8:01 a.m.
Hi all
Not sure this is the best place to ask or not, scenario is as follows: -
building container with podman locally to check it does build - trying it in quay.io and
I'm bumping up against a vulnerability I can't seem to correct which I'm
thinking is something I'm doing.
I'm uploading a Dockerfile (for want of a better file name) to start the build, but it
always finds a vulnerability in kernel-headers for ubi7 which I can't seem to get to
update from the build despite yum -y update - it's the gcc package that it loads up.
Dockerfile looks like this: -
FROM registry.access.redhat.com/ubi7/ubi
RUN yum -y update && yum -y install
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && yum -y
update && yum -y install python2 && yum -y install make && yum -y
install gcc && yum -y install redhat-rpm-config && yum -y install
zlib-devel && yum -y install bzip2 && yum -y install xz-devel &&
yum -y install python2-devel && yum -y install git && yum -y install
python2-pip && yum -y install wget && yum -y install sudo && yum
-y install bash && yum clean all
CMD ["/bin/bash"]
USER 0
RUN curl -o miniconda.sh
https://repo.continuum.io/miniconda/Miniconda2-latest-Linux-x86_64.sh
RUN bash miniconda.sh -b -p /opt/miniconda
RUN ln -s /opt/miniconda/bin/python /usr/local/bin/python
RUN ln -s /opt/miniconda/bin/pip /usr/local/bin/pip
RUN ln -s /opt/miniconda/bin/conda /usr/local/bin/conda
RUN conda config --add channels defaults
RUN conda config --add channels bioconda
RUN conda config --add channels conda-forge
RUN conda init bash
RUN echo y | conda create -n clairvoyante-conda-env -c bioconda clairvoyante
The quay.io creation is here: -
https://quay.io/repository/bryanhepworth/clairvoyante?tab=tags
Any help most gratefully received.
Bryan
8:55 a.m.
Bryan,
What version of kernel-headers are you seeing in the image. I think
this might be some kind of mistake with the scanning. I have a vague
recollection that some scanners mess up kernel headers. The kernel headers
is just code, so it can't really have vulnerabilities. If I understand the
problem correctly:
1. You don't really have a security vulnerability problem
2.The scanner might be giving you a false positive
3. And/Or, the kernel-headers really might not be getting updated
Best Regards
Scott M
On Sun, Oct 6, 2019 at 9:01 AM <bryan.hepworth(a)gmail.com> wrote:
Hi all
Not sure this is the best place to ask or not, scenario is as follows: -
building container with podman locally to check it does build - trying it
in quay.io and I'm bumping up against a vulnerability I can't seem to
correct which I'm thinking is something I'm doing.
I'm uploading a Dockerfile (for want of a better file name) to start the
build, but it always finds a vulnerability in kernel-headers for ubi7 which
I can't seem to get to update from the build despite yum -y update - it's
the gcc package that it loads up.
Dockerfile looks like this: -
FROM registry.access.redhat.com/ubi7/ubi
RUN yum -y update && yum -y install
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm &&
yum -y update && yum -y install python2 && yum -y install make &&
yum -y
install gcc && yum -y install redhat-rpm-config && yum -y install
zlib-devel && yum -y install bzip2 && yum -y install xz-devel &&
yum -y
install python2-devel && yum -y install git && yum -y install
python2-pip
&& yum -y install wget && yum -y install sudo && yum -y install
bash && yum
clean all
CMD ["/bin/bash"]
USER 0
RUN curl -o miniconda.sh
https://repo.continuum.io/miniconda/Miniconda2-latest-Linux-x86_64.sh
RUN bash miniconda.sh -b -p /opt/miniconda
RUN ln -s /opt/miniconda/bin/python /usr/local/bin/python
RUN ln -s /opt/miniconda/bin/pip /usr/local/bin/pip
RUN ln -s /opt/miniconda/bin/conda /usr/local/bin/conda
RUN conda config --add channels defaults
RUN conda config --add channels bioconda
RUN conda config --add channels conda-forge
RUN conda init bash
RUN echo y | conda create -n clairvoyante-conda-env -c bioconda
clairvoyante
The quay.io creation is here: -
https://quay.io/repository/bryanhepworth/clairvoyante?tab=tags
Any help most gratefully received.
