Skip to content

fix: switch to distroless, fix cves#33

Merged
jojimt merged 3 commits intoNVIDIA:mainfrom
jojimt:ga_distroless
Jan 29, 2026
Merged

fix: switch to distroless, fix cves#33
jojimt merged 3 commits intoNVIDIA:mainfrom
jojimt:ga_distroless

Conversation

@jojimt
Copy link
Copy Markdown
Contributor

@jojimt jojimt commented Jan 27, 2026

Upgrade to new distroless, fix some CVEs.

@jojimt
Copy link
Copy Markdown
Contributor Author

jojimt commented Jan 27, 2026

@zvonkok @cdesiniotis PTAL.

@jojimt
fix: switch to distroless, fix cves
76918e2 
Signed-off-by: Joji Mekkattuparamban <jojim@nvidia.com>
zvonkok
zvonkok reviewed Jan 27, 2026
View reviewed changes
zvonkok
zvonkok reviewed Jan 27, 2026
View reviewed changes
deployments/container/Dockerfile.distroless Outdated
COPY --from=builder /build/gpu-admin-tools /app/gpu-admin-tools

# Copy rm for the preStop hook
COPY --from=stg2 /busybox/rm /bin
Copy link
Copy Markdown
Contributor

@zvonkok zvonkok Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually, busybox has symlinks for tools to the busybox binary. Is COPY doing the right thing here?

Copy link
Copy Markdown
Contributor Author

@jojimt jojimt Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is true. Because the busybox is named rm within the container, it just works. Do you see any issue with this approach? If so, I can look at alternatives.

Copy link
Copy Markdown
Contributor

@zvonkok zvonkok Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No was just curious how it is handled in the distroless container. If it works then all good.

Copy link
Copy Markdown
Contributor

@cdesiniotis cdesiniotis Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not following why we are making this change, and how it differs from just using the distroless -dev tag as our base. My understanding is the distroless-dev tags include busybox and the sleep command. If we end up copying the busybox binary to the final image (as is done here), isn't the final SBOM nearly the same?

Please let me know if I am missing something.

Copy link
Copy Markdown
Contributor Author

@jojimt jojimt Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cdesiniotis It does differ because the binary relies on the name to determine its persona (i.e. rm vs ls etc). However, I concluded it might be a security risk and decided to build rm from source instead.

zvonkok
zvonkok reviewed Jan 27, 2026
View reviewed changes
zvonkok
zvonkok reviewed Jan 27, 2026
View reviewed changes
cdesiniotis
cdesiniotis reviewed Jan 28, 2026
View reviewed changes
deployments/container/Dockerfile.distroless Outdated
COPY --from=builder /build/gpu-admin-tools /app/gpu-admin-tools

# Copy rm for the preStop hook
COPY --from=stg2 /busybox/rm /bin
Copy link
Copy Markdown
Contributor

@cdesiniotis cdesiniotis Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not following why we are making this change, and how it differs from just using the distroless -dev tag as our base. My understanding is the distroless-dev tags include busybox and the sleep command. If we end up copying the busybox binary to the final image (as is done here), isn't the final SBOM nearly the same?

Please let me know if I am missing something.

@jojimt
Copy link
Copy Markdown
Contributor Author

jojimt commented Jan 28, 2026

@cdesiniotis yes, I am looking at options to eliminate copying the busybox applet. Will update.

jojimt added 2 commits January 28, 2026 09:00
@jojimt
Build rm binary from source
54da12c 
Signed-off-by: Joji Mekkattuparamban <jojim@nvidia.com>
@jojimt
update dependabot
ff6e627 
Signed-off-by: Joji Mekkattuparamban <jojim@nvidia.com>
zvonkok
zvonkok approved these changes Jan 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@zvonkok zvonkok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, depends on: NVIDIA/gpu-operator#2075

@jojimt jojimt merged commit 646ee3a into NVIDIA:main Jan 29, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cdesiniotis cdesiniotis cdesiniotis left review comments

@zvonkok zvonkok zvonkok approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jojimt @zvonkok @cdesiniotis