Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: OpenSearch docker image is based on EOSL amazon image #4573

Closed
Kuckkuck opened this issue Mar 26, 2024 · 5 comments · Fixed by opensearch-project/documentation-website#6637
Closed

[Bug]: OpenSearch docker image is based on EOSL amazon image #4573

Kuckkuck opened this issue Mar 26, 2024 · 5 comments · Fixed by opensearch-project/documentation-website#6637
Assignees
@peterzhuamazon
Labels
bug Something isn't working

Comments

@Kuckkuck
Copy link

Describe the bug

OpenSearch 2.12.0 docker image

amazonBase image EOSLEnd of Support Life Rotten 2023.3.20240312 (Amazon Linux) N/A
The base image has reached End of Support Life and will not receive further security updates. Please consider updating to a supported version of amazon as soon as possible.

The latest 2.12.0 release of OpenSearch has image layers, which are even more rotten, than older releases.

To reproduce

Use a CVE scanner for OpenSearch images.

Expected behavior

No response

Screenshots

If applicable, add screenshots to help explain your problem.

Host / Environment

No response

Additional context

No response

Relevant log output

No response
@Kuckkuck Kuckkuck added bug Something isn't working untriaged Issues that have not yet been triaged labels Mar 26, 2024
@peterzhuamazon
Copy link
Member

peterzhuamazon commented Mar 26, 2024
edited
Loading

The upcoming 2.13 version is having the latest AL2023 (2023.4.20240319):
https://build.ci.opensearch.org/job/docker-scan/3123/artifact/scan_docker_image.txt

The release 2.12 version is having a slightly older (1 month) image at the time of releasing (2023.3.20240312):
https://build.ci.opensearch.org/job/docker-scan/3127/artifact/scan_docker_image.txt

Amazon Linux release 2023.3.20240312 (Amazon Linux)
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.3.20240312"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2028-03-15"
Amazon Linux release 2023.3.20240312 (Amazon Linux)

AL2023 will be eol at 2027, current LTS version:
https://docs.aws.amazon.com/linux/al2023/ug/release-cadence.html

The old AL image should be AL1, will eol at the end of 2023; and AL2, at about 2025:
https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/
https://aws.amazon.com/amazon-linux-2/faqs/

Hi @Kuckkuck could you please share the exact cve scanner and commands for us to reproduce this result?

Even in your description it shows as Amazon Linux 2023.3.20240312, which is the latest release at the time.
And could you also let us know what does has image layers, which are even more rotten, than older releases means in the current context?

Thanks.

@gaiksaya gaiksaya removed the untriaged Issues that have not yet been triaged label Mar 26, 2024
@peterzhuamazon peterzhuamazon self-assigned this Mar 27, 2024
@Kuckkuck
Copy link
Author

We use https://trivy.dev/ to scan all our images and this comes back for the 2.12.0 image:

Canonical digest sha256:40a130ec32fa38613761ed3b84fd8d7051f267cda2ab12667b649f58f22e9218
application/vnd.docker.distribution.manifest.v2+json
Protected from garbage collection because of reference in sha256:645d3d9390ad… (Details)

Canonical digest sha256:40a130ec32fa38613761ed3b84fd8d7051f267cda2ab12667b649f58f22e9218
MIME type application/vnd.docker.distribution.manifest.v2+json
Result of last GC Protected from garbage collection because of reference in sha256:645d3d9390ad… ([Details]
Filter vulnerabilities
Affected package/object/file Title Severity Installed version Fixed in version
amazon
Base image
EOSL
End of Support Life
Rotten 2023.3.20240312 (Amazon Linux) N/A
The base image has reached End of Support Life and will not receive further security updates. Please consider updating to a supported version of amazon as soon as possible.

{
"Family": "amazon",
"Name": "2023.3.20240312 (Amazon Linux)",
"EOSL": true
}

Strange, that the older images of OpenSearch are high or critical, but none of them are rotten.

@peterzhuamazon
Copy link
Member

Hi @Kuckkuck we also use trivy and we are not able to see the same result. Very interesting.
Would you share the exact command you run? We run trivy image for scanning of image cves, but not returning the result you are giving.

Also, this seems like an issue with https://github.com/amazonlinux/container-images or https://github.com/amazonlinux/amazon-linux-2023/, as opensearch is just using the existing image provided from them.

1.x and older 2.x images are using AL2, while new images are using AL2023 since 2.10.0.
Thanks.

@electricbrain-code
Copy link

As noted by yourself @peterzhuamazon in #4572 AmazonLinux is not officially supported by OpenSearch
https://opensearch.org/docs/latest/install-and-configure/install-opensearch/index/
"While OpenSearch and OpenSearch Dashboards should work on most Linux distributions, we only test a subset.", and AmazonLinux is not currently supported.

@peterzhuamazon peterzhuamazon mentioned this issue Apr 9, 2024
Merged
1 task
@peterzhuamazon
Copy link
Member

Updated compatibility chart to be more clear on the OSes we tested on.

Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@peterzhuamazon peterzhuamazon

Labels
bug Something isn't working
Projects
OpenSearch Engineering Effectiveness
Status: Done
Milestone
No milestone
4 participants
@Kuckkuck @electricbrain-code @gaiksaya @peterzhuamazon