From 4b6b082193224deecd384cf5b3c1bdb4e0a8129f Mon Sep 17 00:00:00 2001 From: nfuden Date: Thu, 28 Sep 2023 15:34:57 -0400 Subject: [PATCH 1/5] Move to ubuntu based envoy dockerfiles --- Makefile | 2 +- changelog/v1.16.0-beta12/envoy-change.yaml | 18 ++++++++++++++++++ projects/envoyinit/cmd/Dockerfile.envoyinit | 7 +++++-- projects/gloo/cmd/Dockerfile | 9 ++++++--- 4 files changed, 30 insertions(+), 6 deletions(-) create mode 100644 changelog/v1.16.0-beta12/envoy-change.yaml diff --git a/Makefile b/Makefile index c9614b132b4..2de0607ca58 100644 --- a/Makefile +++ b/Makefile @@ -48,7 +48,7 @@ VERSION ?= 1.0.1-dev SOURCES := $(shell find . -name "*.go" | grep -v test.go) -ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch3 +ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:4a183dc7005c4637be320418831d90e18fa91d32 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)" GCFLAGS := all="-N -l" diff --git a/changelog/v1.16.0-beta12/envoy-change.yaml b/changelog/v1.16.0-beta12/envoy-change.yaml new file mode 100644 index 00000000000..7abbadc7518 --- /dev/null +++ b/changelog/v1.16.0-beta12/envoy-change.yaml 
@@ -0,0 +1,18 @@ +changelog: + - type: FIX + issueLink: https://github.com/solo-io/solo-projects/issues/5344 + resolvesIssue: false + description: > + Migrate from alpine to ubuntu for released version. + Backlogged an issue to move fully to distroless on beta branch. + Can be found here https://github.com/solo-io/solo-projects/issues/5388 + Not migrating prior as this may impact some debugging steps. + Forced to migrate per glibc being unable to update. + https://nvd.nist.gov/vuln/detail/CVE-2022-23218 + https://nvd.nist.gov/vuln/detail/CVE-2022-23219 + https://nvd.nist.gov/vuln/detail/CVE-2021-38604 + https://nvd.nist.gov/vuln/detail/CVE-2021-3998 + See here for glibc on alpine maintainers + https://gitlab.alpinelinux.org/alpine/tsc/-/issues/43#note_306270 + https://github.com/sgerrand/alpine-pkg-glibc/issues/207#issuecomment-1707209887 + https://github.com/sgerrand/alpine-pkg-glibc/issues/176 \ No newline at end of file diff --git a/projects/envoyinit/cmd/Dockerfile.envoyinit b/projects/envoyinit/cmd/Dockerfile.envoyinit index 57b9831996a..6d4e30118ce 100644 --- a/projects/envoyinit/cmd/Dockerfile.envoyinit +++ b/projects/envoyinit/cmd/Dockerfile.envoyinit @@ -3,8 +3,11 @@ ARG ENVOY_IMAGE FROM $ENVOY_IMAGE ARG GOARCH=amd64 +ENV DEBIAN_FRONTEND=noninteractive -RUN apk -U upgrade +RUN apt-get update \ + && apt-get upgrade -y \ + && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old COPY envoyinit-linux-$GOARCH /usr/local/bin/envoyinit @@ -13,5 +16,5 @@ COPY docker-entrypoint.sh / USER 10101 -ENTRYPOINT ["/usr/bin/dumb-init", "--", "/docker-entrypoint.sh"] +ENTRYPOINT [ "/docker-entrypoint.sh"] CMD [] \ No newline at end of file diff --git a/projects/gloo/cmd/Dockerfile b/projects/gloo/cmd/Dockerfile index 09bc062cf2c..b7718e3ddd0 100644 --- a/projects/gloo/cmd/Dockerfile +++ b/projects/gloo/cmd/Dockerfile 
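Review bot: The `apt-get upgrade -y` in the new `RUN` only picks up fixes when this layer is actually rebuilt, so a cached layer or a stale `$ENVOY_IMAGE` base can still ship the old packages even though the changelog gives glibc CVEs as the reason for the migration. The same applies to the matching `RUN` added in projects/gloo/cmd/Dockerfile. I would add a comment above both, for example `# security upgrade: release builds must use --pull --no-cache so this layer is never served from cache`, and confirm that the release pipeline builds that way, since the build invocation is not part of this patch.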
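Review bot: Dropping `/usr/bin/dumb-init` from `ENTRYPOINT` makes `/docker-entrypoint.sh` PID 1, and neither the commit message nor the changelog entry mentions it. Unless the script ends by `exec`-ing the real process (the script is not in this patch, so this needs checking), a SIGTERM from the runtime may stop at the shell rather than reach envoy, and orphaned children will not be reaped. If the ubuntu base simply lacks the binary, either install an init in the `RUN` step or document the requirement above the entrypoint, e.g. `# no init wrapper: docker-entrypoint.sh must exec its child so signals reach it directly`. The stray space in `[ "/docker-entrypoint.sh"]` could be dropped at the same time.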
@@ -3,10 +3,13 @@ ARG ENVOY_IMAGE FROM $ENVOY_IMAGE ARG GOARCH=amd64 +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update \ + && apt-get upgrade -y \ + && apt-get install --no-install-recommends -y ca-certificates \ + && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old -RUN apk upgrade --update-cache \ - && apk add ca-certificates \ - && rm -rf /var/cache/apk/* COPY gloo-linux-$GOARCH /usr/local/bin/gloo From 4a663633229cb346b0d80c18d431bd7383ad6603 Mon Sep 17 00:00:00 2001 From: nfuden Date: Thu, 28 Sep 2023 16:37:01 -0400 Subject: [PATCH 2/5] ci: temp remove v for unreleased. Full fix later --- ci/cloudbuild/run-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/cloudbuild/run-tests.yaml b/ci/cloudbuild/run-tests.yaml index bc1b1886bdd..73a092a4eb5 100644 --- a/ci/cloudbuild/run-tests.yaml +++ b/ci/cloudbuild/run-tests.yaml @@ -30,7 +30,7 @@ steps: args: - '-c' - | - ENVOY_VERSION=v$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) + ENVOY_VERSION=$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) gsutil cp gs://solo-public-artifacts.solo.io/envoy/$$ENVOY_VERSION/envoy.stripped /workspace/envoy chmod +x /workspace/envoy waitFor: From 033128612e557e60b98f6db201d2516f49289c0e Mon Sep 17 00:00:00 2001 From: nfuden Date: Thu, 28 Sep 2023 16:51:51 -0400 Subject: [PATCH 3/5] Revert "ci: temp remove v for unreleased. Full fix later" This reverts commit 4a663633229cb346b0d80c18d431bd7383ad6603. --- ci/cloudbuild/run-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/cloudbuild/run-tests.yaml b/ci/cloudbuild/run-tests.yaml index 73a092a4eb5..bc1b1886bdd 100644 --- a/ci/cloudbuild/run-tests.yaml +++ b/ci/cloudbuild/run-tests.yaml 
@@ -30,7 +30,7 @@ steps: args: - '-c' - | - ENVOY_VERSION=$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) + ENVOY_VERSION=v$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) gsutil cp gs://solo-public-artifacts.solo.io/envoy/$$ENVOY_VERSION/envoy.stripped /workspace/envoy chmod +x /workspace/envoy waitFor: From ca874e4b2bda83ecc0a40c2a770591fc62db22ec Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Thu, 28 Sep 2023 16:41:13 -0400 Subject: [PATCH 4/5] update run-tests.yaml to attempt to pull CI assets --- ci/cloudbuild/run-tests.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ci/cloudbuild/run-tests.yaml b/ci/cloudbuild/run-tests.yaml index bc1b1886bdd..9831a355915 100644 --- a/ci/cloudbuild/run-tests.yaml +++ b/ci/cloudbuild/run-tests.yaml @@ -30,9 +30,15 @@ steps: args: - '-c' - | - ENVOY_VERSION=v$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) - gsutil cp gs://solo-public-artifacts.solo.io/envoy/$$ENVOY_VERSION/envoy.stripped /workspace/envoy - chmod +x /workspace/envoy + { # try to pull release assets first + ENVOY_VERSION=v$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) + gsutil cp gs://solo-public-artifacts.solo.io/envoy/$$ENVOY_VERSION/envoy.stripped /workspace/envoy + chmod +x /workspace/envoy + } || { # if that fails, pull from CI + ENVOY_VERSION=$$(make print-ENVOY_GLOO_IMAGE | cut -d: -f2) + gsutil cp gs://solo-public-artifacts.solo.io/envoy/$$ENVOY_VERSION/envoy /workspace/envoy + chmod +x /workspace/envoy + } waitFor: - 'prepare-workspace' From 6e0625c5bbd7ba7b673395dcab0e4723f0c49148 Mon Sep 17 00:00:00 2001 From: nfuden Date: Mon, 2 Oct 2023 15:09:52 -0400 Subject: [PATCH 5/5] make: Update envoy to released envoy-gloo --- Makefile | 2 +- projects/envoyinit/cmd/Dockerfile.envoyinit | 2 ++ projects/gloo/cmd/Dockerfile | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 2de0607ca58..f1891dd6520 100644 --- a/Makefile +++ b/Makefile 
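Review bot: In the new `{ … } || { … }` block each group's exit status is that of its last command, `chmod +x /workspace/envoy`, not of `gsutil cp`. If a file already exists at /workspace/envoy, a failed release download is masked by a successful chmod and the CI fallback never runs; chaining fixes this in both groups, e.g. `gsutil cp gs://solo-public-artifacts.solo.io/envoy/$$ENVOY_VERSION/envoy.stripped /workspace/envoy && chmod +x /workspace/envoy`. The fallback also silently swaps a released binary for an unreleased CI build, so an `echo` naming the source that was used would keep the test logs auditable. Neither path checks the download against a pinned digest before it is made executable.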
@@ -48,7 +48,7 @@ VERSION ?= 1.0.1-dev SOURCES := $(shell find . -name "*.go" | grep -v test.go) -ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:4a183dc7005c4637be320418831d90e18fa91d32 +ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch4 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)" GCFLAGS := all="-N -l" diff --git a/projects/envoyinit/cmd/Dockerfile.envoyinit b/projects/envoyinit/cmd/Dockerfile.envoyinit index 6d4e30118ce..9c1243968ce 100644 --- a/projects/envoyinit/cmd/Dockerfile.envoyinit +++ b/projects/envoyinit/cmd/Dockerfile.envoyinit @@ -3,6 +3,8 @@ ARG ENVOY_IMAGE FROM $ENVOY_IMAGE ARG GOARCH=amd64 +# eventually may matter for now https://unix.stackexchange.com/a/701288 +# means its not too useful ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update \ diff --git a/projects/gloo/cmd/Dockerfile b/projects/gloo/cmd/Dockerfile index b7718e3ddd0..53183787b67 100644 --- a/projects/gloo/cmd/Dockerfile +++ b/projects/gloo/cmd/Dockerfile @@ -3,6 +3,8 @@ ARG ENVOY_IMAGE FROM $ENVOY_IMAGE ARG GOARCH=amd64 +# eventually may matter for now https://unix.stackexchange.com/a/701288 +# means its not too useful ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update \
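Review bot: The comment added above `ENV DEBIAN_FRONTEND=noninteractive` in projects/envoyinit/cmd/Dockerfile.envoyinit is hard to parse and does not say what the reader should take from the link; the same two lines are added in projects/gloo/cmd/Dockerfile. Something like `# DEBIAN_FRONTEND=noninteractive suppresses debconf prompts; has little effect today, kept for future apt installs (https://unix.stackexchange.com/a/701288)` would be clearer. I am inferring that meaning from the wording, so adjust it if something else was intended. Since the variable only matters while building, `ARG DEBIAN_FRONTEND=noninteractive` would keep it out of the runtime environment of the shipped image.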