That's proposal #4.

On Sun, Jan 31, 2021 at 5:31 PM Gabriel Cavalcante <
gabriel.cavalcant...@gmail.com> wrote:

> Is it possible to use the scratch image with Prometheus binary inside
> only? That would reduce the surface entirely.
>
> On Sun, 31 Jan 2021 at 13:26 Julien Pivotto <roidelapl...@prometheus.io>
> wrote:
>
>> Hello,
>>
>> From time to time we get users reporting that the docker image we use to
>> build Prometheus contains a Busybox vulnerability:
>>
>> https://github.com/prometheus/node_exporter/issues/1937
>> https://github.com/prometheus/prometheus/issues/8277
>> https://github.com/prometheus/prometheus/issues/7794
>>
>> We have a few options here:
>>
>> 1. ignoring those reports as there is no evidence that this can be used
>> without first getting shell access into the container.
>>
>> 2. removing wget from the container
>>
>> 3. switching to a base image that does not contain the fix, e.g. alpine
>>
>> 4. only shipping our binaries and a few other files (from scratch or
>> from distroless-static,
>> https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)
>>
>> My thinking:
>>
>> 1. This is (was) the current strategy. And clearly, scanners do not care
>> that Prometheus uses or does not use the said binaries.
>> However, in security, less attack surface is always positive.
>>
>> 2. Even if we remove /bin/wget, it can still be invoked by calling
>> /bin/busybox wget
>>
>> 3. Alpine etc. would increase the surface and require rebuilding a lot
>> more often than busybox.
>>
>> 4. Distroless static seems to be what we have now (takes certs etc. from
>> debian), without busybox. The advantage here would be that we can simply
>> stop using prometheus/busybox, and we would have updated upstream
>> images all the time.
>>
>> So I'd go and investigate distroless base image in the future.
>>
>> --
>> Julien Pivotto
>> @roidelapluie
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Prometheus Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to prometheus-developers+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/prometheus-developers/20210131162630.GA13747%40oxygen
>> .
>>

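Option 4 from the quoted thread, shown as a concrete multi-stage build. This is an added example, not the Prometheus project's own Dockerfile: it assumes the repository builds a static binary with `CGO_ENABLED=0 go build ./cmd/prometheus` (the real build has more steps, e.g. web assets), that a `prometheus.yml` sits in the build context, and that the `gcr.io/distroless/static:nonroot` tag is used as the runtime base. The point it demonstrates is the one made in the thread: rather than deleting `/bin/wget` (which leaves `/bin/busybox wget` callable), the runtime image simply never contains a shell or a busybox multi-call binary, only the Prometheus binary, its config, and the CA certificates, passwd file and tzdata that distroless-static already ships.

```dockerfile
# Added example, not the Prometheus project's Dockerfile.
# Assumptions: static build via go build, prometheus.yml in the build context,
# gcr.io/distroless/static:nonroot as the runtime base.

# ---- build stage: produces a statically linked binary ----------------------
FROM golang:1.16 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 so the binary has no libc dependency and runs on distroless-static
RUN CGO_ENABLED=0 go build -o /out/prometheus ./cmd/prometheus

# ---- runtime stage: no shell, no busybox, no package manager -----------------
# distroless/static provides ca-certificates, /etc/passwd (with "nonroot"),
# tzdata and /tmp; nothing executable besides what is copied in below.
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/prometheus /bin/prometheus
COPY prometheus.yml /etc/prometheus/prometheus.yml
# Run unprivileged; the uid/gid come from distroless' own passwd file.
USER nonroot:nonroot
EXPOSE 9090
VOLUME ["/prometheus"]
# Exec form is required: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", \
     "--storage.tsdb.path=/prometheus"]
```

Two practical consequences follow from the absence of a shell. First, `ENTRYPOINT` and `CMD` must use the JSON exec form, since the shell form would try to run `/bin/sh -c`, which does not exist in the image. Second, the usual verification is that `docker run --rm --entrypoint /bin/sh <image>` and `docker run --rm --entrypoint /bin/busybox <image>` both fail with an exec-format or not-found error; that failure is the evidence a scanner report about a busybox CVE no longer applies to the image, instead of arguing that the vulnerable binary is present but unused.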