Bryan
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
--
--
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty(a)redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
Have questions on Red Hat UBI? Check out the official FAQ:
https://red.ht/2yaUcez
9:52 a.m.
On Sun, Oct 6, 2019, 10:08 AM Scott McCarty <smccarty(a)redhat.com> wrote:
Bryan,
What version of kernel-headers are you seeing in the image. I think
this might be some kind of mistake with the scanning. I have a vague
recollection that some scanners mess up kernel headers. The kernel headers
is just code, so it can't really have vulnerabilities. If I understand the
problem correctly:
1. You don't really have a security vulnerability problem
2.The scanner might be giving you a false positive
3. And/Or, the kernel-headers really might not be getting updated
It is also possible the scanner is picking up a low severity CVE that is
actually unfixed still, but as Scott says it's still a false positive.
josh
On Sun, Oct 6, 2019 at 9:01 AM <bryan.hepworth(a)gmail.com> wrote:
> Hi all
>
> Not sure this is the best place to ask or not, scenario is as follows: -
>
> building container with podman locally to check it does build - trying it
> in quay.io and I'm bumping up against a vulnerability I can't seem to
> correct which I'm thinking is something I'm doing.
>
> I'm uploading a Dockerfile (for want of a better file name) to start the
> build, but it always finds a vulnerability in kernel-headers for ubi7 which
> I can't seem to get to update from the build despite yum -y update - it's
> the gcc package that it loads up.
>
> Dockerfile looks like this: -
>
> FROM registry.access.redhat.com/ubi7/ubi
> RUN yum -y update && yum -y install
> https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
> && yum -y update && yum -y install python2 && yum -y install
make && yum -y
> install gcc && yum -y install redhat-rpm-config && yum -y install
> zlib-devel && yum -y install bzip2 && yum -y install xz-devel
&& yum -y
> install python2-devel && yum -y install git && yum -y install
python2-pip
> && yum -y install wget && yum -y install sudo && yum -y
install bash && yum
> clean all
> CMD ["/bin/bash"]
> USER 0
> RUN curl -o miniconda.sh
> https://repo.continuum.io/miniconda/Miniconda2-latest-Linux-x86_64.sh
> RUN bash miniconda.sh -b -p /opt/miniconda
> RUN ln -s /opt/miniconda/bin/python /usr/local/bin/python
> RUN ln -s /opt/miniconda/bin/pip /usr/local/bin/pip
> RUN ln -s /opt/miniconda/bin/conda /usr/local/bin/conda
> RUN conda config --add channels defaults
> RUN conda config --add channels bioconda
> RUN conda config --add channels conda-forge
> RUN conda init bash
> RUN echo y | conda create -n clairvoyante-conda-env -c bioconda
> clairvoyante
>
> The quay.io creation is here: -
>
> https://quay.io/repository/bryanhepworth/clairvoyante?tab=tags
>
> Any help most gratefully received.
>
> Bryan
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
--
--
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty(a)redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
Have questions on Red Hat UBI? Check out the official FAQ: https://red.ht/2yaUcez
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
11:54 a.m.
Hi Scott
Thanks for taking the trouble to reply..
The kernel-headers come from the stock repo that ubi7 goes looking for.
(base) [root@c0a87ab25ea0 /]# yum provides kernel-headers
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
kernel-headers-3.10.0-1062.1.2.el7.x86_64 : Header files for the Linux kernel
: for use by glibc
Repo : ubi-7
This is running it locally after a build and querying the container once it's up and
running in a bash shell.
I'm hoping to build a number of containers for the Bioinformatics guys here, so this
is a learning curve for me too!
Thanks once again.
1798
days inactive
1798
days old
3 comments
3 participants
participants (3)
-
bryan.hepworth@gmail.com -
Josh Boyer -
Scott McCarty