[bitnami/java:11]: curl has been removed from the latest version #9143
Comments
bitnami/php-fpm is impacted as well:
I too am experiencing this. I'm using the postgresql images (
Hi, we have been working on removing non-needed dependencies to have more secure containers, reducing the attack surface and the container size. You can use the
This would then imply I would need to build and maintain my own "custom" container image, whereas currently I'm just running it. I'm not currently building/pushing my own custom image for that, nor do I really want to.
In that case, if you are using

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: heroes-db-init
  labels:
    app: heroes-db
    application: heroes-service
    system: quarkus-super-heroes
data:
  get-data.sh: |-
    #!/bin/bash
    install_packages curl
    curl https://raw.githubusercontent.com/quarkusio/quarkus-super-heroes/main/rest-heroes/deploy/db-init/initialize-tables.sql --output /docker-entrypoint-initdb.d/1-init-tables.sql
```

In the same way, as those containers are non-root by default, maybe you will need to change the
In my situation I can't make any assumptions about what flavor of Kubernetes the pod is running in nor what kind of permissions the current user/service account has, so if that requires elevated permissions to run
Maybe I could use an init container with a shared volume. The init container could do what I need to do with curl. I'll investigate that.
@edeandrea is there a psql related use case?
I am not directly using psql. I'm just using curl to go fetch some data and pull it down into the container to get loaded into the database by the container. The curl drops the file into the container. This capability (the ability to put a script into the container). I understand where you are coming from though - eliminate things you don't need and reduce your attack surface. I get it. I will look at alternative solutions, but those solutions may take me away from using the bitnami images. Building my own custom images that extend this one and maintaining them is not an option in my case.
@carrodher is it possible to instantiate sidecar containers? I am not familiar, but at a glance it appears to be a sidecar job. I couldn't tell whether there was such a possibility in place.
It wouldn't be a sidecar I needed. It would be an init container. A sidecar stays running for the duration of the pod's lifecycle, whereas an init container runs before the main container. In my case I could use an init container to run the curl and drop the result on the filesystem, which is shared with the main postgresql container.
This seems to do what I need it to do:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: heroes-db
    application: heroes-service
    system: quarkus-super-heroes
  name: heroes-db-config
data:
  POSTGRES_DB: aGVyb2VzX2RhdGFiYXNl
  POSTGRES_USER: c3VwZXJtYW4=
  POSTGRES_PASSWORD: c3VwZXJtYW4=
type: Opaque
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: heroes-db
    application: heroes-service
    system: quarkus-super-heroes
  name: heroes-db-init
data:
  get-data.sh: |-
    #!/bin/bash
    curl https://raw.githubusercontent.com/quarkusio/quarkus-super-heroes/main/rest-heroes/deploy/db-init/initialize-tables.sql --output /docker-entrypoint-initdb.d/1-init-tables.sql
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: heroes-db
    application: heroes-service
    system: quarkus-super-heroes
    app.kubernetes.io/part-of: heroes-service
    app.openshift.io/runtime: postgresql
  name: heroes-db
spec:
  replicas: 1
  selector:
    matchLabels:
      name: heroes-db
  template:
    metadata:
      labels:
        name: heroes-db
        application: heroes-service
        system: quarkus-super-heroes
    spec:
      initContainers:
        - name: get-data
          image: registry.access.redhat.com/ubi8-minimal:8.6
          workingDir: /docker-entrypoint-preinitdb.d
          command:
            - 'sh'
            - 'get-data.sh'
          volumeMounts:
            - mountPath: /docker-entrypoint-preinitdb.d
              name: heroes-db-init
            - mountPath: /docker-entrypoint-initdb.d
              name: heroes-db-init-data
      containers:
        - envFrom:
            - secretRef:
                name: heroes-db-config
          image: bitnami/postgresql:14
          name: heroes-db
          ports:
            - containerPort: 5432
          resources:
            limits:
              memory: 128Mi
            requests:
              memory: 32Mi
          volumeMounts:
            - mountPath: /bitnami/postgresql
              name: heroes-db-data
            - mountPath: /docker-entrypoint-initdb.d
              name: heroes-db-init-data
      volumes:
        - emptyDir: {}
          name: heroes-db-data
        - emptyDir: {}
          name: heroes-db-init-data
        - configMap:
            name: heroes-db-init
          name: heroes-db-init
```
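The init-container pattern above works, but the `get-data.sh` it runs writes whatever curl returns straight into `/docker-entrypoint-initdb.d`, where the database will execute it on first boot: an HTTP error page, a truncated download or a tampered file all become "the init script". The following is an added example, not code from this thread or from the Bitnami project, of a hardened `get-data.sh` for that init container: it fails on HTTP errors, refuses plaintext and old TLS, downloads to a temp file, checks the file's SHA-256 against a digest you publish with the SQL, and only then moves it into place. It uses the URL and destination path from the thread; `EXPECTED_SHA256` is a placeholder, `sha256sum` (coreutils) is assumed to exist in the init image, and the `chmod 0644` is my assumption about what the non-root postgres user in the main container needs to read the file.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Bitnami images): a hardened
# replacement for get-data.sh, run by the init container before bitnami/postgresql
# starts. Download -> verify digest -> install, never write to the initdb
# directory until the content is known-good.
set -eu

SQL_URL="https://raw.githubusercontent.com/quarkusio/quarkus-super-heroes/main/rest-heroes/deploy/db-init/initialize-tables.sql"
SQL_DEST="/docker-entrypoint-initdb.d/1-init-tables.sql"
# Placeholder: replace with the real SHA-256 of initialize-tables.sql.
EXPECTED_SHA256="<replace-with-real-sha256-of-initialize-tables.sql>"

# sha256_of FILE: print the hex SHA-256 of FILE (assumes coreutils sha256sum).
sha256_of() {
  sha256sum "$1" | cut -d ' ' -f 1
}

# verify_and_install SRC DEST EXPECTED: move SRC to DEST only if its SHA-256
# equals EXPECTED. On mismatch the candidate file is deleted and the function
# returns 1, so the init container fails and the database never runs an
# unverified script.
verify_and_install() {
  src=$1
  dest=$2
  expected=$3
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $src: sha256 $actual != expected $expected" >&2
    rm -f "$src"
    return 1
  fi
  # Assumption: world-readable so the non-root postgres user in the main
  # container can read the file from the shared emptyDir.
  chmod 0644 "$src"
  mv "$src" "$dest"
}

# fetch_init_sql URL DEST EXPECTED: download to a temp file, then verify_and_install.
#   -f            : HTTP 4xx/5xx become a non-zero exit instead of a saved error page
#   --proto =https: refuse anything but HTTPS, including redirects to http://
#   --tlsv1.2     : minimum TLS version
fetch_init_sql() {
  url=$1
  dest=$2
  expected=$3
  tmp=$(mktemp "${TMPDIR:-/tmp}/init-sql.XXXXXX")
  curl -fsSL --proto '=https' --tlsv1.2 --max-time 60 --retry 3 "$url" -o "$tmp"
  verify_and_install "$tmp" "$dest" "$expected"
}

# Only perform the download when invoked as the init container's command
# (e.g. `sh get-data.sh run`), so the functions can also be sourced and tested.
if [ "${1:-}" = "run" ]; then
  fetch_init_sql "$SQL_URL" "$SQL_DEST" "$EXPECTED_SHA256"
fi
```

Wire it in by changing the init container's `command` to `['sh', 'get-data.sh', 'run']`; because the script exits non-zero on a bad download or digest, the pod stays in `Init:Error` instead of starting PostgreSQL with a broken or foreign init script, which is the failure mode you want to be loud.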
I'm all in favor of reducing the attack surface, but I think curl is used in a lot of init scripts, including some of mine, which is why I'm writing this. I feel that downloading sql or pgc files is a very common use case which ought to be supported out of the box.
I find it great to do a cleanup in the container, although it was done in a way that did not decrease the size of the container image. It would have been nicer to define a new line of tags for such a breaking change!
Hi, my advice on this would be to use the bitnami/bitnami-shell image as an init container which downloads the .sql files, putting them in a volume.
Thanks. I solved it on Friday in quarkusio/quarkus-super-heroes#157
Thanks for letting us know!
Do you have a suggestion regarding how to use pgc files with such an approach?
Name and Version
bitnami/java:11
What steps will reproduce the bug?
What is the expected behavior?
The build should pass successfully.
What do you see instead?
The build fails with a "curl: command not found" error.
Additional information
No response