switch worker & server to libc

Makefile

@@ -103,11 +103,11 @@ file-server:
 	docker build -t $(IMAGE_REPOSITORY)/deepfence_file_server_ce:$(DF_IMG_TAG) $(DEEPFENCE_FILE_SERVER_DIR)
 
 .PHONY: server
-server: alpine_builder
+server: debian_builder
 	(cd ./deepfence_server && VERSION=$(VERSION) make image)
 
 .PHONY: worker
-worker: alpine_builder agent-binary-tar
+worker: debian_builder agent-binary-tar
 	(cd ./deepfence_worker && VERSION=$(VERSION) AGENT_BINARY_DIST_RELATIVE=$(AGENT_BINARY_DIST_RELATIVE) make image)
 
 .PHONY: jaeger

deepfence_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM debian:12-slim
 MAINTAINER Deepfence Inc
 LABEL deepfence.role=system
 
@@ -9,7 +9,20 @@ ADD deepfence_server/auth /auth
 ADD deepfence_server/cloud_controls /cloud_controls
 COPY deepfence_server/entrypoint.sh /entrypoint.sh
 
-RUN apk add --no-cache --update bash curl libpcap tar kafkacat postgresql15-client
+RUN apt update && \
+    apt install -y \
+    bash \
+    curl \
+    wget \
+    netcat-traditional \
+    libpcap-dev \
+    tar \
+    kafkacat \
+    postgresql-client && \
+    apt clean && \
+    apt autoclean && \
+    apt auto-remove -y && \
+    rm -rf /var/lib/{apt,dpkg,cache,log}/
 
 RUN chmod +x /entrypoint.sh
 

deepfence_server/Makefile

@@ -7,7 +7,7 @@ all: deepfence_server
 local: deepfence_server
 
 image:
-	docker run --rm -i -e VERSION=${VERSION} -e GIT_COMMIT=${GIT_COMMIT} -e BUILD_TIME=${BUILD_TIME} -v $(ROOT_MAKEFILE_DIR):/src:rw -v /tmp/go:/go:rw $(IMAGE_REPOSITORY)/deepfence_builder_ce:$(DF_IMG_TAG) bash -c 'cd /src/deepfence_server && make deepfence_server'
+	docker run --rm -i -e VERSION=${VERSION} -e GIT_COMMIT=${GIT_COMMIT} -e BUILD_TIME=${BUILD_TIME} -v $(ROOT_MAKEFILE_DIR):/src:rw -v /tmp/go:/go:rw $(IMAGE_REPOSITORY)/deepfence_glibc_builder_ce:$(DF_IMG_TAG) bash -c 'cd /src/deepfence_server && make deepfence_server'
 	docker build -f ./Dockerfile -t $(IMAGE_REPOSITORY)/deepfence_server_ce:$(DF_IMG_TAG) ..
 
 vendor: go.mod $(shell find ../deepfence_utils -path ../deepfence_utils/vendor -prune -o -name '*.go')

deepfence_worker/Dockerfile

@@ -4,9 +4,9 @@ ARG IMAGE_REPOSITORY=deepfenceio
 FROM $IMAGE_REPOSITORY/deepfence_package_scanner_ce:$DF_IMG_TAG AS packagescanner
 FROM $IMAGE_REPOSITORY/deepfence_secret_scanner_ce:$DF_IMG_TAG AS secretscanner
 FROM $IMAGE_REPOSITORY/deepfence_malware_scanner_ce:$DF_IMG_TAG AS yarahunter
-FROM $IMAGE_REPOSITORY/deepfence_builder_ce:$DF_IMG_TAG AS builder-yara
+FROM $IMAGE_REPOSITORY/deepfence_glibc_builder_ce:$DF_IMG_TAG AS builder-yara
 
-FROM alpine:3.18 AS final
+FROM debian:12-slim AS final
 
 ARG AGENT_BINARY_DIST_RELATIVE
 
@@ -15,9 +15,36 @@ LABEL deepfence.role=system
 
 ADD deepfence_utils/postgresql/migrate /usr/local/postgresql-migrate
 
-RUN apk add --no-cache curl kafkacat docker-cli openrc bash skopeo jansson-dev \
-        libmagic libstdc++ libx11 libxrender libxext libssl1.1 ca-certificates \
-        fontconfig freetype ttf-droid ttf-freefont ttf-liberation postgresql15-client
+RUN apt-get update && apt install -y curl && \
+    mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
+    chmod a+r /etc/apt/keyrings/docker.asc && \
+    echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+    apt-get update && \
+    apt-get install docker-ce-cli -y
+
+RUN apt install -y \
+    cron \
+    netcat-traditional \
+    kafkacat \
+    bash \
+    skopeo \
+    libjansson-dev \
+    libmagic-dev \
+    libstdc++6 \
+    libssl3 \
+    ca-certificates \
+    postgresql-client \
+    libvectorscan5 \
+    gdb \
+    strace && \
+    apt clean && \
+    apt autoclean && \
+    apt auto-remove -y && \
+    rm -rf /var/lib/{apt,dpkg,cache,log}/
 
