DRAFT: MGMT-16765: Mitigation of CVE-2024-25062 #6187

20 changes: 19 additions & 1 deletion Dockerfile.assisted-service
Expand Up @@ -38,16 +38,33 @@ RUN cd ./cmd/operator && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /bu
RUN cd ./cmd/webadmission && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /build/assisted-service-admission
RUN cd ./cmd/agentbasedinstaller/client && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /build/agent-installer-client

# Build a specific version of libxml2 to mitigate CVE-2024-25062
# Nothing is yet available in Stream9 and looks unlikely to be mitigated soon.
FROM quay.io/centos/centos@sha256:2fa98912f5964b54df6d3cec50874bf56abc98f13077f710b8ea9dc1b41bfeb5 as librarybuilder
RUN dnf groupinstall -y 'Development Tools'
RUN curl -X GET https://ftp.gnu.org/gnu/automake/automake-1.16.3.tar.gz --output ./automake-1.12.5.tar.gz && tar xf automake-1.12.5.tar.gz
RUN cd automake-1.16.3 && ./configure --prefix=/usr/local && make && make install
RUN dnf install -y libtool python3-devel pkg-config -y
RUN curl -X GET https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.12.6/libxml2-v2.12.6.tar.gz --output ./libxml2-v2.12.6.tar.gz && tar -xvf libxml2-v2.12.6.tar.gz
RUN export ACLOCAL_PATH=/usr/share/aclocal && cd libxml2-v2.12.6 && ./autogen.sh --prefix=/usr --libdir=/usr/lib64 && make && make install

# Create final image
FROM quay.io/centos/centos:stream9

# Update libxml to compiled version
RUN rm /usr/lib64/libxml2* -rf
COPY --from=librarybuilder /usr/lib64/libxml2.la /usr/lib64/libxml2.la
COPY --from=librarybuilder /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2.12.6
RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so
RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2

# multiarch images need it till WRKLDS-222 and https://bugzilla.redhat.com/show_bug.cgi?id=2111537 are fixed
RUN dnf install -y --setopt=install_weak_deps=False skopeo
# openshift-install requires this
RUN dnf install -y libvirt-libs nmstate nmstate-libs &&\
dnf clean all

RUN dnf update libksba libxml2 -y && dnf clean all
RUN dnf update libksba -y && dnf clean all

ARG WORK_DIR=/data

Expand All @@ -60,6 +77,7 @@ COPY --from=builder /build/assisted-service /assisted-service
COPY --from=builder /build/assisted-service-operator /assisted-service-operator
COPY --from=builder /build/assisted-service-admission /assisted-service-admission
COPY --from=builder /build/agent-installer-client /usr/local/bin/agent-installer-client

RUN ln -s /usr/local/bin/agent-installer-client /agent-based-installer-register-cluster-and-infraenv
COPY --from=pybuilder /assisted-service/build/dist/* /clients/
ENV GODEBUG=madvdontneed=1
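Review bot: The librarybuilder stage fetches automake and libxml2 (the two lines beginning `RUN curl -X GET`) and compiles them without any integrity check, and curl runs without `-f` or `-L`, so an HTTP error page, a redirect or a substituted archive is extracted and built instead of failing the build. Each fetch should pin a digest before `tar`, e.g. `curl -fsSL <url> -o libxml2-v2.12.6.tar.gz && echo "<SHA256_PLACEHOLDER>  libxml2-v2.12.6.tar.gz" | sha256sum -c -`; the same two fetch lines are repeated in Dockerfile.assisted-service-build and Dockerfile.assisted-service.ocp. The automake download is also saved as `automake-1.12.5.tar.gz` although the URL and the following `cd automake-1.16.3` are 1.16.3, and the file name should say so. In the final stage the `rm /usr/lib64/libxml2* -rf` plus symlink replacement runs before three later `dnf` commands in the same stage while the packaged libxml2 remains registered in the rpm database, so a transaction that pulls that package back would overwrite the symlinks; moving the `# Update libxml to compiled version` block after the last `dnf ... clean all` removes that ordering hazard.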
17 changes: 17 additions & 0 deletions Dockerfile.assisted-service-build
@@ -1,6 +1,16 @@
FROM registry.ci.openshift.org/openshift/release:golang-1.20 AS golang
RUN chmod g+xw -R /usr/local/go

# Build a specific version of libxml2 to mitigate CVE-2024-25062
# Nothing is yet available in Stream9 and looks unlikely to be mitigated soon.
FROM quay.io/centos/centos@sha256:2fa98912f5964b54df6d3cec50874bf56abc98f13077f710b8ea9dc1b41bfeb5 as librarybuilder
RUN dnf groupinstall -y 'Development Tools'
RUN curl -X GET https://ftp.gnu.org/gnu/automake/automake-1.16.3.tar.gz --output ./automake-1.12.5.tar.gz && tar xf automake-1.12.5.tar.gz
RUN cd automake-1.16.3 && ./configure --prefix=/usr/local && make && make install
RUN dnf install -y libtool python3-devel pkg-config -y
RUN curl -X GET https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.12.6/libxml2-v2.12.6.tar.gz --output ./libxml2-v2.12.6.tar.gz && tar -xvf libxml2-v2.12.6.tar.gz
RUN export ACLOCAL_PATH=/usr/share/aclocal && cd libxml2-v2.12.6 && ./autogen.sh --prefix=/usr --libdir=/usr/lib64 && make && make install

FROM quay.io/centos/centos:stream9

ENV GOPATH=/go
Expand All @@ -10,6 +20,13 @@ ENV VIRTUAL_ENV=/opt/venv
ENV TOOLS=/tools/
ENV PATH="$VIRTUAL_ENV/bin:$GOROOT/bin:$GOPATH/bin:$TOOLS:$PATH"

# Update libxml to compiled version
RUN rm /usr/lib64/libxml2* -rf
COPY --from=librarybuilder /usr/lib64/libxml2.la /usr/lib64/libxml2.la
COPY --from=librarybuilder /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2.12.6
RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so
RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2

RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/bin v1.53.2
# TODO: Replace with version 0.30.4 once it is released.
#
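Review bot: The hand-built library copied at `COPY --from=librarybuilder /usr/lib64/libxml2.so.2.12.6` was linked on a centos builder with 'Development Tools' installed, and nothing checks that whatever optional libraries `./autogen.sh` detected there (zlib, xz and icu are the usual candidates) are present under the same sonames in this stream9 stage; adding `RUN ! ldd /usr/lib64/libxml2.so.2.12.6 | grep 'not found'` after the symlinks fails the build at once instead of at the first XML parse. The two `RUN ln -s` lines are one logical step and can be a single layer, `RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so && ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2`. The `.la` file copied on the line above is a libtool archive that, as far as I can tell, only matters when something links against libxml2 through libtool and embeds builder-stage paths, so it can likely be dropped unless such a link step exists in this image.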
17 changes: 17 additions & 0 deletions Dockerfile.assisted-service.ocp
Expand Up @@ -12,13 +12,29 @@ RUN cd ./cmd/operator && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /bu
RUN cd ./cmd/webadmission && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /build/assisted-service-admission
RUN cd ./cmd/agentbasedinstaller/client && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /build/agent-installer-client

# Build a specific version of libxml2 to mitigate CVE-2024-25062
# Nothing is yet available in Stream9 and looks unlikely to be mitigated soon.
FROM quay.io/centos/centos@sha256:2fa98912f5964b54df6d3cec50874bf56abc98f13077f710b8ea9dc1b41bfeb5 as librarybuilder
RUN dnf groupinstall -y 'Development Tools'
RUN curl -X GET https://ftp.gnu.org/gnu/automake/automake-1.16.3.tar.gz --output ./automake-1.12.5.tar.gz && tar xf automake-1.12.5.tar.gz
RUN cd automake-1.16.3 && ./configure --prefix=/usr/local && make && make install
RUN dnf install -y libtool python3-devel pkg-config -y
RUN curl -X GET https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.12.6/libxml2-v2.12.6.tar.gz --output ./libxml2-v2.12.6.tar.gz && tar -xvf libxml2-v2.12.6.tar.gz
RUN export ACLOCAL_PATH=/usr/share/aclocal && cd libxml2-v2.12.6 && ./autogen.sh --prefix=/usr --libdir=/usr/lib64 && make && make install

FROM registry.ci.openshift.org/ocp/4.15:cli AS oc-image
# Create final image
FROM registry.ci.openshift.org/ocp/4.15:base

LABEL io.openshift.release.operator=true

# Update libxml to compiled version
RUN rm /usr/lib64/libxml2* -rf
COPY --from=librarybuilder /usr/lib64/libxml2.la /usr/lib64/libxml2.la
COPY --from=librarybuilder /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2.12.6
RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so
RUN ln -s /usr/lib64/libxml2.so.2.12.6 /usr/lib64/libxml2.so.2

# multiarch images need skopeo until WRKLDS-222 and https://bugzilla.redhat.com/show_bug.cgi?id=2111537 are fixed
# ToDo: Replace postgres with SQLite DB
# https://issues.redhat.com/browse/AGENT-223
Expand All @@ -42,6 +58,7 @@ COPY --from=builder /build/assisted-service-operator /assisted-service-operator
COPY --from=builder /build/assisted-service-admission /assisted-service-admission
COPY --from=builder /build/agent-installer-client /usr/local/bin/agent-installer-client
RUN ln -s /usr/local/bin/agent-installer-client /agent-based-installer-register-cluster-and-infraenv

ENV GODEBUG=madvdontneed=1
ENV GOGC=50
CMD ["/assisted-service"]
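Review bot: The comment `# Nothing is yet available in Stream9 and looks unlikely to be mitigated soon.` copied into this file does not describe this image, whose final stage is `FROM registry.ci.openshift.org/ocp/4.15:base` rather than centos:stream9, so the libxml2 package and the errata available for it may differ; the comment should state what was checked for this base. Replacing the files under `/usr/lib64` also leaves the distro libxml2 package registered in the rpm database, so `rpm -q libxml2` and rpm-based vulnerability scanners will most likely still report the original version and the CVE; a sentence in the `# Update libxml to compiled version` comment such as `# NOTE: the libxml2 rpm is still installed; rpm -q and scanners report the packaged version, the loaded library is the one built above` keeps that from being mistaken for a package update. The `# multiarch images need skopeo` comment suggests a `dnf install` follows this block outside the hunk, which is worth confirming given that the package is still installable.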