[Security] Use ubuntu:20.04 base image for Pulsar docker images #11026
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lhotari
requested review from
aahmed-se,
sijie,
merlimat,
eolivelli and
codelipenghui
lhotari
force-pushed
the
lh-change-docker-baseimage
branch
2 times, most recently
from
8af5b5b
to
26ac6ea
Compare
eolivelli
approved these changes
Jun 23, 2021
michaeljmarshall
approved these changes
Jun 23, 2021
There was a problem hiding this comment.
LGTM. This is great change, and it'll decrease the overall size of our pulsar docker images by a good bit. I just pulled these images and here is the basic docker images info:
REPOSITORY TAG IMAGE ID CREATED SIZE
openjdk 11-jdk bd97a328b384 8 hours ago 647MB
adoptopenjdk 11-jdk 20d606fe6719 5 days ago 437MB
lhotari
force-pushed
the
lh-change-docker-baseimage
branch
from
26ac6ea
to
38b9e1e
Compare
The JDK, AdoptOpenJDK itself has moved to Eclipse Foundation and has been renamed to Adoptium. The GitHub organization is adoptium and the transition from AdoptOpenJDK to Adoptium is still in progress. The adoptopenjdk docker images are maintained in 2 locations:
|
|
Another choice for the adoptopenjdk base image would be to use the official ubuntu:20.04 base image and install the openjdk-11-jdk package in the container. This would also resolve the security issues that come from using the Debian based openjdk docker base image. Switching to other than Ubuntu based OS would be more work since current Dockerfiles use apt to install packages and thus work for Debian/Ubuntu. @sijie Please provide advice how to proceed. |
I think this is a better approach. |
- Ubuntu fixes critical and high security vulnerabilities.
- openjdk:11-jdk-slim/openjdk:11-jdk images are based on
Debian 10 which contains a lot of unfixed vulnerabilities.
- this causes the Pulsar docker images to get flagged in Docker image vulnerability
scanning with docker image vulnerability scanning tools such as Clair
lhotari
force-pushed
the
lh-change-docker-baseimage
branch
from
38b9e1e
to
b91b672
Compare
lhotari
changed the title
lhotari
force-pushed
the
lh-change-docker-baseimage
branch
from
43f4407
to
70e02ab
Compare
- JAVA_HOME set by ENV isn't available for RUN commands
sijie
approved these changes
Jul 23, 2021
hangc0276
pushed a commit
that referenced
this pull request
Aug 26, 2021
* [Security] Use ubuntu:20.04 base image for Pulsar docker images
- Ubuntu fixes critical and high security vulnerabilities.
- openjdk:11-jdk-slim/openjdk:11-jdk images are based on
Debian 10 which contains a lot of unfixed vulnerabilities.
- this causes the Pulsar docker images to get flagged in Docker image vulnerability
scanning with docker image vulnerability scanning tools such as Clair
* Install Ubuntu updates
* Set DEBIAN_FRONTEND=noninteractive so that dist-upgrade doesn't wait for input
* Set JAVA_HOME
* Fix configuring networkaddress.cache.ttl
- JAVA_HOME set by ENV isn't available for RUN commands
* Configure networkaddress.cache.ttl after installing OpenJDK
(cherry picked from commit f989512)
|
Due to python3.7 is not available in openjdk:11-jdk image, this build exception is: https://github.com/apache/pulsar/runs/3428234664 So i cherry picked this PR to branch-2.8, and release in Pulsar 2.8.1 to solve docker image build failed problem. |
|
@hangc0276 please advertise this on dev@ This is an important change, we must be sure that the community is up to date |
@eolivelli Ok, I have sent an email to dev@ mail list, Thanks. |
hangc0276
added a commit
that referenced
this pull request
Aug 31, 2021
### Motivation
When build the pulsar-standalone docker image, it throw the following exception
[INFO] + sudo -u postgres /usr/lib/postgresql/11/bin/initdb /data/
[INFO]
[INFO] sudo: /usr/lib/postgresql/11/bin/initdb: command not found
[INFO]
[ERROR] The command '/bin/sh -c /pulsar/django/init-postgres.sh' returned a non-zero code: 1
[WARNING] An attempt failed, will retry 1 more times
org.apache.maven.plugin.MojoExecutionException: Could not build image
at com.spotify.plugin.dockerfile.BuildMojo.buildImage (BuildMojo.java:247)
at com.spotify.plugin.dockerfile.BuildMojo.execute (BuildMojo.java:135)
at com.spotify.plugin.dockerfile.AbstractDockerMojo.tryExecute (AbstractDockerMojo.java:265)
at com.spotify.plugin.dockerfile.AbstractDockerMojo.execute (AbstractDockerMojo.java:254)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
The root cause is when we use ubuntu 20.04 use base docker image instead of openjdk:11-jdk image introduce by #11026 , the ubuntu 20.04 will install postgresql 12 instead of postgresql 11 by default. However, the init and start script has been hard code with postgresql 11 install path, which will lead to command not found exception.
