Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore!: Remove wget from Promtail docker image (backport release-3.3.x) #15146

Merged
merged 1 commit into from
Nov 27, 2024

Conversation

loki-gh-app[bot]
Copy link
Contributor

@loki-gh-app loki-gh-app bot commented Nov 27, 2024

Backport 2eea546 from #15101


What this PR does / why we need it:

The package has been added to the Docker image with PR #11711 with the intention to support the Docker healthcheck.

However, to reduce the attack surface of our Docker images, we want to keep them as slim as possible. The current version of Promtail (3.3.0) for example contains a wget version with vulnerability CVE-2024-38428.

The healthcheck can be achieved by other means, e.g.

  1. Extend the grafana/promtail base image and add wget using apt install wget
    Add wget to promtail Docker image #11590 (comment)
  2. Use low-level /dev/tcp/127.0.0.1:9080 to establish a connection and check the exit code
    Add wget to promtail Docker image #11590 (comment)

Special notes for your reviewer:

Original discussion about adding wget #11590

This may break someone's Docker compose installation, when they require on the wget powered health check.

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR

The package has been added to the Docker image with PR #11711 with the intention to support the Docker healthcheck.

However, to reduce the attack surface of our Docker images, we want to keep them as slim as possible. The current version of Promtail (3.3.0) for example contains a wget version with vulnerability [CVE-2024-38428](https://security-tracker.debian.org/tracker/CVE-2024-38428).

The healthcheck can be achieved by other means, e.g.

1. Extend the `grafana/promtail` base image and add `wget` using `apt install wget`
   #11590 (comment)
3. Use low-level `/dev/tcp/127.0.0.1:9080` to establish a connection and check the exit code
   #11590 (comment)

Original discussion about adding wget #11590
This may break someone's Docker compose installation, when they require on the `wget` powered health check.

Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
(cherry picked from commit 2eea546)
@chaudum chaudum merged commit 0f5a994 into release-3.3.x Nov 27, 2024
65 checks passed
@chaudum chaudum deleted the backport-15101-to-release-3.3.x branch November 27, 2024 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant