update(security): Ubuntu to alpine, update go pkgs (kahing#6)
* update(security): Ubuntu to alpine, update go pkgs

The Ubuntu image had some vulnerabilities and the easiest way to fix them was to switch to Alpine. This results in a smaller image with a smaller attack surface. Since this is a small image with a single application it makes sense to use a small base.

I've also updated some of the go packages, see the diff.

* update(Dockerfile): add bash

* update(Dockerfile): add missing packages

* update(Dockerfile): modify symlink

* add apk upgrade to fix alpine cves

Some new CVEs have popped up but adding apk update && apk upgrade to the Dockerfile ensures we are using the latest and most secure packages.

goofys (alpine 3.20.2)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-6119 │ MEDIUM   │ fixed  │ 3.3.1-r3          │ 3.3.2-r0      │ Issue summary: Applications performing certificate name │
│            │               │          │        │                   │               │ checks (e.g., ...                                       │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6119               │
├────────────┤               │          │        │                   │               │                                                         │
│ libssl3    │               │          │        │                   │               │                                                         │
│            │               │          │        │                   │               │                                                         │
│            │               │          │        │                   │               │                                                         │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

* update(Dockerfile): pin alpine image version to 3.20.3

I've also reverted the script to use bash instead of sh since we installed bash for compatibility reasons.

I've reverted the golang builder containers to use version 1.20.7 since we don't want to introduce new unknown issues.

---------

Co-authored-by: Bryan Paget <bryan.paget@statcan.gc.ca>
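The scan output quoted above is Trivy's table view; in CI the same data is usually consumed as JSON and turned into a pass/fail decision. The following severity gate is an added example written for this page, not code from the goofys repository or from Trivy. It assumes Trivy's JSON report fields (Results, Target, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title) and runs on a constructed report that mirrors the two libcrypto3/libssl3 findings shown above plus one placeholder finding with no fix available, so the "fixable only" rule (block only on what an apk upgrade can actually remove) is exercised.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Report mirrors the subset of Trivy's JSON output (trivy image -f json ...)
// that a severity gate needs. Field names match Trivy's schema.
type Report struct {
	Results []Result `json:"Results"`
}

type Result struct {
	Target          string          `json:"Target"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

type Vulnerability struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
	Title            string `json:"Title"`
}

// Finding is one row of the gate's decision, flattened with its scan target.
type Finding struct {
	Target, ID, Pkg, Installed, Fixed, Severity string
}

// severityRank orders Trivy's severity labels. An unrecognised label maps to
// 0 (UNKNOWN) so a malformed report never silently passes the gate at a high
// threshold, but is still listed in the advisory output.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Gate splits a report into findings that should fail the build (blocking)
// and findings that are only reported (advisory). A finding blocks when its
// severity is at or above threshold and, if fixableOnly is set, a FixedVersion
// exists, i.e. an apk upgrade or dependency bump can actually remove it.
func Gate(reportJSON []byte, threshold string, fixableOnly bool) (blocking, advisory []Finding, err error) {
	var r Report
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, nil, fmt.Errorf("parse trivy report: %w", err)
	}
	minRank, ok := severityRank[strings.ToUpper(threshold)]
	if !ok {
		return nil, nil, fmt.Errorf("unknown severity threshold %q", threshold)
	}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			f := Finding{Target: res.Target, ID: v.VulnerabilityID, Pkg: v.PkgName,
				Installed: v.InstalledVersion, Fixed: v.FixedVersion, Severity: strings.ToUpper(v.Severity)}
			rank := severityRank[f.Severity] // missing key yields 0 == UNKNOWN
			if rank >= minRank && (!fixableOnly || f.Fixed != "") {
				blocking = append(blocking, f)
			} else {
				advisory = append(advisory, f)
			}
		}
	}
	return blocking, advisory, nil
}

// SampleReport is a constructed input for this example: the two real findings
// from the scan on this page, plus a placeholder package/ID (not a real CVE)
// with no fixed version to show the fixableOnly rule.
const SampleReport = `{
  "Results": [{
    "Target": "goofys (alpine 3.20.2)",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2024-6119", "PkgName": "libcrypto3", "InstalledVersion": "3.3.1-r3", "FixedVersion": "3.3.2-r0", "Severity": "MEDIUM", "Title": "Issue summary: Applications performing certificate name checks (e.g., ..."},
      {"VulnerabilityID": "CVE-2024-6119", "PkgName": "libssl3", "InstalledVersion": "3.3.1-r3", "FixedVersion": "3.3.2-r0", "Severity": "MEDIUM", "Title": "Issue summary: Applications performing certificate name checks (e.g., ..."},
      {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg", "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "MEDIUM", "Title": "constructed placeholder finding with no fix available"}
    ]
  }]
}`

func main() {
	blocking, advisory, err := Gate([]byte(SampleReport), "MEDIUM", true)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, f := range blocking {
		fmt.Printf("BLOCK  %-8s %-14s %-12s %s -> %s\n", f.Severity, f.ID, f.Pkg, f.Installed, f.Fixed)
	}
	for _, f := range advisory {
		fmt.Printf("REPORT %-8s %-14s %-12s %s (no fix or below threshold)\n", f.Severity, f.ID, f.Pkg, f.Installed)
	}
	if len(blocking) > 0 {
		fmt.Printf("%d blocking finding(s): rebuild with apk upgrade before shipping\n", len(blocking))
		os.Exit(1)
	}
}
```

Pipe a real report in with `trivy image -f json <image>` and feed the bytes to Gate; with the constructed report the two MEDIUM findings block at a MEDIUM threshold, the placeholder is reported only, and at a HIGH threshold nothing blocks.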
2 people authored and voyvodov committed Sep 18, 2024
1 parent 2db4141 commit 0cd401d
Showing 3 changed files with 1,350 additions and 69 deletions.
36 changes: 24 additions & 12 deletions Dockerfile
@@ -1,29 +1,40 @@
FROM golang:1.20.7 as fusermount3-proxy-builder
FROM golang:1.20.7-alpine AS fusermount3-proxy-builder

# Install required build dependencies
RUN apk update && apk upgrade && apk --no-cache add make gcc g++ libc-dev fuse-dev

WORKDIR /meta-fuse-csi-plugin
ADD ./meta-fuse-csi-plugin .
# Builds the meta-fuse-csi-plugin app
# Build the fusermount3-proxy
RUN make fusermount3-proxy BINDIR=/bin

FROM golang:1.20.7 as goofys-builder
FROM golang:1.20.7-alpine AS goofys-builder

# Install required build dependencies
RUN apk update && apk upgrade && apk --no-cache add git make gcc g++ libc-dev fuse-dev

WORKDIR /goofys
ADD . .
# Builds the goofys app
# Build the goofys app
RUN make build

FROM ubuntu:22.04
# 3.20.3 is the latest as of this commit (September 09 2024)
FROM alpine:3.20.3

RUN apt update && apt upgrade -y
RUN apt install -y ca-certificates wget libfuse2 fuse3
# Install necessary runtime dependencies
RUN apk update && apk upgrade && apk --no-cache add ca-certificates bash wget

# prepare for MinIO
RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /usr/bin/mc && chmod +x /usr/bin/mc
# Download MinIO client (mc)
RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /usr/bin/mc && \
chmod +x /usr/bin/mc && \
apk del wget && rm -rf /var/cache/apk/*

# Copy the test file
COPY <<EOF /test.txt
This is a test file for minio
EOF

# Copy and configure MinIO
COPY <<EOF /configure_minio.sh
#!/bin/bash
set -eux
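Review bot: the mc download (RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /usr/bin/mc) still fetches an unpinned latest build with no checksum or signature check, so pinning the base to alpine:3.20.3 gains little while an arbitrary binary is pulled into /usr/bin at build time; pin a specific mc release and compare its SHA-256 against a value committed in the repository before the chmod +x. A second point: the Ubuntu stage installed libfuse2 fuse3 but the Alpine runtime stage installs only ca-certificates bash wget, while both builder stages add gcc and fuse-dev; confirm with ldd on the produced goofys binary that it does not dynamically link libfuse, or add the matching fuse runtime package to this apk add line.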
@@ -33,8 +44,9 @@ set -eux
EOF
RUN chmod +x /configure_minio.sh

#Get goofys build from first step
# Get goofys build from the build stage
COPY --from=goofys-builder /goofys/goofys .

COPY --from=fusermount3-proxy-builder /bin/fusermount3-proxy /bin/fusermount3
RUN ln -sf /bin/fusermount3 /bin/fusermount
# Get fusermount3-proxy from the build stage and set up symlink
COPY --from=fusermount3-proxy-builder /bin/fusermount3-proxy /usr/bin/fusermount3
RUN ln -sf /usr/bin/fusermount3 /bin/fusermount
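Review bot: COPY --from=goofys-builder /goofys/goofys . depends on the final stage having no WORKDIR, so goofys lands in / while the fusermount3 proxy now goes to /usr/bin; give goofys an explicit destination on PATH (for example COPY --from=goofys-builder /goofys/goofys /usr/bin/goofys) so the layout is deliberate rather than a side effect. Also, the proxy moved from /bin/fusermount3 to /usr/bin/fusermount3 but the compatibility symlink is still created at /bin/fusermount; unless /bin and /usr/bin are merged on this image, anything that invoked fusermount3 by its old /bin path will no longer find it, so check configure_minio.sh and the goofys fuse library resolve fusermount only via PATH.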
16 changes: 9 additions & 7 deletions go.mod
@@ -3,7 +3,7 @@ module github.com/StatCan/goofys
go 1.14

require (
cloud.google.com/go/storage v1.14.0
cloud.google.com/go/storage v1.30.1
github.com/Azure/azure-pipeline-go v0.2.3
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible
github.com/Azure/azure-storage-blob-go v0.14.0
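Review bot: the go directive stays at go 1.14 (context line above) while the builders are golang:1.20.7-alpine and the bumped modules such as cloud.google.com/go/storage v1.30.1 target much newer toolchains; raise it to at least go 1.17 so the module graph is pruned and the // indirect requirements elsewhere in this file are honoured by go mod tidy, then re-run go mod tidy and go build ./... to confirm nothing else moves.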
@@ -17,21 +17,23 @@ require (
github.com/aws/aws-sdk-go v1.44.37
github.com/go-ole/go-ole v1.2.5 // indirect
github.com/gofrs/uuid v4.2.0+incompatible
github.com/google/uuid v1.2.0
github.com/google/uuid v1.3.0
github.com/gopherjs/gopherjs v0.0.0-20210413103415-7d3cbed7d026 // indirect
github.com/jacobsa/fuse v0.0.0-20221016084658-a4cd154343d8
github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
github.com/mitchellh/go-homedir v1.1.0
github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b
github.com/sevlyar/go-daemon v0.1.5
github.com/shirou/gopsutil v0.0.0-20190731134726-d80c43f9c984
github.com/sirupsen/logrus v1.4.3-0.20190807103436-de736cf91b92
github.com/smartystreets/assertions v1.2.0 // indirect
github.com/urfave/cli v1.21.1-0.20190807111034-521735b7608a
golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
golang.org/x/sys v0.2.0
google.golang.org/api v0.43.0
golang.org/x/net v0.23.0 // indirect
golang.org/x/oauth2 v0.10.0
golang.org/x/sync v0.3.0
golang.org/x/sys v0.18.0
google.golang.org/api v0.126.0
google.golang.org/grpc v1.58.3 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
gopkg.in/ini.v1 v1.51.0
)
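Review bot: the new golang.org/x/net v0.23.0, google.golang.org/grpc v1.58.3 and google.golang.org/protobuf v1.33.0 entries are all // indirect, so they only raise minimum versions, and nothing in the hunk records which advisories motivated them; the direct dependencies that carry most of the I/O (github.com/aws/aws-sdk-go v1.44.37, github.com/jacobsa/fuse, github.com/Azure/azure-sdk-for-go v61.4.0+incompatible) are untouched. Add the motivating advisory IDs or a govulncheck ./... result to the commit so a later reviewer can separate the security bumps from incidental ones, and confirm the go.sum (counted in the 3 changed files but not shown here) was regenerated with go mod tidy.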
