chore!: Remove wget from Promtail docker image
#15101
Merged
+1
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The package has been added to the Docker image with PR #11711 with the intention to support the Docker healthcheck. However, to reduce the attack surface of our Docker images, we want to keep them as slim as possible. The current version of Promtail (3.3.0) for example contains a wget version with vulnerability [CVE-2024-38428](https://security-tracker.debian.org/tracker/CVE-2024-38428). The healthcheck can be achieved by other means, e.g. 1. Extend the `grafana/promtail` base image and add `wget` using `apt install wget` #11590 (comment) 2. Use low-level `/dev/tcp/127.0.0.1:9080` to establish a connection and check the exit code #11590 (comment) Signed-off-by: Christian Haudum <[email protected]>
8 tasks
cstyan
approved these changes
Nov 26, 2024
There was a problem hiding this comment.
LGTM 👍
I'd already pointed out the likelihood of our images being modified to pair down dependencies for security reasons in the original issue that asked for the addition of wget to the promtail image #11590 (comment)
|
I'm in favor of this PR, but think we should update the healthchecks in this file before merging. (Not strictly needed for this PR, but would show consistency) |
The
|
|
This PR must be merged before a backport PR will be created. |
2 similar comments
|
This PR must be merged before a backport PR will be created. |
|
This PR must be merged before a backport PR will be created. |
loki-gh-app bot
pushed a commit
that referenced
this pull request
Nov 27, 2024
The package has been added to the Docker image with PR #11711 with the intention to support the Docker healthcheck. However, to reduce the attack surface of our Docker images, we want to keep them as slim as possible. The current version of Promtail (3.3.0) for example contains a wget version with vulnerability [CVE-2024-38428](https://security-tracker.debian.org/tracker/CVE-2024-38428). The healthcheck can be achieved by other means, e.g. 1. Extend the `grafana/promtail` base image and add `wget` using `apt install wget` #11590 (comment) 3. Use low-level `/dev/tcp/127.0.0.1:9080` to establish a connection and check the exit code #11590 (comment) Original discussion about adding wget #11590 This may break someone's Docker compose installation, when they require on the `wget` powered health check. Signed-off-by: Christian Haudum <[email protected]> (cherry picked from commit 2eea546)
6 tasks
loki-gh-app bot
pushed a commit
that referenced
this pull request
Nov 27, 2024
The package has been added to the Docker image with PR #11711 with the intention to support the Docker healthcheck. However, to reduce the attack surface of our Docker images, we want to keep them as slim as possible. The current version of Promtail (3.3.0) for example contains a wget version with vulnerability [CVE-2024-38428](https://security-tracker.debian.org/tracker/CVE-2024-38428). The healthcheck can be achieved by other means, e.g. 1. Extend the `grafana/promtail` base image and add `wget` using `apt install wget` #11590 (comment) 3. Use low-level `/dev/tcp/127.0.0.1:9080` to establish a connection and check the exit code #11590 (comment) Original discussion about adding wget #11590 This may break someone's Docker compose installation, when they require on the `wget` powered health check. Signed-off-by: Christian Haudum <[email protected]> (cherry picked from commit 2eea546)
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
The package has been added to the Docker image with PR #11711 with the intention to support the Docker healthcheck.
However, to reduce the attack surface of our Docker images, we want to keep them as slim as possible. The current version of Promtail (3.3.0) for example contains a wget version with vulnerability CVE-2024-38428.
The healthcheck can be achieved by other means, e.g.
grafana/promtailbase image and addwgetusingapt install wgetAdd wget to promtail Docker image #11590 (comment)
/dev/tcp/127.0.0.1:9080to establish a connection and check the exit codeAdd wget to promtail Docker image #11590 (comment)
Special notes for your reviewer:
Original discussion about adding wget #11590
This may break someone's Docker compose installation, when they require on the
wgetpowered health check.Checklist
CONTRIBUTING.mdguide (required)featPRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.docs/sources/setup/upgrade/_index.mddeprecated-config.yamlanddeleted-config.yamlfiles respectively in thetools/deprecated-config-checkerdirectory. Example PR