From 30f3b4213657f9d5994654a4b7aedc65c9da8e54 Mon Sep 17 00:00:00 2001
From: Nathan Fudenberg
Date: Mon, 2 Oct 2023 14:28:58 -0400
Subject: [PATCH] =?UTF-8?q?1.26=20ci:=20Update=20the=20intermediate=20imag?= =?UTF-8?q?e=20that=20gets=20emitted=20to=20no=20longer=20rely=E2=80=A6=20?= =?UTF-8?q?(#273)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* ci: Update the intermediate image that gets emitted to no longer rely on alpine due to glibc issues
* changelog: move
* ci: Update docs in docker file and make it mimic upstream
---
 .../v1.26.4-patch4/updatebuild-image.yaml | 18 +++++++++++++
 ci/Dockerfile | 25 +++++++++++++------
 2 files changed, 35 insertions(+), 8 deletions(-)
 create mode 100644 changelog/v1.26.4-patch4/updatebuild-image.yaml
diff --git a/changelog/v1.26.4-patch4/updatebuild-image.yaml b/changelog/v1.26.4-patch4/updatebuild-image.yaml
new file mode 100644
index 00000000..7abbadc7
--- /dev/null
+++ b/changelog/v1.26.4-patch4/updatebuild-image.yaml
@@ -0,0 +1,18 @@
+changelog:
+ - type: FIX
+ issueLink: https://github.com/solo-io/solo-projects/issues/5344
+ resolvesIssue: false
+ description: >
+ Migrate from alpine to ubuntu for released version.
+ Backlogged an issue to move fully to distroless on beta branch.
+ Can be found here https://github.com/solo-io/solo-projects/issues/5388
+ Not migrating prior as this may impact some debugging steps.
+ Forced to migrate per glibc being unable to update.
+ https://nvd.nist.gov/vuln/detail/CVE-2022-23218
+ https://nvd.nist.gov/vuln/detail/CVE-2022-23219
+ https://nvd.nist.gov/vuln/detail/CVE-2021-38604
+ https://nvd.nist.gov/vuln/detail/CVE-2021-3998
+ See here for glibc on alpine maintainers
+ https://gitlab.alpinelinux.org/alpine/tsc/-/issues/43#note_306270
+ https://github.com/sgerrand/alpine-pkg-glibc/issues/207#issuecomment-1707209887
+ https://github.com/sgerrand/alpine-pkg-glibc/issues/176
\ No newline at end of file
diff --git a/ci/Dockerfile b/ci/Dockerfile
index 71053c0a..9d00c6f8 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -1,17 +1,26 @@
-# This file was inspired by envoy Dockerfile:
-# https://github.com/envoyproxy/envoy/blob/445a67344ffda0c8828c8e438e463fcaa7878434/ci/Dockerfile-envoy-alpine
-
-FROM frolvlad/alpine-glibc:alpine-3.17_glibc-2.34
+# This file was inspired by a combination of the following:
+# Istio and platform's mesh derivative approach
+# Uses upstream envoy's ubuntu versioning
+# Consuemd by edge to buld gateway-proxy and gloo pods
+# May be used as is or as a builder intermediate (e.g. for distroless)
+# ON_MINOR_UPDATE: Pull from https://github.com/envoyproxy/envoy/blob/4d46da0bba54dfb849d8bf68b600e53d87310a1a/ci/Dockerfile-envoy#L1-L2
+FROM ubuntu:focal
 ENV loglevel=info
-RUN apk upgrade --update-cache \
- && apk add dumb-init ca-certificates \
- && rm -rf /var/cache/apk/*
+ENV DEBIAN_FRONTEND=noninteractive
+
+# hadolint ignore=DL3005,DL3008
+RUN apt-get update && \
+ apt-get install --no-install-recommends -y \
+ ca-certificates \
+ && apt-get upgrade -y \
+ && apt-get clean \
+ && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
 RUN mkdir -p /etc/envoy
 ADD envoy.stripped /usr/local/bin/envoy
-ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/envoy"]
+ENTRYPOINT ["/usr/local/bin/envoy"]
 CMD ["-c", "/etc/envoy/envoy.yaml"]
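Review bot: `FROM ubuntu:focal` is a floating tag, and together with `apt-get upgrade -y` and the `DL3005,DL3008` ignores it makes the package set of the emitted image depend on when the build ran, so two builds of the same commit can ship different glibc patch levels. Since the change is motivated by glibc CVEs, I would pin the base by digest, `FROM ubuntu:focal@sha256:<digest of the image you reviewed>`, and bump it as part of the `ON_MINOR_UPDATE` step so the fixed version is traceable to a commit. Separately, `ENV DEBIAN_FRONTEND=noninteractive` persists into the runtime environment of this image and anything built on it; `ARG DEBIAN_FRONTEND=noninteractive` keeps it build-only. The new `ENTRYPOINT ["/usr/local/bin/envoy"]` also makes envoy PID 1 now that dumb-init is gone, which deserves a comment such as `# no init: envoy handles SIGTERM itself; use --init if child reaping is needed`, assuming that is the intent.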