Is there an up-to-date official centos Docker image that includes security patches?

Time: 2020-03-19 19:59:17

Tags: docker dockerfile

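  1. Is there an up-to-date official centos docker image with security patches? The official docker centos image still seems to have security vulnerabilities? https://snyk.io/test/docker/centos%3A7. Running yum upgrade -y in the docker container resolves these issues, but shouldn't the official image already be updated with the security fixes?

  2. What is the recommended best practice/process in the docker ecosystem for docker image publishers to go back and patch their containers when base image vulnerabilities are discovered? Should image publishers monitor base images for security patches and update already published images to reflect those updates? Are there services that provide this functionality?

This question - How to automatically update your docker containers, if base-images are updated - seems to cover part (2), but I wanted to check whether there are any more recent services or automated services that offer a better option?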

12:46 $ docker pull centos:7
7: Pulling from library/centos
Digest: sha256:4a701376d03f6b39b8c2a8f4a8e499441b0d567f9ab9d58e4991de4472fb813c
Status: Image is up to date for centos:7
docker.io/library/centos:7

12:55 $ docker run -it centos:7 bash
[root@8840aa0d7513 /]# yum upgrade -y
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: mirrors.cat.pdx.edu
 * extras: repos.lax.layerhost.com
 * updates: repo1.sea.innoscale.net
base                                                                                      | 3.6 kB  00:00:00
extras                                                                                    | 2.9 kB  00:00:00
updates                                                                                   | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz                                                             | 165 kB  00:00:00
(2/4): extras/7/x86_64/primary_db                                                         | 164 kB  00:00:00
(3/4): updates/7/x86_64/primary_db                                                        | 7.5 MB  00:00:00
(4/4): base/7/x86_64/primary_db                                                           | 6.0 MB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package binutils.x86_64 0:2.27-41.base.el7 will be updated
---> Package binutils.x86_64 0:2.27-41.base.el7_7.3 will be an update
---> Package ca-certificates.noarch 0:2018.2.22-70.0.el7_5 will be updated
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be an update
---> Package curl.x86_64 0:7.29.0-54.el7 will be updated
---> Package curl.x86_64 0:7.29.0-54.el7_7.2 will be an update
---> Package device-mapper.x86_64 7:1.02.158-2.el7 will be updated
---> Package device-mapper.x86_64 7:1.02.158-2.el7_7.2 will be an update
---> Package device-mapper-libs.x86_64 7:1.02.158-2.el7 will be updated
---> Package device-mapper-libs.x86_64 7:1.02.158-2.el7_7.2 will be an update
---> Package hostname.x86_64 0:3.13-3.el7 will be updated
---> Package hostname.x86_64 0:3.13-3.el7_7.1 will be an update
---> Package kmod.x86_64 0:20-25.el7 will be updated
---> Package kmod.x86_64 0:20-25.el7_7.1 will be an update
---> Package kmod-libs.x86_64 0:20-25.el7 will be updated
---> Package kmod-libs.x86_64 0:20-25.el7_7.1 will be an update
---> Package libblkid.x86_64 0:2.23.2-61.el7 will be updated
---> Package libblkid.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package libcurl.x86_64 0:7.29.0-54.el7 will be updated
---> Package libcurl.x86_64 0:7.29.0-54.el7_7.2 will be an update
---> Package libmount.x86_64 0:2.23.2-61.el7 will be updated
---> Package libmount.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package libsmartcols.x86_64 0:2.23.2-61.el7 will be updated
---> Package libsmartcols.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package libuuid.x86_64 0:2.23.2-61.el7 will be updated
---> Package libuuid.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package nss.x86_64 0:3.44.0-4.el7 will be updated
---> Package nss.x86_64 0:3.44.0-7.el7_7 will be an update
---> Package nss-softokn.x86_64 0:3.44.0-5.el7 will be updated
---> Package nss-softokn.x86_64 0:3.44.0-8.el7_7 will be an update
---> Package nss-softokn-freebl.x86_64 0:3.44.0-5.el7 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.44.0-8.el7_7 will be an update
---> Package nss-sysinit.x86_64 0:3.44.0-4.el7 will be updated
---> Package nss-sysinit.x86_64 0:3.44.0-7.el7_7 will be an update
---> Package nss-tools.x86_64 0:3.44.0-4.el7 will be updated
---> Package nss-tools.x86_64 0:3.44.0-7.el7_7 will be an update
---> Package nss-util.x86_64 0:3.44.0-3.el7 will be updated
---> Package nss-util.x86_64 0:3.44.0-4.el7_7 will be an update
---> Package procps-ng.x86_64 0:3.3.10-26.el7 will be updated
---> Package procps-ng.x86_64 0:3.3.10-26.el7_7.1 will be an update
---> Package sqlite.x86_64 0:3.7.17-8.el7 will be updated
---> Package sqlite.x86_64 0:3.7.17-8.el7_7.1 will be an update
---> Package systemd.x86_64 0:219-67.el7_7.1 will be updated
---> Package systemd.x86_64 0:219-67.el7_7.4 will be an update
---> Package systemd-libs.x86_64 0:219-67.el7_7.1 will be updated
---> Package systemd-libs.x86_64 0:219-67.el7_7.4 will be an update
---> Package tzdata.noarch 0:2019b-1.el7 will be updated
---> Package tzdata.noarch 0:2019c-1.el7 will be an update
---> Package util-linux.x86_64 0:2.23.2-61.el7 will be updated
---> Package util-linux.x86_64 0:2.23.2-61.el7_7.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================
 Package                        Arch               Version                             Repository           Size
=================================================================================================================
Updating:
 binutils                       x86_64             2.27-41.base.el7_7.3                updates             5.9 M
 ca-certificates                noarch             2019.2.32-76.el7_7                  updates             399 k
 curl                           x86_64             7.29.0-54.el7_7.2                   updates             270 k
 device-mapper                  x86_64             7:1.02.158-2.el7_7.2                updates             294 k
 device-mapper-libs             x86_64             7:1.02.158-2.el7_7.2                updates             322 k
 hostname                       x86_64             3.13-3.el7_7.1                      updates              17 k
 kmod                           x86_64             20-25.el7_7.1                       updates             122 k
 kmod-libs                      x86_64             20-25.el7_7.1                       updates              51 k
 libblkid                       x86_64             2.23.2-61.el7_7.1                   updates             181 k
 libcurl                        x86_64             7.29.0-54.el7_7.2                   updates             223 k
 libmount                       x86_64             2.23.2-61.el7_7.1                   updates             183 k
 libsmartcols                   x86_64             2.23.2-61.el7_7.1                   updates             141 k
 libuuid                        x86_64             2.23.2-61.el7_7.1                   updates              83 k
 nss                            x86_64             3.44.0-7.el7_7                      updates             854 k
 nss-softokn                    x86_64             3.44.0-8.el7_7                      updates             330 k
 nss-softokn-freebl             x86_64             3.44.0-8.el7_7                      updates             224 k
 nss-sysinit                    x86_64             3.44.0-7.el7_7                      updates              65 k
 nss-tools                      x86_64             3.44.0-7.el7_7                      updates             528 k
 nss-util                       x86_64             3.44.0-4.el7_7                      updates              79 k
 procps-ng                      x86_64             3.3.10-26.el7_7.1                   updates             291 k
 sqlite                         x86_64             3.7.17-8.el7_7.1                    updates             394 k
 systemd                        x86_64             219-67.el7_7.4                      updates             5.1 M
 systemd-libs                   x86_64             219-67.el7_7.4                      updates             411 k
 tzdata                         noarch             2019c-1.el7                         updates             493 k
 util-linux                     x86_64             2.23.2-61.el7_7.1                   updates             2.0 M

Transaction Summary
=================================================================================================================
Upgrade  25 Packages

Total download size: 19 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/updates/packages/ca-certificates-2019.2.32-76.el7_7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for ca-certificates-2019.2.32-76.el7_7.noarch.rpm is not installed
(1/25): ca-certificates-2019.2.32-76.el7_7.noarch.rpm                                     | 399 kB  00:00:00
(2/25): curl-7.29.0-54.el7_7.2.x86_64.rpm                                                 | 270 kB  00:00:00
(3/25): device-mapper-1.02.158-2.el7_7.2.x86_64.rpm                                       | 294 kB  00:00:00
(4/25): device-mapper-libs-1.02.158-2.el7_7.2.x86_64.rpm                                  | 322 kB  00:00:00
(5/25): binutils-2.27-41.base.el7_7.3.x86_64.rpm                                          | 5.9 MB  00:00:00
(6/25): hostname-3.13-3.el7_7.1.x86_64.rpm                                                |  17 kB  00:00:00
(7/25): kmod-20-25.el7_7.1.x86_64.rpm                                                     | 122 kB  00:00:00
(8/25): kmod-libs-20-25.el7_7.1.x86_64.rpm                                                |  51 kB  00:00:00
(9/25): libblkid-2.23.2-61.el7_7.1.x86_64.rpm                                             | 181 kB  00:00:00
(10/25): libcurl-7.29.0-54.el7_7.2.x86_64.rpm                                             | 223 kB  00:00:00
(11/25): libmount-2.23.2-61.el7_7.1.x86_64.rpm                                            | 183 kB  00:00:00
(12/25): libsmartcols-2.23.2-61.el7_7.1.x86_64.rpm                                        | 141 kB  00:00:00
(13/25): libuuid-2.23.2-61.el7_7.1.x86_64.rpm                                             |  83 kB  00:00:00
(14/25): nss-softokn-3.44.0-8.el7_7.x86_64.rpm                                            | 330 kB  00:00:00
(15/25): nss-3.44.0-7.el7_7.x86_64.rpm                                                    | 854 kB  00:00:00
(16/25): nss-softokn-freebl-3.44.0-8.el7_7.x86_64.rpm                                     | 224 kB  00:00:00
(17/25): nss-sysinit-3.44.0-7.el7_7.x86_64.rpm                                            |  65 kB  00:00:00
(18/25): nss-util-3.44.0-4.el7_7.x86_64.rpm                                               |  79 kB  00:00:00
(19/25): nss-tools-3.44.0-7.el7_7.x86_64.rpm                                              | 528 kB  00:00:00
(20/25): procps-ng-3.3.10-26.el7_7.1.x86_64.rpm                                           | 291 kB  00:00:00
(21/25): sqlite-3.7.17-8.el7_7.1.x86_64.rpm                                               | 394 kB  00:00:00
(22/25): systemd-libs-219-67.el7_7.4.x86_64.rpm                                           | 411 kB  00:00:00
(23/25): tzdata-2019c-1.el7.noarch.rpm                                                    | 493 kB  00:00:00
(24/25): systemd-219-67.el7_7.4.x86_64.rpm                                                | 5.1 MB  00:00:00
(25/25): util-linux-2.23.2-61.el7_7.1.x86_64.rpm                                          | 2.0 MB  00:00:00
-----------------------------------------------------------------------------------------------------------------
Total                                                                             22 MB/s |  19 MB  00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-7.1908.0.el7.centos.x86_64 (@CentOS)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : nss-util-3.44.0-4.el7_7.x86_64                                                               1/50
  Updating   : systemd-libs-219-67.el7_7.4.x86_64                                                           2/50
  Updating   : libuuid-2.23.2-61.el7_7.1.x86_6
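
The manual check in the session above can be turned into a gate for a rebuild job. The following is an added example, not part of the original post: a POSIX shell parser for the `---> Package ... will be updated` / `will be an update` lines that yum prints, reporting each pending update and whether the image is current. The function names are this example's own, and the embedded sample is a few lines copied from the session above.

```shell
#!/bin/sh
# Added example: detect pending package updates from yum's transaction-check output.
# Real input could come from, e.g.:
#   docker run --rm centos:7 yum upgrade --assumeno 2>&1 | pending_updates

# Reads yum output on stdin; prints "name.arch installed_evr candidate_evr"
# for every package that has a pending update, in the order yum listed them.
pending_updates() {
  awk '
    { sub(/\r$/, "") }                       # tolerate CRLF from "docker run -t"
    $1 == "--->" && $2 == "Package" {
      if ($NF == "updated") old[$3] = $4     # "... will be updated"   = installed
      else if ($NF == "update") {            # "... will be an update" = candidate
        new[$3] = $4; order[++n] = $3
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        print p, ((p in old) ? old[p] : "?"), new[p]
      }
    }'
}

# Exit status 0 when no updates are pending, 1 otherwise (stale base image).
image_is_current() {
  [ -z "$(pending_updates)" ]
}

# Constructed sample: lines copied from the yum session in the question.
sample_yum_output() {
  cat <<'EOF'
Resolving Dependencies
--> Running transaction check
---> Package binutils.x86_64 0:2.27-41.base.el7 will be updated
---> Package binutils.x86_64 0:2.27-41.base.el7_7.3 will be an update
---> Package curl.x86_64 0:7.29.0-54.el7 will be updated
---> Package curl.x86_64 0:7.29.0-54.el7_7.2 will be an update
---> Package device-mapper.x86_64 7:1.02.158-2.el7 will be updated
---> Package device-mapper.x86_64 7:1.02.158-2.el7_7.2 will be an update
--> Finished Dependency Resolution
EOF
}

sample_yum_output | pending_updates
if sample_yum_output | image_is_current; then
  echo "base image is current"
else
  echo "base image is stale: rebuild on top of a fresh pull or add an upgrade layer"
fi
```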

0 answers:

No answers