 RUN curl -fsSL https://raw.githubusercontent.com/pressly/goose/master/install.sh | sh
 
@@ -62,4 +89,4 @@ COPY ./${AGENT_BINARY_DIST_RELATIVE}/* /opt/deepfence
 COPY --from=builder-yara /go/bin/asynq /usr/local/bin/asynq
 
 ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/usr/local/bin/deepfence_worker"]
+CMD ["/usr/local/bin/deepfence_worker"]

deepfence_worker/Makefile

@@ -7,15 +7,15 @@ all: deepfence_worker
 local: deepfence_worker
 
 image:
-	docker run --rm -i -e VERSION=${VERSION} -e GIT_COMMIT=${GIT_COMMIT} -e BUILD_TIME=${BUILD_TIME} -v $(ROOT_MAKEFILE_DIR):/src:rw -v /tmp/go:/go:rw $(IMAGE_REPOSITORY)/deepfence_builder_ce:$(DF_IMG_TAG) bash -c 'cd /src/deepfence_worker && make deepfence_worker'
+	docker run --rm -i -e VERSION=${VERSION} -e GIT_COMMIT=${GIT_COMMIT} -e BUILD_TIME=${BUILD_TIME} -v $(ROOT_MAKEFILE_DIR):/src:rw -v /tmp/go:/go:rw $(IMAGE_REPOSITORY)/deepfence_glibc_builder_ce:$(DF_IMG_TAG) bash -c 'cd /src/deepfence_worker && make deepfence_worker'
 	docker build -f ./Dockerfile --build-arg IMAGE_REPOSITORY=$(IMAGE_REPOSITORY) --build-arg DF_IMG_TAG=$(DF_IMG_TAG) --build-arg AGENT_BINARY_DIST_RELATIVE=$(AGENT_BINARY_DIST_RELATIVE) -t $(IMAGE_REPOSITORY)/deepfence_worker_ce:$(DF_IMG_TAG) ..
 
 vendor: go.mod $(shell find ../deepfence_utils -path ../deepfence_utils/vendor -prune -o -name '*.go')
 	go mod tidy -v
 	go mod vendor
 
 deepfence_worker: vendor $(shell find . -path ./vendor -prune -o -name '*.go')
-	CGO_LDFLAGS="-ljansson -lcrypto -lmagic" go build -buildvcs=false -ldflags="-s -w -X github.com/deepfence/ThreatMapper/deepfence_worker/utils.Version=${VERSION} -X github.com/deepfence/ThreatMapper/deepfence_worker/utils.Commit=${GIT_COMMIT} -X github.com/deepfence/ThreatMapper/deepfence_worker/utils.BuildTime=${BUILD_TIME} -extldflags='-static'"
+	CGO_LDFLAGS="-ljansson -lcrypto -lmagic" go build -buildvcs=false -ldflags="-s -w -X github.com/deepfence/ThreatMapper/deepfence_worker/utils.Version=${VERSION} -X github.com/deepfence/ThreatMapper/deepfence_worker/utils.Commit=${GIT_COMMIT} -X github.com/deepfence/ThreatMapper/deepfence_worker/utils.BuildTime=${BUILD_TIME}"
 
 clean:
 	-rm deepfence_worker

deepfence_worker/entrypoint.sh

@@ -49,8 +49,8 @@ if [ "$DEEPFENCE_MODE" == "worker" ]; then
   echo "add cron job to update vulnerability database"
   echo "vulnerability database update url $GRYPE_DB_UPDATE_URL"
   # /usr/local/bin/grype db update
-  echo "0 */2 * * * export GRYPE_DB_UPDATE_URL=${GRYPE_DB_UPDATE_URL} && /usr/local/bin/grype db update" >> /etc/crontabs/root
-  /usr/sbin/crond
+  echo "0 */2 * * * export GRYPE_DB_UPDATE_URL=${GRYPE_DB_UPDATE_URL} && /usr/local/bin/grype db update" >> /etc/cron.d/crontab && chmod 0644 /etc/cron.d/crontab
+  /usr/sbin/cron
 fi
 
 if [[ "${1#-}" != "$1" ]]; then

deployment-scripts/helm-charts/deepfence-console/templates/deepfence-console-config.yaml