### Modification
1. add postgresql 11 resource address for ubuntu 20.04 and install postgresql 11
gaoran10
added a commit
to gaoran10/pulsar
that referenced
this pull request
Sep 10, 2021
2. Build python client by Python3.8 cherry-pick: 1. apache#11026 2. apache#11623 3. apache#11862
This was referenced Sep 10, 2021
codelipenghui
pushed a commit
that referenced
this pull request
Sep 14, 2021
### Motivation Currently, the docker is from `openjdk:8-jdk-slim `, it has a new release a few days ago and the Linux version was changed to `Impish`, it didn't support install `python3.7` by apt-get tool, the minimum Python version is 3.9, so we need to change the python version or use a different Linux release, I cherry-pick some commits from branch master to build docker image from the `ubuntu:20.04`. Mainly related PRs: 1. #11026 2. #11623 3. #11862 ### Modifications Build docker image from the `ubuntu:20.04`. upgrade pulsar-go-client from `0.2.0` to `0.6.0` and rever #9124 from branch-2.7
bharanic-dev
pushed a commit
to bharanic-dev/pulsar
that referenced
this pull request
Mar 18, 2022
…he#11026) * [Security] Use ubuntu:20.04 base image for Pulsar docker images - Ubuntu fixes critical and high security vulnerabilities. - openjdk:11-jdk-slim/openjdk:11-jdk images are based on Debian 10 which contains a lot of unfixed vulnerabilities. - this causes the Pulsar docker images to get flagged in Docker image vulnerability scanning with docker image vulnerability scanning tools such as Clair * Install Ubuntu updates * Set DEBIAN_FRONTEND=noninteractive so that dist-upgrade doesn't wait for input * Set JAVA_HOME * Fix configuring networkaddress.cache.ttl - JAVA_HOME set by ENV isn't available for RUN commands * Configure networkaddress.cache.ttl after installing OpenJDK
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Jul 22, 2022
Currently, the docker is from `openjdk:8-jdk-slim `, it has a new release a few days ago and the Linux version was changed to `Impish`, it didn't support install `python3.7` by apt-get tool, the minimum Python version is 3.9, so we need to change the python version or use a different Linux release, I cherry-pick some commits from branch master to build docker image from the `ubuntu:20.04`. Mainly related PRs: 1. apache#11026 2. apache#11623 3. apache#11862 Build docker image from the `ubuntu:20.04`. upgrade pulsar-go-client from `0.2.0` to `0.6.0` and rever apache#9124 from branch-2.7 (cherry picked from commit 259c698)
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Jul 22, 2022
Currently, the docker is from `openjdk:8-jdk-slim `, it has a new release a few days ago and the Linux version was changed to `Impish`, it didn't support install `python3.7` by apt-get tool, the minimum Python version is 3.9, so we need to change the python version or use a different Linux release, I cherry-pick some commits from branch master to build docker image from the `ubuntu:20.04`. Mainly related PRs: 1. apache#11026 2. apache#11623 3. apache#11862 Build docker image from the `ubuntu:20.04`. upgrade pulsar-go-client from `0.2.0` to `0.6.0` and rever apache#9124 from branch-2.7 (cherry picked from commit 259c698)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Pulsar docker images currently use openjdk:11-jdk-slim as the base image.
openjdk:11-jdk-slim/openjdk:11-jdk images are based on Debian 10 which contains a lot of unfixed vulnerabilities.
scanning with docker image vulnerability scanning tools such as Clair
Modifications
ubuntu:20.04. Install OpenJDK with apt-get.