Comments (8)
Thanks for submitting the issue @niakki
For mostly internal purposes, we have a few courses of action here.

Apollo
Based on the official `node-slim` image. Recently upgraded in #153. This appears to be using debian-stretch.
We could
- Upgrade major versions and see if it breaks anything (14.x.x -> 15.x.x)
- Upgrade minor version and see if it fixes security concerns (14.15.x -> 14.16.x)
- Upgrade to debian-buster (#198)
- Install node manually in a base image of our choice ie Ubuntu

Server
Based on the official `python-3.7-slim` image. This appears to be using debian-buster already.
Consider
- ~~Using slim-buster to designate a newer debian version, not sure what version of debian is running now~~ already using buster
- ~~Using alpine instead of debian~~ we need glibc
- Install python manually in a base image of our choice ie Ubuntu
Following #198 the Apollo/Server images are on the latest stable version of Debian. We've audited the critical/high CVEs for this version and they do not apply to our use. This version of Debian is widely used and I don't think we'll deviate from it at this time to satisfy external security policies.
@niakki -- You can create custom images that are based on Ubuntu instead if you need to do so to satisfy your requirements. It seems likely that you could just change the base image then install python / node as needed.
thank you @madkinsz I'll try that.
Hi, we are in a similar scenario as @niakki and have found CVE (CVE-2019-18276) vulnerabilities on Debian Buster. If you could update to Debian Bullseye as base for Server/Apollo it would be great since these vulnerabilities are resolved there.
Hi @noemtz -- can you clarify how that CVE is relevant? From the disclosure:
> However, binaries running with an effective UID of 0 are unaffected.

There's only a root user in these containers so this CVE does not affect you.

```console
❯ docker run -it prefecthq/server bash
root@80cd93bc5486:/prefect-server# echo $UID
0
root@80cd93bc5486:/prefect-server# echo $EUID
0
```
Hi @madkinsz,
It is relevant for us because Azure highlights this vulnerability on it and we are very strict with respect to security. As per Azure Security Policy ("Running containers as root user should be avoided") we need to deploy the container with a different user than root (for this we need to create an image with this container as base), and also because as per Microsoft Defender for Cloud scanner this image has a high risk vulnerability. Thoughts?
We will likely update the Debian base image soon, if you open a PR I will review it. Generally I'd recommend building an image that fits your needs directly if you have strict security requirements. This is an open source project and it's difficult for us to assess and address security cases that are beyond our intended uses. Automated scans do not always capture realistic scenarios.
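Added example (not part of the thread or the Prefect project): one way to build the derived, non-root image the thread discusses, so the container no longer runs with an effective UID of 0. The user name `prefect`, the UID/GID 1000 and the assumption that the application only needs write access under `/prefect-server` are mine, not the project's.

```dockerfile
# Added example: derive a non-root image from the upstream Prefect Server image.
# Assumptions (not from the project): the user/group name "prefect", the UID/GID 1000,
# and that the application only needs to write under /prefect-server.
FROM prefecthq/server

# Create an unprivileged user and group. groupadd/useradd ship with the
# Debian base image the upstream image is built on.
RUN groupadd --gid 1000 prefect \
 && useradd --uid 1000 --gid 1000 --create-home --shell /usr/sbin/nologin prefect \
 && chown -R prefect:prefect /prefect-server

# Every later build step and the running container use UID 1000, not 0.
USER prefect
WORKDIR /prefect-server

# Build and check (constructed tag name):
#   docker build -t prefect-server-nonroot .
#   docker run --rm prefect-server-nonroot bash -c 'id -u; echo $EUID'
# Both values should be the unprivileged UID, not 0, which is what a
# "do not run as root" policy check looks for.
```

If the server needs to write anywhere other than `/prefect-server` (for example a volume mount), that path has to be owned by or writable to UID 1000 as well, or the process will fail at startup rather than silently fall back to root.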
I totally understand, I can help with the PR. Thanks for the prompt response.