madrob commented on code in PR #6:
URL: https://github.com/apache/solr-docker/pull/6#discussion_r875264595


##########
README.md:
##########
@@ -1,49 +1,28 @@
-# NOTE: Not vulnerable to Log4J 2 "Log4shell"
-
-Some Docker images *were* vulnerable to one of a pair of vulnerabilities in 
Log4J 2.
-But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* 
images (and some others) and re-published them.
-You may need to re-pull the image you are using.
-For those images prior to 8.11.1, Solr is using a popular technique to 
mitigate the problem -- setting `log4j2.formatMsgNoLookups`.
-The Solr maintainers have deemed this adequate based specifically on how Solr 
uses logging; it won't be adequate for all projects that use Log4J. 
-canning software might alert you to the presence of an older Log4J JAR file, 
however it can't know if your software (Solr) uses the artifacts in a 
vulnerable way.
-To validate the mitigation being in place, look for 
`-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen.
-As of Solr 9.0.0, Solr is using Log4J 2.17.1.
-
-References:
-* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr 
_was_ vulnerable to this.
-* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr 
_never was_ vulnerable to this.
-* [Solr's security 
bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228)
-
-
-# Supported tags and respective `Dockerfile` links
-
-See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image 
tags available to pull.
-Note that the Apache Solr project doesn't actually support any releases older 
than the current major release series, despite whatever tags are published.
-
-For more information about this image and its history and all currently 
supported tags, please see [the relevant manifest file 
(`library/solr`)](https://github.com/docker-library/official-images/blob/master/library/solr).
-This image is updated via pull requests to [the `apache/solr-docker` GitHub 
repo](https://github.com/apache/solr-docker).
-However, the `Dockerfile`s are generated from official Apache Solr releases. 
See [the `apache/solr` Github 
repo](https://github.com/apache/solr/tree/main/solr/docker)
-for more information on how the Docker image is created, maintained and tested.
-
 # What is Apache Solr™?
 
 Apache Solr is highly reliable, scalable and fault tolerant, providing 
distributed indexing, replication and load-balanced querying, automated 
failover and recovery, centralized configuration and more.
 Solr powers the search and navigation features of many of the world's largest 
internet sites.
 
 Learn more on [Solr's homepage](https://solr.apache.org) and in the [Solr 
Reference Guide](https://solr.apache.org/guide/solr/).
 
-![logo](https://raw.githubusercontent.com/docker-library/docs/master/solr/logo.png)
-
-# Getting started with the Docker image
+# Supported tags and respective `Dockerfile` links
 
-For information on using the tags 9.0.0 and above, please refer to the [Docker 
section in the Solr reference 
guide](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html).
+See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image 
tags available to pull.
+Note that the Apache Solr project doesn't actually support any releases older 
than the current major release series, despite whatever tags are published.
 
-For information on using tags 8 and before, please refer to the [docker-solr 
repository](https://github.com/docker-solr/docker-solr).
+As of Solr 9.0, the official Dockerfile is released along-side Solr.
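Review bot: Users pulling older tags lose the Log4Shell mitigation check with the removal at the top of this hunk. The deleted section explained that images prior to 8.11.1 rely on `-Dlog4j2.formatMsgNoLookups` and how to confirm it in the Args section of the admin screen, while the re-added "Supported tags" text still says older tags remain published. Suggest keeping a one-line pointer to Solr's security bulletin (the link already present in the removed References list) next to the note about unsupported releases. Separately, `along-side` in the last added line should be `alongside`.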

Review Comment:
   @ctargett  would probably say that we shouldn't qualify this statement with 
a version. Either it applies to the current side or it doesn't. 



##########
dev-docs/README.md:
##########
@@ -0,0 +1,33 @@
+# Official Solr Dockerfile Management
+
+In general most interactions with this repository should be done via the Solr 
Release Wizard, not manually.
+
+## How an Official Solr Dockerfile is released
+
+1. In the Solr Release Wizard, an **official** Dockerfile will be created as a 
part of the release candidate.
+   The release candidate is tested and voted on, including the Dockerfile.
+2. If the vote succeeds:
+   1. As a part of the artifact-uploading steps, the Release Wizard will clone 
this repo (`apache/solr-docker`) locally.
+   2. It will then add the successfully voted on `Dockerfile` to the 
respective folder for the released version (`<major>.<minor>`).
+   3. If it is a patch release, the existing `Dockerfile` for that version 
will be over-written.
+   4. It will commit this `Dockerfile`, and push to the `main` branch of this 
repo. No PR or reviews required.
+3. Now that this repo has the new `Dockerfile` committed to main, the [Github 
Actions Workflow](../.github/workflows/pr-for-official-repo.yml) will kick-off.
+   1. It will use 
[`generate-stackbrew-library.sh`](../generate-stackbrew-library.sh) to build 
the [Solr 
metadata](https://github.com/docker-library/official-images/blob/master/library/solr)
 for the latest `main` branch commit.
+   2. After generating a new version of this file, it will create a PR in 
[docker-library/official-images](https://github.com/docker-library/official-images)
 to update the official image.
+   3. This PR will have to be reviewed and merged by the Docker Official 
Images team before the release will be available.
+   4. Before the PR can be approved, one of the listed Solr maintainers must 
comment their approval of the PR.
+4. The Official Docker image should now be available
+
+## How does the automated PR work?
+
+The [Github Actions Workflow](../.github/workflows/pr-for-official-repo.yml) 
is triggered on commits to the `main` branch that touch the following files:
+- `generate-stackbrew-library.sh`
+- `*.*/Dockerfile`
+
+The PR is generated through:
+- Creating a branch in the 
[docker-solr/official-images](https://github.com/docker-solr/official-images).
+  - We have to use this repo, because Apache does not allow forks in their 
organization.
+- This commit is made by the 
[@docker-solr-builder](https://github.com/docker-solr-builder), which has 
credentials saved in this repo.
+  - These credentials were added by emailing them to the Apache infra-team 
(`root@`)
+  - If you need access to this account or credentials, reach out to 
[@HoustonPutman](https://github.com/HoustonPutman)
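Review bot: The credential bullets at the end of this hunk leave the security-relevant details unstated. "which has credentials saved in this repo" does not say how they are stored and can be read as committed to the tree. Suggest naming the storage mechanism, the scope the `@docker-solr-builder` account has, and who rotates the credentials, given that the doc also says they were sent by e-mail to `root@`. This matters more because step 2.4 pushes to `main` with "No PR or reviews required", and a push to `main` touching `*.*/Dockerfile` is exactly what triggers the workflow that uses those credentials, so the doc should also state who holds push access to `main`. Minor: "This commit is made by" has no commit named before it; the preceding bullet only mentions creating a branch.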

Review Comment:
   Can we instruct people to contact the PMC/private list?



##########
README.md:
##########
@@ -1,49 +1,28 @@
-# NOTE: Not vulnerable to Log4J 2 "Log4shell"
-
-Some Docker images *were* vulnerable to one of a pair of vulnerabilities in 
Log4J 2.
-But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* 
images (and some others) and re-published them.
-You may need to re-pull the image you are using.
-For those images prior to 8.11.1, Solr is using a popular technique to 
mitigate the problem -- setting `log4j2.formatMsgNoLookups`.
-The Solr maintainers have deemed this adequate based specifically on how Solr 
uses logging; it won't be adequate for all projects that use Log4J. 
-canning software might alert you to the presence of an older Log4J JAR file, 
however it can't know if your software (Solr) uses the artifacts in a 
vulnerable way.
-To validate the mitigation being in place, look for 
`-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen.
-As of Solr 9.0.0, Solr is using Log4J 2.17.1.
-
-References:
-* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr 
_was_ vulnerable to this.
-* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr 
_never was_ vulnerable to this.
-* [Solr's security 
bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228)
-
-
-# Supported tags and respective `Dockerfile` links
-
-See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image 
tags available to pull.
-Note that the Apache Solr project doesn't actually support any releases older 
than the current major release series, despite whatever tags are published.
-
-For more information about this image and its history and all currently 
supported tags, please see [the relevant manifest file 
(`library/solr`)](https://github.com/docker-library/official-images/blob/master/library/solr).
-This image is updated via pull requests to [the `apache/solr-docker` GitHub 
repo](https://github.com/apache/solr-docker).
-However, the `Dockerfile`s are generated from official Apache Solr releases. 
See [the `apache/solr` Github 
repo](https://github.com/apache/solr/tree/main/solr/docker)
-for more information on how the Docker image is created, maintained and tested.
-
 # What is Apache Solr™?
 
 Apache Solr is highly reliable, scalable and fault tolerant, providing 
distributed indexing, replication and load-balanced querying, automated 
failover and recovery, centralized configuration and more.
 Solr powers the search and navigation features of many of the world's largest 
internet sites.
 
 Learn more on [Solr's homepage](https://solr.apache.org) and in the [Solr 
Reference Guide](https://solr.apache.org/guide/solr/).
 
-![logo](https://raw.githubusercontent.com/docker-library/docs/master/solr/logo.png)
-
-# Getting started with the Docker image
+# Supported tags and respective `Dockerfile` links
 
-For information on using the tags 9.0.0 and above, please refer to the [Docker 
section in the Solr reference 
guide](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html).
+See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image 
tags available to pull.
+Note that the Apache Solr project doesn't actually support any releases older 
than the current major release series, despite whatever tags are published.

Review Comment:
   ```suggestion
   Note that the Apache Solr project does not support any releases older than the current major release series, despite whatever tags are published.
   ```
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

