Fix the security of the notebook containers #235

Closed
4 tasks done
Tracked by #163
harshad16 opened this issue Oct 4, 2023 · 3 comments
Labels
kind/feature New feature or request priority/normal An issue with the product; fix when possible

Comments

@harshad16
Member

harshad16 commented Oct 4, 2023

Quay security scan,

Check on the fixes that can be made for notebook images to fix the security issue.
https://quay.io/repository/opendatahub/workbench-images?tab=tags

Page shows the vulnerability: https://quay.io/repository/opendatahub/workbench-images/manifest/sha256:08ca15319061594adab1663e2db15c588197d3ebb6e33eb854411102c947b3e6?tab=vulnerabilities

Acceptance criteria

  • Check what package change has increased the vulnerability and create a report.
  • Reduce the number of reported vulnerabilities on quay.
  • Make sure the update of the package and binaries don't break the images.
  • Make a report for the vulnerabilities reduced in a Google Sheet or Docs.
@rkpattnaik780
Contributor

I have compiled a list of vulnerabilities found by the Quay security scan in Python dependencies of the workbenches. Some immediate action items to be made:

  • Upgrade tensorflow from 2.11.0 to 2.11.1 for habana-jupyter-1.9.0-ubi8 notebook.
  • Upgrade versions of grpcio and cryptography in codeflare SDK.

Cc @harshad16
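
The first and last acceptance criteria in the issue description come down to diffing two scan results per package. The following is an added example, not code from the issue or the project; the scan JSON shape, the package `example-lib` and the `EXAMPLE-*` ids are assumptions constructed for illustration.

```python
import csv
import io

# Constructed scan results for two builds of one image. The JSON shape
# (data.Layer.Features[].Vulnerabilities[]) is an assumption about the scanner
# output; package "example-lib" and all EXAMPLE-* ids are placeholders.
OLD_SCAN = {"data": {"Layer": {"Features": [
    {"Name": "tensorflow", "Version": "2.11.0", "Vulnerabilities": [
        {"Name": "EXAMPLE-0001", "Severity": "High", "FixedBy": "2.11.1"}]},
    {"Name": "example-lib", "Version": "1.0.0", "Vulnerabilities": []},
]}}}
NEW_SCAN = {"data": {"Layer": {"Features": [
    {"Name": "tensorflow", "Version": "2.11.1", "Vulnerabilities": []},
    {"Name": "example-lib", "Version": "1.1.0", "Vulnerabilities": [
        {"Name": "EXAMPLE-0002", "Severity": "Medium", "FixedBy": ""}]},
]}}}


def index_scan(scan):
    """Return {package: (version, {vuln_id: vuln_record})} for one scan."""
    index = {}
    for feature in scan["data"]["Layer"]["Features"]:
        vulns = {v["Name"]: v for v in feature.get("Vulnerabilities") or []}
        index[feature["Name"]] = (feature["Version"], vulns)
    return index


def diff_scans(old, new):
    """List packages whose set of reported vulnerabilities changed."""
    before, after = index_scan(old), index_scan(new)
    rows = []
    for pkg in sorted(set(before) | set(after)):
        old_ver, old_vulns = before.get(pkg, ("", {}))
        new_ver, new_vulns = after.get(pkg, ("", {}))
        added = sorted(set(new_vulns) - set(old_vulns))
        fixed = sorted(set(old_vulns) - set(new_vulns))
        if added or fixed:
            rows.append([pkg, old_ver, new_ver, " ".join(added), " ".join(fixed)])
    return rows


def to_csv(rows):
    """Render the diff as CSV, ready to import into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["package", "old_version", "new_version", "introduced", "resolved"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(diff_scans(OLD_SCAN, NEW_SCAN)))
```
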

@rkpattnaik780
Contributor

Reported issue in codeflare-sdk#385.

@harshad16
Member Author

Thanks for the amazing report and for making the request upstream.
Marking this as complete.

@github-project-automation github-project-automation bot moved this from 🔖Todo to ✅Done in ODH IDE Planning Oct 27, 2023
@harshad16 harshad16 added kind/feature New feature or request priority/normal An issue with the product; fix when possible labels Oct 27, 2023
harshad16 pushed a commit to harshad16/odh-notebooks that referenced this issue Apr 24, 2024
…-io#235)

* Update codeflare-sdk version on imagestreams annotations
* fix kfp version in the annotation for tensorflow

Co-authored-by: Jan Stourac <[email protected]>
jiridanek pushed a commit to jiridanek/notebooks that referenced this issue Jun 6, 2024
…-io#235)

* Update codeflare-sdk version on imagestreams annotations
* fix kfp version in the annotation for tensorflow

Co-authored-by: Jan Stourac <[email protected]>
jiridanek pushed a commit to jiridanek/notebooks that referenced this issue Jun 6, 2024
These changes shouldn't have any functional impact.

[fix] CI for the images checks based on recent updates

[fix] This fixes an inconsistency with the kustomize params

Inconsistency for codeserver notebook parameters. There was an upstream
change recently that probably did not get properly backported to downstream,
see [1,2].

* [1] opendatahub-io#524
* [2] red-hat-data-services@ceb3dc8

Set the rstudio builds with the branch rhoai-2.10

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update image commits for release N via digest-updater-9215094498 GitHub action

Update images for release N via digest-updater-9215094498 GitHub action

Update file via  digest-updater-9213110410 GitHub action

Allow runtime script to cp the package from bin to Rpackage default path

Update codeflare-sdk version on imagestreams annotations (opendatahub-io#235)

* Update codeflare-sdk version on imagestreams annotations
* fix kfp version in the annotation for tensorflow

Co-authored-by: Jan Stourac <[email protected]>

Update images for release N and N-1 with 2024a commit db8bd76

Update file via  digest-updater-8806399693 GitHub action

Update annotations for kfp (opendatahub-io#229)

Update image commits for release N via digest-updater-8665769109 GitHub action

Update images for release N via digest-updater-8665769109 GitHub action

Update manifest for code-freeze 2.9

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update image commits for release N-1 via digest-updater-8581586298 GitHub action

Update images for release N-1 via digest-updater-8581586298 GitHub action

Update image commits for release N via digest-updater-8581586298 GitHub action

Update images for release N via digest-updater-8581586298 GitHub action

Update file via  digest-updater-8577545330 GitHub action

Fix the runtime updater github action branch 2024a

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Fix the runtime updater github action

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Remove the intel based image from the overlay as its ODH only
- Fix the typo in the datascience notebook

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Revert nginx version to 1.22 since 1.24 is not available on rhel yet

update cuda layer for RHEL to 12.1

Add runtimes workflow updater

Update digest updater workflow

Fix check-params-env test with the new changes (opendatahub-io#196)

Update Imagestream for habana 1.13

Update runtime images with e1aee40 build commit

Update the manifests to retain old image in shadow state

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update image commits for release N via digest-updater-8319475892 GitHub action

Update images for release N via digest-updater-8319475892 GitHub action

Update Codeserver ImageStream for the 2024a release inclusion (opendatahub-io#173)

* Update Codeserver imagestream with the 2024a release

Co-authored-by: Harshad Reddy Nalla <[email protected]>

Fix test file for the trustyai image

I don't really understand how and why this file was broken by this
commit aac0662 . Our CI check notifies
that something is broken in the file.

Update Imagestreams with in favor of the new release 2024.1 (opendatahub-io#175)

Co-authored-by: Harshad Reddy Nalla <[email protected]>

Update digest updater workflow in favor 2024a release

Remove opendatahub.io/dashboard: 'true' label from rstudio ImageStreams

Create sync workflow for the release-2024a

Format yaml and json files to satisfy code-quality
- Fix validation of the params-env

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update RStudio-server Dockerfile for RHEL version

Fix library path version on rsession.conf file

hot fix: bump cuda resources

HotFix: Remove the annotation notebook-images=true from RStudio imagestreams

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Fix user R library path version

Update image commits for release N via digest-updater-7846262944 GitHub action

Update images for release N via digest-updater-7846262944 GitHub action

Remove the R-package install from workbench

Co-authored-by: Diamond Bryant <[email protected]>
Signed-off-by: Harshad Reddy Nalla <[email protected]>

Fix naming for RStudio Server on rhel flavor

Increase build resources for R Studio buildconfigs

Mount the secret on the buildConfig instead of using ENVs to avoid exposing them in the logs

Adjust the imagestream annotation for codeflare-sdk upgrade

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update image commits for release N via digest-updater-7761501425 GitHub action

Update images for release N via digest-updater-7761501425 GitHub action

Add optional: true option for the base and server url envs

Add BuildConfiguration objects to build RStudio and CUDA RStudio images on OCP cluster

Fixes on the CUDA Dockerfile

setup r-studio based with rhel9 base image (opendatahub-io#125)

* Content of R Studio switched to the rhel based image.

Add rhel9 base image

[Fix] typo in logging of the `notebook-digest-updater.yaml`

Update image commits for release N via digest-updater-7533330854 GitHub action

Update images for release N-1 via digest-updater-7533330854 GitHub action

Update images for release N via digest-updater-7533330854 GitHub action

Fix: update the code-server and annotation

Signed-off-by: Harshad Reddy Nalla <[email protected]>
Co-authored-by: aTheo <[email protected]>

Incorporate VSCode on Downstream (opendatahub-io#105)

Co-authored-by: Harshad Reddy Nalla <[email protected]>

hot-fix: Fix the tensorflow imagestream by removing the trailing space

Signed-off-by: Harshad Reddy Nalla <[email protected]>

hot-fix: Fix the imagestream minimal-cuda sha

Signed-off-by: Harshad Reddy Nalla <[email protected]>

hot-fix: Fixed imagestream with CVE 44487 changes

Signed-off-by: Harshad Reddy Nalla <[email protected]>

hot-fix: update the base ubi9 images for cve 44487 fix

Signed-off-by: Harshad Reddy Nalla <[email protected]>

hot-fix: CVE 44487 fix with libnghttp2

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update the pipfile.lock via the weekly workflow action

chores: Update the runtime image with the commit: 8bda2fa

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Patch the imagestream by removing habana 1.11.0

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Update the runtime image with the commit: 8bda2fa on main

Update images for release N via digest-updater-6655629712 GitHub action

Fix the annotation and additional recommended-true

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Patch the imagestream to have same name as in odh-manifests

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Fix digest updater from failing if there are no updates on the image streams

Fix the path to the params.env file

Several fixes

Upgrade the notebook images with 2023b and 2023a images

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Include only sync github workflow on the main branch

Signed-off-by: Harshad Reddy Nalla <[email protected]>