Dockerfile: dumb-init is installed from http without verification #1631

Closed
anguslees opened this issue Oct 31, 2017 · 5 comments · Fixed by #1635
Comments

@anguslees
Member

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

If this is a BUG REPORT, please:

NGINX Ingress controller version:
gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.15

What happened:
Dockerfile contains these lines:

```
RUN curl -sSL -o /tmp/dumb-init.deb http://ftp.us.debian.org/debian/pool/main/d/dumb-init/dumb-init_1.2.0-1_amd64.deb && \
  dpkg -i /tmp/dumb-init.deb && \
  rm /tmp/dumb-init.deb
```

Note that dumb-init.deb is fetched from insecure http, with no post-download checksum/etc verification.

What you expected to happen:

I expected to see dumb-init downloaded from a secure source, ideally from the same apt repository that is used a few lines above to install diffutils.

Note that this latter requires an nginx-slim based on ubuntu zesty or newer, instead of the current xenial-based image (or it requires adding the zesty repo to apt.conf).
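
The check the report above asks for, as an added example (not code from the project or from this thread): a POSIX shell helper for a Dockerfile `RUN` step that refuses non-HTTPS URLs and keeps the download only if its SHA-256 matches a pinned digest. The function names are hypothetical, and the URL and digest in the usage comment are placeholders because the page gives no checksum.

```shell
#!/bin/sh
# Added example: fail-closed download for a Dockerfile RUN step.
# URL and digest are supplied by the caller; none come from the issue.

# verify_sha256 FILE EXPECTED_HEX -> 0 only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    file=$1; expected=$2
    # Require exactly 64 hex digits so an empty or truncated pin
    # can never be treated as a match.
    case $expected in
        *[!0-9a-fA-F]*|'') echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $file: got $actual" >&2
        return 1
    fi
}

# fetch_verified URL EXPECTED_HEX DEST
# Downloads to a temp file, verifies it, and only then moves it to DEST.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 3 ;;
    esac
    tmp=$(mktemp) || return 2
    # --proto-redir stops a redirect from downgrading the transfer to http.
    if curl -fsSL --proto '=https' --proto-redir '=https' -o "$tmp" "$url" \
        && verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage in a RUN step (placeholders, replace with real pinned values):
#   fetch_verified "https://<mirror>/dumb-init_<version>_amd64.deb" \
#       "<sha256 of that exact file>" /tmp/dumb-init.deb \
#     && dpkg -i /tmp/dumb-init.deb && rm /tmp/dumb-init.deb
```

The pinned digest has to be obtained out of band and committed alongside the Dockerfile; a digest fetched from the same server as the package adds nothing.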

@aledbf
Member

aledbf commented Nov 1, 2017

> Note that this latter requires an nginx-slim based on ubuntu zesty or newer, instead of the current xenial-based image (or it requires adding the zesty repo to apt.conf).

This is not possible because there's no deb packages for all platforms

@anguslees
Member Author

anguslees commented Nov 1, 2017

> This is not possible because there's no deb packages for all platforms

I think this is telling me that there is support across all ubuntu platforms in zesty (and newer).

(Alternatively, perhaps we should switch nginx-slim to Debian (using minideb?) if Ubuntu has poor support for our required architectures/packages. Disclaimer: I'm a Debian Developer, so biased in favour of using the real thing ;)

@komapa
komapa commented Nov 1, 2017

You could alternatively switch to tini which has prebuilt packages for most platforms: https://github.com/krallin/tini/releases

@aledbf
Member

aledbf commented Nov 1, 2017

> I think this is telling me that there is support across all ubuntu platforms in zesty (and newer).

Thank you for this.

@aledbf
Member

aledbf commented Nov 1, 2017

> You could alternatively switch to tini which has prebuilt packages for most platforms:

We used tini in the past but we found issues reaping the nginx child processes.
