The update/upgrade command in dnf has flags --security and `--secse…

…verity=Moderate`. Since `microdnf` does not have this sophisticated handling, and installing full `dnf` is by itself increasing the cve exposure surface significantly, we need to do with some restrictive set of flags of `microdnf` to make it update what it can, but no more. What's in the commit is stolen from https://stackoverflow.com/questions/61662403/microdnf-update-command-installs-new-packages-instead-of-just-updating-existing.
jiridanek · Feb 6, 2024 · 97f1d8d · 97f1d8d
1 parent ff2d63c
commit 97f1d8d
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/Containerfile b/Containerfile
@@ -19,6 +19,11 @@
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest as builder
 
+# upgrade first to avoid fixable vulnerabilities
+# do this in builder as well as in buildee, so builder does not have different pkg versions from buildee image
+RUN microdnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \
+ && microdnf clean all -y
+
 RUN microdnf -y --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install \
     rpm-build \
     gcc gcc-c++ make cmake pkgconfig \
@@ -46,6 +51,10 @@ RUN tar zxpf /qpid-proton-image.tar.gz --one-top-level=/image && tar zxpf /skupp
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
+# upgrade first to avoid fixable vulnerabilities
+RUN microdnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \
+ && microdnf clean all -y
+
 RUN microdnf -y --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install \
     glibc \
     cyrus-sasl-lib cyrus-sasl-plain cyrus-sasl-gssapi openssl \