Docker images from scratch

Julien Pivotto

Jan 31, 2021, 11:26:35 AM
to prometheus-developers
Hello,

From time to time we get users reporting that the docker image we use to
build Prometheus contains a Busybox vulnerability:

https://github.com/prometheus/node_exporter/issues/1937
https://github.com/prometheus/prometheus/issues/8277
https://github.com/prometheus/prometheus/issues/7794

We have a few options here:

1. ignoring those reports as there is no evidence that this can be used
without first getting shell access into the container.

2. removing wget from the container

3. switching to a base image that does not contain the fix, e.g. alpine

4. only shipping our binaries and a few other files (from scratch or
from distroless-static,
https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)

My thinking:

1. This is (was) the current strategy. And clearly, scanners do not care
that Prometheus uses or does not use the said binaries.
However, in security, less attack surface is always positive.

2. Even if we remove /bin/wget, it can still be invoked by calling
/bin/busybox wget

3. Alpine etc. would increase the surface and require rebuilding a lot more
often than busybox.

4. Distroless static seems to be what we have now (takes certs etc. from
debian), without busybox. The advantage here would be that we can simply
stop using prometheus/busybox, and we would have updated upstream
images all the time.

So I'd go and investigate distroless base image in the future.

--
Julien Pivotto
@roidelapluie

Gabriel Cavalcante

Jan 31, 2021, 11:31:02 AM
to prometheus-developers
Is it possible to use the scratch image with Prometheus binary inside only? That would reduce the surface entirely.

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-devel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/20210131162630.GA13747%40oxygen.

Ben Kochie

Jan 31, 2021, 11:32:28 AM
to prometheus-developers
Another option is we could fully build our own busybox binary, with the necessary fixes.

I'm somewhat in favor of going distroless. With a large number of users using our container images in Kubernetes, it's less necessary to include busybox, as they can attach userspace sidecar containers.

Julien Pivotto

Jan 31, 2021, 11:35:37 AM
to Ben Kochie, Gabriel Cavalcante, prometheus-developers
Proposal #4 also contains:

gcr.io/distroless/static:
ca-certificates
A /etc/passwd entry for a root user
A /tmp directory
tzdata
If exporters require cgo, there is also a version with:

gcr.io/distroless/base:
glibc
libssl
openssl

--
Julien Pivotto
@roidelapluie
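As an added illustration of option 4 (this is example code, not the Prometheus project's own Dockerfile): a multi-stage build that compiles a static binary and copies only it, plus a config file, onto gcr.io/distroless/static, so neither busybox nor wget exists in the shipped image. The builder stage, the ./cmd/prometheus package path, the prometheus.yml in the build context and the distroless `nonroot` tag/user are assumptions for the example.

```dockerfile
# Added example, not the project's real Dockerfile.
# Assumes a Go source tree in the build context with a main package at ./cmd/prometheus.
FROM golang:1.16 AS builder
WORKDIR /src
COPY . .
# CGO_ENABLED=0 yields a statically linked binary, so the final image needs no libc.
RUN CGO_ENABLED=0 go build -o /out/prometheus ./cmd/prometheus

# distroless/static ships only ca-certificates, tzdata, an /etc/passwd and /tmp:
# no shell and no busybox, so there is no /bin/wget (or /bin/busybox wget) to scan or run.
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /out/prometheus /bin/prometheus
# Assumed to exist in the build context.
COPY prometheus.yml /etc/prometheus/prometheus.yml
# Run as the unprivileged user the distroless nonroot variant provides.
USER nonroot:nonroot
EXPOSE 9090
ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", "--storage.tsdb.path=/prometheus"]
```

Because the final stage has no shell, `docker run --rm --entrypoint /bin/sh <image>` fails to start; that failure is the quickest check that the surface reduction actually took effect, and image scanners will likewise find no busybox package to flag.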

Bjoern Rabenstein

Feb 1, 2021, 9:03:04 AM
to Ben Kochie, prometheus-developers
On 31.01.21 17:32, Ben Kochie wrote:
> Another option is we could fully build our own busybox binary, with the
> necessary fixes.
>
> I'm somewhat in favor of going distroless. With a large number of users
> using our container images in Kubernetes, it's less necessary to include
> busybox, as they can attach userspace sidecar containers.

I guess distroless would also simplify the question of how to include
all required licenses, simply by requiring a whole lot less of them.

--
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] bjo...@rabenste.in

Julius Volz

Feb 5, 2021, 6:49:29 AM
to Bjoern Rabenstein, Ben Kochie, prometheus-developers
+1 for distroless.