@@ -23,6 +23,6 @@ data:
   {{- if .Values.proxy.enabled }}
   http_proxy: {{ .Values.proxy.http_proxy }}
   https_proxy: {{ .Values.proxy.https_proxy }}
-  no_proxy: "127.0.0.1, localhost, {{ include "deepfence-console.fullname" . }}-file-server, {{ include "deepfence-console.fullname" . }}-postgres, {{ include "deepfence-console.fullname" . }}-redis, {{ include "deepfence-console.fullname" . }}-neo4j, {{ include "deepfence-console.fullname" . }}-kafka-broker, {{ include "deepfence-console.fullname" . }}-ui, {{ include "deepfence-console.fullname" . }}-server, {{ include "deepfence-console.fullname" . }}-router, *.{{ .Release.Namespace  }}.svc"
+  no_proxy: "127.0.0.1, localhost, {{ include "deepfence-console.fullname" . }}-file-server, {{ include "deepfence-console.fullname" . }}-postgres, {{ include "deepfence-console.fullname" . }}-redis, {{ include "deepfence-console.fullname" . }}-neo4j, {{ include "deepfence-console.fullname" . }}-kafka-broker, {{ include "deepfence-console.fullname" . }}-ui, {{ include "deepfence-console.fullname" . }}-server, {{ include "deepfence-console.fullname" . }}-router, *.{{ .Release.Namespace  }}.svc, *.{{ .Values.router.cluster_domain }}"
   {{- end }}
 

docker_builders/Dockerfile-debian

@@ -1,7 +1,3 @@
-ARG VECTORSCAN_IMG_TAG=latest
-ARG VECTORSCAN_IMAGE_REPOSITORY=deepfenceio
-FROM $VECTORSCAN_IMAGE_REPOSITORY/deepfence_vectorscan_build:$VECTORSCAN_IMG_TAG AS vectorscan
-
 ARG DF_IMG_TAG=latest
 ARG IMAGE_REPOSITORY=deepfenceio
 
@@ -11,11 +7,37 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update
 RUN apt-get install -y
 RUN apt-get -qq -y --no-install-recommends install \
-    build-essential automake libtool make gcc pkg-config libssl-dev git protoc-gen-go \
-    bash make git gcc libc-dev lsb-release software-properties-common libz-dev apt-utils\
-    protobuf-compiler ca-certificates libpcap-dev time file shellcheck curl \
-    libjansson-dev libmagic-dev \
-    cmake flex bison libyaml-dev
+    build-essential \
+    automake \
+    libtool \
+    make \
+    gcc \
+    pkg-config \
+    libssl-dev \
+    git \
+    protoc-gen-go \
+    bash \
+    make \
+    gcc \
+    libc-dev \
+    lsb-release \
+    software-properties-common \
+    libz-dev \
+    apt-utils \
+    protobuf-compiler \
+    ca-certificates \
+    libpcap-dev \
+    time \
+    file \
+    shellcheck \
+    curl \
+    libjansson-dev \
+    libmagic-dev \
+    cmake \
+    flex \
+    bison \
+    libyaml-dev \
+    libvectorscan-dev
 
 RUN cd /root  \
     && wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.3.2.tar.gz \
@@ -28,16 +50,19 @@ RUN cd /root  \
     && cd /usr/local/ \
     && tar -czf yara.tar.gz yara
 
-COPY --from=vectorscan /vectorscan.tar.bz2 /
-RUN tar -xjf /vectorscan.tar.bz2 -C / && rm /vectorscan.tar.bz2
-
 RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.32.0
 RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
 
+ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/include/hs/lib:$LD_LIBRARY_PATH \
+    PKG_CONFIG_PATH=/usr/local/yara/lib/pkgconfig:$(PKG_CONFIG_PATH) \
+    GOWORK=off
+
 RUN mkdir /home/deepfence
 COPY deepfence_agent/build_scripts/*.sh /home/deepfence/
 
 ARG DF_AGENT_SRC=/go/src/github.com/deepfence/deepfence_agent
 WORKDIR $DF_AGENT_SRC
 
 ENV GOWORK=off
+
+RUN go install github.com/hibiken/asynq/tools/asynq@latest