DROP: Upgrade go version to 1.22.2 #20

Merged
merged 1 commit into from
Jun 27, 2024


@ChristianZaccaria ChristianZaccaria commented Jun 26, 2024

Why are these changes needed?

  • This change is required to resolve CVEs found in older go versions.
  • CVE-2023-45288 affects net/http from the Go standard library in versions below 1.21.9 and below 1.22.2.
  • This upgrade should be propagated to downstream branches rhoai-2.8, rhoai-2.10, and rhoai-2.11.
  • This upgrade will also be made on CPaaS in KubeRay's Dockerfile for each of the mentioned branches above.

Related issue number

Jira: rhoai-2.8 https://issues.redhat.com/browse/RHOAIENG-8674
Jira: rhoai-2.10 https://issues.redhat.com/browse/RHOAIENG-8624
Jira: rhoai-2.11 https://issues.redhat.com/browse/RHOAIENG-8657

CPaaS

2.10: https://gitlab.cee.redhat.com/data-hub/rhods-cpaas-midstream/-/merge_requests/2343
2.8: will do after confirmation
2.11: will do after confirmation

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • This PR is not tested :(
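
An added example, not part of this PR or the project's code: a Go check that a toolchain version string meets the fixed releases the description names for CVE-2023-45288 (1.21.9 and 1.22.2). The function names are hypothetical, and treating release lines after 1.22 as fixed is an assumption.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Minimum fixed patch per 1.x line, from the PR description (1.21.9, 1.22.2).
var fixedPatch = map[int]int{21: 9, 22: 2}

// parseGoVersion accepts "go1.22.2", "1.22.2" or "1.22". A two-part version
// carries no patch level, so it is read as patch 0 (cannot prove the fix).
func parseGoVersion(v string) (minor, patch int, err error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unsupported Go version %q", v)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, fmt.Errorf("bad minor version in %q: %w", v, err)
	}
	if len(parts) == 3 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, fmt.Errorf("bad patch version in %q: %w", v, err)
		}
	}
	return minor, patch, nil
}

// IsPatched (hypothetical helper) reports whether v is at or above the fix.
func IsPatched(v string) (bool, error) {
	minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if minor > 22 {
		return true, nil // assumption: lines released after 1.22 include the fix
	}
	need, ok := fixedPatch[minor]
	if !ok {
		return false, nil // older line: the page lists no fixed release for it
	}
	return patch >= need, nil
}

func main() {
	fmt.Println(IsPatched(runtime.Version())) // toolchain that built this binary
}
```

A bare `1.22` string is reported as unpatched because it does not say which patch release is installed.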


@astefanutti astefanutti left a comment

Do we have a solution in place to update downstream builds already?


ChristianZaccaria commented Jun 26, 2024

@astefanutti working on that atm.

Planning on using the same strategy performed for Kueue: https://gitlab.cee.redhat.com/data-hub/rhods-cpaas-midstream/-/merge_requests/2315/diffs

However, I think I'm having an issue with building this odh/kuberay image with go 1.22.2, saying formatting should be 1.22. Checking if this is just my local environment. I think we shouldn't go below 1.22.2 to address the CVEs.

invalid go version '1.22.2': must match format 1.23

@ChristianZaccaria
Author

I forgot to update the Dockerfiles of course. - I made the update in this PR just now.

I have run the RayJob tests on OpenShift:
[image]

With the last test failing, but that is expected.


@astefanutti astefanutti left a comment

That looks good overall, just a couple of questions:

  • Why 1.22.2 and not 1.22.3?
  • Should it be a DROP instead of a PATCH?


ChristianZaccaria commented Jun 27, 2024

@astefanutti

  1. I believe we are limited to using up to go 1.22.2, as the image in CPaaS contains 1.22.2 and not 1.22.3
    registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:v1.22.
    Slack Thread

  2. I think it could be a DROP commit, but made it a PATCH to avoid accidental drops. But, you're right, a DROP commit makes more sense. - Updated

@ChristianZaccaria ChristianZaccaria changed the title PATCH: Upgrade go version to 1.22.2 DROP: Upgrade go version to 1.22.2 Jun 27, 2024
@astefanutti

@ChristianZaccaria Thanks.

@astefanutti astefanutti merged commit b0225b3 into opendatahub-io:dev Jun 27, 2024