evanasse opened a new pull request, #29792:
URL: https://github.com/apache/airflow/pull/29792

   This PR brings the pgbouncer and pgbouncer-exporter images to more recent versions.
   
   pgbouncer: 1.16.1
   pgbouncer: 0.14.0
   
   It's not the most recent pgbouncer version, though.
   pgbouncer is limited to 1.16.1 since [pgbouncer-exporter](https://github.com/jbub/pgbouncer_exporter) does not support 1.18.0.
   
   I was not able to build from a more recent version of alpine than 3.14.
   It returns the following error when building with alpine >= 3.15:
   <details><summary>docker build TLS error output</summary>
   
   ```
   In file included from lib/usual/tls/tls.c:18:
   lib/usual/tls/tls_compat.h:33: warning: "NID_kx_ecdhe" redefined
      33 | #define NID_kx_ecdhe (-90)
         |
   In file included from /usr/include/openssl/objects.h:65,
                    from /usr/include/openssl/evp.h:86,
                    from /usr/include/openssl/hmac.h:67,
                    from /usr/include/openssl/ssl.h:150,
                    from lib/usual/tls/tls_compat.h:14:
   /usr/include/openssl/obj_mac.h:4465: note: this is the location of the 
previous definition
    4465 | #define NID_kx_ecdhe            960
         |
   lib/usual/tls/tls_compat.h:34: warning: "NID_kx_dhe" redefined
      34 | #define NID_kx_dhe (-91)
         |
   /usr/include/openssl/obj_mac.h:4469: note: this is the location of the 
previous definition
    4469 | #define NID_kx_dhe              961
         |
   lib/usual/tls/tls_compat.h:47:28: error: static declaration of 
'X509_OBJECT_new' follows non-static declaration
      47 | static inline X509_OBJECT *X509_OBJECT_new(void)
         |                            ^~~~~~~~~~~~~~~
   In file included from /usr/include/openssl/x509.h:389,
                    from /usr/include/openssl/pem.h:71,
                    from /usr/include/openssl/ssl.h:151:
   /usr/include/openssl/x509_vfy.h:273:14: note: previous declaration of 
'X509_OBJECT_new' with type 'X509_OBJECT *(void)' {aka 'struct x509_object_st 
*(void)'}
     273 | X509_OBJECT *X509_OBJECT_new(void);
         |              ^~~~~~~~~~~~~~~
   In file included from /usr/include/openssl/bio.h:69,
                    from /usr/include/openssl/evp.h:67:
   lib/usual/tls/tls_compat.h: In function 'X509_OBJECT_new':
   lib/usual/tls/tls_compat.h:49:49: error: invalid application of 'sizeof' to 
incomplete type 'X509_OBJECT' {aka 'struct x509_object_st'}
      49 |         X509_OBJECT *obj = OPENSSL_malloc(sizeof(*obj));
         |                                                 ^
   lib/usual/tls/tls_compat.h:51:38: error: invalid application of 'sizeof' to 
incomplete type 'X509_OBJECT' {aka 'struct x509_object_st'}
      51 |                 memset(obj, 0, sizeof(*obj));
         |                                      ^
   lib/usual/tls/tls_compat.h: At top level:
   lib/usual/tls/tls_compat.h:58:20: error: static declaration of 
'X509_OBJECT_free' follows non-static declaration
      58 | static inline void X509_OBJECT_free(X509_OBJECT *obj)
         |                    ^~~~~~~~~~~~~~~~
   /usr/include/openssl/x509_vfy.h:274:6: note: previous declaration of 
'X509_OBJECT_free' with type 'void(X509_OBJECT *)' {aka 'void(struct 
x509_object_st *)'}
     274 | void X509_OBJECT_free(X509_OBJECT *a);
         |      ^~~~~~~~~~~~~~~~
   lib/usual/tls/tls_compat.h: In function 'X509_OBJECT_free':
   lib/usual/tls/tls_compat.h:61:24: error: invalid use of incomplete typedef 
'X509_OBJECT' {aka 'struct x509_object_st'}
      61 |                 if (obj->type == X509_LU_X509) {
         |                        ^~
   lib/usual/tls/tls_compat.h:62:38: error: invalid use of incomplete typedef 
'X509_OBJECT' {aka 'struct x509_object_st'}
      62 |                         X509_free(obj->data.x509);
         |                                      ^~
   lib/usual/tls/tls_compat.h:63:31: error: invalid use of incomplete typedef 
'X509_OBJECT' {aka 'struct x509_object_st'}
      63 |                 } else if (obj->type == X509_LU_CRL) {
         |                               ^~
   lib/usual/tls/tls_compat.h:64:42: error: invalid use of incomplete typedef 
'X509_OBJECT' {aka 'struct x509_object_st'}
      64 |                         X509_CRL_free(obj->data.crl);
         |                                          ^~
   lib/usual/tls/tls_compat.h: At top level:
   lib/usual/tls/tls_compat.h:70:28: error: conflicting types for 
'X509_STORE_CTX_get_obj_by_subject'; have 'X509_OBJECT *(X509_STORE_CTX *, int, 
 X509_NAME *)' {aka 'struct x509_object_st *(struct x509_store_ctx_st *, int,  
struct X509_name_st *)'}
      70 | static inline X509_OBJECT 
*X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *ctx, int lookup, X509_NAME 
*name)
         |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   /usr/include/openssl/x509_vfy.h:341:14: note: previous declaration of 
'X509_STORE_CTX_get_obj_by_subject' with type 'X509_OBJECT *(X509_STORE_CTX *, 
X509_LOOKUP_TYPE,  X509_NAME *)' {aka 'struct x509_object_st *(struct 
x509_store_ctx_st *, X509_LOOKUP_TYPE,  struct X509_name_st *)'}
     341 | X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
         |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   lib/usual/tls/tls.c: In function 'tls_configure_ssl':
   lib/usual/tls/tls_compat.h:38:47: error: invalid use of incomplete typedef 
'SSL_CTX' {aka 'struct ssl_ctx_st'}
      38 | #define SSL_CTX_get0_param(ssl_ctx) ((ssl_ctx)->param)
         |                                               ^~
   lib/usual/tls/tls.c:442:42: note: in expansion of macro 'SSL_CTX_get0_param'
     442 |                 X509_VERIFY_PARAM *vfp = 
SSL_CTX_get0_param(ctx->ssl_ctx);
         |                                          ^~~~~~~~~~~~~~~~~~
   make: *** [/pgbouncer-1.16.1/lib/mk/antimake.mk:1230: 
.objs/pgbouncer/lib/usual/tls/tls.o] Error 1
   
   ```
   
   </details>
   
   It builds successfully when using `openssl` instead of `libressl`, but the container was crashing soon after launch with a seg fault (SIGSEGV, exit code 139).
   With `libressl` the container runs fine.
   
   I added user "nobody" to prevent the image from being root by default.
   
   The `openssl` addition in pgbouncer-exporter Dockerfile is to fix a vulnerability.
   
   These changes work fine for my use case (which was purely aimed at removing vulnerabilities). Let me know if something needs to change to match others.

