Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues. #17066
.circleci/config.yml
@@ -357,7 +357,7 @@ jobs: | |||
- run: docker info | |||
- run: docker run --privileged linuxkit/binfmt:v0.6 | |||
- run: cp dist/grafana-latest.linux-*.tar.gz packaging/docker | |||
- run: cd packaging/docker && ./build.sh --fast "${CIRCLE_SHA1}" | |||
- run: cd packaging/docker && ./build.sh "${CIRCLE_SHA1}" |
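Review bot: dropping `--fast` from `./build.sh "${CIRCLE_SHA1}"` is not documented in the config itself; a short inline comment stating that the full build now also produces the arm images, and therefore depends on the `docker run --privileged linuxkit/binfmt:v0.6` step two lines above, would stop the two steps from being reordered or removed independently. While touching this job, `linuxkit/binfmt:v0.6` is pulled by a mutable tag and run with `--privileged`; pinning it by digest would make the multi-arch build reproducible and harder to tamper with upstream.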
Removed `--fast` so we build arm containers as well.
Looks good. I read a little about the release, trying to figure out when it's going from testing to stable (some time this year) and found this:
Please note that security updates for testing distribution are not yet managed by the security team. Hence, testing does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to stretch for the time being if you need security support.
Not sure how much this affects our decision.
This makes total sense :) The real workaround for this I guess is to rebuild old images, pull security updates from the mirrors and push them to dockerhub. It's not that strange that images we published 8 months ago have security vulnerabilities and fresh alpine does not. Switching from Debian to alpine or any other base would not help us regardless unless we republish old containers. Alpine might have a smaller attack surface which is good. But we still need to republish those containers to get security fixes.
I could be wrong, but I think part of our problem is that there aren't security fixes for all the issues in stretch.
As @xlson points out, the security update issue isn't about updating existing installations. It is about there being a lag for security fixes showing up in the repo. I guess the question comes down to: is buster more secure than stretch? My opinion is yes. Right now, buster has fewer known vulnerabilities than stretch. Security updates for buster may not yet be managed by the security team, but they will be when it becomes stable and so security should improve. For stretch, security updates are managed by the security team, but they still haven't fixed high severity issues that have been known for a really long time.
That's a good point. I agree, let's move to buster for now.
TL;DR: PhantomJS does not work on buster out of the box. Copy pasting what @xlson wrote on Slack:
creating an empty file as
To build and package grafana as a docker container...
```sh
go run build.go build pkg-archive latest sha-dist && \
cp dist/grafana-latest.linux-*.tar.gz packaging/docker && \
./packaging/docker/build.sh --fast fakegitsha && \
docker run --net=host -e GF_LOG_LEVEL=debug grafana/grafana-dev:fakegitsha
```
PhantomJS works fine on
Results from running https://github.com/knqyf263/trivy/releases/download/v0.1.1/trivy_0.1.1_Linux-64bit.tar.g
```sh
tar zxvf trivy_0.1.1_Linux-64bit.tar.gz
make build-docker-dev
./trivy --exit-code 1 --quiet --auto-refresh --format=json grafana/grafana:dev ubuntu:latest
```
debian:stretch
Since Ubuntu is based on Debian I think it shouldn't cause any problems to switch base for the docker image.
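The comment above compares base images by the number of known vulnerabilities trivy reports, and an earlier comment notes that part of the problem is findings in stretch that have no fix available. The script below is an added example, not code from the Grafana PR or from the trivy project: it takes trivy's `--format=json` output for each candidate image, counts findings by severity, separates those with a `FixedVersion` from those without (the "no fix available yet" case the thread worries about), and applies the same kind of gate that `--exit-code 1` provides. The JSON shape (a list of results, each with `Target` and a `Vulnerabilities` list carrying `VulnerabilityID`, `PkgName`, `Severity` and an optional `FixedVersion`) is assumed to match what trivy produced at the time, and the sample reports and CVE identifiers are constructed placeholders.

```python
"""Summarise trivy JSON scan output per image and apply a severity gate.

Added example for comparing candidate Docker base images; not code from the
Grafana repository or from trivy. The report layout is assumed (see lead-in)
and the sample reports below are constructed, with placeholder CVE ids.
"""
import json
from collections import Counter
from typing import Dict

# Highest severity first; the gate blocks anything at or above a threshold.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample output: one trivy JSON report per candidate base image.
SAMPLE_REPORTS = {
    "debian:stretch": json.dumps([{
        "Target": "debian:stretch (debian 9.9)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.1-3", "FixedVersion": "2.1-3+deb9u1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
             "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"},
        ],
    }]),
    "ubuntu:latest": json.dumps([{
        "Target": "ubuntu:latest (ubuntu 18.04)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux",
             "InstalledVersion": "3.0", "FixedVersion": "3.0-1ubuntu0.1", "Severity": "MEDIUM"},
        ],
    }]),
}


def summarise(report_json: str) -> Dict[str, object]:
    """Count findings in one trivy JSON report, by severity and by fix availability."""
    results = json.loads(report_json)
    by_severity: Counter = Counter()
    total = 0
    unfixed = 0
    for result in results:
        # trivy emits null rather than [] when an image has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            total += 1
            by_severity[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
            if not vuln.get("FixedVersion"):
                unfixed += 1  # the distro has not shipped a fix yet
    return {"total": total, "unfixed": unfixed, "by_severity": dict(by_severity)}


def gate(summary: Dict[str, object], threshold: str = "HIGH") -> bool:
    """Mirror --exit-code 1: True when any finding is at or above the threshold."""
    blocked = SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold) + 1]
    return any(summary["by_severity"].get(sev, 0) for sev in blocked)


def compare(reports: Dict[str, str], threshold: str = "HIGH") -> Dict[str, Dict[str, object]]:
    """Summarise every candidate image and mark which ones the gate would block."""
    out = {}
    for image, report in reports.items():
        summary = summarise(report)
        summary["blocked"] = gate(summary, threshold)
        out[image] = summary
    return out


if __name__ == "__main__":
    for image, s in compare(SAMPLE_REPORTS).items():
        verdict = "FAIL" if s["blocked"] else "PASS"
        print(f"{image}: {s['total']} findings, {s['unfixed']} without a fix, "
              f"by severity {s['by_severity']}, gate {verdict}")
```

In a pipeline you would feed the real `trivy --format=json` output into `summarise` instead of the constructed samples; the `unfixed` count is the number to watch when a base image "has fewer known vulnerabilities", because findings with no `FixedVersion` cannot be cleared by rebuilding the image.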
Ubuntu seems like a good option if that gets us part of the way. How much bigger is the image vs the slim ones from debian?
So I don't think it's an issue.
I think this deserves a longer beta period than we normally do.
* grafana/master: (58 commits) AppPlugin: Fix load legacy plugin app (grafana#17574) Typescript: A batch of implicit any fixes (grafana#17590) RefreshPicker: Handle empty intervals (grafana#17585) Docker: Switch base to ubuntu:latest (grafana#17066) SQLStore: extend `user.SearchUsers` method (grafana#17514) Explore: Tag and Values for Influx are filtered by the selected measurement (grafana#17539) ldap: makes mocks available for testing. (grafana#17576) Devenv: Add nginx proxy for mac (grafana#17572) Graph: Added new fill gradient option (grafana#17528) Typescript: Reduce implicit any errors (grafana#17550) SinglestatPanel: Manages when getColorForValue() function returns null value. Closes grafana#9747 (grafana#17552) LDAP: refactoring (grafana#17479) Elasticsearch: Fix empty query request to send properly (grafana#17488) SinglestatPanel: fix min/max config in singlestat sparklines (grafana#17543) AuthProxy: Optimistic lock pattern for remote cache Set (grafana#17485) Explore: Includes context parameter when invoking getExploreState() from Prometheus datasource (grafana#17569) Tests: Replaces truth image (grafana#17570) Fix: Fixes merge conflict (grafana#17568) Build: Fix failing e2e tests and implicit any check (grafana#17567) Explore: Fixes implicit any error in AdHocFilterField.test.tsx (grafana#17565) ...
Let's see what the CI pipeline says about it.
ref #14182