Log4j cleanup on Blazegraph and FITS #332
Conversation
Clean out ancient log4j and replace with patched version
noahwsmith
changed the title
|
Updated to include cleanup on FITS and Solr as well as Blazegraph. @misilot has offered to test. |
|
The built test images are available as: |
noahwsmith
changed the title
|
Backing out of Solr - not necessary https://github.com/apache/solr-docker/blob/main/9.5/Dockerfile |
|
@noahwsmith it looks like it might be still be part of a couple of layers :( Path : /var/lib/docker/overlay2/bfee10e74d13452ab0bb6c93123be38cea006ec7d705911b6db71d53c4e339c1/diff/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar Path : /var/lib/docker/overlay2/e9f42b9942914e758fa4c1e32cd87794de5c3274a1e70a56a5f901d742747176/diff/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar |
blazegraph/Dockerfile
Outdated
| --sha256 "${LOG4J_FILE_SHA256}" \ | ||
| && \ | ||
| ## Remove the outmoded log4j-* files that come with blazegraph | ||
| rm -f "/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar" && \ |
There was a problem hiding this comment.
This line specifically removes /opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar
There was a problem hiding this comment.
@misilot The way this PR works is simply that we scrub that out after it is initially brought in by the Blazegraph install. So it's not surprising to me that the file is in an earlier layer but it is not in the final image.
There was a problem hiding this comment.
I think Line 11/16 is adding it. The two RUN commands I think need to be combined, so there isn't a layer where the log4j*.jar exists.
There was a problem hiding this comment.
Good idea - I'll try that...
There was a problem hiding this comment.
Ok, building now. I brought the RM back up to the first RUN...
|
Thanks @noahwsmith this PR seems to work great, and we are no longer getting the log4j hits on our scans. |
|
@joecorall How do you feel about this? Any objections to merging? |
Clean out ancient log4j and replace with patched version.