The docker way of updating containers is to build a new image with the updated binaries and files, which creates a security concern.

The docker way is not anymore running "zypper update" in the containment but to update the whole image in the image registry (hub docker if we are talking about public registry) and then pull the image update from there, stop the outdated containments and replace them by starting new containments based on the new image.

This process breaks our current security update workflow since our workflow is based on running "zypper update" at the host, or in this case, in the containment.

Thus, what we need is a way to update the images in the registry when there are new RPM updates.

When we talk about updating RPMs, we have to make a distinction of 2 cases:

  • The RPM is in the base image
  • The RPM is in a layer above the image

The idea of the project is to make use of the "Remote Build Trigger" feature in the public registry "Docker Hub" [1] to trigger automatic builds of containers which need to be rebuilt.

[1] https://docs.docker.com/docker-hub/builds/

Looking for mad skills in:

docker security

This project is part of:

Hack Week 12

Activity

  • over 4 years ago: kpimenov liked updating rpms in docker containers
  • over 4 years ago: jordimassaguerpla added keyword "security" to updating rpms in docker containers
  • over 4 years ago: jordimassaguerpla added keyword "docker" to updating rpms in docker containers
  • over 4 years ago: jordimassaguerpla started updating rpms in docker containers
  • over 4 years ago: jordimassaguerpla originated updating rpms in docker containers
  • Show History

    Comments

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      The design on how to solve this is:

      1- add a layer in the docker image which updates the packages, thus "zypper up" command in the Dockerfile.

      2- get a list of RPMs installed on the docker image

      3- get metadata from the update repo

      4- based on the information from 2 and 3, decide to trigger a rebuild

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      I'll start by doing 1 and 2 manually, that is, editing the Dockerfile on a docker example and running "rpm -qa" on that docker example. Thus I'll focus on 3 and 4.

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      after talking to Flavio, I'll redesign it as:

      1- add a layer in docker image which applies patches: "zypper ref && zypper patch" 2- run "docker run --rm IMAGE zypper list-patches" 3- if 2 returns a list of patches, trigger a rebuild

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      1- add a layer in docker image which applies patches: "zypper ref && zypper patch"

      2- run "docker run --rm IMAGE zypper list-patches"

      3- if 2 returns a list of patches, trigger a rebuild

    • lnussel
      over 4 years ago by lnussel | Reply

      can't you build the docker image using kiwi in obs? obs will automatically trigger a rebuild if depending packages changed.

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      Yes I could do that but that wouldn't update existing images in docker hub.

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      https://github.com/jordimassaguerpla/dc-update

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      dc-update is a shell script that pulls the image from a registry (i.e. docker hub), checks if there are pending updates, and if so, adds a layer with the updated packages (by running "zypper patch" and commiting afterwards), and finally pushes the image back to the registry (i.e. docker hub).

      It also works with fedora.

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      Let's work on a web interface now :-) !

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      Web interface:

      https://github.com/jordimassaguerpla/dc-update-web

      It has no yet multiuser support and it requires the dockercfg file to be in the home directory of the user running the web. Adding multiuser support will be the next step.

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      It requires the dcupdate to be in the path. I am going to create an RPM with the dcupdate.

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      It has support for multiple users. Authentication is with github. RPM for dc-update:

      http://download.opensuse.org/repositories/home:/jordimassaguerpla:/dc-update

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      and here there is a screenshot

      https://github.com/jordimassaguerpla/dc-update-web/blob/master/screenshots/hackweek12.png

    • jordimassaguerpla
      over 4 years ago by jordimassaguerpla | Reply

      I had presented the project in the docker meetup group in Barcelona last wednesday. People found it interesting and pointed out a problem if the image had been built with a DockerFile and, after updating it with the dc-update script, you try to rebuild it again based on the DockerFile.

      This script can be used for updating base images which won't get new code and so no rebuilds or it could be changed to trigger a rebuild based on the DockerFile instead of adding a layer with "zypper/yum update".

      In anyway, I've get to practice with docker and rails and have learn a lot, thus it has been worth doing this project :-) .

    Similar Projects

    Make "salt-toaster" available to be used outside SUSE by PSuarezHernandez

    The salt-toaster (https://github.com/openSUSE...


    Convert the Docker Compose setup of OBS to Kubernetes Resources by dmarcoux

    Throughout this project, I will learn about Kub...


    libpathrs by cyphar

    The plan is to implement a safe path resolution...