project-copacetic / copacetic

🧵 CLI tool for directly patching container images using reports from vulnerability scanners

Home Page:https://project-copacetic.github.io/copacetic/

[REQ] Support RPM-based images with valid rpm status but missing tools

ashnamehrotra opened this issue · comments

What kind of request is this?

None

What is your request or suggestion?

// TODO: Support RPM-based images with valid rpm status but missing tools. (e.g. calico images > v3.21.0)

Turning copacetic TODO comments into issues from https://docs.google.com/spreadsheets/d/1XwNj1J6e2FrUhlqaIsV10l8_tgov7WodlkvpNZXYZMU/edit#gid=1386834576.

Are you willing to submit PRs to contribute to this feature request?

  • Yes, I am willing to implement it.
commented

I've done some of the initial work required for this feature, which is available in my fork of the repo here.

There are two approaches we can take to this feature, both of which are documented below.

Approach 1 - Reusing The Approach Used For Distroless

This is the approach currently taken in my fork of the repo linked above. While it generally works, there are 2 roadblocks that prevent this from working flawlessly.

  • Missing packages in the CBL mariner package manager repos
  • If all packages do exist in the CBL mariner package manager repos, we will always get the following error after all packages have been downloaded: Error: lstat /var/lib/docker/tmp/buildkit-mount2278373692/var/lib/rpmmanifest: no such file or directory

To fix the first issue, we could add 3rd party yum repos into the CBL mariner tooling image. Deciding on which one should be used and how to handle packages which exist in more than one repo could be a challenge.

The second issue will require further investigation for me to determine why that directory is missing.

Reproducing Above Issues

Clone my git branch (https://github.com/MiahaCybersec/copacetic/tree/valid-rpm-status-no-tools)

With no further changes, using the patch commands below will reproduce the first issue mentioned.

To skip over missing packages in the CBL mariner package manager repos, add --skip-broken to the yumdownloader commands on lines 482 and 490 in rpm.go. This will tell yum to simply skip over any packages that are broken or missing and continue executing anyway.

From here, choose an image that is missing RPM tools. There are two images I've been working with below as examples.

patch -r /calico-node-3.23.3-32.json -i docker.io/calico/node:v3.23.3-32-g2b86bba8df1f --debug
patch -r /ubi8-micro8.7.json -i docker.io/redhat/ubi8-micro:8.7 --debug

Once the above changes are made, we can reliably reproduce the second issue.

Approach 2 - Adding a New Function

This approach would allow us to handle images which have a valid RPM status but missing tools differently from a distroless image. While I have started initial work on this locally, I will likely need additional time and help learning LLB and BuildKit.

Because this approach relies on the CBL mariner tooling image, we'd still run into the first issue listed under the first approach. Other issues may arise while taking this approach, but none are currently known.
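The distinction this thread turns on is whether an image carries a real rpm database without the rpm/yum binaries, or only a CBL Mariner distroless package manifest under /var/lib/rpmmanifest (the directory the lstat error above is looking for). The following is an added example, not code from copacetic or from the fork linked above: a Go probe over an unpacked root filesystem that separates the three cases (full image with tooling, valid rpm status but missing tools, manifest-only distroless) so each can take its own patching path. The database, manifest and tool paths are assumptions chosen for the example rather than copacetic's own constants, and the rootfs trees it inspects are constructed in the code.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ImageKind classifies what an RPM-based root filesystem offers to a patcher.
type ImageKind int

const (
	KindUnknown       ImageKind = iota // no rpm status at all (not RPM-based, or unsupported)
	KindFull                           // rpm database and rpm tooling both present
	KindStatusNoTools                  // rpm database present, tooling missing (this issue's case)
	KindManifestOnly                   // no database, only a Mariner distroless package manifest
)

func (k ImageKind) String() string {
	switch k {
	case KindFull:
		return "full rpm image"
	case KindStatusNoTools:
		return "valid rpm status, missing tools"
	case KindManifestOnly:
		return "distroless (rpmmanifest only)"
	default:
		return "unknown"
	}
}

// Probe paths, relative to the rootfs. These are assumptions for the example:
// "Packages" is the BDB rpmdb used by older rpm, "rpmdb.sqlite" the sqlite one
// used by rpm >= 4.16, and the rpmmanifest files are where Mariner distroless
// images record their packages. None of these are taken from copacetic.
var (
	rpmDBFiles = []string{
		"var/lib/rpm/Packages",
		"var/lib/rpm/rpmdb.sqlite",
		"usr/lib/sysimage/rpm/rpmdb.sqlite",
	}
	rpmManifests = []string{
		"var/lib/rpmmanifest/container-manifest-1",
		"var/lib/rpmmanifest/container-manifest-2",
	}
	rpmTools = []string{"usr/bin/rpm", "bin/rpm"}
)

// anyExists reports whether at least one of the relative paths exists under root.
func anyExists(root string, rels []string) bool {
	for _, r := range rels {
		if _, err := os.Stat(filepath.Join(root, r)); err == nil {
			return true
		}
	}
	return false
}

// Classify inspects an unpacked rootfs and decides which patching path applies.
// The database check runs before the manifest check so that an image with a real
// rpmdb is never mistaken for a manifest-only distroless image.
func Classify(root string) ImageKind {
	hasDB := anyExists(root, rpmDBFiles)
	hasTools := anyExists(root, rpmTools)
	switch {
	case hasDB && hasTools:
		return KindFull
	case hasDB:
		return KindStatusNoTools
	case anyExists(root, rpmManifests):
		return KindManifestOnly
	default:
		return KindUnknown
	}
}

// newFakeRootfs builds a constructed sample rootfs containing the given files so
// the probe can run offline without pulling any image.
func newFakeRootfs(files ...string) (string, error) {
	root, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		return "", err
	}
	for _, f := range files {
		p := filepath.Join(root, f)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte("constructed"), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	cases := map[string][]string{
		"full":            {"var/lib/rpm/Packages", "usr/bin/rpm"},
		"status-no-tools": {"var/lib/rpm/rpmdb.sqlite"},
		"manifest-only":   {"var/lib/rpmmanifest/container-manifest-2"},
		"not-rpm":         {"var/lib/dpkg/status"},
	}
	for name, files := range cases {
		root, err := newFakeRootfs(files...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s -> %s\n", name, Classify(root))
		os.RemoveAll(root)
	}
}
```

Running the probe before choosing a patching strategy is what lets the "valid status, missing tools" image avoid the distroless code path that expects /var/lib/rpmmanifest; it still needs a tooling image to download and install packages, which is the first roadblock described above and is not addressed here.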