Change baseimage to trixie #964
Conversation
@BenTheElder objections?
Dockerfile.in
Outdated
RUN apt-get -y -qq -o Dpkg::Use-Pty=0 -y upgrade
RUN apt-get -y -qq -o Dpkg::Use-Pty=0 install --no-install-recommends bash # for the staging scripts and ldd
# Newer Debian uses symlinks but the stage_binaries tool is kind of dumb.
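Review bot: `-y` is passed twice on the upgrade line (`RUN apt-get -y -qq -o Dpkg::Use-Pty=0 -y upgrade`); drop one of them so the flags match the install line below it. The trailing comment on the bash install line explains why bash is needed, but "the stage_binaries tool is kind of dumb" does not say what the limitation is; since the thread notes that divergent copies of this tool live in kind and kubernetes/release and will hit the same problem, state the concrete issue (the tool does not resolve the symlinks newer Debian uses) or point at a tracking issue so the workaround can be removed when the tool is fixed.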
hmm, we should be able to fix that, and we'll probably run into this again?
we have a couple divergent copies, kind, here, kubernetes/release (k/k base images)
In the meantime - any objection to using Trixie?
Will the build still have portability with bookworm? My main concern is around compatibility with the GKE debian-base image, which to my understanding is currently still on bookworm
> In the meantime - any objection to using Trixie?

I don't personally, Kubernetes core will be slow to move our base images because of glibc compat with binaries running on the host (i.e. kubelet) but I don't think git-sync needs to.
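The glibc-compatibility concern raised above is easy to check mechanically: a dynamically linked binary records the newest `GLIBC_x.y` symbol version it needs, and it will not load on a host whose glibc is older than that. The script below is an added example written for this note, not code from git-sync or Kubernetes; it scans a file for those version strings with plain `grep`/`sort` (no `objdump` needed) and compares the result against a host glibc version you supply. Function names and the sample input are the author's own.

```shell
# Added example (not project code): find the newest GLIBC_x.y symbol version a
# binary references, and decide whether a given host glibc satisfies it.
# A binary built on a Trixie base image may pull in symbols newer than what an
# older host (e.g. a node still on Bookworm) provides; this shows that up front.

max_glibc_version() {
  # $1: path to an ELF binary. Versioned-symbol names live as plain strings in
  # .dynstr, so a binary scan is enough. Prints "GLIBC_MAJOR.MINOR" for the
  # highest version found, or "none" if the file references no glibc version.
  grep -ao 'GLIBC_[0-9][0-9]*\.[0-9][0-9]*' "$1" 2>/dev/null \
    | sed 's/^GLIBC_//' \
    | sort -t. -k1,1n -k2,2n -u \
    | tail -n 1 \
    | sed 's/^/GLIBC_/' \
    | grep . || echo none
}

glibc_satisfied() {
  # $1: required version "MAJOR.MINOR" (without the GLIBC_ prefix)
  # $2: provided version "MAJOR.MINOR"
  # Returns 0 when provided >= required, 1 otherwise. Compared numerically
  # per component, so 2.4 < 2.17 < 2.34 as glibc itself orders them.
  req_major=${1%%.*}; req_minor=${1#*.}
  have_major=${2%%.*}; have_minor=${2#*.}
  [ "$have_major" -gt "$req_major" ] ||
    { [ "$have_major" -eq "$req_major" ] && [ "$have_minor" -ge "$req_minor" ]; }
}

binary_runs_on_host_glibc() {
  # $1: binary path, $2: host glibc version such as "2.36" (on a real host,
  # take it from `ldd --version`). Prints a one-line verdict and returns 0/1.
  need=$(max_glibc_version "$1")
  if [ "$need" = none ]; then
    echo "$1: no versioned glibc symbols (static or non-glibc binary)"
    return 0
  fi
  if glibc_satisfied "${need#GLIBC_}" "$2"; then
    echo "$1: needs $need, host has glibc $2: ok"
  else
    echo "$1: needs $need, host has glibc $2: will NOT load"
    return 1
  fi
}

# Constructed sample input: a stand-in for an ELF file's .dynstr contents.
# Real usage: binary_runs_on_host_glibc /path/to/git-sync "$(ldd --version | sed -n '1s/.* //p')"
sample=$(mktemp)
printf 'ELF\0GLIBC_2.17\0printf\0GLIBC_2.34\0GLIBC_2.4\0' > "$sample"
binary_runs_on_host_glibc "$sample" 2.31 || true
binary_runs_on_host_glibc "$sample" 2.36 || true
rm -f "$sample"
```

The string scan is a heuristic (it would also match a `GLIBC_` literal in the binary's own data), so treat it as a quick gate; for an authoritative answer, `objdump -T` on the binary lists the same versions from the symbol table.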
@sdowell - bookworm is so old that CVEs are either not going to be fixed or are taking an especially long time (https://security-tracker.debian.org/tracker/CVE-2025-48384).
I'm not trying to make work, but a build on Bookworm has a 2 month old "HIGH" CVE. This is only going to get worse. I just ran a build on bookworm, knowing that it doesn't fix the CVE, and it DOES build.
Ack, sounds good, we can always tweak the internal git-sync build tooling if needed - but ideally it can build without significant modifications to the upstream tooling. Perhaps an action item can be to follow up with the maintainers of GKE debian-base and see if it can be updated to trixie.
And it passes tests
Also delete some more cruft to make the image a bit smaller
AFAICT this PR is "done" and ok to review.
sdowell
left a comment
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sdowell, thockin.
Bookworm is currently "oldstable", Trixie is "stable".
https://security-tracker.debian.org/tracker/CVE-2025-48384 is fixed in Trixie but not Bookworm, and it seems likely that more CVEs will come and fit the same pattern.