[Bug]: OpenSearch docker image is based on EOSL amazon image

[Kuckkuck]

Describe the bug

OpenSearch 2.12.0 docker image

amazonBase image	EOSLEnd of Support Life	Rotten	2023.3.20240312 (Amazon Linux)	N/A
The base image has reached End of Support Life and will not receive further security updates. Please consider updating to a supported version of amazon as soon as possible.

The latest 2.12.0 release of OpenSearch has image layers, which are even more rotten, than older releases.

To reproduce

Use a CVE scanner for OpenSearch images.

Expected behavior

No response

Screenshots

If applicable, add screenshots to help explain your problem.

Host / Environment

No response

Additional context

No response

Relevant log output

No response

[peterzhuamazon]

The upcoming 2.13 version is having the latest AL2023 (2023.4.20240319):
https://build.ci.opensearch.org/job/docker-scan/3123/artifact/scan_docker_image.txt

The release 2.12 version is having a slightly older (1 month) image at the time of releasing (2023.3.20240312):
https://build.ci.opensearch.org/job/docker-scan/3127/artifact/scan_docker_image.txt

Amazon Linux release 2023.3.20240312 (Amazon Linux)
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.3.20240312"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2028-03-15"
Amazon Linux release 2023.3.20240312 (Amazon Linux)

AL2023 will be eol at 2027, current LTS version:
https://docs.aws.amazon.com/linux/al2023/ug/release-cadence.html

The old AL image should be AL1, will eol at the end of 2023; and AL2, at about 2025:
https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/
https://aws.amazon.com/amazon-linux-2/faqs/

Hi @Kuckkuck could you please share the exact cve scanner and commands for us to reproduce this result?

Even in your description it shows as Amazon Linux 2023.3.20240312, which is the latest release at the time.
And could you also let us know what does has image layers, which are even more rotten, than older releases means in the current context?

Thanks.

[Kuckkuck]

We use https://trivy.dev/ to scan all our images and this comes back for the 2.12.0 image:

Canonical digest	sha256:40a130ec32fa38613761ed3b84fd8d7051f267cda2ab12667b649f58f22e9218
application/vnd.docker.distribution.manifest.v2+json
Protected from garbage collection because of reference in sha256:645d3d9390ad… (Details)

Canonical digest sha256:40a130ec32fa38613761ed3b84fd8d7051f267cda2ab12667b649f58f22e9218
MIME type application/vnd.docker.distribution.manifest.v2+json
Result of last GC Protected from garbage collection because of reference in sha256:645d3d9390ad… ([Details]
Filter vulnerabilities
Affected package/object/file Title Severity Installed version Fixed in version
amazon
Base image
EOSL
End of Support Life
Rotten 2023.3.20240312 (Amazon Linux) N/A
The base image has reached End of Support Life and will not receive further security updates. Please consider updating to a supported version of amazon as soon as possible.

{
"Family": "amazon",
"Name": "2023.3.20240312 (Amazon Linux)",
"EOSL": true
}

Strange, that the older images of OpenSearch are high or critical, but none of them are rotten.

[peterzhuamazon]

Hi @Kuckkuck we also use trivy and we are not able to see the same result. Very interesting.
Would you share the exact command you run? We run trivy image for scanning of image cves, but not returning the result you are giving.

Also, this seems like an issue with https://github.com/amazonlinux/container-images or https://github.com/amazonlinux/amazon-linux-2023/, as opensearch is just using the existing image provided from them.

1.x and older 2.x images are using AL2, while new images are using AL2023 since 2.10.0.
Thanks.

[electricbrain-code]

As noted by yourself @peterzhuamazon in #4572 AmazonLinux is not officially supported by OpenSearch
https://opensearch.org/docs/latest/install-and-configure/install-opensearch/index/
"While OpenSearch and OpenSearch Dashboards should work on most Linux distributions, we only test a subset.", and AmazonLinux is not currently supported.

[peterzhuamazon]

Updated compatibility chart to be more clear on the OSes we tested on.

Thanks.