Fixing Docker image vulnerabilities (with centos2ol.sh)

You want to run a Docker image but it doesn't pass the vulnerability check? Here is an example on how to deal with, on the YugabyteDB image (Open Source, PostgreSQL-compatible, Distributed SQL database).

Vulnerability detection: docker scan

I'm using Docker scan here to check for vulnerabilities:

docker scan yugabytedb/yugabyte:2.15.1.0-b175

This returns a few critical ones, and I'll focus on CVE-2022-2526

In total:

Tested 252 dependencies for known vulnerabilities, found 1022 vulnerabilities.

That's a lot. This is a YugabyteDB image which is updated frequently, but it is based on CentOS.

Is there a fix? rpm -q --changelog

Let me start a quick shell to look at it:

docker exec -it $(
docker run --rm -d yugabytedb/yugabyte:2.15.1.0-b175 sleep infinity
) bash -c "bash ; pkill -f '^sleep infinity$' "

In this shell, I check the systemd version:

[root@74b21c4194ea yugabyte]# cat /etc/system-release

CentOS Linux release 7.9.2009 (Core)

[root@74b21c4194ea yugabyte]# rpm -q systemd

systemd-219-78.el7_9.5.x86_64

[root@74b21c4194ea yugabyte]# yum info systemd

Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: pkg.adfinis.com
 * epel: mirror.nl.leaseweb.net
 * extras: pkg.adfinis.com
 * updates: pkg.adfinis.com
Installed Packages
Name        : systemd
Arch        : x86_64
Version     : 219
Release     : 78.el7_9.5
Size        : 23 M
Repo        : installed
From repo   : updates
Summary     : A System and Service Manager
URL         : http://www.freedesktop.org/wiki/Software/systemd
License     : LGPLv2+ and MIT and GPLv2+
Description : systemd is a system and service manager for Linux, compatible with
            : SysV and LSB init scripts. systemd provides aggressive parallelization
            : capabilities, uses socket and D-Bus activation for starting services,
            : offers on-demand starting of daemons, keeps track of processes using
            : Linux cgroups, supports snapshotting and restoring of the system
            : state, maintains mount and automount points and implements an
            : elaborate transactional dependency-based service control logic. It can
            : work as a drop-in replacement for sysvinit.

The image is based on CentOS 7.9 and systemd is version 219release 78.el7_9.5. The scan above says the vulnerability is fixed in release 78.el7_9.5

Unfortunately this CVE is not fixed yet in CentOS:

[root@74b21c4194ea yugabyte]# rpm -q --changelog systemd | head

* Mon Dec 06 2021 systemd maintenance team <systemd-maint@redhat.com> - 219-78.5
- install: fix a potential crash (#1828758)
- acl-util: only set the mask if not present (#2026361)

So... what are the solutions?

If fixed: yum update -y in Dockerfile

If the update was available, I would simply build an image with a yum update:

mkdir -p /var/tmp/build
cd       /var/tmp/build

cat > Dockerfile <<'DOCKERFILE'
FROM  yugabytedb/yugabyte:2.15.1.0-b175
RUN   yum update -y
DOCKERFILE

docker build -t yugabytedb/yugabyte:2.15.1.0-b175-20220831
docker scan     yugabytedb/yugabyte:2.15.1.0-b175-20220831

Unfortunately, as seen above, in my case the vulnerability I'm interested in is not fixed with the latest CentOS update.

Note that all YugabyteDB images are updated each time a new release or build is pushed, so you probably don't need to do this.

However, CentOS lags in fixes. A scan on my new image shows only 3 fixed vulnerabilities since the YugabyteDB image push:

Tested 252 dependencies for known vulnerabilities, found 1019 vulnerabilities.

I need a CentOS compatible distribution with fresh updates.

Oracle to the rescue: centos2ol.sh

Oracle Linux is a free CentOS alternative, with better support. The provide a quick script to move from CentOS to Oracle Linux. The only change I do is disable the GRUB config. Here is my Dockerfile to build the new image:

mkdir -p /var/tmp/build
cd       /var/tmp/build

cat > Dockerfile <<'DOCKERFILE'
FROM  yugabytedb/yugabyte:2.15.1.0-b175
RUN   yum update -y
# https://blogs.oracle.com/scoter/post/switching-from-centos-to-oracle-linux-a-hands-on-example
RUN   curl -O https://raw.githubusercontent.com/oracle/centos2ol/main/centos2ol.sh
# Don't config grub in a container (will get /usr/sbin/grub2-probe: error: failed to get canonical path of `overlay')
RUN sed -e 's/grub2-mkconfig/: &/' -i centos2ol.sh
RUN   bash centos2ol.sh
# already updated, but just in case
RUN yum update

DOCKERFILE

docker build -t yugabytedb/yugabyte:2.15.1.0-b175-ol7 .
docker scan     yugabytedb/yugabyte:2.15.1.0-b175-ol7

This is much better, with most of scanned vulnerabilities fixed:

Tested 275 dependencies for known vulnerabilities, found 81 vulnerabilities.

And my CVE is part of the fixed ones. The only vulnerabilities remaining are on openssl package. I didn't check why they are not fixed. Anyway, your enterprise has probably its own list of vulnerabilities to check.

Here is my quick test, starting yugabyted and check that all is ok:

docker logs -f $(
docker run --rm -d yugabytedb/yugabyte:2.15.1.0-b175-ol7 yugabyted start 
)

Oracle Linux is a free alternative to CentOS, so the above makes it easy to get the latest OS updates for your Docker image.