Comments (10)
I'm not aware of any such CVEs and I hope they are not in any distribution. But it is a potential risk. This task is not about describing such risks - I have mentioned that as an example.
I find it beneficial to use Red Hat UBI - security was one of the reasons. It is publicly available, so I don't see any reason not to use it.
from cloudwash.
We can switch to UBI images. There is no issue with that. The only thing that I think would make us switch back to Fedora would be the need for running cloudwash on a new Python version that will not be present in RHEL at the moment.
@apodhrad Feel free to make the switch. I do not have a strong opinion.
@frenzymadness Thanks for chiming in!
We have moved from the UBI images, see #85. The change was done at a time when there was no UBI Python 3.11 image.
What is the benefit of using the UBI image?
Hi @ogajduse, the biggest benefit of using Red Hat UBI is security.
@apodhrad Can you please elaborate more? Security is a wide term. What are the specific security concerns here?
I'm not a security expert, but these 2 things come to mind:
- The Fedora image might contain a CVE which could allow escaping the container
- The Python distribution might also contain a CVE which could cause damage (in the case of cloudwash, it could reveal AWS creds or delete AWS resources we want to keep, etc.)
These risks are the reason why we should use the most secure options (like Red Hat UBI) in all tools we use. We should always keep security in mind - no matter if it is a product or infrastructure.
@apodhrad could you please point me to an article or something describing the CVEs you've mentioned? If there are such critical issues in Fedora container images, I think we should dedicate some time and effort to fixing them.
Also, Fedora usually gets CVE fixes sooner than RHEL/CentOS Stream, so when it comes to CVEs in RPMs, Fedora might be even better. The disadvantage is a shorter lifecycle and updates to the newest versions of components with some potential for breaking changes. We produce Fedora Python images to test new Pythons that we then usually make available in RHEL/UBI, where they get longer support. For example, Fedora 38 is the last one with Python 3.11 as the main Python, which means that it will be EOL one month after the release of Fedora 40.
@apodhrad @ogajduse @frenzymadness Nice discussions!
BTW, we did see some vulnerabilities in the past with cloudwash container images, but I'm not sure it's related to the Fedora image.
Today we have pushed a new release and container image to Quay, and it shows everything green, meaning no vulnerabilities in the image.
So for now everything seems to be good with the Fedora image, and I agree with the point that Fedora always provides the latest image faster when available.
@apodhrad I will still keep the issue open, and if we see any issues in the future we can rethink your proposal, or else close it!
I just want to clear up the uncertainty here. These vulnerabilities that @jyejare is talking about were coming from wrapanapi which had its requirements fixed to unpatched versions of dependencies or its dependencies did not release a fix for these CVEs last time we checked the security scan on Quay.
If we want to keep this issue open, I would like to hear what the specific security concerns about the Fedora image are and what could be the driving factor for the switch to the UBI image.
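The scenario @ogajduse describes above (a dependency pinned to versions that predate a CVE fix) is something a small check in CI can catch before the image scan does. The following is an added example, not code from cloudwash or wrapanapi; the advisory table, package names and requirements file are constructed placeholders, and a real check would take its fixed-version data from a vulnerability database (pip-audit, OSV) rather than a hard-coded dict.

```python
"""Flag exact '==' pins in a requirements file that sit below a known fix."""
import re
from typing import Dict, List, Tuple

# Constructed advisory data: package -> (first fixed version, advisory label).
# Placeholders for illustration only; these are not real packages or CVEs.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "examplelib": ("2.4.1", "PLACEHOLDER-ADVISORY-1"),
    "otherdep": ("1.0.5", "PLACEHOLDER-ADVISORY-2"),
}

# Matches "name==1.2.3" with optional trailing comment; range pins are ignored.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) for tuple comparison; non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_pins(requirements: str) -> Dict[str, str]:
    """Return {normalized_name: version} for every exact '==' pin in the file."""
    pins = {}
    for line in requirements.splitlines():
        m = _PIN.match(line)
        if m:
            # PEP 503-style normalization so 'Foo_Bar' and 'foo-bar' compare equal.
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def find_unpatched(requirements: str) -> List[Tuple[str, str, str, str]]:
    """List (name, pinned, fixed_in, advisory) for every pin below the fixed version."""
    findings = []
    for name, pinned in parse_pins(requirements).items():
        if name in ADVISORIES:
            fixed, advisory = ADVISORIES[name]
            if parse_version(pinned) < parse_version(fixed):
                findings.append((name, pinned, fixed, advisory))
    return findings


# Constructed requirements file mimicking a lock file that pins an old version.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0   # pinned below the fix -> flagged
otherdep==1.0.5     # pinned at the fix -> clean
boto3>=1.26         # range pin, not exact -> skipped by this check
"""

if __name__ == "__main__":
    for name, pinned, fixed, adv in find_unpatched(SAMPLE_REQUIREMENTS):
        print(f"{name}=={pinned} is below {fixed} ({adv})")
```

Range pins such as `>=` are deliberately skipped here; resolving what they actually install requires the lock file or the built image, which is what the Quay scan covers.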