diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index d564c27f4..f340fe385 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
@@ -1,7 +1,7 @@
 # Default base images. If you update them don't forgot to update variables in our build pipelines. Default values can be found in internal wiki. External can use ubuntu 18.04 and golang 1.18.3
 ARG GOLANG_BASE_IMAGE=
-ARG MARINER_BASE_IMAGE=mcr.microsoft.com/cbl-mariner/base/core:2.0
-ARG MARINER_DISTROLESS_IMAGE=mcr.microsoft.com/cbl-mariner/distroless/base:2.0
+ARG MARINER_BASE_IMAGE=mcr.microsoft.com/azurelinux/base/core:3.0
+ARG MARINER_DISTROLESS_IMAGE=mcr.microsoft.com/azurelinux/distroless/base:3.0
 FROM --platform=$BUILDPLATFORM ${GOLANG_BASE_IMAGE} AS golang-builder
 ARG TARGETOS TARGETARCH
@@ -11,7 +11,6 @@ COPY build /src/build
 COPY source /src/source
 RUN cd /src/build/linux && make arch=${TARGETARCH}
-
 FROM ${MARINER_BASE_IMAGE} AS builder
 ARG TARGETOS TARGETARCH
 LABEL maintainer="OMSContainers@microsoft.com"
@@ -43,7 +42,7 @@ RUN mkdir /busybin && busybox --install /busybin
 COPY --from=golang-builder /src/kubernetes/linux/Linux_ULINUX_1.0_*_64_Release/docker-cimprov-*.*.*-*.*.sh $tmpdir/
 COPY kubernetes/linux/setup.sh kubernetes/linux/main.sh kubernetes/linux/defaultpromenvvariables kubernetes/linux/defaultpromenvvariables-rs kubernetes/linux/defaultpromenvvariables-sidecar kubernetes/linux/mdsd.xml kubernetes/linux/envmdsd kubernetes/linux/logrotate.conf $tmpdir/
-COPY kubernetes/linux/mariner-official-extras.repo /etc/yum.repos.d/
+COPY kubernetes/linux/azure-official-extras.repo /etc/yum.repos.d/
 WORKDIR ${tmpdir}
@@ -65,7 +64,7 @@ ENV HOST_VAR /hostfs/var
 ENV AZMON_COLLECT_ENV False
 ENV KUBE_CLIENT_BACKOFF_BASE 1
 ENV KUBE_CLIENT_BACKOFF_DURATION 0
-ENV RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR 0.9
+ENV RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR 1.0
 # default value will be overwritten by pipeline
 ARG IMAGE_TAG=3.1.26
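Review bot: The ARGs keep the names MARINER_BASE_IMAGE and MARINER_DISTROLESS_IMAGE while their defaults now point at mcr.microsoft.com/azurelinux/.../3.0, and the header comment says the build pipelines override these values. The rest of the patch hardcodes the Azure Linux 3.0 layout (the /usr/lib library paths, libruby.so.3.3, the azl3 package names in setup.sh), so a pipeline still passing the old cbl-mariner 2.0 image would fail late in the build rather than at this line. Renaming the ARGs would break existing pipeline variables, so the compatible fix is a comment at the point of definition, e.g. `# Must be an Azure Linux 3.0 image: the COPY paths below and setup.sh assume its /usr/lib layout and ruby 3.3`.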
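Review bot: RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR moves from 0.9 to 1.0 with nothing recording why, although the neighbouring `# default value will be overwritten by pipeline` shows the file does annotate its tuning knobs. Whether this was retuned for ruby 3.3's GC or just relaxed is not recoverable from the diff, and the next person chasing RSS growth will have to guess. A one-line comment above the ENV, along the lines of `# raised from 0.9 for ruby 3.3; see <issue or measurement placeholder>` (with the real motivation), would keep the rationale with the value.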
@@ -105,32 +104,28 @@ COPY --from=builder /usr/share/pki/ca-trust-source /usr/share/pki/ca-trust-sourc
 COPY --from=builder /usr/share/p11-kit/ /usr/share/p11-kit/
 # bash dependencies
-COPY --from=builder /lib/libreadline.so.8 /lib/
-COPY --from=builder /usr/lib/libncursesw.so.6 /usr/lib/libtinfo.so.6 /usr/lib/
-# inotifywait dependencies
-COPY --from=builder /lib/libinotifytools.so.0 /lib/
-COPY --from=builder /lib/libc.so.6 /lib/
-# crond dependencies
-COPY --from=builder /lib/libselinux.so.1 /lib/libpam.so.0 /lib/libc.so.6 /lib/libpcre.so.1 /lib/libaudit.so.1 /lib/libcap-ng.so.0/ /lib/
+COPY --from=builder /usr/lib/libreadline.so.8 /usr/lib/libc.so.6 /usr/lib/libncursesw.so.6 /usr/lib/libtinfo.so.6 /usr/lib/
+# inotifywait dependencies
+COPY --from=builder /usr/lib/libinotifytools.so.0 /usr/lib/libstdc++.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/libc.so.6 /usr/lib/libm.so.6 /usr/lib/
+# crond dependencies
+COPY --from=builder /usr/lib/libselinux.so.1 /usr/lib/libpam.so.0 /usr/lib/libc.so.6 /usr/lib/
 # ruby dependencies
-COPY --from=builder /usr/lib/libruby.so.3.1 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/libc.so.6 /usr/lib/
+COPY --from=builder /usr/lib/libruby.so.3.3 /usr/lib/libc.so.6 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/
 # fluent-bit dependencies
-# libssl.so.1.1 & libcrypto.so.1.1 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
-COPY --from=builder /lib/libyaml-0.so.2 /lib/libsystemd.so.0 /lib/libm.so.6 /lib/libgcc_s.so.1 /lib/libc.so.6 /lib/liblzma.so.5 /lib/liblz4.so.1 /lib/libcap.so.2 /lib/libgcrypt.so.20 /lib/libgpg-error.so.0 /lib/libsasl2.so.3 /lib/
+# libssl.so.3 & libcrypto.so.3 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
+COPY --from=builder /usr/lib/libluajit-5.1.so.2 /usr/lib/libyaml-0.so.2 /usr/lib/libsystemd.so.0 /usr/lib/libcurl.so.4 /usr/lib/libz.so.1 /usr/lib/libzstd.so.1 /usr/lib/libsasl2.so.3 /usr/lib/libm.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/libc.so.6 /usr/lib/libcap.so.2 /usr/lib/liblz4.so.1 /usr/lib/liblzma.so.5 /usr/lib/libnghttp2.so.14 /usr/lib/libssh2.so.1 /usr/lib/libgssapi_krb5.so.2 /usr/lib/libresolv.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/
 # telegraf dependencies
-COPY --from=builder /lib/libresolv.so.2 /lib/libc.so.6 /lib/
+COPY --from=builder /usr/lib/libresolv.so.2 /usr/lib/libc.so.6 /usr/lib/
 # mdsd dependencies
-COPY --from=builder /usr/lib/libdl.so.2 /usr/lib/librt.so.1 /usr/lib/libpthread.so.0 /usr/lib/libm.so.6 /usr/lib/libstdc++.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/
+COPY --from=builder /usr/sbin/../lib/libpthread.so.0 /usr/sbin/../lib/libdl.so.2 /usr/sbin/../lib/libsymcrypt.so.103 /usr/sbin/../lib/librt.so.1 /usr/sbin/../lib/libm.so.6 /usr/sbin/../lib/libc.so.6 /usr/sbin/../lib/libstdc++.so.6 /usr/sbin/../lib/libgcc_s.so.1 /usr/sbin/../lib/
 COPY --from=builder /opt/microsoft/azure-mdsd/lib/libtcmalloc_minimal.so.4 /opt/microsoft/azure-mdsd/lib/
-COPY --from=builder /opt/microsoft/azure-mdsd/lib/libsymcrypt.so.103 /opt/microsoft/azure-mdsd/lib/
-# logrotate dependencies
-COPY --from=builder /lib/libselinux.so.1 /lib/libpopt.so.0 /lib/libc.so.6 /lib/libpcre.so.1 /lib/
+# logrotate dependencies
+COPY --from=builder /usr/lib/libpopt.so.0 /usr/lib/libc.so.6 /usr/lib/
 # curl dependencies
 # libssl.so.1.1 & libcrypto.so.1.1 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
-COPY --from=builder /lib/libcurl.so.4 /lib/libz.so.1 /lib/libc.so.6 /lib/libnghttp2.so.14 /lib/libssh2.so.1 /lib/libgssapi_krb5.so.2 /lib/libzstd.so.1 /lib/
-COPY --from=builder /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/libresolv.so.2 /usr/lib/
+COPY --from=builder /usr/lib/libcurl.so.4 /usr/lib/libz.so.1 /usr/lib/libc.so.6 /usr/lib/libnghttp2.so.14 /usr/lib/libssh2.so.1 /usr/lib/libgssapi_krb5.so.2 /usr/lib/libzstd.so.1 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/libresolv.so.2 /usr/lib/
 # jq dependencies
-COPY --from=builder /lib/libjq.so.1 /lib/libc.so.6 /lib/libm.so.6 /lib/libonig.so.5 /lib/
+COPY --from=builder /usr/lib/libjq.so.1 /usr/lib/libc.so.6 /usr/lib/libm.so.6 /usr/lib/libonig.so.5 /usr/lib/
 # update-ca-trust dependencies
 COPY --from=builder /lib/libp11-kit.so.0 /lib/libffi.so.8 /lib/libtasn1.so.6 /lib/
 COPY --from=builder /lib/pkcs11/p11-kit-trust.so /lib/pkcs11/
diff --git a/kubernetes/linux/azure-official-extras.repo b/kubernetes/linux/azure-official-extras.repo
new file mode 100644
index 000000000..e72b3deb6
--- /dev/null
+++ b/kubernetes/linux/azure-official-extras.repo
@@ -0,0 +1,9 @@
+[azurelinux-official-extras]
+name=Azure-Linux Official extras
+baseurl=https://packages.microsoft.com/azurelinux/3.0/prod/ms-non-oss/x86_64/ https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
\ No newline at end of file
diff --git a/kubernetes/linux/mariner-official-extras.repo b/kubernetes/linux/mariner-official-extras.repo
deleted file mode 100644
index 181d74f24..000000000
--- a/kubernetes/linux/mariner-official-extras.repo
+++ /dev/null
@@ -1,9 +0,0 @@
-[mariner-official-extras]
-name=CBL-Mariner Official Extras
-baseurl=https://packages.microsoft.com/cbl-mariner/2.0/prod/extras/x86_64/
-gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
-gpgcheck=1
-repo_gpgcheck=1
-enabled=1
-skip_if_unavailable=True
-sslverify=1
\ No newline at end of file
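Review bot: The new mdsd dependency line copies every library from `/usr/sbin/../lib/…`, which reads like paths pasted straight from ldd output; they resolve to /usr/lib and should be written that way, `COPY --from=builder /usr/lib/libpthread.so.0 /usr/lib/libdl.so.2 /usr/lib/libsymcrypt.so.103 /usr/lib/librt.so.1 /usr/lib/libm.so.6 /usr/lib/libc.so.6 /usr/lib/libstdc++.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/`, matching the rest of the hunk. That same line now takes libsymcrypt.so.103 from the base image's /usr/lib instead of mdsd's bundled /opt/microsoft/azure-mdsd/lib copy that the patch removes; given the comment a few lines up about FIPS HMAC verification failing when crypto libraries are copied over the ones distroless already ships, it is worth confirming the distroless image carries no libsymcrypt of its own and recording that in a comment next to the line. The `# curl dependencies` comment still names libssl.so.1.1 & libcrypto.so.1.1 while the fluent-bit comment in this hunk was updated to .so.3; bringing it in line avoids two contradictory statements about the same distroless openssl. The crond line also drops libpcre, libaudit and libcap-ng, presumably from a fresh ldd on the 3.0 package, but that cannot be verified from the diff.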
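Review bot: `baseurl` hardcodes `x86_64` in both URLs although Dockerfile.multiarch builds per `TARGETARCH` and setup.sh has an arm64 branch, so an aarch64 build would resolve packages against the wrong architecture repo (the deleted mariner file had the same limitation, so this is carried over rather than introduced). tdnf expands `$basearch` in repo files, so `baseurl=https://packages.microsoft.com/azurelinux/3.0/prod/ms-non-oss/$basearch/ https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/$basearch/` would follow the build architecture, assuming the aarch64 tree is published at that path. Keeping `gpgcheck=1` and `repo_gpgcheck=1` with the pinned key files is right and should stay. The file also lacks a trailing newline.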
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 548eda87a..75c0156ce 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -12,47 +12,43 @@ fi
 sudo tdnf install ca-certificates-microsoft -y
 sudo update-ca-trust
-# sudo tdnf install ruby-3.1.3 -y
 if [ "$ARCH" == "arm64" ]; then
- sudo tdnf install ruby-3.1.3-1.cm2.aarch64 -y
+ sudo tdnf install ruby-3.3.5-1.azl3.aarch64 -y
 else
 tdnf install -y gcc patch bzip2 openssl-devel libyaml-devel libffi-devel readline-devel zlib-devel gdbm-devel ncurses-devel
- wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20230330.tar.gz -O ruby-build.tar.gz
+ wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20250409.tar.gz -O ruby-build.tar.gz
 tar -xzf ruby-build.tar.gz
 PREFIX=/usr/local ./ruby-build-*/install.sh
- ruby-build 3.1.3 /usr
+ ruby-build 3.3.8 /usr -v
+
+ rm ruby-build.tar.gz
 fi
 # clean up the ruby-build files
-rm ruby-build.tar.gz
 rm -rf ruby-build-*
 # remove unused default gem openssl, find as they have some known vulns
-rm /usr/lib/ruby/gems/3.1.0/specifications/default/openssl-3.0.1.gemspec
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/openssl-3.0.1
-rm /usr/lib/ruby/gems/3.1.0/specifications/default/find-0.1.1.gemspec
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/find-0.1.1
-rm /usr/lib/ruby/gems/3.1.0/specifications/default/rdoc-6.4.0.gemspec
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/rdoc-6.4.0
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/openssl-3.2.0.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/openssl-3.2.0
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/find-0.2.0.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/find-0.2.0
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/rdoc-6.6.3.1.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/rdoc-6.6.3.1
 # update the time and uri package to tackle the vulnerabilities in these gems
-gem update time --default
-gem update uri --default
-gem update stringio --default
-gem update rexml --default
-gem update webrick --default
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/time-0.2.0.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/uri-0.11.0.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/stringio-3.0.1.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/rexml-3.2.5.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/webrick-1.8.1.gemspec /usr/lib/ruby/gems/3.1.0/specifications/..
-gem uninstall time --version 0.2.0
-gem uninstall uri --version 0.11.0
-gem uninstall stringio --version 3.0.1
-gem uninstall rexml --version 3.2.5
-gem uninstall webrick --version 1.8.1
-
-sudo tdnf install -y azure-mdsd-1.31.4
+gem update time --default --no-document
+gem update uri --default --no-document
+gem update stringio --default --no-document
+
+mv /usr/lib/ruby/gems/3.3.0/specifications/default/time-0.3.0.gemspec /usr/lib/ruby/gems/3.3.0/specifications/default/..
+mv /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec /usr/lib/ruby/gems/3.3.0/specifications/default/..
+mv /usr/lib/ruby/gems/3.3.0/specifications/default/stringio-3.1.1.gemspec /usr/lib/ruby/gems/3.3.0/specifications/default/..
+
+gem uninstall time --version 0.3.0
+gem uninstall uri --version 0.13.2
+gem uninstall stringio --version 3.1.1
+
+sudo tdnf install -y azure-mdsd-1.33.3
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
 cp -f $TMPDIR/envmdsd /etc/mdsd.d
 rm /usr/sbin/telegraf
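Review bot: The ruby-build archive fetched by `wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20250409.tar.gz -O ruby-build.tar.gz` is extracted and its `install.sh` executed with no integrity check, so the build trusts whatever that URL serves at build time; a pinned tag is not a pinned artifact, and this patch already retouches the line. A digest check before the `tar -xzf` step, e.g. `echo "<sha256 of the v20250409 archive>  ruby-build.tar.gz" | sha256sum -c -`, makes the toolchain download reproducible and fails the build instead of silently installing a different archive. Separately, the arm64 branch installs the distro's `ruby-3.3.5-1.azl3` while the x86_64 branch builds 3.3.8, yet the `rm`/`mv` lines below hardcode a single set of default-gem versions (openssl-3.2.0, find-0.2.0, rdoc-6.6.3.1, time-0.3.0, uri-0.13.2, stringio-3.1.1); if the two rubies ship different default-gem versions these paths miss on one architecture, so they should be checked against both builds or resolved with a glob. The rexml and webrick update/uninstall lines are dropped but the `# update the time and uri package to tackle the vulnerabilities` comment above them is unchanged; a note on why rexml no longer needs updating on 3.3 (bundled rather than default gem, presumably) would keep the vulnerability-handling rationale visible. Whether the script runs under `set -e`, which decides whether a missed `rm` aborts or is ignored, is outside this hunk.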
@@ -69,12 +65,12 @@ sudo tdnf install inotify-tools -y
 #used to parse response of kubelet apis
 #ref: https://packages.ubuntu.com/search?keywords=jq
-sudo tdnf install jq-1.6-1.cm2 -y
+sudo tdnf install jq-1.7.1-1.azl3 -y
 #used to setcaps for ruby process to read /proc/env
 sudo tdnf install libcap -y
-sudo tdnf install telegraf-1.29.4 -y
+sudo tdnf install telegraf-1.31.0 -y
 telegraf_version=$(sudo tdnf list installed | grep telegraf | awk '{print $2}')
 echo "telegraf $telegraf_version" >> packages_version.txt
 mv /usr/bin/telegraf /opt/telegraf
@@ -85,16 +81,16 @@ docker_cimprov_version=$(sudo tdnf list installed | grep docker-cimprov | awk '{
 echo "DOCKER_CIMPROV_VERSION=$docker_cimprov_version" >> packages_version.txt
 #install fluent-bit
-sudo tdnf install fluent-bit-3.0.6 -y
+sudo tdnf install fluent-bit-3.1.9 -y
 echo "$(fluent-bit --version)" >> packages_version.txt
 # install fluentd using the mariner package
-# sudo tdnf install rubygem-fluentd-1.14.6 -y
-fluentd_version="1.16.3"
+# sudo tdnf install rubygem-fluentd -y
+fluentd_version="1.18.0"
 gem install fluentd -v $fluentd_version --no-document
 # remove the test directory from fluentd
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/fluentd-$fluentd_version/test/
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/fluentd-$fluentd_version/test/
 echo "$(fluentd --version)" >> packages_version.txt
 fluentd --setup ./fluent
@@ -103,6 +99,7 @@ gem install gyoku iso8601 bigdecimal --no-doc
 gem install tomlrb -v "2.0.1" --no-document
 gem install ipaddress --no-document
 gem install jwt -v "2.7.1" --no-document
+gem install racc --no-document
 rm -f $TMPDIR/docker-cimprov*.sh
 rm -f $TMPDIR/mdsd.xml
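Review bot: `gem install racc --no-document` is the only line this patch adds that installs a gem without a version pin, while `tomlrb -v "2.0.1"` and `jwt -v "2.7.1"` directly above it are pinned and the new `fluentd_version="1.18.0"` a hunk earlier is too; an unpinned install pulls whatever rubygems.org serves at build time, so two builds of the same commit can differ. Pin it to the version that was validated, `gem install racc -v "<validated version>" --no-document`, and consider appending it to packages_version.txt like the other components if it ships in the runtime image. A short comment on why racc is now required (a dependency pulled in on ruby 3.3, presumably) would also help the next person deciding whether the line can go.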