I'm working to fix a security vulnerability for our app, which is deployed on our customer's OpenShift cluster.
To be specific, we need to install these updates:
RHSA-2018:1062: kernel security, bug fix, and enhancement update (Important)
RHSA-2018:1967: kernel-alt security and bug fix update (Important)
RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
RHSA-2018:0180: kernel-alt security and bug fix update (Important)
RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)
RHSA-2018:1374: kernel-alt security and bug fix update (Important)
RHSA-2018:2181: gnupg2 security update (Important)
RHSA-2018:0502: kernel-alt security and bug fix update (Important)
We're trying RHEL 7 Atomic (registry.access.redhat.com/rhel7-atomic:latest) as a new base image for this, but I still couldn't find the right commands and configurations to apply the updates.
Here are the sample command results when building the app Docker image:
microdnf --enablerepo=rhel-7-server-rpms \
--enablerepo=rhel-server-rhscl-7-rpms \
--enablerepo=rhel-7-server-extras-rpms \
--enablerepo=rhel-7-server-optional-rpms update
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
Nothing to do.
Another attempt:
microdnf --enablerepo=rhel-7-server-rpms \
--enablerepo=rhel-server-rhscl-7-rpms \
--enablerepo=rhel-7-server-extras-rpms \
--enablerepo=rhel-7-server-optional-rpms \
install kernel kernel-alt kernel-aarch64
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
error: No package matches 'kernel-alt'
Could anyone suggest where to look next? Thanks!
Best regards, Chakrit W.
An application inside a container typically does not need kernel updates because the kernel is not installed in the container. The kernel-headers package could be an exception, but it is only used for building software, not running it, with a few very special exceptions.
The kernel-alt kernel is not available for the x86-64 architecture, and the channels/RPM repositories you listed do not contain this kernel.
For the gnupg2 security update RHSA-2018:2181, see Graham Dumpleton's explanation. It is already installed in the current version of the base image:
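Separately from the answer above, an added example (not code from the answer or from Red Hat): a triage of the advisories listed in the question against the packages installed in an image, showing why the kernel advisories belong to the OpenShift nodes rather than the image. The package list is a constructed sample, and the function names and bucket labels are assumptions made for this illustration.

```python
import re

# Advisory titles exactly as listed in the question.
ADVISORIES = """\
RHSA-2018:1062: kernel security, bug fix, and enhancement update (Important)
RHSA-2018:1967: kernel-alt security and bug fix update (Important)
RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)
RHSA-2018:0180: kernel-alt security and bug fix update (Important)
RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)
RHSA-2018:1374: kernel-alt security and bug fix update (Important)
RHSA-2018:2181: gnupg2 security update (Important)
RHSA-2018:0502: kernel-alt security and bug fix update (Important)
"""

# Constructed sample of `rpm -qa --qf '%{NAME}\n'` run inside an image;
# replace with the real output from the image being assessed.
INSTALLED = """\
bash
glibc
gnupg2
microdnf
rpm
"""

ADVISORY_RE = re.compile(r"^(RHSA-\d{4}:\d{4}): (\S+) .*\((\w+)\)$")


def parse_advisories(text):
    """Return (advisory id, package name, severity) for each title line."""
    rows = []
    for line in text.splitlines():
        m = ADVISORY_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def triage(advisories, installed):
    """Sort advisories by where the fix has to be applied."""
    buckets = {"image": [], "host": [], "absent": []}
    for adv_id, package, _severity in advisories:
        if package in installed:
            buckets["image"].append(adv_id)    # package is in the image: update it there
        elif package.startswith("kernel"):
            buckets["host"].append(adv_id)     # containers run on the node's kernel
        else:
            buckets["absent"].append(adv_id)   # package not installed in the image
    return buckets


if __name__ == "__main__":
    installed = set(INSTALLED.split())
    for where, ids in triage(parse_advisories(ADVISORIES), installed).items():
        print(f"{where}: {', '.join(ids) or '-'}")
```

An installed kernel-headers package would land in the "image" bucket, which matches the exception the answer mentions.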