chore: Upgrade base image from UBI 9 to UBI 10.2 #191
Open
rpokorny wants to merge 4 commits into
Conversation
Update all Dockerfiles to use registry.access.redhat.com/ubi10/ubi-minimal:10.2 replacing ubi9/ubi-minimal:9.6 (Dockerfile, Dockerfile.slim) and ubi9/ubi-minimal:9.7 (Dockerfile.rh).
RHEL 10 removed the SHA1 subpolicy module. The LEGACY policy provides equivalent SHA1 certificate support.
The LEGACY policy is significantly looser than the old UBI 9 DEFAULT:SHA1 combination — it enables SSH CBC ciphers, RSAES-PKCS1-v1.5, FFDHE-1536, and legacy PKCS12/SMIME algorithms that were not previously allowed. Instead, ship a custom SHA1.pmod that replicates the removed RHEL 10 module exactly, keeping the security posture identical to UBI 9.
This GnuTLS-specific knob is not needed for the Java/JDBC PostgreSQL connection that motivated this workaround.
Motivation
This upgrade addresses 12 policy violations currently failing the main branch build in IQ Server (report), including:
- tar 2:1.34-11.el9
- openssl-libs 1:3.5.5-2.el9_8, openssl-fips-provider
- openssh 9.9p1-7.el9_8
- expat 2.5.0-6.el9
- python3-pip-wheel 21.3.1-2.el9_8
- glib2 2.68.4-19.el9_8.1
- pcre2 10.40-6.el9
- gawk 5.1.0-6.el9

These are all RHEL 9 OS-level packages with known vulnerabilities. The branch IQ report on UBI 10.2 shows zero vulnerabilities — the newer base image ships patched versions of these packages.
Changes
- ubi9/ubi-minimal:9.6 → ubi10/ubi-minimal:10.2
- ubi9/ubi-minimal:9.7 → ubi10/ubi-minimal:10.2
- ubi9/ubi-minimal:9.6 → ubi10/ubi-minimal:10.2
- SHA1.pmod and use DEFAULT:SHA1 instead of the removed RHEL 10 module

Crypto policy detail

RHEL 10 removed the SHA1 subpolicy module that was used to allow SHA1-signed certificates (needed for Azure PostgreSQL connections — see PR #155). Rather than using the LEGACY policy (which enables SSH CBC ciphers, RSAES-PKCS1-v1.5, and other unnecessary relaxations), we ship a custom SHA1.pmod that allows only:

    hash = SHA1+
    sign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+

This keeps the security posture identical to what we had on UBI 9 with DEFAULT:SHA1.

Testing
All three CI pipelines pass:
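As an added example that is not one of this PR's Dockerfiles or any other code from the project, the following shows how the custom subpolicy described under "Crypto policy detail" can be installed and verified on the new base image. Two things are assumptions rather than statements from the PR: that update-crypto-policies has to be installed on ubi-minimal from the crypto-policies-scripts package, and that the generated OpenSSL back-end config lists SHA1 among its signature algorithms once the subpolicy is active.

```dockerfile
# Added example, not a Dockerfile from this PR: recreate the SHA1 subpolicy
# that RHEL 10 dropped and apply it on top of DEFAULT instead of using LEGACY.
FROM registry.access.redhat.com/ubi10/ubi-minimal:10.2

# Assumption: ubi-minimal ships crypto-policies but not the update-crypto-policies
# tool, which comes from crypto-policies-scripts; install it with microdnf.
RUN microdnf install -y crypto-policies-scripts && microdnf clean all

# Custom subpolicy containing only the two lines from the PR description.
# It deliberately omits sha1_in_certs (a GnuTLS-only knob) and everything LEGACY
# would add (SSH CBC ciphers, RSAES-PKCS1-v1.5, FFDHE-1536, old PKCS12/SMIME).
RUN mkdir -p /etc/crypto-policies/policies/modules \
 && printf 'hash = SHA1+\nsign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+\n' \
      > /etc/crypto-policies/policies/modules/SHA1.pmod

# Apply DEFAULT plus the subpolicy and fail the build if it did not take effect.
# The grep is an assumption about the generated OpenSSL back-end config: with the
# subpolicy active it should list SHA1 signature algorithms, which DEFAULT alone
# does not.
RUN update-crypto-policies --set DEFAULT:SHA1 \
 && [ "$(update-crypto-policies --show)" = "DEFAULT:SHA1" ] \
 && grep -q 'SHA1' /etc/crypto-policies/back-ends/opensslcnf.config
```

For the Java/JDBC path this PR cares about, the generated file that matters is /etc/crypto-policies/back-ends/java.config rather than the OpenSSL one; Red Hat's OpenJDK builds read it because their java.security sets security.useSystemPropertiesFile=true. A JDK vendored into the image from elsewhere does not carry that integration, so the system policy would have no effect on it and the SHA1-signed Azure certificate would still be rejected.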