That's proposal #4.

On Sun, Jan 31, 2021 at 5:31 PM Gabriel Cavalcante <[email protected]> wrote:

> Is it possible to use the scratch image with the Prometheus binary inside
> only? That would reduce the surface entirely.
>
> On Sun, 31 Jan 2021 at 13:26 Julien Pivotto <[email protected]> wrote:
>
>> Hello,
>>
>> From time to time we get users reporting that the docker image we use to
>> build Prometheus contains a Busybox vulnerability:
>>
>> https://github.com/prometheus/node_exporter/issues/1937
>> https://github.com/prometheus/prometheus/issues/8277
>> https://github.com/prometheus/prometheus/issues/7794
>>
>> We have a few options here:
>>
>> 1. ignoring those reports as there is no evidence that this can be used
>> without first getting shell access into the container.
>>
>> 2. removing wget from the container
>>
>> 3. switching to a base image that does not contain the fix, e.g. alpine
>>
>> 4. only shipping our binaries and a few other files (from scratch or
>> from distroless-static
>> https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md
>> )
>>
>> My thinking:
>>
>> 1. This is (was) the current strategy. And clearly, scanners do not care
>> whether Prometheus uses or does not use the said binaries.
>> However, in security, less attack surface is always positive.
>>
>> 2. Even if we remove /bin/wget, it can still be invoked by calling
>> /bin/busybox wget
>>
>> 3. Alpine etc. would increase the surface and require rebuilding a lot more
>> often than busybox.
>>
>> 4. Distroless static seems to be what we have now (takes certs etc. from
>> debian), without busybox. The advantage here would be that we can simply
>> stop using prometheus/busybox, and we would have updated upstream
>> images all the time.
>>
>> So I'd go and investigate the distroless base image in the future.
>>
>> --
>> Julien Pivotto
>> @roidelapluie
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Prometheus Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/prometheus-developers/20210131162630.GA13747%40oxygen
>> .
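What option 4 in the thread above looks like in practice, as an added example. This is not the Prometheus project's own Dockerfile; it assumes the static binaries were already built into .build/linux-amd64/ (that path, and the use of a throwaway busybox stage only to create owned directories, are assumptions of this example), and that consoles/, console_libraries/ and documentation/examples/prometheus.yml sit in the build context as they do in the Prometheus repository.

```dockerfile
# Added example, not the Prometheus project's own Dockerfile.
# Assumptions: static binaries already built into .build/linux-amd64/
# (path is an assumption); consoles/, console_libraries/ and
# documentation/examples/prometheus.yml are in the build context.
ARG OS="linux"
ARG ARCH="amd64"

# Stage 1: a throwaway busybox stage used only to create the writable
# directories with the right owner. Only the (empty) directories are
# copied out below, so busybox itself never reaches the final image.
# uid/gid 65532 is the "nonroot" account shipped by distroless.
FROM busybox:stable AS prep
RUN mkdir -p /prometheus /etc/prometheus \
 && chown -R 65532:65532 /prometheus /etc/prometheus

# Stage 2: distroless static carries ca-certificates, tzdata, /etc/passwd
# and /etc/group, but no shell, no package manager and no /bin/busybox,
# so the "/bin/busybox wget" path that defeats option 2 does not exist.
FROM gcr.io/distroless/static:nonroot
ARG OS
ARG ARCH

COPY --from=prep --chown=65532:65532 /prometheus     /prometheus
COPY --from=prep --chown=65532:65532 /etc/prometheus /etc/prometheus

COPY .build/${OS}-${ARCH}/prometheus /bin/prometheus
COPY .build/${OS}-${ARCH}/promtool   /bin/promtool
COPY --chown=65532:65532 documentation/examples/prometheus.yml /etc/prometheus/prometheus.yml
COPY console_libraries/ /usr/share/prometheus/console_libraries/
COPY consoles/          /usr/share/prometheus/consoles/
COPY LICENSE NOTICE /

USER 65532:65532
EXPOSE 9090
VOLUME ["/prometheus"]
WORKDIR /prometheus

# Exec form is mandatory here: there is no /bin/sh in the image to run a
# shell-form ENTRYPOINT or CMD.
ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", \
     "--storage.tsdb.path=/prometheus", \
     "--web.console.libraries=/usr/share/prometheus/console_libraries", \
     "--web.console.templates=/usr/share/prometheus/consoles"]
```

The check that distinguishes this from option 2 is that both `docker run --rm --entrypoint /bin/sh <image>` and `docker run --rm --entrypoint /bin/busybox <image> wget` fail with an exec error, because neither file exists; removing only /bin/wget from a busybox image passes the first part of that check but not the second. The cost is the same absence: `docker exec -it <container> sh` no longer works for debugging, which is what the distroless `:debug` tags (which add busybox back) are for. For the scratch variant Gabriel asks about, replace the base with `FROM scratch` and additionally copy /etc/ssl/certs/ca-certificates.crt, /etc/passwd and the tzdata files in from a builder stage, since scratch provides none of them and Prometheus needs the CA bundle for HTTPS scrapes and remote write.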

