security: add trivy scan and fix image CVEs

.github/workflows/build-x86-image.yaml

@@ -43,6 +43,15 @@ jobs:
           go get -u github.com/securego/gosec/cmd/gosec
           make release
 
+      - name: Security Scan
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+          make scan
+
       - name: Init Kind
         run: |
           sudo make kind-init

Makefile

@@ -85,3 +85,6 @@ e2e:
 
 ut:
 	ginkgo -p --slowSpecThreshold=60 test/unittest
+
+scan:
+	trivy image --exit-code=1 --severity=HIGH --ignore-unfixed kubeovn/kube-ovn:${RELEASE_TAG}

dist/images/Dockerfile

@@ -20,13 +20,15 @@ RUN mkdir /rpms/ && \
 
 FROM centos:8
 
+RUN yum upgrade -y sqlite-libs libarchive systemd && \
+    yum remove -y bind-export-libs
+
 RUN yum install -y  \
-        bind-utils \
         firewalld-filesystem \
         libpcap \
         hostname ethtool \
         iproute nc \
-        unbound unbound-devel \
+        unbound-devel \
         tcpdump ipset && yum clean all
 ARG RPM_ARCH
 RUN rpm -ivh --nodeps https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/30/Everything/${RPM_ARCH}/os/Packages/i/iptables-1.8.0-5.fc30.${RPM_ARCH}.rpm