CORENET-5975: Dockerfile: Unpin OVS and consume the latest from FDP. #2525
Conversation
OVN-Kubernetes is always lagging behind on the version of OVS it pins.
This is causing a lot of trouble with keeping up with bug fixes and
especially CVE fixes on older branches, resulting in scanners constantly
flagging this image with poor security grades.
OVS package inside the container is responsible for the following:
1. Command line utilities to talk with OVS from the host.
2. ovsdb-server processes serving OVN databases.
3. ovs-monitor-ipsec script for managing ipsec configuration on
OVN tunnels.
These tools/programs are not changing that much between patch releases,
and bug fix releases in FDP are going through a lot of testing before
becoming available in the repo. So, benefits of timely delivery of bug
and CVE fixes significantly outweighs the small risks that automatic
consumption of new builds incurs. Main OVS is working on the host and
follows FDP for a very long time now, and it's also better to keep
the minor versions between host and container in sync, just to decrease
the amount of variables in the system.
Signed-off-by: Ilya Maximets <[email protected]>
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: igsilya The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all |
|
/retest |
igsilya
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@igsilya: This pull request references CORENET-5975 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Cc: @tssurya |
|
/test e2e-aws-ovn-fdp-qe |
|
@igsilya: This pull request references CORENET-5975 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
|
Failures do not seem related. |
|
/retest |
|
/retest-required |
|
@igsilya: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
OVN-Kubernetes is always lagging behind on the version of OVS it pins. This is causing a lot of trouble with keeping up with bug fixes and especially CVE fixes on older branches, resulting in scanners constantly flagging this image with poor security grades.
OVS package inside the container is responsible for the following:
These tools/programs are not changing that much between patch releases, and bug fix releases in FDP are going through a lot of testing before becoming available in the repo. So, benefits of timely delivery of bug and CVE fixes significantly outweighs the small risks that automatic consumption of new builds incurs. Main OVS is working on the host and follows FDP for a very long time now, and it's also better to keep the minor versions between host and container in sync, just to decrease the amount of variables in the system.