
I'm working to fix security vulnerabilities in our app, which is deployed on our customer's OpenShift cluster.

To be specific, we need to install these updates:

RHSA-2018:1062: kernel security, bug fix, and enhancement update (Important)
RHSA-2018:1967: kernel-alt security and bug fix update (Important)
RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
RHSA-2018:0180: kernel-alt security and bug fix update (Important)
RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)
RHSA-2018:1374: kernel-alt security and bug fix update (Important)
RHSA-2018:2181: gnupg2 security update (Important)
RHSA-2018:0502: kernel-alt security and bug fix update (Important)

We're trying RHEL 7 Atomic (registry.access.redhat.com/rhel7-atomic:latest) as a new base image for this, but I still couldn't find the right commands and configurations to apply the updates.

Here are the sample command results when building app Docker image:

microdnf --enablerepo=rhel-7-server-rpms \
--enablerepo=rhel-server-rhscl-7-rpms \
--enablerepo=rhel-7-server-extras-rpms \
--enablerepo=rhel-7-server-optional-rpms update
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
Nothing to do.

Another attempt:

microdnf --enablerepo=rhel-7-server-rpms \
--enablerepo=rhel-server-rhscl-7-rpms \
--enablerepo=rhel-7-server-extras-rpms \
--enablerepo=rhel-7-server-optional-rpms \
install kernel kernel-alt kernel-aarch64
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
error: No package matches 'kernel-alt'

Could anyone suggest where to look next? Thanks!

Best regards, Chakrit W.

  • If they have a RHEL subscription, security updates for the base image would usually be provided by way of an updated version of the base image from Red Hat. So via their subscription, they would pull down newer image and you would rebuild based on that. They should work with their support channel to find out what is needed to be done. – Graham Dumpleton Jul 20 '18 at 05:37

1 Answer


An application inside a container typically does not need kernel updates because the kernel is not installed in the container. The kernel-headers package could be an exception, but it is only used for building software, not running it, with a few very special exceptions.

The kernel-alt kernel is not available for the x86-64 architecture, and the channels/RPM repositories you listed do not contain this kernel.

For the gnupg2 security update RHSA-2018:2181, see Graham Dumpleton's explanation. It is already installed in the current version of the base image:

# docker run registry.access.redhat.com/rhel7-atomic:latest \
> rpm -q  gnupg2 --changelog | head
* Thu Jun 21 2018 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-5
- fix CVE-2018-12020 - missing sanitization of original filename

* Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)
- do not abort when missing hash algorithm in FIPS mode (#1078962)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0.22-3
- Mass rebuild 2014-01-24

Florian Weimer
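An added example, not code from the question or the answer: a small POSIX shell script that applies the answer's verification method generally. It reads a package's rpm changelog, finds the build that first mentions a given CVE, and checks whether the installed build is at least that new. The sample changelog is the gnupg2 excerpt above, embedded so the script runs offline; the version comparison is a simplified numeric one, not rpm's real rpmvercmp.

```shell
#!/bin/sh
# Constructed sample: the gnupg2 changelog excerpt from the answer, embedded so
# this runs offline. Inside a real image you would use the rpm calls shown at
# the bottom instead.
SAMPLE_CHANGELOG='* Thu Jun 21 2018 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-5
- fix CVE-2018-12020 - missing sanitization of original filename

* Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0.22-3
- Mass rebuild 2014-01-24'

# fixing_release CHANGELOG CVE: prints the version-release of the newest
# changelog entry whose body mentions CVE; prints nothing and returns 1 if none.
fixing_release() {
  printf '%s\n' "$1" | awk -v cve="$2" '
    /^\* / { ver = $NF }                 # entry header ends in "- <version-release>"
    index($0, cve) && ver != "" { print ver; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# newer_or_equal A B: returns 0 if version-release A >= B. Simplified numeric
# comparison of dot/dash separated fields (assumption: adequate for purely
# numeric Red Hat N-V-R tags; rpmvercmp also handles alphabetic segments).
newer_or_equal() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
    n = na > nb ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# check_image_fix CHANGELOG INSTALLED_VR CVE: 0 if the installed build carries
# the fix, 1 if the CVE is never mentioned or the installed build is older.
check_image_fix() {
  fix=$(fixing_release "$1" "$3") || return 1
  newer_or_equal "$2" "$fix"
}

# Real use inside the image (not run here):
#   check_image_fix "$(rpm -q gnupg2 --changelog)" \
#                   "$(rpm -q --qf '%{VERSION}-%{RELEASE}' gnupg2)" CVE-2018-12020
```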