CVE -> Docker image rebuild mapping

Nick Coghlan ncoghlan at
Tue Oct 7 06:17:54 UTC 2014

I pinged Stano Ochotnicky to find out his current recommendations for
tracking the contents of Docker images, since he's been looking into
that on the Red Hat side of things. I've forwarded his full reply to
Vaclav, but can't post the whole thing here since it includes some Red
Hat internal details.

However, one key point is that Stano is actually looking at the image
build and package/image mapping problem as two *different* problems:

* base images
* layered images

That's a useful distinction, since base images share a lot of
similarities with existing VM images, while layered images are a new
kind of thing.

For base images, Stano's suggestion is to pursue a Koji based solution.
It already has all of the necessary details (even if they're not
necessarily exposed in the most convenient way), and base images will
need rebuilding in similar circumstances to when VM images need to be
rebuilt. That's more Base WG territory than it is Env & Stacks, though.

For layered images, the field is a lot more open. Since they don't align
neatly with an existing concept the way base images do, it's less clear
how best to handle them.

In a separate discussion, Clayton Coleman pointed out that there's an
"all in one" OpenShift v3 binary available for experimentation:

I haven't tried it myself, but that may be away to start experimenting
with the v3 image building capabilities.


Nick Coghlan
Red Hat Hosted & Shared Services
Software Engineering & Development, Brisbane

HSS Provisioning Architect

More information about the env-and-stacks mailing list