As Red Hat's product portfolio expands, we are offering more delivery options and methods, giving customers more flexibility in how they use and consume Red Hat products.
Red Hat Enterprise Linux CoreOS (RHCOS) underpins Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes. RHCOS demonstrates the flexibility that Red Hat delivers to customers by providing a comprehensive, dedicated and container-optimized base operating system.
As part of our Secure Software Development Lifecycle (Secure SDLC) practices, Red Hat provides granular and accessible security metadata, improving security risk identification across the Red Hat portfolio. This article covers some of the recent improvements in the security data for RHCOS.
What is RHCOS?
RHCOS is a dedicated, container-optimized operating system that is only available and supported as part of OpenShift. It is the only supported operating system for the OpenShift control plane (master) machines. Traditional Red Hat Enterprise Linux (RHEL) can be used on the OpenShift compute nodes, also known as worker machines, but those nodes then lose the RHCOS features, including controlled immutability, rpm-ostree upgrades, updates through the Machine Config Operator and many more.
A full list of RHCOS features can be found in the RHCOS documentation.
OpenShift RHCOS is a pre-built, container-focused operating system image composed of well-tested RHEL RPM packages with an enhanced security posture, plus the additional OpenShift and Fast Datapath (FDP) RPM packages the product needs. For more information on identifying the RPM packages in RHCOS and finding the corresponding security data, see the following articles:
- Obtaining package list for RHEL CoreOS or specific image
- RHEL Versions Utilized by RHEL CoreOS and OCP
- CoreOS Kernel Versions in OCP4
RHCOS is sometimes called CoreOS, but note that CoreOS (CoreOS Container Linux) was an upstream community project that reached end of life on May 26, 2020 and was superseded by Fedora CoreOS. Fedora CoreOS is a freely available community distribution and the upstream basis for Red Hat Enterprise Linux CoreOS.
RHCOS delivery method
RHCOS builds are fully managed by the OpenShift update automation. The OpenShift Update Service (OSUS) provides update recommendations for OpenShift, including RHCOS. To better understand how RHCOS is installed and, in particular, how it is updated, refer to the Introduction to OpenShift updates documentation.
The easiest way to check which RHCOS version a specific OpenShift release uses is the OpenShift CLI (oc):
$ oc adm release info 4.15.0 --registry-config=path_to_the_pull-secret.txt
Here 4.15.0 is the OpenShift version you want to check, and path_to_the_pull-secret.txt is your pull secret, which can be downloaded from https://console.redhat.com/openshift/downloads.
At the top of the output you will see various metadata about that OpenShift release. The RHCOS version is listed in the Component Versions section. For example:
Component Versions:
kubernetes 1.28.6
machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS
In releases before 4.16, the list of default images shipped with an OpenShift release includes a machine-os-content container image, which carries the list of RPM packages installed in the RHCOS used by that version of OpenShift. The Obtaining package list for RHEL CoreOS or specific image article explains how to extract that information.
Starting from OpenShift 4.16.0, the machine-os-content container image is no longer shipped. Starting from OpenShift 4.12.0, RHCOS itself is shipped as a container image and appears under the rhel-coreos name (or rhel-coreos-8, depending on which version of OpenShift you're using). Adding the --pullspecs option to the above command prints the full registry path from which the specific RHCOS image can be pulled.
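Automating the two lookups described above, as an added example that is not part of the original article or of the oc tool: the script parses the text that `oc adm release info --pullspecs` prints, picks the machine-os line out of the Component Versions section and the rhel-coreos (or older machine-os-content / rhel-coreos-8) row out of the Images section, and then decodes the RHCOS version string. SAMPLE_RELEASE_INFO is a constructed, abbreviated copy of the command's output in which the sha256 digests are placeholders; the machine-os value is the one shown above. The version layout decoded by decode_rhcos_version (OpenShift major and minor, RHEL major and minor, build timestamp, build number) is the RHCOS build naming convention and is not spelled out in the article.

```python
"""Find the RHCOS version and image in `oc adm release info` output.

Added example, not part of the original article and not part of the oc tool.
SAMPLE_RELEASE_INFO is a constructed, abbreviated copy of what
`oc adm release info 4.15.0 --pullspecs` prints; the sha256 digests are
placeholders, not real release digests. In practice you would feed the
function the real command output instead of the sample.
"""
import re

SAMPLE_RELEASE_INFO = """\
Name:      4.15.0
Digest:    sha256:1111111111111111111111111111111111111111111111111111111111111111
OS/Arch:   linux/amd64

Pull From: quay.io/openshift-release-dev/ocp-release@sha256:1111111111111111111111111111111111111111111111111111111111111111

Release Metadata:
  Version:  4.15.0

Component Versions:
  kubernetes 1.28.6
  machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS

Images:
  NAME                      PULL SPEC
  cluster-version-operator  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2222222222222222222222222222222222222222222222222222222222222222
  rhel-coreos               quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3333333333333333333333333333333333333333333333333333333333333333
"""

# Image names under which RHCOS (or its package list) has shipped, depending on the OpenShift version.
RHCOS_IMAGE_NAMES = ("rhel-coreos", "rhel-coreos-8", "machine-os-content")


def parse_release_info(text):
    """Return the release name, the machine-os (RHCOS) version and the RHCOS image pull spec.

    The output is a sequence of top-level "Key: value" lines and section headers
    ("Component Versions:", "Images:") whose entries are indented below them.
    """
    info = {"release": None, "machine_os": None, "rhcos_image": None, "rhcos_pullspec": None}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Top-level line: either "Key: value" metadata or the header of a new section.
            key, _, value = line.partition(":")
            section = key.strip()
            if section == "Name":
                info["release"] = value.strip()
            continue
        fields = line.split()
        if section == "Component Versions" and fields[0] == "machine-os":
            info["machine_os"] = fields[1]
        elif section == "Images" and fields[0] in RHCOS_IMAGE_NAMES:
            info["rhcos_image"], info["rhcos_pullspec"] = fields[0], fields[1]
    return info


# RHCOS version layout, e.g. 415.92.202402201450-0:
#   <OCP major><OCP minor>.<RHEL major><RHEL minor>.<build timestamp YYYYMMDDhhmm>-<build number>
# This convention is not stated in the article; it is the naming scheme RHCOS builds use.
_VERSION_RE = re.compile(r"(\d)(\d{1,2})\.(\d)(\d{1,2})\.(\d{12})-(\d+)$")


def decode_rhcos_version(version):
    """Split an RHCOS version into the OpenShift release, RHEL base and build time it encodes."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised RHCOS version: {version!r}")
    ocp_major, ocp_minor, rhel_major, rhel_minor, ts, build = m.groups()
    return {
        "openshift": f"{ocp_major}.{int(ocp_minor)}",
        "rhel": f"{rhel_major}.{int(rhel_minor)}",
        "built": f"{ts[0:4]}-{ts[4:6]}-{ts[6:8]} {ts[8:10]}:{ts[10:12]}",
        "build": int(build),
    }


if __name__ == "__main__":
    found = parse_release_info(SAMPLE_RELEASE_INFO)
    print(found)
    print(decode_rhcos_version(found["machine_os"]))
```

With real output the same two functions tell you, for any release, which RHCOS build (and therefore which RHEL base and build date) the cluster will run and which image digest to feed into an image scanner or an SBOM lookup.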
Dedicated RHCOS security metadata
Because RHCOS is composed of selected RPM packages taken from several Red Hat product repositories, matching the included components to the correct Red Hat security data was challenging. Collecting all the data needed for a correct security risk assessment was time consuming, yet it was a necessary step in a proper vulnerability management process.
The Red Hat Product Security team started publishing dedicated RHCOS security metadata in October 2024. RHCOS is now treated as another OpenShift component, similar to OpenShift container images: the entire vulnerability management process, including product-level risk assessment, is performed for all RHCOS components, that is, for every RPM package it contains, the kernel included. The scope of this improvement covers all vulnerabilities directly impacting RHCOS components, such as vulnerabilities in the kernel, OpenSSL, or cri-o. Vulnerabilities with an indirect impact, such as Golang CVEs that reach RHCOS only through the binaries built with Go, are not in scope of the current data enhancement, but we plan to add them in later improvements. Increasing the scope of coverage won't change how RHCOS security metadata is presented to customers.
Security data representation
RHCOS security data is available in two different formats, human-readable and machine-readable.
Human-readable data format
New security data is available in the human-readable format on Red Hat CVE pages. For example, fixed RHCOS vulnerabilities appear as follows:
https://access.redhat.com/security/cve/CVE-2024-26602
The RHCOS security metadata covers all statuses shown on Red Hat CVE pages, according to the vulnerability lifecycle:
- Affected
- Not affected
- Under investigation
- Fixed
- Will not fix
- Fix deferred
See the following examples of CVEs that impact RHCOS with different security states:
“Fix Deferred” https://access.redhat.com/security/cve/CVE-2024-45310
“Under investigation” https://access.redhat.com/security/cve/CVE-2024-8418
Note: The security state can change over time, based on the vulnerability lifecycle.
Machine-readable data format
The same security metadata is available in machine-readable form in the official Red Hat CSAF and VEX files. For example, the released patch for CVE-2024-26602 is represented as follows:
The VEX file for CVE-2024-26602.
CSAF advisory with the RHCOS security patch RHSA-2024:1765.
When a vulnerability is fixed, the VEX and CSAF files identify the fixed RHCOS build precisely: one entry per supported architecture, each carrying the RHCOS image digest (SHA-256) in a purl (package URL) identifier. The associated "product_tree": {...} object maps that build to the OpenShift version that contains the patch. For every status other than Fixed (following the CSAF standard and its VEX profile), the RHCOS component is represented by a purl identifier without version details.
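Reading those fields programmatically, as an added example that is not part of the article or of Red Hat's tooling: the script below walks a CSAF VEX product tree, resolves every product_status entry through the relationships to the RHCOS component and the OpenShift product it belongs to, and extracts architecture, RHCOS tag and image digest from the purl. SAMPLE_VEX is a constructed, heavily abbreviated document in the shape of a CSAF VEX file; its product identifiers (example:...), digests and the statuses assigned to the OpenShift products are placeholders, not the real CVE-2024-26602 record (only the CVE and RHSA-2024:1765 identifiers are taken from the article). fixed_entries_are_pinned checks the rule stated above: only Fixed entries name a digest.

```python
"""Triage the RHCOS entries of a Red Hat CSAF VEX document.

Added example; not part of the original article and not a Red Hat tool.
SAMPLE_VEX is a constructed, abbreviated document shaped like a CSAF VEX
file: product_ids ("example:..."), digests and per-product statuses are
placeholders for illustration, not the real CVE-2024-26602 data.
"""
from urllib.parse import parse_qs

RHCOS_PURL_PREFIX = "pkg:oci/rhel-coreos"
FIXED_TAG = "415.92.202402201450-0"  # RHCOS version quoted in the article


def _product(pid, name, purl=None):
    """A CSAF product entry; the purl, when present, is the machine-readable identifier."""
    entry = {"name": name, "product_id": pid}
    if purl:
        entry["product_identification_helper"] = {"purl": purl}
    return entry


def _component_of(component_id, product_id):
    """A CSAF relationship: component_id ships inside product_id under a combined product_id."""
    return {"category": "default_component_of", "product_reference": component_id,
            "relates_to_product_reference": product_id,
            "full_product_name": {"name": f"{component_id} in {product_id}",
                                  "product_id": f"{product_id}:{component_id}"}}


SAMPLE_VEX = {
    "document": {"category": "csaf_vex", "title": "CVE-2024-26602 (constructed sample)"},
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
            {"category": "product_family", "name": "Red Hat OpenShift Container Platform", "branches": [
                {"category": "product_name", "name": "Red Hat OpenShift Container Platform 4.15",
                 "product": _product("example:ocp_4.15", "Red Hat OpenShift Container Platform 4.15")},
                {"category": "product_name", "name": "Red Hat OpenShift Container Platform 4",
                 "product": _product("example:ocp_4", "Red Hat OpenShift Container Platform 4")}]},
            # Fixed build: one product per architecture, purl pinned to the image digest (placeholder digests).
            {"category": "product_version", "name": "rhel-coreos", "product": _product(
                "example:rhcos_x86_64", "rhel-coreos", f"pkg:oci/rhel-coreos@sha256:{'1' * 64}?arch=amd64&tag={FIXED_TAG}")},
            {"category": "product_version", "name": "rhel-coreos", "product": _product(
                "example:rhcos_aarch64", "rhel-coreos", f"pkg:oci/rhel-coreos@sha256:{'2' * 64}?arch=arm64&tag={FIXED_TAG}")},
            # Any non-Fixed status: the component is identified by an unversioned purl.
            {"category": "product_version", "name": "rhel-coreos", "product": _product(
                "example:rhcos", "rhel-coreos", "pkg:oci/rhel-coreos")},
        ]}],
        "relationships": [_component_of("example:rhcos_x86_64", "example:ocp_4.15"),
                          _component_of("example:rhcos_aarch64", "example:ocp_4.15"),
                          _component_of("example:rhcos", "example:ocp_4")],
    },
    "vulnerabilities": [{
        "cve": "CVE-2024-26602",
        "product_status": {"fixed": ["example:ocp_4.15:example:rhcos_x86_64", "example:ocp_4.15:example:rhcos_aarch64"],
                           "known_affected": ["example:ocp_4:example:rhcos"]},
        "remediations": [{"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2024:1765",
                          "product_ids": ["example:ocp_4.15:example:rhcos_x86_64", "example:ocp_4.15:example:rhcos_aarch64"]}],
    }],
}


def _collect_products(branches, out):
    """Flatten the nested branch tree into product_id -> (name, purl or None)."""
    for branch in branches:
        if "product" in branch:
            prod = branch["product"]
            out[prod["product_id"]] = (prod["name"], prod.get("product_identification_helper", {}).get("purl"))
        _collect_products(branch.get("branches", []), out)
    return out


def parse_purl(purl):
    """Return (version-or-digest or None, qualifiers) for a purl like pkg:oci/name@sha256:...?arch=amd64."""
    body, _, query = purl.partition("?")
    _, _, version = body.partition("@")
    return (version or None), {k: v[0] for k, v in parse_qs(query).items()}


def rhcos_status(vex):
    """One record per RHCOS product listed in any product_status of the document."""
    tree = vex["product_tree"]
    products = _collect_products(tree.get("branches", []), {})
    # combined product_id -> (component product_id, containing product's product_id)
    relations = {r["full_product_name"]["product_id"]: (r["product_reference"], r["relates_to_product_reference"])
                 for r in tree.get("relationships", [])}
    records = []
    for vuln in vex["vulnerabilities"]:
        advisories = {pid: rem["url"] for rem in vuln.get("remediations", [])
                      if rem.get("category") == "vendor_fix" for pid in rem.get("product_ids", [])}
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                component_id, parent_id = relations.get(pid, (pid, None))
                _, purl = products.get(component_id, (None, None))
                if not purl or not purl.startswith(RHCOS_PURL_PREFIX):
                    continue  # not an RHCOS entry (e.g. an ordinary container image)
                digest, quals = parse_purl(purl)
                records.append({"cve": vuln["cve"], "status": status,
                                "openshift": products[parent_id][0] if parent_id in products else None,
                                "arch": quals.get("arch"), "rhcos_version": quals.get("tag"),
                                "digest": digest, "advisory": advisories.get(pid)})
    return records


def fixed_entries_are_pinned(records):
    """The rule from the article: only Fixed entries carry a digest; other statuses use an unversioned purl."""
    return all((r["digest"] is not None) == (r["status"] == "fixed") for r in records)
```

Run against a real VEX file (json.load on the downloaded document), the same function lists which OpenShift products carry a fixed RHCOS build for the CVE, under which advisory, and which are still affected, under investigation or will not be fixed; the fixed records give you the exact image digests to compare with what `oc adm release info --pullspecs` reports for your cluster.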
To read more about CSAF and VEX security data and their implementation, see the following articles:
- CSAF VEX documents now generally available
- Vulnerability Exploitability eXchange (VEX) beta files now available
- Red Hat VEX files for CVEs are now generally available
- Red Hat Security Data Guidelines
Red Hat security data updates
We are continuously improving our security metadata by making it more detailed and specific. This applies not only to vulnerability data, but also to other security-related data, such as software bills of materials (SBOMs) or compliance and attestation data. Changes related to Red Hat Security Data can be found in the Red Hat Security Data Changelog.
Please contact Red Hat Product Security with any questions regarding security data at secalert@redhat.com, or file an issue in the public SECDATA Jira project.
About the author
Przemysław Roguski is a Security Architect at Red Hat who specializes in the security of cloud products. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products, and designs security solutions and processes across Red Hat Product Security. He focuses on security data improvements (various upstream and downstream security initiatives and projects such as CWE, Kubernetes and the Red Hat Vulnerability Scanner Certification program) to build a better understanding of security issues and improve customer satisfaction.