Ubuntu Docker Images

Check that all images generate a manifest via dpkg-query

Bug #1953697 reported by Sergio Durigan Junior
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Docker Images
Fix Released
High
Athos Ribeiro

Bug Description

It has come to my attention that some of our images (specifically those that are not deb-based) don't generate a security manifest through the dpkg-query method. This makes us miss security notifications for the deb packages installed on top of the base image.

We should revisit our images and double check that they're properly generating such manifests.

Related branches

~athos-ribeiro/ubuntu-docker-images/+git/prometheus-alertmanager:0.21-20.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 16 lines (+4/-1)
1 file modified
Dockerfile (+4/-1)
~athos-ribeiro/ubuntu-docker-images/+git/prometheus-alertmanager:0.21-21.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 16 lines (+4/-1)
1 file modified
Dockerfile (+4/-1)
~athos-ribeiro/ubuntu-docker-images/+git/prometheus-alertmanager:0.22-21.10-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 16 lines (+4/-1)
1 file modified
Dockerfile (+4/-1)
~athos-ribeiro/ubuntu-docker-images/+git/prometheus:2.20-20.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 16 lines (+4/-1)
1 file modified
Dockerfile (+4/-1)
~athos-ribeiro/ubuntu-docker-images/+git/prometheus:2.25-21.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 16 lines (+4/-1)
1 file modified
Dockerfile (+4/-1)
~athos-ribeiro/ubuntu-docker-images/+git/prometheus:2.28-21.10-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 16 lines (+4/-1)
1 file modified
Dockerfile (+4/-1)
~athos-ribeiro/ubuntu-docker-images/+git/grafana:7.2-20.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 15 lines (+3/-1)
1 file modified
Dockerfile (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/grafana:7.4-21.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 15 lines (+3/-1)
1 file modified
Dockerfile (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/grafana:8.1-21.10-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 15 lines (+3/-1)
1 file modified
Dockerfile (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/cortex:1.4-20.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 14 lines (+3/-1)
1 file modified
oci/Dockerfile.ubuntu (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/cortex:1.7-21.04-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 14 lines (+3/-1)
1 file modified
oci/Dockerfile.ubuntu (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/cortex:1.10-21.10-deb-manifest
Sergio Durigan Junior: Approve
Canonical Server: Pending requested
Diff: 14 lines (+3/-1)
1 file modified
oci/Dockerfile.ubuntu (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/cassandra:4.0-20.04-deb-manifest
Bryce Harrington: Approve
Sergio Durigan Junior: Pending requested
Canonical Server: Pending requested
Diff: 14 lines (+3/-1)
1 file modified
Dockerfile (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/cassandra:4.0-21.04-deb-manifest
Bryce Harrington: Approve
Sergio Durigan Junior: Pending requested
Canonical Server: Pending requested
Diff: 14 lines (+3/-1)
1 file modified
Dockerfile (+3/-1)
~athos-ribeiro/ubuntu-docker-images/+git/cassandra:4.0-21.10-deb-manifest
Bryce Harrington: Approve
Sergio Durigan Junior: Pending requested
Canonical Server: Pending requested
Diff: 14 lines (+3/-1)
1 file modified
Dockerfile (+3/-1)
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

The affected images are:

- cassandra
- cortex
- grafana
- prometheus
- prometheus-alertmanager

[1] implements detection of such cases in our test suite.

[1] https://github.com/canonical/server-test-scripts/pull/142

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

The following MPs should sufice to close this bug. We should make sure https://github.com/canonical/server-test-scripts/pull/142 is merged after that.

https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/cassandra/+merge/413022
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/cassandra/+merge/413024
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/cassandra/+merge/413025

https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/cortex/+merge/413033
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/cortex/+merge/413034
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/cortex/+merge/413035

https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/grafana/+merge/413037
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/grafana/+merge/413038
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/grafana/+merge/413039

https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/prometheus/+merge/413041
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/prometheus/+merge/413042
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/prometheus/+merge/413043

https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/prometheus-alertmanager/+merge/413044
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/prometheus-alertmanager/+merge/413045
https://code.launchpad.net/~athos-ribeiro/ubuntu-docker-images/+git/prometheus-alertmanager/+merge/413046

Changed in ubuntu-docker-images:
assignee: nobody → Athos Ribeiro (athos-ribeiro)
status: Confirmed → In Progress
Athos Ribeiro (athos-ribeiro)
Changed in ubuntu-docker-images:
status: In Progress → Fix Committed
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

All images were rebuilt and tagged. This should be fixed now.

Changed in ubuntu-docker-images:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.