build: Replace CentOS 7 base images with Rocky Linux #3773
Hello gdemonet,
My role is to assist you with the merge of this
Status report is not available.
Waiting for approval
The following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
Overall LGTM, we will see if it passes the CI.
Wondering if there is a reason to pick Rocky Linux instead of UBI, for example? (Just asking, I have no strong opinion on this choice.)
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el$CENTOS_VERSION-x86_64 | ||
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 |
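Review bot: the hard-coded `kubernetes-el7` in the new `baseurl` line carries no explanation of why an el7 repository is configured on an EL8-based image. Add a one-line comment next to it stating that this repository is the one used for all Red Hat-based majors, so the value is not "corrected" to el8 by a later change.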
Oh, sad, el8 packages are also available on kubernetes-el7...
makes sense 🙃
Yeah... 🤷
&& pip3 install pip==20.1 \ | ||
&& pip3 install "etcd3 != 0.11.0" \ | ||
&& yum install -y git \ | ||
&& dnf install -y git \ | ||
&& pip3 install "git+https://github.com/kubernetes-client/python.git@cef5e9bd10a6d5ca4d9c83da46ccfe2114cdaaf8#egg=kubernetes" \ |
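Review bot: `pip3 install "etcd3 != 0.11.0"` only excludes one release and leaves the version floating, so two builds of the same Dockerfile can ship different etcd3 code. Pin it with `==`, as the neighbouring lines already do for pip (`pip==20.1`) and for the kubernetes client (full commit hash), so the image contents are reproducible and reviewable.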
(not necessarily part of this PR, but I think we can now move to a "real" version of python-kubernetes since we do not really rely on it)
Will open a ticket then!
For |
Conflict
There is a conflict between your branch
Please resolve the conflict on the feature branch (
git fetch && \
git checkout origin/improvement/bump-centos-base-images && \
git merge origin/development/123.0
Resolve merge conflicts and commit
git push origin HEAD:improvement/bump-centos-base-images
images/salt-master/Dockerfile
Outdated
&& pip3 install pip==20.1 \ | ||
&& pip3 install "etcd3 != 0.11.0" \ |
nitpick: It's not consistent 😢
&& pip3 install pip==20.1 \ | |
&& pip3 install "etcd3 != 0.11.0" \ | |
&& pip3 install "pip == 20.1" \ | |
&& pip3 install "etcd3 != 0.11.0" \ |
The `images/metalk8s-utils/configure-repos.sh` script was taking a "CENTOS_VERSION" argument, but it appears the repository used for all Red Hat-based distros is always the same, whether it's a 7 or 8 major. So we remove this argument entirely, until this statement changes.
This will reduce the chances of being affected by CVEs on CentOS 7 not being resolved in upstream repos, and ensure a more consistent experience with the more common Red Hat 8 distributions which will be used under MetalK8s. Note that we also remove the `jnettop` tool (which is old, and not available in EPEL 8), and install `iftop` instead.
This will avoid CVEs affecting CentOS 7 packages which may not be fixed upstream.
We are not using CentOS 7 anymore (replaced by Rocky Linux), so let's not keep this variable around.
To get rid of https://nvd.nist.gov/vuln/detail/CVE-2018-25032 in salt-master and metalk8s-utils, and avoid future similar issues, we keep the images updated by issuing a `dnf update` at build-time.
/approve
Waiting for approval
The following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
The following options are set: approve
In the queue
The changeset has received all authorizations and has been added to the
The changeset will be merged in:
The following branches will NOT be impacted:
There is no action required on your side. You will be notified here once
IMPORTANT
Please do not attempt to modify this pull request.
If you need this pull request to be removed from the queue, please contact a
The following options are set: approve
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue None.
Goodbye gdemonet.
Component: build
Context: There are some CVEs (notably CVE-2018-25032) for which a fix is only available in Red Hat 8 repositories, so we want to take a safer bet by running on a more recent base OS
Summary: The base image for `metalk8s-utils` and `salt-master` is changed from `centos:7` to `rockylinux:8.5`.
Acceptance criteria: Everything keeps working as before.
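An added example, not part of this pull request or of MetalK8s: a small shell check for the three build-hygiene points discussed in this thread (a CentOS 7 base image, no `dnf update` at build time, pip requirements that are not pinned). The function names `audit_dockerfile` and `sample_before` are hypothetical, and the sample Dockerfile is constructed from the fragments quoted in the review.

```shell
#!/bin/sh
# Added example: lint a Dockerfile for the build-hygiene points raised in this PR.
# Prints one finding per line; prints nothing for a clean file.
audit_dockerfile() {
    file=$1
    # 1. Base image still on CentOS 7.
    if grep -Eiq '^[[:space:]]*FROM[[:space:]]+([^[:space:]]*/)?centos:7' "$file"; then
        echo "eol-base: built FROM centos:7"
    fi
    # 2. No package update step, so fixes published after the base image
    #    was cut never reach the final image.
    if ! grep -Eq '(dnf|yum)[[:space:]]+(-y[[:space:]]+)?(update|upgrade)' "$file"; then
        echo "no-update: no 'dnf update' at build time"
    fi
    # 3. pip requirement neither pinned with == nor tied to a full commit hash.
    grep -E 'pip3?[[:space:]]+install' "$file" | while IFS= read -r line; do
        case $line in *==*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq '@[0-9a-f]{40}'; then
            spec=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]&]*//; s/[[:space:]\\]*$//')
            echo "floating-pip: $spec"
        fi
    done
    return 0
}

# Constructed sample, modelled on the fragments quoted in the review.
sample_before() {
    cat <<'EOF'
FROM centos:7
RUN yum install -y git \
    && pip3 install pip==20.1 \
    && pip3 install "etcd3 != 0.11.0" \
    && pip3 install "git+https://github.com/kubernetes-client/python.git@cef5e9bd10a6d5ca4d9c83da46ccfe2114cdaaf8#egg=kubernetes"
EOF
}

tmp=$(mktemp)
sample_before > "$tmp"
audit_dockerfile "$tmp"
rm -f "$tmp"
```

Run against the constructed "before" file, it reports all three findings; a Dockerfile built `FROM rockylinux:8.5` with a `dnf update -y` step and `==`-pinned pip requirements produces no output.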