OCP: UBI Based images for SGX plugin and operator #852

Closed
4 of 6 tasks
Tracked by #777
chaitanya1731 opened this issue Jan 13, 2022 · 4 comments · Fixed by #897

chaitanya1731 commented Jan 13, 2022

According to link we need to release the UBI based SGX plugin and operator container images on the OCP platform.

  • 1. Find proper UBI base image similar to Google's - gcr.io/distroless/static and know about potential security risks
  • 2. How to maintain the related dockerfiles for UBI based images along with other dockerfiles and where to release these UBI based images?
    Notes - PMEM-CSI project is using the RedHat registry to upload their images
    We can also use the same way to release our images
  • 3. Check and understand proper Licenses for UBI
    Notes - UBI is released under the terms of the UBI End User License Agreement (EULA)
    Refer https://developers.redhat.com/articles/ubi-faq#introduction?source=sso
  • 4. Work out the UBI dockerfiles and images and test them
  • 5. Save/release images on RedHat registry
  • 6. Start Certification process

mythi commented Jan 14, 2022

  1. Find proper UBI base image similar to Google's - gcr.io/distroless/static and know about potential security risks

The smallest possible, because we don't depend on the base image. The builder image needs to provide Go and toybox build capabilities for the initcontainer(s).

  1. How to maintain the related dockerfiles for UBI based images along with other dockerfiles and where to release these UBI based images?

I guess we want the "build service" to deal with the publishing and we just provide the Dockerfile(s). Have you tried whether the existing Dockerfiles are suitable for that build service?

@chaitanya1731

As per RedHat -

  • The ubi-micro is the smallest possible UBI image, obtained by excluding a package manager and all of its dependencies
  • This minimizes the attack surface of container images based on the ubi-micro image and is suitable for minimal applications
  • Constructing a container image without the Linux distro’s packaging tools is sometimes referred to as distroless. By this criterion, UBI can be called a distroless container image.
  • Size is 12Mb compressed, 38Mb uncompressed. This is the smallest possible image. So need to use the 'ubi-micro' image

@chaitanya1731

I guess we want the "build service" to deal with the publishing and we just provide the Dockerfile(s). Have you tried whether the existing Dockerfiles are suitable for that build service?

Tried UBI-micro as base images and keeping builder images as they are. This surely works, as I tried testing on the RedHat portal for certification. Passes all the test cases. We can just replace the final base image gcr.io/distroless with RedHat ubi-micro and add the required labels and it is good to go.
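
One way to check the swap described in the comment above before submitting an image for certification, as an added example that is not part of this thread or the project's code. It inspects only the last build stage of a Dockerfile, since that is the image that ships. The label set, image tags, file paths and function names are assumptions; the thread only says "the required labels".

```python
import re

# Assumption: the thread only says "the required labels"; this set is a
# placeholder to be replaced with the certification's actual list.
REQUIRED_LABELS = {"name", "vendor", "version", "release", "summary", "description"}

# Constructed sample Dockerfiles (paths, tags and label values are made up).
BEFORE = r"""
FROM golang:1.17 AS builder
COPY . /src
RUN cd /src && go build -o /out/plugin ./cmd/plugin
FROM gcr.io/distroless/static
COPY --from=builder /out/plugin /usr/local/bin/plugin
ENTRYPOINT ["/usr/local/bin/plugin"]
"""
AFTER = BEFORE.replace(
    "FROM gcr.io/distroless/static",
    r"""FROM registry.access.redhat.com/ubi8/ubi-micro
LABEL name="example-plugin" vendor="Example" version="0.0.0" release="1" \
      summary="constructed sample" description="key=value text is ignored"
""".rstrip())

def logical_lines(text):
    """Drop comment lines, then join backslash-continued lines."""
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\[ \t]*\n", " ", "\n".join(kept))
    return [l.strip() for l in joined.splitlines() if l.strip()]

def check_final_stage(dockerfile, required=REQUIRED_LABELS):
    """Return findings for the last build stage (the image that ships)."""
    base, labels = None, set()
    for line in logical_lines(dockerfile):
        m = re.match(r"FROM\s+(?:--platform=\S+\s+)?(\S+)", line, re.I)
        if m:  # new stage: earlier stages' base and labels do not ship
            base, labels = m.group(1), set()
        elif re.match(r"LABEL\s", line, re.I):
            unquoted = re.sub(r'"[^"]*"|\'[^\']*\'', '""', line)
            labels |= set(re.findall(r"([\w.\-]+)\s*=", unquoted))
    findings = []
    if base is None:
        findings.append("no FROM instruction found")
    elif "ubi-micro" not in base:
        findings.append(f"final base image {base} is not ubi-micro")
    missing = sorted(set(required) - labels)
    if missing:
        findings.append("missing labels: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_final_stage(text) or "ok")
```

Labels set only in the builder stage are reported as missing, because they do not carry over to the final image.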

@chaitanya1731

As per the discussion, we keep the same licenses for upstream and downstream. Hence using what the upstream team already uses: Apache 2.0.
