Posted to users@solr.apache.org by Andy Lester <an...@petdance.com> on 2021/12/16 14:35:44 UTC
Log4j remediation in the Docker image
> On Dec 16, 2021, at 8:26 AM, Carlos Cueto <cc...@gmail.com> wrote:
>
> Any idea when it will be available on Docker Hub? 8.11.1 tag is still not
> added.
I don’t know, but yesterday I went and changed my build process for our Docker image of Solr to delete the JNDI classes from the jar files as a stopgap until a proper 8.11.1 came out. See https://logging.apache.org/log4j/2.x/security.html for details.
This is how I did it.
To be able to delete the class files, one must use zip, so I had to install that in the container. To install zip in the container, I had to make a fake UserAgent file for apt-get to not get refused by the mirrors.
Here is my Dockerfile:
FROM solr:8.11.0

# https://hub.docker.com/_/solr/
# https://github.com/docker-solr/docker-solr#extending-the-image
# https://solr.apache.org/docs/8_11_0/changes/Changes.html

# The SOLR_xxxx vars override defaults. See /etc/default/solr.in.sh in the container for more.
ENV \
    TZ=America/Chicago \
    SOLR_TIMEZONE=America/Chicago \
    SOLR_HEAP=20g

USER root

RUN \
    echo 'Installing additional packages' \
    && echo 'Create new agent to get around apt-get bugs per https://lists.debian.org/debian-user/2019/10/msg00629.html' \
    && echo 'Acquire' > /etc/apt/apt.conf.d/99useragent \
    && echo '{' >> /etc/apt/apt.conf.d/99useragent \
    && echo ' http::User-Agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0";' >> /etc/apt/apt.conf.d/99useragent \
    && echo '};' >> /etc/apt/apt.conf.d/99useragent \
    && echo 'Done populating user agent' \
    && echo 'Installing zip' \
    && apt-get update \
    && apt-get install -y zip \
    && rm -rf /var/lib/apt/lists/* \
    && apt-get clean all \
    && echo 'Done installing additional packages' \
    && echo 'Delete JNDI from the log4j files in both Solr and the exporter' \
    && zip -q -d /opt/solr-8.11.0/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
    && zip -q -d /opt/solr-8.11.0/server/lib/ext/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
    && echo 'Deleted JNDI from jars'

USER solr
I hope this helps someone.
Andy
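
A check for the stopgap described in the message above, as an added example that is not part of the original post: it walks a directory tree and lists every jar that still contains JndiLookup.class. It goes beyond the two jars named in the Dockerfile by also looking inside jars bundled within other jars. The function names and the sample tree are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_has_jndi(data, depth=0):
    """True if these jar bytes, or a jar nested inside them, hold JndiLookup.class."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for name in jar.namelist():
                if name.endswith(JNDI_CLASS):
                    return True
                # Fat jars bundle other jars; recurse a bounded number of levels.
                if (depth < 3 and name.endswith(".jar")
                        and jar_has_jndi(jar.read(name), depth + 1)):
                    return True
    except zipfile.BadZipFile:
        pass  # not a readable archive, so nothing to report
    return False

def find_unpatched(root):
    """Sorted relative paths of jars under root that still ship the class."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.jar")
                  if p.is_file() and jar_has_jndi(p.read_bytes()))

def make_jar(entries):
    """Build jar bytes from {entry name: bytes}; only used for the sample tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

def demo():
    """Constructed sample tree: a patched jar, an unpatched jar, and a fat jar."""
    vuln = make_jar({JNDI_CLASS: b"x", "a/B.class": b"x"})
    samples = {"patched/log4j-core.jar": make_jar({"a/B.class": b"x"}),
               "unpatched/log4j-core.jar": vuln,
               "fat/app.jar": make_jar({"BOOT-INF/lib/log4j-core.jar": vuln})}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_unpatched(root)
```

Call `find_unpatched` on an unpacked copy of the image's Solr directory (assumption: Python 3 is available wherever the check runs); an empty list means no scanned jar still carries the class.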