abhioncbr opened a new pull request, #14042:
URL: https://github.com/apache/pinot/pull/14042

   As per https://github.com/apache/pinot/issues/13461, this PR tries to fix the vulnerabilities of the Amazon Corretto JDK image. Here are some details:
   - There are 0 vulnerabilities in the Amazon Corretto [11-al2023-jdk](https://github.com/corretto/corretto-docker/blob/cdcc44b8859544a47ce8c64ed0b3cc051a8c58c8/11/jdk/al2023/Dockerfile) image; however, while installing git and several other packages we get around 50 high vulnerabilities. The base image is Amazon Linux-based, and all the packages are installed from the Amazon repo list. Using the Fedora EPEL repo is cumbersome; hence, in this PR, we are switching to an Alpine Linux-based image.
   - Using the Alpine-based image reduced the size of the image; it is now close to 400MB only.
   - With this change, there is now only 1 Medium vulnerability, because of the curl package.
   
   ```bash
   docker scout quickview
   Abhi-Sharma's-MacBook-Pro :: ~/work/pinot ‹13461-fix-amazoncorretto-vuln*› » docker scout quickview
                       (sbx/consumer)
       i New version 1.13.0 available (installed version is 1.11.0) at https://github.com/docker/scout-cli
       ✓ Image stored for indexing
       ✓ Indexed 70 packages

       i Base image was auto-detected. To get more accurate results, build images with max-mode provenance attestations.
         Review docs.docker.com ↗ for more information.

     Target             │  local://apachepinot/pinot-base-runtime:11-amazoncorretto  │    0C     0H     1M     0L
       digest           │  d52984cecc31                                              │
     Base image         │  amazoncorretto:11-alpine                                  │    0C     0H     0M     0L
     Updated base image │  amazoncorretto:22-alpine                                  │    0C     0H     0M     0L
                        │                                                            │
   ```
   
   Also, I would like to highlight the [PR comment](https://github.com/apache/pinot/pull/10422/files#r1136640737) by @gortiz. I think we should follow the route suggested in the comment and also recommend two sets of Pinot images, one with a [distroless image](https://github.com/GoogleContainerTools/distroless) and the other set with various packages installed.
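The PR description relies on reading the `docker scout quickview` summary by eye (0C/0H/1M/0L for the target versus the base image). As an added example, not code from the PR or from the Pinot project, the script below parses that summary table, attributes findings to the layers added on top of the base image, and applies a severity budget the way a CI gate would. The function names `parse_quickview`, `added_by_layers` and `gate` are hypothetical; the sample text is constructed from the table shape quoted in the PR and assumes that layout (label │ image │ counts) is what the tool emits, which may change between scout-cli versions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the `docker scout quickview` table quoted
# in the PR (image names and digest copied from there; not a live scan).
SAMPLE_QUICKVIEW = """\
    Target             │  local://apachepinot/pinot-base-runtime:11-amazoncorretto  │    0C     0H     1M     0L
      digest           │  d52984cecc31                                              │
    Base image         │  amazoncorretto:11-alpine                                  │    0C     0H     0M     0L
    Updated base image │  amazoncorretto:22-alpine                                  │    0C     0H     0M     0L
                       │                                                            │
"""

SEVERITIES = ("critical", "high", "medium", "low")
# scout prints the counts as e.g. "0C 0H 1M 0L"
COUNTS_RE = re.compile(r"(\d+)C\s+(\d+)H\s+(\d+)M\s+(\d+)L")
COLUMN_SEP = "│"  # U+2502, the box-drawing bar scout uses between columns


@dataclass(frozen=True)
class ScoutRow:
    label: str           # "Target", "Base image", "Updated base image"
    image: str           # image reference in the second column
    counts: dict         # severity name -> number of findings


def parse_quickview(text: str) -> dict:
    """Parse the quickview table into {label: ScoutRow}.

    Rows without a counts column (the digest sub-row, blank spacer rows)
    are skipped rather than guessed at.
    """
    rows = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(COLUMN_SEP)]
        if len(parts) < 3 or not parts[0]:
            continue
        match = COUNTS_RE.search(parts[2])
        if not match:
            continue
        counts = dict(zip(SEVERITIES, map(int, match.groups())))
        rows[parts[0]] = ScoutRow(label=parts[0], image=parts[1], counts=counts)
    return rows


def added_by_layers(rows: dict) -> dict:
    """Findings present in the target but not in its base image.

    This isolates what the image's own layers (git, curl, ...) introduced,
    which is the number the PR is actually trying to drive down.
    """
    target, base = rows["Target"].counts, rows["Base image"].counts
    return {sev: max(target[sev] - base[sev], 0) for sev in SEVERITIES}


def gate(rows: dict, max_allowed: dict) -> list:
    """Return human-readable budget violations for the Target row.

    An empty list means the image passes. Severities absent from
    `max_allowed` are unbounded, so a policy of {"critical": 0, "high": 0}
    tolerates the single medium curl finding the PR reports.
    """
    target = rows["Target"].counts
    violations = []
    for sev, limit in max_allowed.items():
        found = target.get(sev, 0)
        if found > limit:
            violations.append(f"{found} {sev} > allowed {limit}")
    return violations


if __name__ == "__main__":
    parsed = parse_quickview(SAMPLE_QUICKVIEW)
    print("target:", parsed["Target"].image, parsed["Target"].counts)
    print("introduced by own layers:", added_by_layers(parsed))
    print("violations (no critical/high):", gate(parsed, {"critical": 0, "high": 0}))
```

In a pipeline the sample string would be replaced by the captured stdout of `docker scout quickview <image>`; a non-empty result from `gate` is what should fail the build, while `added_by_layers` is the figure worth tracking over time because base-image findings can only be fixed by bumping the base tag.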


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

