chore: switch promtails base image from debian to ubuntu #15195

Merged
merged 3 commits into from
Dec 2, 2024

@cstyan cstyan commented Dec 1, 2024

This PR changes promtail's base image from debian:12.8-slim to ubuntu:noble-20241015, noble being ubuntu's most recent LTS version. The current debian base image has a lot of security CVEs that won't be updated, while ubuntu updates packages much more regularly.

Just as a quick example, the result of a trivy scan on the promtail image with debian base gives Total: 79 (UNKNOWN: 0, LOW: 59, MEDIUM: 14, HIGH: 5, CRITICAL: 1) while the trivy scan for the promtail image with ubuntu base results in Total: 15 (UNKNOWN: 0, LOW: 7, MEDIUM: 8, HIGH: 0, CRITICAL: 0)

EDIT: Moved to draft until I've confirmed the new image can still grab systemd/journal logs

EDIT: Couldn't trace through the makefile/Dockerfile what needs to be set for the image to build with promtail and cgo locally, but given we publish images that can get logs from journal then the automation should be set up properly. If I enforce CGO_ENABLED=1 for the make promtail-image target locally, I can use that image to get logs via the journal scrape job.

I ran promtail in a docker container with a scrape config like this:

scrape_configs:
- job_name: journal
  journal:
    path: /var/log/journal
    max_age: 12h
    labels:
      job: systemd-journal

I also mounted my machine's /var/log/journal directory to the same path on the container, and set --network="host" so that:

clients:
  - url: http://127.0.0.1:3100/loki/api/v1/push

would be able to send to loki running locally on my machine.

Then once both promtail in docker and loki locally are running, I added loki as a datasource to my local grafana as well.

In my journalctl logs I see:

[screenshot: 2024-12-01_14-38]

and we can see the same in the logs that make it to loki

[screenshot: 2024-12-01_14-37]

from promtail
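
The before/after Trivy comparison in the description above can be made a repeatable check. The following is an added example, not part of this PR or the Loki repository: it diffs two `trivy image --format json` reports by severity and by vulnerability ID, and fails if the new base introduces a HIGH or CRITICAL finding. The report contents, package names and `CVE-0000-…` placeholders are constructed; only the field names `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName` and `Severity` come from Trivy's JSON output.

```python
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def findings(report_json):
    """Return {(vuln_id, package): severity} from one Trivy JSON report."""
    report = json.loads(report_json)
    found = {}
    # Both keys may be absent or null when a scan or target has no findings.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], vuln["PkgName"])
            found[key] = vuln.get("Severity", "UNKNOWN")
    return found

def summarize(found):
    """Severity tally in the order Trivy prints its Total line."""
    counts = Counter(found.values())
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}

def compare(old_json, new_json, blocking=("HIGH", "CRITICAL")):
    """Diff two scans; fail if the new base adds any blocking finding."""
    old, new = findings(old_json), findings(new_json)
    introduced = {k: s for k, s in new.items() if k not in old}
    return {
        "old": summarize(old),
        "new": summarize(new),
        "fixed": sorted(k for k in old if k not in new),
        "introduced": sorted(introduced),
        "passed": not any(s in blocking for s in introduced.values()),
    }

# Constructed sample reports (placeholder IDs, not real scan output).
OLD_REPORT = json.dumps({"Results": [{"Target": "old-base", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3", "Severity": "LOW"},
]}]})
NEW_REPORT = json.dumps({"Results": [
    {"Target": "new-base", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libexample4", "Severity": "MEDIUM"},
    ]},
    {"Target": "promtail binary", "Vulnerabilities": None},
]})

if __name__ == "__main__":
    print(json.dumps(compare(OLD_REPORT, NEW_REPORT), indent=2))
```

Comparing by ID rather than by totals alone shows whether a lower count comes from fixes or from a different set of findings, which the summary line cannot distinguish.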

@cstyan cstyan requested a review from a team as a code owner December 1, 2024 02:54
reduces CVEs

Signed-off-by: Callum Styan <callumstyan@gmail.com>
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan cstyan force-pushed the promtail-ubunutu-20241130 branch from 20541d2 to 336d9e9 Compare December 1, 2024 02:56
@pull-request-size pull-request-size bot added size/S and removed size/XS labels Dec 1, 2024
@cstyan cstyan changed the title switch promtails base image from debian to ubuntu chore: switch promtails base image from debian to ubuntu Dec 1, 2024
@cstyan cstyan marked this pull request as draft December 1, 2024 03:34
@cstyan cstyan marked this pull request as ready for review December 1, 2024 22:39
Signed-off-by: Callum Styan <callumstyan@gmail.com>
# Promtail requires debian as the base image to support systemd journal reading
FROM debian:12.8-slim
# Promtail requires debian or ubuntu as the base image to support systemd journal reading
FROM public.ecr.aws/ubuntu/ubuntu:noble
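Review bot: The new `FROM public.ecr.aws/ubuntu/ubuntu:noble` line uses a floating tag, so a rebuild can pick up a different package set than the one that was scanned. The removed line pinned a point release (`debian:12.8-slim`) and the description names a dated tag (`noble-20241015`); consider pinning a dated tag or an image digest here and bumping it deliberately, so scan results map to a known base. The updated comment could also state why the ECR-hosted image is used instead of the Docker Hub one, since that reason is otherwise only reachable through the linked issue.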
Contributor Author

as for why the image from ecr instead of the official ubuntu docker hub image, see grafana/agent#6612

@chaudum chaudum left a comment

👍

@cstyan cstyan merged commit 4d9c5bb into main Dec 2, 2024
58 checks passed
@cstyan cstyan deleted the promtail-ubunutu-20241130 branch December 2, 2024 18:39
loki-gh-app bot commented Dec 2, 2024

Hello @cstyan!
Backport pull requests need to be either:

  • Pull requests which address bugs,
  • Urgent fixes which need product approval, in order to get merged,
  • Docs changes.

Please, if the current pull request addresses a bug fix, label it with the type/bug label.
If it already has the product approval, please add the product-approved label. For docs changes, please add the type/docs label.
If the pull request modifies CI behaviour, please add the type/ci label.
If none of the above applies, please consider removing the backport label and target the next major/minor release.
Thanks!

loki-gh-app bot commented Dec 2, 2024

The backport to release-3.2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-15195-to-release-3.2.x origin/release-3.2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 4d9c5bb20aba82087d87836d88d2260f7dd913ac

When the conflicts are resolved, stage and commit the changes:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

# Push the branch to GitHub:
git push --set-upstream origin backport-15195-to-release-3.2.x
# Create the PR body template
PR_BODY=$(gh pr view 15195 --json body --template 'Backport 4d9c5bb20aba82087d87836d88d2260f7dd913ac from #15195{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title 'chore: switch promtails base image from debian to ubuntu (backport release-3.2.x)' --body-file - --label 'size/S' --label 'type/bug' --label 'backport' --base release-3.2.x --milestone release-3.2.x --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

# Push the branch to GitHub:
git push --set-upstream origin backport-15195-to-release-3.2.x

# Create a pull request where the `base` branch is `release-3.2.x` and the `compare`/`head` branch is `backport-15195-to-release-3.2.x`.

# Remove the local backport branch
git switch main
git branch -D backport-15195-to-release-3.2.x

loki-gh-app bot commented Dec 2, 2024

The backport to release-3.3.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-15195-to-release-3.3.x origin/release-3.3.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 4d9c5bb20aba82087d87836d88d2260f7dd913ac

When the conflicts are resolved, stage and commit the changes:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

# Push the branch to GitHub:
git push --set-upstream origin backport-15195-to-release-3.3.x
# Create the PR body template
PR_BODY=$(gh pr view 15195 --json body --template 'Backport 4d9c5bb20aba82087d87836d88d2260f7dd913ac from #15195{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title 'chore: switch promtails base image from debian to ubuntu (backport release-3.3.x)' --body-file - --label 'size/S' --label 'type/bug' --label 'backport' --base release-3.3.x --milestone release-3.3.x --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

# Push the branch to GitHub:
git push --set-upstream origin backport-15195-to-release-3.3.x

# Create a pull request where the `base` branch is `release-3.3.x` and the `compare`/`head` branch is `backport-15195-to-release-3.3.x`.

# Remove the local backport branch
git switch main
git branch -D backport-15195-to-release-3.3.x

loki-gh-app bot commented Dec 2, 2024

The backport to release-2.9.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-15195-to-release-2.9.x origin/release-2.9.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 4d9c5bb20aba82087d87836d88d2260f7dd913ac

When the conflicts are resolved, stage and commit the changes:

git add . && git cherry-pick --continue

If you have the GitHub CLI installed:

# Push the branch to GitHub:
git push --set-upstream origin backport-15195-to-release-2.9.x
# Create the PR body template
PR_BODY=$(gh pr view 15195 --json body --template 'Backport 4d9c5bb20aba82087d87836d88d2260f7dd913ac from #15195{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title 'chore: switch promtails base image from debian to ubuntu (backport release-2.9.x)' --body-file - --label 'size/S' --label 'type/bug' --label 'backport' --base release-2.9.x --milestone release-2.9.x --web

Or, if you don't have the GitHub CLI installed (we recommend you install it!):

# Push the branch to GitHub:
git push --set-upstream origin backport-15195-to-release-2.9.x

# Create a pull request where the `base` branch is `release-2.9.x` and the `compare`/`head` branch is `backport-15195-to-release-2.9.x`.

# Remove the local backport branch
git switch main
git branch -D backport-15195-to-release-2.9.x

cstyan added a commit that referenced this pull request Dec 2, 2024
Signed-off-by: Callum Styan <callumstyan@gmail.com>
(cherry picked from commit 4d9c5bb)
cstyan added a commit that referenced this pull request Dec 2, 2024
Signed-off-by: Callum Styan <callumstyan@gmail.com>
(cherry picked from commit 4d9c5bb)
cstyan added a commit that referenced this pull request Dec 2, 2024
Signed-off-by: Callum Styan <callumstyan@gmail.com>
(cherry picked from commit 4d9c5bb)
mzs114 commented Dec 19, 2024

Hi, the Debian image requires an apt-get update && apt-get upgrade -y setup, as this fetches the latest security patches, if any.
