From 73f368269793bd244a83bcd967dd01d8e3c37711 Mon Sep 17 00:00:00 2001
From: Callum Styan
Date: Sat, 30 Nov 2024 18:32:13 -0800
Subject: [PATCH 1/3] move promtail base image to latest ubuntu LTS version, significantly reduces CVEs
Signed-off-by: Callum Styan
---
 clients/cmd/promtail/Dockerfile | 4 ++--
 clients/cmd/promtail/Dockerfile.arm32 | 4 ++--
 clients/cmd/promtail/Dockerfile.cross | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/clients/cmd/promtail/Dockerfile b/clients/cmd/promtail/Dockerfile
index 1f1825f1a5563..9f4f8df75e3bf 100644
--- a/clients/cmd/promtail/Dockerfile
+++ b/clients/cmd/promtail/Dockerfile
@@ -6,8 +6,8 @@ WORKDIR /src/loki
 RUN apt-get update && apt-get install -qy libsystemd-dev
 RUN make clean && make BUILD_IN_CONTAINER=false PROMTAIL_JOURNAL_ENABLED=true promtail

-# Promtail requires debian as the base image to support systemd journal reading
-FROM debian:12.8-slim
+# Promtail requires debian or ubuntu as the base image to support systemd journal reading
+FROM ubuntu:noble-20241015
 # tzdata required for the timestamp stage to work
 RUN apt-get update && \
 apt-get install -qy tzdata ca-certificates libsystemd-dev && \
diff --git a/clients/cmd/promtail/Dockerfile.arm32 b/clients/cmd/promtail/Dockerfile.arm32
index c5d2127d4d54c..3c013577b4e56 100644
--- a/clients/cmd/promtail/Dockerfile.arm32
+++ b/clients/cmd/promtail/Dockerfile.arm32
@@ -5,8 +5,8 @@ WORKDIR /src/loki
 RUN apt-get update && apt-get install -qy libsystemd-dev
 RUN make clean && make BUILD_IN_CONTAINER=false PROMTAIL_JOURNAL_ENABLED=true promtail

-# Promtail requires debian as the base image to support systemd journal reading
-FROM debian:12.8-slim
+# Promtail requires debian or ubuntu as the base image to support systemd journal reading
+FROM ubuntu:noble-20241015
 # tzdata required for the timestamp stage to work
 RUN apt-get update && \
 apt-get install -qy tzdata ca-certificates wget libsystemd-dev && \
diff --git a/clients/cmd/promtail/Dockerfile.cross b/clients/cmd/promtail/Dockerfile.cross
index 206bdd665d2e6..990b19c95321e 100644
--- a/clients/cmd/promtail/Dockerfile.cross
+++ b/clients/cmd/promtail/Dockerfile.cross
@@ -13,8 +13,8 @@ COPY . /src/loki
 WORKDIR /src/loki
 RUN make clean && GOARCH=$(cat /goarch) GOARM=$(cat /goarm) make BUILD_IN_CONTAINER=false PROMTAIL_JOURNAL_ENABLED=true promtail

-# Promtail requires debian as the base image to support systemd journal reading
-FROM debian:12.8-slim
+# Promtail requires debian or ubuntu as the base image to support systemd journal reading
+FROM ubuntu:noble-20241015
 # tzdata required for the timestamp stage to work
 RUN apt-get update && \
 apt-get install -qy tzdata ca-certificates wget libsystemd-dev && \
From 336d9e9efcfe48f4972a8af7421b65d152c839b3 Mon Sep 17 00:00:00 2001
From: Callum Styan
Date: Sat, 30 Nov 2024 18:43:48 -0800
Subject: [PATCH 2/3] test promtail image with the snyk make target
Signed-off-by: Callum Styan
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index a9977fbbb102f..2c21110493827 100644
--- a/Makefile
+++ b/Makefile
@@ -865,6 +865,7 @@ trivy: loki-image build-image
 snyk: loki-image build-image
 snyk container test $(IMAGE_PREFIX)/loki:$(IMAGE_TAG) --file=cmd/loki/Dockerfile
 snyk container test $(IMAGE_PREFIX)/loki-build-image:$(IMAGE_TAG) --file=loki-build-image/Dockerfile
+ snyk container test $(IMAGE_PREFIX)/promtail:$(IMAGE_TAG) --file=clients/cmd/promtail/Dockerfile
 snyk code test

 .PHONY: scan-vulnerabilities
From 87aa5cff1b905f09f2d279fbc71bef9e07047a75 Mon Sep 17 00:00:00 2001
From: Callum Styan
Date: Sun, 1 Dec 2024 14:47:13 -0800
Subject: [PATCH 3/3] use ecr ubuntu image
Signed-off-by: Callum Styan
---
 clients/cmd/promtail/Dockerfile | 9 +++++----
 clients/cmd/promtail/Dockerfile.arm32 | 2 +-
 clients/cmd/promtail/Dockerfile.cross | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)
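Review bot: The added `snyk container test $(IMAGE_PREFIX)/promtail:$(IMAGE_TAG)` line scans an image that the `snyk` target does not build, since the prerequisites on the context line are still `loki-image build-image`. On a clean checkout the scan would fail or test whatever `promtail:$(IMAGE_TAG)` is already available, rather than the image built from the Dockerfile changed in this series. Adding the target that builds the promtail image to the prerequisites (its name is not visible in this hunk) would close that gap. Only `clients/cmd/promtail/Dockerfile` is scanned, so `Dockerfile.arm32` and `Dockerfile.cross`, which additionally install `wget`, are not covered. The `trivy` target named in the hunk header may want the same addition; its recipe is outside the hunk.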
diff --git a/clients/cmd/promtail/Dockerfile b/clients/cmd/promtail/Dockerfile
index 9f4f8df75e3bf..3738e16569cf3 100644
--- a/clients/cmd/promtail/Dockerfile
+++ b/clients/cmd/promtail/Dockerfile
@@ -7,11 +7,12 @@ RUN apt-get update && apt-get install -qy libsystemd-dev
 RUN make clean && make BUILD_IN_CONTAINER=false PROMTAIL_JOURNAL_ENABLED=true promtail

 # Promtail requires debian or ubuntu as the base image to support systemd journal reading
-FROM ubuntu:noble-20241015
+FROM public.ecr.aws/ubuntu/ubuntu:noble
 # tzdata required for the timestamp stage to work
-RUN apt-get update && \
- apt-get install -qy tzdata ca-certificates libsystemd-dev && \
- rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Install dependencies needed at runtime.
+RUN apt-get update \
+ && apt-get install -qy libsystemd-dev tzdata ca-certificates \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 COPY --from=build /src/loki/clients/cmd/promtail/promtail /usr/bin/promtail
 COPY clients/cmd/promtail/promtail-docker-config.yaml /etc/promtail/config.yml
 ENTRYPOINT ["/usr/bin/promtail"]
diff --git a/clients/cmd/promtail/Dockerfile.arm32 b/clients/cmd/promtail/Dockerfile.arm32
index 3c013577b4e56..308cb53f648ee 100644
--- a/clients/cmd/promtail/Dockerfile.arm32
+++ b/clients/cmd/promtail/Dockerfile.arm32
@@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -qy libsystemd-dev
 RUN make clean && make BUILD_IN_CONTAINER=false PROMTAIL_JOURNAL_ENABLED=true promtail

 # Promtail requires debian or ubuntu as the base image to support systemd journal reading
-FROM ubuntu:noble-20241015
+FROM public.ecr.aws/ubuntu/ubuntu:noble
 # tzdata required for the timestamp stage to work
 RUN apt-get update && \
 apt-get install -qy tzdata ca-certificates wget libsystemd-dev && \
diff --git a/clients/cmd/promtail/Dockerfile.cross b/clients/cmd/promtail/Dockerfile.cross
index 990b19c95321e..73a7dac649b60 100644
--- a/clients/cmd/promtail/Dockerfile.cross
+++ b/clients/cmd/promtail/Dockerfile.cross
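Review bot: The new `FROM public.ecr.aws/ubuntu/ubuntu:noble` line in the `clients/cmd/promtail/Dockerfile` hunk swaps the dated tag `noble-20241015` for a floating one, so the runtime base can change between builds with no change in this repository, and a scan result from one build says little about the next. Pinning by digest keeps the move to the ECR mirror while making the base reproducible and reviewable, e.g. `FROM public.ecr.aws/ubuntu/ubuntu:noble@sha256:<digest-of-the-reviewed-image>` (placeholder; take the value from the registry). The same line is added in the `Dockerfile.arm32` and `Dockerfile.cross` hunks of this commit. The rewritten `RUN` also installs with recommended packages enabled; `apt-get install -qy --no-install-recommends libsystemd-dev tzdata ca-certificates` would keep the runtime package set smaller. The build stage starts above the hunk.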
@@ -14,7 +14,7 @@ WORKDIR /src/loki
 RUN make clean && GOARCH=$(cat /goarch) GOARM=$(cat /goarm) make BUILD_IN_CONTAINER=false PROMTAIL_JOURNAL_ENABLED=true promtail

 # Promtail requires debian or ubuntu as the base image to support systemd journal reading
-FROM ubuntu:noble-20241015
+FROM public.ecr.aws/ubuntu/ubuntu:noble
 # tzdata required for the timestamp stage to work
 RUN apt-get update && \
 apt-get install -qy tzdata ca-certificates wget libsystemd-dev && \