I'm working to fix security vulnerabilities for our app, which is deployed on our customer's OpenShift cluster.
To be specific, we need to install these updates:
RHSA-2018:1062: kernel security, bug fix, and enhancement update (Important)
RHSA-2018:1967: kernel-alt security and bug fix update (Important)
RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
RHSA-2018:0180: kernel-alt security and bug fix update (Important)
RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)
RHSA-2018:1374: kernel-alt security and bug fix update (Important)
RHSA-2018:2181: gnupg2 security update (Important)
RHSA-2018:0502: kernel-alt security and bug fix update (Important)
We're trying RHEL 7 Atomic (registry.access.redhat.com/rhel7-atomic:latest) as a new base image for this, but I still couldn't find the right commands and configurations to apply the updates.
Here are the sample command results when building the app Docker image:
microdnf --enablerepo=rhel-7-server-rpms \
--enablerepo=rhel-server-rhscl-7-rpms \
--enablerepo=rhel-7-server-extras-rpms \
--enablerepo=rhel-7-server-optional-rpms update
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
Nothing to do.
Another attempt:
microdnf --enablerepo=rhel-7-server-rpms \
--enablerepo=rhel-server-rhscl-7-rpms \
--enablerepo=rhel-7-server-extras-rpms \
--enablerepo=rhel-7-server-optional-rpms \
install kernel kernel-alt kernel-aarch64
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
error: No package matches 'kernel-alt'
Could anyone suggest where to look next? Thanks!
Best regards, Chakrit W.
An application inside a container typically does not need kernel updates because the kernel is not installed in the container. The kernel-headers package could be an exception, but it is only used for building software, not running it, with a few very special exceptions.
The kernel-alt kernel is not available for the x86-64 architecture, and the channels/RPM repositories you listed do not contain this kernel.
For the gnupg2 security update RHSA-2018:2181, see Graham Dumpleton's explanation. It is already installed in the current version of the base image:
# docker run registry.access.redhat.com/rhel7-atomic:latest \
> rpm -q gnupg2 --changelog | head
* Thu Jun 21 2018 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-5
- fix CVE-2018-12020 - missing sanitization of original filename
* Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)
- do not abort when missing hash algorithm in FIPS mode (#1078962)
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0.22-3
- Mass rebuild 2014-01-24
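The triage the answer describes, as an added example that is not part of the original question or answer: an advisory for a package that is in the image is checked against that package's changelog, while a kernel advisory for a package the image does not ship is left to the host. The helper names `triage` and `fixed_in` are hypothetical, the installed-package list is constructed, and the changelog excerpt is the one quoted above.

```shell
#!/bin/sh
# Added example: triage scanner findings for a container image.
# In practice the two inputs come from the image itself, e.g.
#   docker run --rm IMAGE rpm -qa --qf '%{NAME}\n'
#   docker run --rm IMAGE rpm -q gnupg2 --changelog

# Constructed package list for an image that ships no kernel.
SAMPLE_INSTALLED='bash
glibc
gnupg2
microdnf'

# Changelog excerpt as quoted in the answer above.
SAMPLE_CHANGELOG='* Thu Jun 21 2018 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-5
- fix CVE-2018-12020 - missing sanitization of original filename
* Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)'

# triage PKG INSTALLED_LIST (hypothetical helper)
# Prints where an advisory for PKG has to be handled.
triage() {
    if printf '%s\n' "$2" | grep -qxF -- "$1"; then
        echo image            # installed in the image: verify the fix there
    else
        case $1 in
            kernel*) echo host ;;          # kernel lives on the node, not in the image
            *)       echo not-installed ;; # nothing to patch in this image
        esac
    fi
}

# fixed_in CVE (hypothetical helper), changelog on stdin.
# Prints the version-release of the entry that mentions CVE; status 1 if none does.
fixed_in() {
    awk -v cve="$1" '
        /^\* /          { ver = $NF; next }   # entry header ends in version-release
        index($0, cve)  { print ver; found = 1; exit }
        END             { exit !found }
    '
}

for pkg in gnupg2 kernel kernel-alt kernel-aarch64; do
    printf '%-15s %s\n' "$pkg" "$(triage "$pkg" "$SAMPLE_INSTALLED")"
done
printf 'CVE-2018-12020 fixed in gnupg2-%s\n' \
    "$(printf '%s\n' "$SAMPLE_CHANGELOG" | fixed_in CVE-2018-12020)"
```

Because `fixed_in` returns a non-zero status when no changelog entry mentions the CVE, it can gate an image build step directly.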