Move to ubuntu based envoy dockerfiles (#8730)

* Move to ubuntu based envoy dockerfiles * ci: temp remove v for unreleased. Full fix later * Revert "ci: temp remove v for unreleased. Full fix later" This reverts commit 4a66363. * update run-tests.yaml to attempt to pull CI assets * make: Update envoy to released envoy-gloo --------- Co-authored-by: Ben Taussig <ben.taussig@solo.io> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
solo-io · Oct 3, 2023 · e9f6ab6 · e9f6ab6
1 parent c19d54c
commit e9f6ab6
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -48,7 +48,7 @@ VERSION ?= 1.0.1-dev
 
 SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 
-ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch3
+ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch4
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS := all="-N -l"
 

diff --git a/changelog/v1.16.0-beta12/envoy-change.yaml b/changelog/v1.16.0-beta12/envoy-change.yaml
@@ -0,0 +1,18 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/solo-projects/issues/5344
+    resolvesIssue: false
+    description: > 
+      Migrate from alpine to ubuntu for released version. 
+      Backlogged an issue to move fully to distroless on beta branch.
+      Can be found here https://github.com/solo-io/solo-projects/issues/5388
+      Not migrating prior as this may impact some debugging steps.
+      Forced to migrate per glibc being unable to update.
+      https://nvd.nist.gov/vuln/detail/CVE-2022-23218
+      https://nvd.nist.gov/vuln/detail/CVE-2022-23219
+      https://nvd.nist.gov/vuln/detail/CVE-2021-38604
+      https://nvd.nist.gov/vuln/detail/CVE-2021-3998
+      See here for glibc on alpine maintainers
+      https://gitlab.alpinelinux.org/alpine/tsc/-/issues/43#note_306270
+      https://github.com/sgerrand/alpine-pkg-glibc/issues/207#issuecomment-1707209887
+      https://github.com/sgerrand/alpine-pkg-glibc/issues/176
diff --git a/projects/envoyinit/cmd/Dockerfile.envoyinit b/projects/envoyinit/cmd/Dockerfile.envoyinit
@@ -3,8 +3,13 @@ ARG ENVOY_IMAGE
 FROM $ENVOY_IMAGE
 
 ARG GOARCH=amd64
+# eventually may matter for now https://unix.stackexchange.com/a/701288
+# means its not too useful
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apk -U upgrade
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && rm -rf  /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
 
 COPY envoyinit-linux-$GOARCH /usr/local/bin/envoyinit
 
@@ -13,5 +18,5 @@ COPY docker-entrypoint.sh /
 
 USER 10101
 
-ENTRYPOINT ["/usr/bin/dumb-init", "--", "/docker-entrypoint.sh"]
+ENTRYPOINT [ "/docker-entrypoint.sh"]
 CMD []
diff --git a/projects/gloo/cmd/Dockerfile b/projects/gloo/cmd/Dockerfile
@@ -3,10 +3,15 @@ ARG ENVOY_IMAGE
 FROM $ENVOY_IMAGE
 
 ARG GOARCH=amd64
+# eventually may matter for now https://unix.stackexchange.com/a/701288
+# means its not too useful
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install --no-install-recommends -y  ca-certificates \
+    && rm -rf  /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
 
-RUN apk upgrade --update-cache \
-    && apk add ca-certificates \
-    && rm -rf /var/cache/apk/*
 
 COPY gloo-linux-$GOARCH /usr/local/bin/gloo