From d01aebebae6aed1167f25d3407cbf0640444124d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 5 Aug 2021 19:58:24 +0200 Subject: [PATCH] kata-deploy: Ensure the system is up-to-date MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In order to avoid providing an image with security issues, let's ensure we run `yum update` as part of our image build process. This is needed as even with the latest CentOS images there may be a fix provided by some CVE that's already part of the updates but not yet part of the image. In our case, it's even more needed as the `centos/systemd` image has not been updated for 3 years or so and those are the vulnerabilities found in the current images: https://quay.io/repository/kata-containers/kata-deploy?tab=tags Fixes: #2303 Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/packaging/kata-deploy/Dockerfile b/tools/packaging/kata-deploy/Dockerfile index 28840afab0..29bfcd9052 100644 --- a/tools/packaging/kata-deploy/Dockerfile +++ b/tools/packaging/kata-deploy/Dockerfile @@ -10,6 +10,7 @@ ARG DESTINATION=/opt/kata-artifacts COPY ${KATA_ARTIFACTS} . RUN \ +yum -y update && \ yum install -y epel-release && \ yum install -y bzip2 jq && \ mkdir -p ${DESTINATION} && \
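Review bot: The added `yum -y update` at the top of the `RUN` chain only pulls in fixes when this layer is actually rebuilt, and it ties the image content to whatever the repositories serve at build time. Because the step follows `COPY ${KATA_ARTIFACTS} .`, a changed artifact invalidates the cache and the update reruns, but a rebuild with unchanged artifacts reuses the cached layer and picks up nothing new; building release images without the layer cache (for example `docker build --no-cache`) would make the intent stated in the commit message hold. The visible lines end on a continuation, so it is not clear whether the chain finishes with `yum clean all`; if it does not, adding one to this same `RUN` keeps the package cache created by the update out of the layer. Since the message says `centos/systemd` has not been updated for 3 years or so, a Dockerfile comment or a follow-up issue about moving to a maintained base image would be worthwhile, so that this update step is not the only source of fixes.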