Switch runtime image to Chainguard to eliminate container CVEs#88
Open
Switch runtime image to Chainguard to eliminate container CVEs#88
Conversation
The eks-distro-minimal-base-glibc:latest-al23 runtime image carries inherited AL23 system-level CVEs (e.g. glibc CVE-2026-0915, CVE-2026-0861). Replace it with cgr.dev/chainguard/glibc-dynamic:latest, which is rebuilt daily from source with zero or near-zero known vulnerabilities and contains no shell or package manager. Also upgrades the Go builder from 1.25.5 to 1.25.8 to pick up security fixes in html/template, net/url, and os packages. Key changes: - Runtime: eks-distro-minimal-base-glibc -> chainguard/glibc-dynamic - Go: 1.25.5 -> 1.25.8 (Dockerfile + go.mod) - Library copy paths: /usr/lib64/ -> /usr/lib/ (Wolfi filesystem layout) Builder stages (AL2023 for systemd/DCGM .so extraction) are unchanged since they do not contribute to the final image's vulnerability surface. glibc maintains strong backward ABI compatibility, so libraries compiled against AL2023's glibc work correctly on Chainguard's newer glibc. Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
Chainguard glibc-dynamic runs as nonroot (UID 65532) by default. The agent requires root for chroot operations, host filesystem access, and dbus socket communication. Without this, the agent would fail at runtime despite running in a privileged container. Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
Switch both systemd-builder and dcgm-builder from amazonlinux:2023 to amazonlinux:2023-minimal (~70MB vs ~175MB). The minimal image includes dnf for package installation but ships fewer pre-installed packages, reducing builder layer size and pull time. The go-builder cannot use a slim variant because golang images have no -slim tag, and the Alpine variant uses musl libc which is incompatible with the CGO + libsystemd-dev (glibc) build requirement. Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
Member
|
Thanks for this PR! We won't be able to accept/merge this as is, we have internal policies around distributing software we build from source and not 3rd party images. If you'd still like to build this image yourself, you could parameterize some of the changes as Examples would look like: + ARG BASE_GLIBC_IMG=public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-glibc:latest-al23
- FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-glibc:latest-al23 AS runtime
+ FROM ${BASE_GLIBC_IMG} AS runtime+ ARG LIB_DIR=/usr/lib64
- COPY --from=systemd-builder /usr/lib64/libsystemd.so* /usr/lib64/
+ COPY --from=systemd-builder /usr/lib64/libsystemd.so* ${LIB_DIR}/so you can run |
3 tasks
prasad0896
requested changes
Apr 7, 2026
Contributor
prasad0896
left a comment
prasad0896
left a comment
There was a problem hiding this comment.
As mentioned by Micah previously, we can't merge this PR as we can't use 3rd party images.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
eks-distro-minimal-base-glibc:latest-al23runtime image withcgr.dev/chainguard/glibc-dynamic:latestto eliminate known CVEs in the final container imageamazonlinux:2023toamazonlinux:2023-minimalto reduce builder image size (~70MB vs ~175MB)/usr/lib64/to/usr/lib/to match Chainguard/Wolfi filesystem layoutUSER 0to override Chainguard's nonroot default (agent requires root for chroot, host filesystem access, dbus)Motivation
The current
eks-distro-minimal-base-glibc:latest-al23runtime image inherits AL23 system-level vulnerabilities, including glibc CVEs (e.g. CVE-2026-0915 — stack content leak ingetnetbyaddr, CVE-2026-0861 — heap corruption in memalign). While the image is already minimal, these CVEs are present in the base layer and cannot be mitigated without switching base images.Chainguard's
glibc-dynamicis purpose-built for this use case:Compatibility
.sofiles copied from the AL2023 builder stages work correctly on Chainguard's newer glibc.amazonlinux:2023toamazonlinux:2023-minimal. The minimal image includesdnf,sed, andcoreutils— all dependencies used during the build. These stages only extract.sofiles and do not affect the final image's vulnerability surface./usr/lib/as the standard dynamic linker search path instead of AL23's/usr/lib64/. AllCOPYdestinations updated accordingly.USER 0since the agent requires root for chroot operations, host filesystem access, and dbus socket communication. This matches the previous image's default behavior.libsystemd-dev(glibc). Left as-is.Test plan
docker build -t eks-node-monitoring-agent .docker run --rm eks-node-monitoring-agent --helpLD_DEBUG=libstrivy image,grype, or Amazon Inspector) and confirm reduced CVE count