Update image definitions to track patch files instead of copy of the repo
Closed this issue · 5 comments
Update image definitions to track patch files instead of copy of the repo
Changed image definitions to track patch files instead of copy of the repository.
Implementation stages
The following work items are tracked in this Jira
PR #182
- Remove copy of Kubeflow sources.
- Modify tools to work with patch files.
- Modify README.md to have instructions for patch files handling.
- Add initial patch for Kubeflow (
kubeflow.patch) - Replace image references in Jupyter UI and Jupyter Controller to point to updated images in chramedkubeflow dockerhub
PR #185
- Add image build/scan/publish functionality to
tox.iniusing scripts in image definitions.
The following work items are tracked in this Jira
PR #187
- Replace image references in UI YAML to point to updated images in chramedkubeflow dockerhub
Design
Design is specified in corresponding spec.
Main design points:
- Build on top of image definitions work done in this issue
- Simplifies maintenance by tracking only patches required to make container images secure.
Testing
To test this feature perform all steps outlined in image-definitions/README.md to validate tools and instructions in README.md.
Trivy report.
Tag: v1.6.1
Date: 2023.2.1
CVEs per image:
| IMAGE | BASE | CRITICAL | HIGH | MEDIUM | LOW |
|---|---|---|---|---|---|
| notebook-controller:v1.6.1 | debian:11.6 | 0 | 6 | 2 | 0 |
| jupyter-web-app:v1.6.1 | debian:11.6 | 0 | 1 | 0 | 0 |
| jupyter-tensorflow-cuda-full:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| jupyter-tensorflow-full:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 4 |
| jupyter-tensorflow-cuda:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| jupyter-tensorflow:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 4 |
| jupyter-pytorch-cuda-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-pytorch-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-pytorch-cuda:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-pytorch:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-scipy:v1.6.1 | ubuntu:20.04 | 0 | 1 | 0 | 0 |
| jupyter:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| base:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| ubuntu:20.04 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| gcr.io/distroless/base:debug | debian:11.6 | 0 | 0 | 0 | 0 |
| python:3.7-slim-bullseye | debian:11.6 | 0 | 1 | 0 | 0 |
| golang:1.19 | debian:11.6 | 7 | 12 | 11 | 0 |
| node:12-bullseye-slim | debian:11.3 | 9 | 17 | 3 | 1 |
| Totals: | 20 | 50 | 212 | 9 |
Images are published to docker hub.
To use new image specify URL in “Custom Image” field when creating notebook.
- registry.hub.docker.com/charmedkubeflow/jupyter-scipy:v1.6.1
- registry.hub.docker.com/charmedkubeflow/jupyter-pytorch-full:v1.6.1
- registry.hub.docker.com/charmedkubeflow/jupyter-pytorch-cuda-full:v1.6.1
- registry.hub.docker.com/charmedkubeflow/jupyter-tensorflow-full:v1.6.1
- registry.hub.docker.com/charmedkubeflow//jupyter-tensorflow-cuda-full:v1.6.1
Validated images by running ML Workflow demo using updated registry.hub.docker.com/charmedkubeflow/jupyter-tensorflow-full:v1.6.1
Jupyter UI contains update image references:
All items are implemented and merged.