Is it possible to use the scratch image with Prometheus binary inside only?
That would reduce the surface entirely.

On Sun, 31 Jan 2021 at 13:26 Julien Pivotto <[email protected]> wrote:

> Hello,
>
> From time to time we get users reporting that the docker image we use to
> build Prometheus contains a Busybox vulnerability:
>
> https://github.com/prometheus/node_exporter/issues/1937
> https://github.com/prometheus/prometheus/issues/8277
> https://github.com/prometheus/prometheus/issues/7794
>
> We have a few options here:
>
> 1. ignoring those reports as there is no evidence that this can be used
> without first getting shell access into the container.
>
> 2. removing wget from the container
>
> 3. switching to a base image that does not contain the fix, e.g. alpine
>
> 4. only shipping our binaries and a few other files (from scratch or
> from distroless-static,
> https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)
>
> My thinking:
>
> 1. This is (was) the current strategy. And clearly, scanners do not care
> that Prometheus uses or does not use the said binaries.
> However, in security, less attack surface is always positive.
>
> 2. Even if we remove /bin/wget, it can still be invoked by calling
> /bin/busybox wget
>
> 3. Alpine etc. would increase the surface and require rebuilding a lot more
> often than busybox.
>
> 4. Distroless static seems to be what we have now (takes certs etc from
> debian), without busybox. The advantage here would be that we can simply
> stop using prometheus/busybox, and we would have updated upstreams
> images all the time.
>
> So I'd go and investigate distroless base image in the future.
>
> --
> Julien Pivotto
> @roidelapluie
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-developers/20210131162630.GA13747%40oxygen
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-developers/CAHaDZeRGK49OQUE8NmYCQs4pfdWbOf3DPEYOfJkYUALSzU71qQ%40mail.gmail.com.
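The two variants of option 4 from the quoted message (distroless-static and plain scratch), as an added example that is not the project's own Dockerfile or release pipeline. It assumes the build context is a checkout of the prometheus repo with the usual `cmd/`, `consoles/`, `console_libraries/` and `documentation/examples/prometheus.yml` paths, and builds the binaries with CGO disabled so they are fully static; the Go version, flags and file layout are assumptions.

```dockerfile
# --- build stage (assumption: build context is a prometheus checkout) ---
FROM golang:1.16 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 -> static binaries, so the final image needs no libc at all.
RUN CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/prometheus ./cmd/prometheus && \
    CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/promtool   ./cmd/promtool && \
    mkdir -p /out/data   # pre-made TSDB dir: no RUN/chown is possible later, there is no shell

# --- variant A: gcr.io/distroless/static ---
# Inherits CA certificates, tzdata and an /etc/passwd (nobody = 65534) from
# Debian, but no shell, no package manager and no busybox: nothing to "wget" with.
FROM gcr.io/distroless/static AS distroless
COPY --from=build /out/prometheus /bin/prometheus
COPY --from=build /out/promtool   /bin/promtool
COPY --from=build --chown=65534:65534 /out/data /prometheus
COPY documentation/examples/prometheus.yml /etc/prometheus/prometheus.yml
COPY console_libraries/ /usr/share/prometheus/console_libraries/
COPY consoles/          /usr/share/prometheus/consoles/
USER 65534:65534
EXPOSE 9090
VOLUME ["/prometheus"]
# Exec form is mandatory: with no /bin/sh a shell-form ENTRYPOINT cannot start.
ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", \
     "--storage.tsdb.path=/prometheus"]

# --- variant B: FROM scratch ---
# Nothing is inherited, so what distroless would have provided is copied in
# by hand: the CA bundle (HTTPS scrapes, Alertmanager, remote write) and
# zoneinfo. A numeric UID avoids needing an /etc/passwd at all.
FROM scratch AS scratch-image
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=build /out/prometheus /bin/prometheus
COPY --from=build /out/promtool   /bin/promtool
COPY --from=build --chown=65534:65534 /out/data /prometheus
COPY documentation/examples/prometheus.yml /etc/prometheus/prometheus.yml
COPY console_libraries/ /usr/share/prometheus/console_libraries/
COPY consoles/          /usr/share/prometheus/consoles/
USER 65534:65534
EXPOSE 9090
VOLUME ["/prometheus"]
ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", \
     "--storage.tsdb.path=/prometheus"]
```

Build either variant with `docker build --target distroless -t prometheus:distroless .` (or `--target scratch-image`). Because neither image has a shell, `docker exec ... sh` and shell-based HEALTHCHECKs stop working; liveness has to be probed from outside via the `/-/healthy` endpoint, which is the trade-off for removing busybox.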
