- Task
- Resolution: Done
- Critical
- 2.0.0.RC1
All the images on which CRW 2 depends (see CRW-318) are based on Che 7 images upstream.
All the Che 7 images are based on Alpine, because it's the smallest distro around.
However, Alpine is not compatible with the RH release process for two reasons:
a) cannot build a non-RHEL based container in Brew/OSBS; cannot implement CVP testing
b) cannot distribute a non-RHEL based container in RHCC; cannot guarantee CVEs are fixed in a timely manner according to product SLAs, and CHI grades remain fresh
Therefore all Che 7 images need to:
- move to use ubi8-minimal or other non-authenticated, free base images, like [these prototypes|https://github.com/nickboldt/containers/] (using registry.access.redhat.com, not registry.redhat.io)
If they do not, then the support burden for maintaining CRW 2 becomes:
- fork the Dockerfiles used to build the 13+ Che 7/ CRW 2 images [currently what I must do for 6 images listed below]
- create a Jenkins job like these jobs to selectively pull new code from upstream without breaking configurations needed for a RHEL based build [required next step if upstream is still on Alpine]
- use automated tooling to update to newer CVE-fixed base images in CRW, but
- manually apply CVE fixes to alpine dockerfiles, if/when they become available
Bottom line is: staying on Alpine makes the CRW release process harder & more patch-heavy, and loses the ability to easily roll out CVE fixes to Che 7 users.
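An added example, not part of the original issue or of the CRW build tooling: a small Python check that audits a Dockerfile's FROM lines against the requirement above (free base images from registry.access.redhat.com, not registry.redhat.io, not Alpine). The function name, finding strings and sample Dockerfile are constructed for illustration.

```python
import re

# Assumption of this example: the only accepted source is the
# non-authenticated registry named in the issue.
FREE_REGISTRY = "registry.access.redhat.com/"
AUTH_REGISTRY = "registry.redhat.io/"

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)(?:=(\S+))?", re.I)
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def audit_dockerfile(text):
    """Return [(line_no, image, finding)] for every non-compliant FROM line."""
    global_args, stages, findings, seen_from = {}, set(), [], False
    for line_no, line in enumerate(text.splitlines(), start=1):
        arg = ARG_RE.match(line)
        if arg and not seen_from:
            # Only ARGs declared before the first FROM are visible to FROM lines.
            global_args[arg[1]] = (arg[2] or "").strip("\"'")
            continue
        frm = FROM_RE.match(line)
        if not frm:
            continue
        seen_from = True
        # Expand $VAR / ${VAR} from ARG defaults; leave unknown variables as-is.
        image = VAR_RE.sub(lambda v: global_args.get(v[1]) or v[0], frm[1])
        ref = image.lower()
        if ref == "scratch" or ref in stages:
            pass  # empty base or an earlier build stage: nothing is pulled
        elif "$" in image:
            findings.append((line_no, image, "unresolved ARG, base image unknown"))
        elif ref.startswith(AUTH_REGISTRY):
            findings.append((line_no, image, "authenticated registry"))
        elif "alpine" in ref:
            findings.append((line_no, image, "Alpine-based image"))
        elif not ref.startswith(FREE_REGISTRY):
            findings.append((line_no, image, "not from " + FREE_REGISTRY))
        if frm[2]:
            stages.add(frm[2].lower())
    return findings


# Constructed sample Dockerfile (image names and tags are illustrative).
SAMPLE = """\
ARG BASE=registry.access.redhat.com/ubi8-minimal
FROM golang:1.12-alpine AS builder
RUN go build -o /out/app .
FROM registry.redhat.io/ubi8-minimal AS tools
FROM ${BASE}
COPY --from=builder /out/app /usr/local/bin/app
FROM builder AS debug
"""

if __name__ == "__main__":
    for line_no, image, finding in audit_dockerfile(SAMPLE):
        print(f"line {line_no}: {image}: {finding}")
```

Builder stages are checked as well as the final stage, since every stage has to build from an accepted base.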
List of 6 current forked images:
- Che plugin registry -> http://pkgs.devel.redhat.com/cgit/containers/codeready-workspaces-pluginregistry/tree/Dockerfile?h=crw-2.0-rhel-8
- Che devfile registry -> http://pkgs.devel.redhat.com/cgit/containers/codeready-workspaces-devfileregistry/tree/Dockerfile?h=crw-2.0-rhel-8
- Che machine exec -> http://pkgs.devel.redhat.com/cgit/containers/codeready-workspaces-machineexec/tree/Dockerfile?h=crw-2.0-rhel-8
- Che JWT proxy -> http://pkgs.devel.redhat.com/cgit/containers/codeready-workspaces-jwtproxy/tree/Dockerfile?h=crw-2.0-rhel-8
- Che plugin broker init -> http://pkgs.devel.redhat.com/cgit/containers/codeready-workspaces-pluginbrokerinit/tree/Dockerfile?h=crw-2.0-rhel-8
- Che plugin broker unified -> http://pkgs.devel.redhat.com/cgit/containers/codeready-workspaces-pluginbroker/tree/Dockerfile?h=crw-2.0-rhel-8
List of 5+ future images to fork or fix upstream:
- Che Theia Dev
- Che Theia
- Che Theia endpoint runtime
- https://github.com/eclipse/che-theia/tree/master/dockerfiles/remote-plugin-openshift-connector-0.0.21
- https://github.com/eclipse/che-theia/tree/master/dockerfiles/remote-plugin-java8
- https://github.com/eclipse/che-theia/tree/master/dockerfiles/remote-plugin-java11 (stretch goal)
- (more for go, npm, python, etc.?)
- is incorporated by CRW-318 CRW 2.0 container images (Resolved)