
Docker Container for prometheus isn't up to date and contains security vulnerabilities #1071

Closed
mrosic opened this Issue Sep 11, 2015 · 8 comments

5 participants

mrosic commented Sep 11, 2015

The docker container with prometheus is not up to date; it uses libssl 1.0.2b-r0, which contains several security vulnerabilities.

Please include
RUN apk update
RUN apk upgrade
at the end of your Dockerfile. This slows down the build process but it guarantees that users will always receive a container that is up to date.

beorn7 commented Sep 11, 2015

Paging our local docker expert @discordianfish : I leave it to you to come up with the best course of action here. (Requiring access to the public Debian repo sounds problematic to me as the default setting.)

discordianfish commented Sep 11, 2015

@beorn7 It's not debian, it's alpine linux.
In general we should make sure the base image is up to date, and that is managed by @sdurrheimer. I've created a repo link which should cause prometheus to get rebuilt if the base image gets updated.
Maybe it's time to move the base image to the prometheus org so we can easily update it. Let's see what @sdurrheimer says.

mrosic commented Sep 11, 2015

Okay, I've looked at that again:
Prometheus doesn't use libssl and /bin/prometheus is the only process running inside the container. It is dynamically linked to:
/lib64/ld-linux-x86-64.so.2 (0x7f67f0912000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f67f0912000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f67f0912000)

If you were to build prometheus statically you could theoretically ignore most of the stuff in the container (including most of the security vulnerabilities) and never update it.

It wouldn't be pretty but it could be good enough as long as we only use the container like a binary executable.

discordianfish commented Sep 11, 2015

@mrosic That's correct; Prometheus shouldn't use all those things, so I'd consider this issue low priority. Still, we shouldn't ship vulnerable libraries.
Another option would be to stop using the Dockerfile and build the container 'manually' like this: https://blog.codeship.com/building-minimal-docker-containers-for-go-applications/
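The two comments above rest on one question: does the binary in the image actually load anything from the base image? The following inspector is an added example (not Prometheus code, and not from the linked blog post) that answers it by parsing the ELF headers with Go's standard `debug/elf` package instead of running `ldd` (which on glibc systems may execute the binary's own loader, so it is not something to run against an untrusted file). It reports the program interpreter (PT_INTERP) and the DT_NEEDED libraries, which is the same information the ldd output above carries, and flags a binary as fully static when it has neither a loader nor a dynamic segment. The name `InspectELF`, the `LinkReport` type and the `/bin/prometheus` path in the usage note are illustrative assumptions.

```go
// inspectelf: report what an ELF executable needs from the image it ships in.
// Added example for this issue thread, not Prometheus project code.
// Uses only the Go standard library; the names below are illustrative.
package main

import (
	"bytes"
	"debug/elf"
	"fmt"
	"io"
	"os"
)

// LinkReport captures the part of an ELF file that decides whether the
// surrounding container image matters at run time.
type LinkReport struct {
	Path   string
	Interp string   // program interpreter from PT_INTERP; empty when absent
	Needed []string // shared libraries from DT_NEEDED; nil when absent
	// Static is true when there is neither a PT_INTERP nor a PT_DYNAMIC
	// segment: the kernel runs the file directly and no library in the
	// image is ever mapped into the process.
	Static bool
}

// InspectELF parses the file on disk without executing anything from it.
func InspectELF(path string) (LinkReport, error) {
	f, err := elf.Open(path)
	if err != nil {
		return LinkReport{}, err
	}
	defer f.Close()
	return inspect(path, f)
}

func inspect(path string, f *elf.File) (LinkReport, error) {
	r := LinkReport{Path: path}
	hasDynamic := false
	for _, p := range f.Progs {
		switch p.Type {
		case elf.PT_INTERP:
			// The segment holds a NUL-terminated loader path.
			data, err := io.ReadAll(p.Open())
			if err != nil {
				return r, fmt.Errorf("read PT_INTERP: %w", err)
			}
			r.Interp = string(bytes.TrimRight(data, "\x00"))
		case elf.PT_DYNAMIC:
			hasDynamic = true
		}
	}
	// ImportedLibraries returns the DT_NEEDED entries, or nil (no error)
	// for a binary without a dynamic section.
	needed, err := f.ImportedLibraries()
	if err != nil {
		return r, fmt.Errorf("read DT_NEEDED: %w", err)
	}
	r.Needed = needed
	r.Static = r.Interp == "" && !hasDynamic
	return r, nil
}

// Summary renders the decision a maintainer would act on.
func (r LinkReport) Summary() string {
	if r.Static {
		return fmt.Sprintf("%s: fully static; nothing from the base image is loaded", r.Path)
	}
	return fmt.Sprintf("%s: dynamic; loader %q, needs %v", r.Path, r.Interp, r.Needed)
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: inspectelf <binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		r, err := InspectELF(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 1
			continue
		}
		fmt.Println(r.Summary())
	}
	os.Exit(exit)
}
```

Run it as `go run inspectelf.go /bin/prometheus` (path assumed) inside or against an extracted image. A pure-Go program built with `CGO_ENABLED=0 go build` comes out with no PT_INTERP and no DT_NEEDED, which is the property that makes the libssl package in the base image irrelevant to the running process and is what a `FROM scratch` image relies on. The check covers linked code only: files the program opens at run time (CA bundles, timezone data, `/etc/passwd`) are not visible in the ELF headers and still have to be provided and kept current separately.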

juliusv commented Sep 11, 2015

@discordianfish 👍 I really like that approach and we should go towards it IMO as soon as someone finds the time to do it.

sdurrheimer commented Sep 11, 2015

I've triggered a manual build of the base image, but normally it's all automatic.

juliusv commented Sep 14, 2015

Thanks! Closing this for now. I'm really in favor of only including the statically built Prometheus binaries in the future though.

@juliusv juliusv closed this Sep 14, 2015

lock bot commented Mar 24, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Mar 24, 2019
