[
https://issues.apache.org/jira/browse/SOLR-15967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485758#comment-17485758
]
Martin Häcker edited comment on SOLR-15967 at 2/5/22, 10:32 AM:
----------------------------------------------------------------
[~janhoy] This is quite similar to a solution I am going by, but I would like
to point out that what you are showing here has one very very big security
flaw. That is, it does not give you any guarantees about timely installation of
security patches in the image.
The reason that this is so hard with docker alone and the fact that even senior
developers get this wrong so easily is precisely the reason why I am advocating
for deb/rpm repositories.
I have now chosen roughly this approach:
{code:yaml}
#ansible
- name: useradd solr
  user: name=solr
- name: auto export GODEBUG=netdns=go for interactive use
  lineinfile:
    path: /home/solr/.bash_profile
    search_string: GODEBUG=netdns=go
    line: export GODEBUG=netdns=go
- name: directory to persist solr data
  file:
    path: /home/solr/data
    state: directory
- name: ensure permissions of solr data directory
  command: podman unshare chown -R 8983:8983 /home/solr/data
  become: true
  become_user: solr
- name: Dockerfile that installs security updates
  copy:
    src: Dockerfile
    dest: /home/solr/Dockerfile
    owner: solr
    group: solr
- name: Systemd unit file to start / update solr
  copy:
    src: solr.service
    dest: /etc/systemd/system/solr.service
  notify: reload systemd service files
- name: Start solr
  systemd:
    enabled: true
    state: started
    name: solr
- name: Apply solr security updates nightly
  cron:
    special_time: daily
    name: solr-security-updates
    job: systemctl restart solr
{code}
Dockerfile:
{code}
FROM solr:8
# apply security updates
USER root
RUN apt-get update && apt-get -y upgrade && apt-get clean
USER solr
{code}
solr.service:
{code}
# ansible managed - changes will be overwritten
[Unit]
Description=Apache SOLR search engine
[Service]
Type=simple
User=solr
Restart=always
Environment="GODEBUG=netdns=go"
# Need to remove the container first to build a new image with the same name
ExecStartPre=-/usr/bin/podman container stop solr
ExecStartPre=-/usr/bin/podman container rm solr
# Ensure security updates are applied each time solr is restarted
ExecStartPre=/usr/bin/podman build --pull --no-cache -f /home/solr/Dockerfile -t solr:8-security-updated
ExecStart=/usr/bin/podman run --rm -it -v "/home/solr/data:/var/solr" -p 8983:8983 --name solr solr:8-security-updated
ExecStop=/usr/bin/podman stop solr
[Install]
WantedBy=multi-user.target
{code}
But that is oh so much more complex than just requiring users to
{{yum-config-manager --add-repo $URL ; yum install solr}} - and this is still
missing the monitoring that checks that updates are actually applied.
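The monitoring gap named at the end of the comment (nothing verifies that the nightly rebuild ran and that the image is actually patched) can be closed with a small check like the following. It is an added example, not code from the comment or the Solr project: it takes the JSON of {{podman image inspect solr:8-security-updated}} and the text of {{apt list --upgradable}} run inside the container, and flags an image that is older than the daily rebuild interval or still has upgrades pending from a -security suite. Sample inputs are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# The cron job rebuilds and restarts solr daily; an image older than this means
# the rebuild did not happen (or failed and Restart=always kept the old one going).
MAX_IMAGE_AGE = timedelta(days=2)

def parse_podman_ts(ts):
    """podman's RFC 3339 timestamps carry nine fractional digits; fromisoformat() takes six."""
    head, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{head}.{frac[:6].ljust(6, '0')}").replace(tzinfo=timezone.utc)

def image_created_at(inspect_json):
    """Read the "Created" field from `podman image inspect <image>` output."""
    return parse_podman_ts(json.loads(inspect_json)[0]["Created"])

def pending_security_upgrades(apt_list_output):
    """Package names that `apt list --upgradable` (run inside the container) reports
    from a *-security suite, e.g. 'libssl1.1/bullseye-security 1.1.1k-1+deb11u2 ...'."""
    pending = []
    for line in apt_list_output.splitlines():
        if "/" not in line or "[upgradable from:" not in line:
            continue
        name, _, rest = line.partition("/")
        suites = rest.split()[0].split(",")
        if any(s.endswith("-security") for s in suites):
            pending.append(name)
    return pending

def check(inspect_json, apt_list_output, now_iso):
    """Return a list of findings; an empty list means the running image is current."""
    findings = []
    age = parse_podman_ts(now_iso) - image_created_at(inspect_json)
    if age > MAX_IMAGE_AGE:
        findings.append(f"image built {age.days} days ago; nightly rebuild did not run")
    pending = pending_security_upgrades(apt_list_output)
    if pending:
        findings.append("security upgrades pending in image: " + ", ".join(pending))
    return findings

# Constructed sample inputs (not real podman/apt output).
SAMPLE_INSPECT = json.dumps([{"Id": "deadbeef", "Created": "2022-02-01T03:12:44.123456789Z"}])
SAMPLE_APT_CLEAN = "Listing... Done\n"
SAMPLE_APT_PENDING = (
    "Listing... Done\n"
    "libssl1.1/bullseye-security 1.1.1k-1+deb11u2 amd64 [upgradable from: 1.1.1k-1+deb11u1]\n"
    "curl/bullseye 7.74.0-1.3+deb11u1 amd64 [upgradable from: 7.74.0-1.3]\n"
)

if __name__ == "__main__":
    for finding in check(SAMPLE_INSPECT, SAMPLE_APT_PENDING, "2022-02-05T10:32:00Z"):
        print("WARN:", finding)
```

In practice the two inputs come from {{podman image inspect}} and {{podman exec solr apt list --upgradable}} (after an {{apt-get update}} inside the container), and a non-empty result should page someone rather than just print.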
> Add rpm repo for red hat based distros
> --------------------------------------
>
> Key: SOLR-15967
> URL: https://issues.apache.org/jira/browse/SOLR-15967
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: packages
> Affects Versions: 8.11.1
> Environment: # uname -a
> Linux my.host 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022
> x86_64 x86_64 x86_64 GNU/Linux
> Reporter: Martin Häcker
> Priority: Major
> Labels: centos, centos7, debian, fedora, ubuntu
> Attachments: Skjermbilde 2022-02-01 kl. 15.17.02.png
>
>
> Hi there,
> it's surprisingly hard to install Solr in a way where I can guarantee to
> automatically get updates, especially security updates in a reliable manner,
> as well as get a documented way to start / run Solr on my distro of choice.
> What I am really looking for is an official rpm repository (and probably a
> deb repo too) that I can add to my package manager and then install a package
> that will give me all the updates I want, as well as start the database with
> a systemd file that is known good.
> I in particular am looking for a centos 7 repository.
> I think that this would make installation of Solr so much easier.
> What do you say?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)