few days. Since I don't have build access on DockerHub, that responsibility rests on @progrium's shoulders to rebuild the image.
from cedarish.
Do we know the base image we're using is getting security updates?
Jeff Lindsay
http://progrium.com
@bacongobbler right thanks for the explanations. Well basically no silver bullet...
I wonder however if for that kind of project we shouldn't try to build tools that would poll Docker Hub for updates to trigger rebuilds. I could certainly do something ugly, much below your project standard, that does it. Another option is to wait for somebody to do something like this cleanly.
But I wonder how long one will be able to run anything critical in production having to rely on somebody to listen on the Cedarish + Buildstep trackers and trigger a rebuild eventually so that eventually you can rebuild your downstream images. I was thinking: I have no guarantee at all that Cedarish or Buildstep would quickly include a given security update. So what to do: fork these projects and be myself accountable for my own projects? Or do the security updates at the app container level, against good practices? So basically I'm just a bit concerned by the extra delay offered to attackers when this is all a manual process based on somebody looking at a bug tracker.
@progrium I didn't investigate a lot but I found this to scan if some packages have security updates
https://github.com/mafr/docker-update-check
I guess if they have, they are included in the base image, but I have no proof of it either.
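An added example of the kind of in-container check discussed above (not code from this thread, from cedarish, or from docker-update-check): run `apt-get -s dist-upgrade` in simulation mode and report which pending upgrades come from a `-security` pocket, which is the signal that the base image is behind on security fixes. The sample output is constructed, modelled on the Ubuntu 14.04 line format; `run_apt_simulation` is an assumed way of collecting real output and is not exercised here.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# "Inst" lines printed by `apt-get -s dist-upgrade` (simulation mode, nothing is changed):
#   Inst <pkg> [<installed-version>] (<candidate-version> <origin>[, <origin>...] [<arch>])
# The [<installed-version>] part is absent when the package is being newly pulled in.
INST_RE = re.compile(
    r"^Inst\s+(?P<pkg>\S+)\s+"
    r"(?:\[(?P<installed>[^\]]+)\]\s+)?"
    r"\((?P<candidate>\S+)\s+(?P<origins>.+?)\s+\[(?P<arch>[^\]]+)\]\)\s*$"
)


@dataclass
class PendingUpdate:
    package: str
    installed: Optional[str]   # None when the package is not installed yet
    candidate: str
    origins: List[str]         # e.g. "Ubuntu:14.04/trusty-security"
    arch: str

    @property
    def is_security(self) -> bool:
        # The pocket is the part after the slash; security fixes ship from "<suite>-security".
        return any(o.split("/")[-1].endswith("-security") for o in self.origins)


def parse_pending(apt_output: str) -> List[PendingUpdate]:
    """Extract every pending upgrade/install from simulated apt-get output."""
    updates = []
    for line in apt_output.splitlines():
        m = INST_RE.match(line)
        if not m:
            continue  # skips "Conf", "Remv", progress and "Reading package lists..." lines
        updates.append(PendingUpdate(
            package=m["pkg"],
            installed=m["installed"],
            candidate=m["candidate"],
            origins=[o.strip() for o in m["origins"].split(",")],
            arch=m["arch"],
        ))
    return updates


def security_updates(apt_output: str) -> List[PendingUpdate]:
    """Only the pending updates that originate from a security pocket."""
    return [u for u in parse_pending(apt_output) if u.is_security]


def run_apt_simulation() -> str:
    """Assumed collection step inside a Debian/Ubuntu container: refresh indexes, then simulate."""
    subprocess.run(["apt-get", "-qq", "update"], check=True)
    return subprocess.run(
        ["apt-get", "-s", "dist-upgrade"], check=True, capture_output=True, text=True
    ).stdout


# Constructed sample, modelled on Ubuntu 14.04 output around the time of this thread.
SAMPLE_OUTPUT = """\
Reading package lists...
Building dependency tree...
Reading state information...
Inst libssl1.0.0 [1.0.1f-1ubuntu2.8] (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst openssl [1.0.1f-1ubuntu2.8] (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])
Inst tzdata [2014j-0ubuntu0.14.04] (2015a-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [amd64])
Inst libexample1 (1.0-1ubuntu0.1 Ubuntu:14.04/trusty-security [amd64])
Conf libssl1.0.0 (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])
Conf openssl (1.0.1f-1ubuntu2.11 Ubuntu:14.04/trusty-security [amd64])
"""

if __name__ == "__main__":
    pending = security_updates(SAMPLE_OUTPUT)
    for u in pending:
        print(f"{u.package}: {u.installed or '(new)'} -> {u.candidate}  [{', '.join(u.origins)}]")
    # Non-zero exit means "this image is missing security fixes": usable as a CI gate or cron alarm.
    raise SystemExit(1 if pending else 0)
```

Run inside the container you want to audit (`docker run --rm image python3 check.py`, after swapping `SAMPLE_OUTPUT` for `run_apt_simulation()`); the exit status is what a scheduled job or a build hook would key a rebuild on. Note that this only tells you which distro packages are behind; an image that is up to date but was never rebuilt still inherits whatever its parent contained at build time.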
Yeah, this problem isn't specific to Docker, but is certainly a bigger problem the bigger the attack surface. For example, if you made a container with just a binary executable, this would not even be an issue. However, since the container would only be running one process anyway, it's already a much smaller attack surface than a VM.
Even if this project did something clever to rebuild on upstream changes, that would not update users using it. So we have several points of potential delay for updates: upstream, here, and users downstream.
Though like I said, I think in practice the security updates are not as important as you think.
Jeff Lindsay
http://progrium.com
Hmm ok, thank you @progrium for sharing your point of view. I'm closing the issue for now as indeed it's not specific to the project. I still plan to use Docker to deliver a rather complex ERP system that relies on many native libraries and probably offers a non-negligible attack surface, even though architecturally it's only one single process tree, so I hope we will see this problem tackled by Docker in one way or another and we will just pay attention meanwhile.
@progrium You now have "Repository Links" on Docker Hub to trigger a build if the parent image is updated. The link is on the right of a project in Settings.
So you can configure cedarish to trigger a build if ubuntu-debootstrap is updated and trigger a build for buildstep if cedarish is updated, in cascade.
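The cascade described in the comment above (ubuntu-debootstrap updated, so cedarish rebuilds, so buildstep rebuilds, and so on down to your own app images), generalized to any number of downstream images, as an added example in Python. This is not code from cedarish, buildstep or Docker Hub; the image names and the digest strings are constructed for illustration. Docker Hub's repository links do one hop of this per linked repository; the function below computes the whole rebuild plan at once, which is what you need if you drive the rebuilds yourself.

```python
from typing import Dict, Iterable, List, Set


def _ancestors(image: str, parents: Dict[str, str]) -> List[str]:
    """Walk child -> parent (FROM) links up to an external base; raise on a cycle."""
    chain, seen, cur = [], {image}, image
    while cur in parents:
        cur = parents[cur]
        if cur in seen:
            raise ValueError(f"cycle in image parents at {cur!r}")
        seen.add(cur)
        chain.append(cur)
    return chain


def rebuild_order(parents: Dict[str, str], updated: Iterable[str]) -> List[str]:
    """
    parents: image -> the image it is built FROM, for every image we build ourselves.
    updated: images whose content changed (an upstream base push, or one of ours just rebuilt).
    Returns the images that must be rebuilt, ordered so each one comes after its own parent.
    """
    updated = set(updated)
    affected = []
    for image in parents:
        chain = _ancestors(image, parents)          # also validates that there is no cycle
        if image not in updated and any(a in updated for a in chain):
            affected.append((len(chain), image))    # depth = distance from the external root
    # A child is always one level deeper than its parent, so depth order is a valid build order.
    return [image for _, image in sorted(affected)]


def stale_bases(recorded: Dict[str, str], current: Dict[str, str]) -> Set[str]:
    """
    Bases whose registry digest differs from the digest recorded when we last built.
    Record the digest at build time (e.g. in an image label) and fetch the current one
    from the registry; the difference is the `updated` input for rebuild_order.
    """
    return {name for name, digest in recorded.items() if current.get(name) != digest}


# Constructed example chain: two of our apps on buildstep, one unrelated app on alpine.
PARENTS = {
    "cedarish": "ubuntu-debootstrap",
    "buildstep": "cedarish",
    "myapp": "buildstep",
    "other-app": "buildstep",
    "alpine-app": "alpine",
}

# Constructed digests: the recorded ubuntu-debootstrap digest no longer matches the registry.
RECORDED = {"ubuntu-debootstrap": "sha256:aaaa", "alpine": "sha256:bbbb"}
CURRENT = {"ubuntu-debootstrap": "sha256:cccc", "alpine": "sha256:bbbb"}

if __name__ == "__main__":
    changed = stale_bases(RECORDED, CURRENT)
    print("changed bases:", sorted(changed))
    print("rebuild in this order:", rebuild_order(PARENTS, changed))
```

Each image in the returned list must be pushed before the next one is built, otherwise the child picks up the old parent layer and the cascade is wasted. If the registry does not let you read digests, a timestamp comparison (base image push time vs. your image's build time) is the fallback the thread is working around.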
Good tip, thanks.
Jeff Lindsay
http://progrium.com
@vincentfretin thanks! I knew in my subconscious I had read something about this... It's amazing how little known this trick is, though.
Related Issues (12)
- Image in the registry is affected by heartbleed
- Tag the image on Docker index
- add ONBUILD support for pulling in the cedar stack scripts
- cedar.sh complains that java command is not found
- patch bash to fix shellshock bug
- Multi platform support?
- Release v3
- Tag cedar14 versions on Dockerhub
- Rebuild Docker Hub image when Base Image changes
- create a x86_32bit image
- Replace ubuntu-debootstrap with docker-alpine?