Proposal #4 also contains:

gcr.io/distroless/static:
  - ca-certificates
  - A /etc/passwd entry for a root user
  - A /tmp directory
  - tzdata

If exporters require cgo, there is also a version with:

gcr.io/distroless/base:
  - glibc
  - libssl
  - openssl
On 31 Jan 17:32, Ben Kochie wrote:
> That's proposal #4.
>
> On Sun, Jan 31, 2021 at 5:31 PM Gabriel Cavalcante <[email protected]> wrote:
>
> > Is it possible to use the scratch image with Prometheus binary inside
> > only? That would reduce the surface entirely.
> >
> > On Sun, 31 Jan 2021 at 13:26 Julien Pivotto <[email protected]> wrote:
> >
> >> Hello,
> >>
> >> From time to time we get users reporting that the docker image we use to
> >> build Prometheus contains a Busybox vulnerability:
> >>
> >> https://github.com/prometheus/node_exporter/issues/1937
> >> https://github.com/prometheus/prometheus/issues/8277
> >> https://github.com/prometheus/prometheus/issues/7794
> >>
> >> We have a few options here:
> >>
> >> 1. ignoring those reports as there is no evidence that this can be used
> >> without first getting shell access into the container.
> >>
> >> 2. removing wget from the container
> >>
> >> 3. switching to a base image that does not contain the fix, e.g. alpine
> >>
> >> 4. only shipping our binaries and a few other files (from scratch or
> >> from distroless-static,
> >> https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)
> >>
> >> My thinking:
> >>
> >> 1. This is (was) the current strategy. And clearly, scanners do not care
> >> that Prometheus uses or does not use the said binaries.
> >> However, in security, less attack surface is always positive.
> >>
> >> 2. Even if we remove /bin/wget, it can still be invoked by calling
> >> /bin/busybox wget
> >>
> >> 3. Alpine etc. would increase the surface and require rebuilding a lot more
> >> often than busybox.
> >>
> >> 4. Distroless static seems to be what we have now (takes certs etc from
> >> debian), without busybox. The advantage here would be that we can simply
> >> stop using prometheus/busybox, and we would have updated upstreams
> >> images all the time.
> >>
> >> So I'd go and investigate distroless base image in the future.
> >>
> >> --
> >> Julien Pivotto
> >> @roidelapluie
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Prometheus Developers" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> To view this discussion on the web visit
> >> https://groups.google.com/d/msgid/prometheus-developers/20210131162630.GA13747%40oxygen.
> >>
--
Julien Pivotto
@roidelapluie
--
You received this message because you are subscribed to the Google Groups
"Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-developers/20210131163533.GA28838%40oxygen.
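Below is an added example of what proposal #4 looks like as a build recipe. It is not the Prometheus project's own Dockerfile and nothing in the thread specifies it; the Go version, the source paths under ./cmd/ and documentation/examples/, and the data directory layout are assumptions for illustration. What it shows is the point of the proposal: the final image carries only the static binaries plus what gcr.io/distroless/static already provides (ca-certificates, tzdata, /tmp, an /etc/passwd), so there is no busybox multi-call binary for a scanner to flag or for anyone with a foothold in the container to invoke.

```dockerfile
# Added example, not the Prometheus project's Dockerfile. Paths, the Go
# version and the build layout are assumptions made for illustration.

# Stage 1: build fully static Go binaries. CGO_ENABLED=0 is what allows the
# runtime stage to be distroless/static (no glibc) rather than distroless/base.
FROM golang:1.16 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/prometheus ./cmd/prometheus \
 && CGO_ENABLED=0 go build -o /out/promtool   ./cmd/promtool \
 && mkdir -p /out/data

# Stage 2: runtime image. distroless/static already ships ca-certificates
# (TLS scrapes work), tzdata, /tmp and an /etc/passwd, so nothing else needs
# to be added. There is no shell, no package manager and no busybox applets.
# The :nonroot tag provides user "nonroot" (uid/gid 65532) instead of root.
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/prometheus /bin/prometheus
COPY --from=build /out/promtool   /bin/promtool
# Assumed location of a sample config in the source tree.
COPY --chown=65532:65532 documentation/examples/prometheus.yml /etc/prometheus/prometheus.yml
# Create the TSDB directory already owned by the unprivileged user; an empty
# directory copied from the build stage is the simplest way without a shell.
COPY --from=build --chown=65532:65532 /out/data /prometheus
USER 65532:65532
WORKDIR /prometheus
VOLUME ["/prometheus"]
EXPOSE 9090
# exec form is mandatory: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", "--storage.tsdb.path=/prometheus"]
```

A quick check that the surface really shrank: `docker run --rm --entrypoint /bin/sh <image>` should fail with an executable-not-found error, and `docker run --rm --entrypoint /bin/busybox <image>` likewise, which is precisely what option 2 (deleting only /bin/wget) could not guarantee. If an exporter needs cgo, swap the base for gcr.io/distroless/base:nonroot; that adds glibc, libssl and openssl as listed in the reply above, and those libraries then show up in scans, so the static variant is preferable whenever the binary can be built without cgo.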