Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2021/07/21 15:23:26 UTC

[GitHub] [solr-operator] HoustonPutman opened a new issue #294: Use a more secure base-image for the Solr Operator docker image

HoustonPutman opened a new issue #294:
URL: https://github.com/apache/solr-operator/issues/294


   The security report for the Solr Operator Docker image on its [ArtifactHub page](https://artifacthub.io/packages/helm/apache-solr/solr-operator) is not very good. This is due mostly to the fact that the base image contains multiple known vulnerabilities.
   
   The current base image is `gcr.io/distroless/base:debug-nonroot`, and the vulnerabilities come from the fact that we are using the `base` image, not because it's a `debug` image. If we instead use `gcr.io/distroless/static:debug-nonroot`, these vulnerabilities go away.
   
   The base image isn't the whole story. Some of the GoLang libraries that the Solr Operator depends on contain vulnerabilities as well, however removing those will require an upgrade of Kubernetes versions which we cannot currently do. Solving the base-image is the first, and larger, step.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org


[GitHub] [solr-operator] HoustonPutman commented on issue #294: Use a more secure base-image for the Solr Operator docker image

Posted by GitBox <gi...@apache.org>.
HoustonPutman commented on issue #294:
URL: https://github.com/apache/solr-operator/issues/294#issuecomment-884387080


   The difference between `distroless/base` and `distroless/static` is mainly for the purpose of [including `libc`](https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md) for go programs that use `cgo`, [such as through the `net` package](https://pkg.go.dev/net#hdr-Name_Resolution).
   
   Since the Solr Operator is built with `CGO_ENABLED=false`, we do not need `libc`, so we should be fine to base our image on `distroless/static`.
   
   Kubebuilder uses `distroless/static` by default, so we should be safe with DNS resolution and Certificates when communicating within Kubernetes.


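The two comments above describe a build flag (`CGO_ENABLED=0`) and a base-image choice (`distroless/static` instead of `distroless/base`) that only work together: a statically linked Go binary has no use for the glibc and OpenSSL that `distroless/base` carries, and those libraries are what the image scanner flags. The multi-stage Dockerfile below is an added illustration of that pairing; it is not the Solr Operator's own Dockerfile. The Go toolchain tag, the `/workspace` layout, the `main.go` entry point and the `manager` binary name are assumptions made for the example.

```dockerfile
# Added example, not the Solr Operator project's Dockerfile.
# Assumed: Go module at the build context root, entry point main.go,
# output binary named "manager". Adjust paths and versions to the project.
FROM golang:1.16 AS builder
WORKDIR /workspace

# Copy module files first so the dependency layer is cached between builds.
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# CGO_ENABLED=0 makes the Go linker produce a fully static binary: the net
# package falls back to its pure-Go resolver (reads /etc/resolv.conf and
# /etc/hosts, which Kubernetes injects into every pod) and crypto/tls uses
# the Go implementation, so no libc or OpenSSL is needed at runtime.
# -trimpath and -s -w drop build paths and symbol tables from the binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags="-s -w" -o manager main.go

# Weak choice: distroless/base adds glibc, libssl and openssl on top of
# static. A CGO_ENABLED=0 binary never loads them, but the scanner still
# reports every CVE filed against those packages.
# FROM gcr.io/distroless/base:debug-nonroot

# Hardened choice: distroless/static holds only ca-certificates, tzdata,
# /etc/passwd with a nonroot user and /tmp. Nothing in it links libc, so the
# attack surface (and the scan report) shrinks to the Go binary itself.
# Use the ":debug-nonroot" tag instead if a busybox shell is wanted for
# kubectl exec troubleshooting; the debug variant does not add libc.
FROM gcr.io/distroless/static:nonroot
WORKDIR /
COPY --from=builder /workspace/manager .

# Run as the unprivileged user the image already defines (uid/gid 65532).
USER 65532:65532
ENTRYPOINT ["/manager"]
```

Two quick checks confirm the binary really is static before trusting the image: `ldd manager` on the build host should answer `not a dynamic executable`, and with Go 1.18 or newer `go version -m manager` lists `build CGO_ENABLED=0` among the embedded build settings. If either check fails, some dependency pulled in cgo and the binary will crash on `distroless/static` at startup because the dynamic loader and libc are absent.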


[GitHub] [solr-operator] HoustonPutman closed issue #294: Use a more secure base-image for the Solr Operator docker image

Posted by GitBox <gi...@apache.org>.
HoustonPutman closed issue #294:
URL: https://github.com/apache/solr-operator/issues/294


   

