Page MenuHomePhabricator
Create Task
Maniphest T274254

Check/Rebuild all docker-pkg build docker images running on kubernetes
Closed, ResolvedPublic
Actions

Description

To ensure images are not running as root in kubernetes clusters we need the images to have numeric UIDs rather then user names set in the "USER" instructions (via Dockerfile).

We need to check and potentially rebuild all production-images that are running in our cluster (snapshot as of 2021-02-09):

  • coredns:1.5.2-1 (currently binds to port 53, needs root and is running in kube-system)
  • eventrouter:0.3.0-4
  • tiller:2.16.7-wmf1
  • nutcracker:latest
  • prometheus-statsd-exporter:0.0.5
  • prometheus-statsd-exporter:0.0.7
  • envoy:1.15.1-2

The following ones are only used in api-gateway, so they should be merged and deployed together in https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/664523

  • envoy-future:1.16.0
  • ratelimit:1.5.1
  • fluent-bit:1.5.3-0

What kubernetes basically does for validation is:

docker inspect $IMAGE_ID | jq '.[].Config.User' | { read u; echo $u;  if ! [[ "$u" =~ ^[0-9]+(:[0-9]+)?$ ]]; then echo "Nono"; fi; }

Details

SubjectRepoBranchLines +/-
changeprop(-jobqueue): Don't run nutcracker:latestoperations/deployment-chartsmaster+6 -0
wikifeeds: Switch back to the global tls.image_versionoperations/deployment-chartsmaster+0 -1
Remove deployment local definitions of statsd exporter versionoperations/deployment-chartsmaster+0 -13
deployment_server: Update default prometheus-statsd-exporter image to 0.0.9operations/puppetproduction+2 -1
deployment_server: Update default envoy image to 1.15.1-4operations/puppetproduction+2 -1
wikifeeds: Update envoy to 1.15.1-4 and statsd exporter to 0.0.9operations/deployment-chartsmaster+2 -1
api-gateway: Pin nutcracker version to 0.0.4operations/deployment-chartsmaster+3 -0
api-gateway: Update mutiple sidecar imagesoperations/deployment-chartsmaster+4 -4
nutcracker: Run as user nobodyoperations/docker-images/production-imagesmaster+9 -2
prometheus-statsd-exporter: Run as nobodyoperations/docker-images/production-imagesmaster+7 -1
envoy: Run as user nobodyoperations/docker-images/production-imagesmaster+9 -3
initialize_cluster: Update tiller image to 2.16.7-3operations/deployment-chartsmaster+1 -1
admin: Update tiller image to 2.16.7-3operations/deployment-chartsmaster+1 -1
admin_ng: Update tiller image to 2.16.7-3operations/deployment-chartsmaster+1 -1
eventrouter: Bump image version to 0.3.0-5operations/deployment-chartsmaster+2 -2
ratelimit: Use numeric UIDoperations/docker-images/production-imagesmaster+7 -1
fluent-bit: Use numeric UIDoperations/docker-images/production-imagesmaster+8 -2
eventrouter: Use numeric UIDoperations/docker-images/production-imagesmaster+7 -1
tiller: Run tiller as user nobodyoperations/docker-images/production-imagesmaster+9 -1
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm created this task.Feb 9 2021, 2:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 9 2021, 2:00 PM
JMeybohm updated the task description. (Show Details)Feb 9 2021, 2:54 PM
JMeybohm renamed this task from Check/Rebuild all dpcker-pkg build docker images running on kubernetes to Check/Rebuild all docker-pkg build docker images running on kubernetes.Feb 10 2021, 6:01 PM
JMeybohm triaged this task as High priority.
JMeybohm updated the task description. (Show Details)
gerritbot added a comment.Feb 15 2021, 8:31 AM

Change 664095 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] tiller: Run tiller as user nobody

https://gerrit.wikimedia.org/r/664095

gerritbot added a project: Patch-For-Review.Feb 15 2021, 8:31 AM

Change 664096 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] eventrouter: Use numeric UID

https://gerrit.wikimedia.org/r/664096

gerritbot added a comment.Feb 15 2021, 8:31 AM

Change 664097 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] fluent-bit: Use numeric UID

https://gerrit.wikimedia.org/r/664097

gerritbot added a comment.Feb 15 2021, 8:31 AM

Change 664098 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] ratelimit: Use numeric UID

https://gerrit.wikimedia.org/r/664098

JMeybohm updated the task description. (Show Details)Feb 15 2021, 8:32 AM
JMeybohm added a subscriber: Joe.
gerritbot added a comment.Feb 16 2021, 9:27 AM

Change 664095 merged by JMeybohm:
[operations/docker-images/production-images@master] tiller: Run tiller as user nobody

https://gerrit.wikimedia.org/r/664095

gerritbot added a comment.Feb 16 2021, 9:27 AM

Change 664097 merged by JMeybohm:
[operations/docker-images/production-images@master] fluent-bit: Use numeric UID

https://gerrit.wikimedia.org/r/664097

gerritbot added a comment.Feb 16 2021, 9:27 AM

Change 664096 merged by JMeybohm:
[operations/docker-images/production-images@master] eventrouter: Use numeric UID

https://gerrit.wikimedia.org/r/664096

gerritbot added a comment.Feb 16 2021, 9:27 AM

Change 664098 merged by JMeybohm:
[operations/docker-images/production-images@master] ratelimit: Use numeric UID

https://gerrit.wikimedia.org/r/664098

Maintenance_bot removed a project: Patch-For-Review.Feb 16 2021, 10:10 AM
gerritbot added a comment.Feb 16 2021, 10:20 AM

Change 664522 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] eventrouter: Bump image version to 0.3.0-5

https://gerrit.wikimedia.org/r/664522

gerritbot added a project: Patch-For-Review.Feb 16 2021, 10:20 AM

Change 664523 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] api-gateway: Update fluent-bit and ratelimit images

https://gerrit.wikimedia.org/r/664523

gerritbot added a comment.Feb 16 2021, 10:20 AM

Change 664525 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] admin_ng: Update tiller image to 2.16.7-3

https://gerrit.wikimedia.org/r/664525

gerritbot added a comment.Feb 16 2021, 10:20 AM

Change 664526 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] admin: Update tiller image to 2.16.7-3

https://gerrit.wikimedia.org/r/664526

gerritbot added a comment.Feb 16 2021, 11:27 AM

Change 664522 merged by jenkins-bot:
[operations/deployment-charts@master] eventrouter: Bump image version to 0.3.0-5

https://gerrit.wikimedia.org/r/664522

gerritbot added a comment.Feb 16 2021, 12:40 PM

Change 664525 merged by JMeybohm:
[operations/deployment-charts@master] admin_ng: Update tiller image to 2.16.7-3

https://gerrit.wikimedia.org/r/664525

JMeybohm updated the task description. (Show Details)Feb 16 2021, 3:51 PM
gerritbot added a comment.Feb 17 2021, 1:08 PM

Change 664526 merged by JMeybohm:
[operations/deployment-charts@master] admin: Update tiller image to 2.16.7-3

https://gerrit.wikimedia.org/r/664526

gerritbot added a comment.Feb 17 2021, 1:25 PM

Change 664818 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] initialize_cluster: Update tiller image to 2.16.7-3

https://gerrit.wikimedia.org/r/664818

JMeybohm updated the task description. (Show Details)Feb 17 2021, 2:09 PM
gerritbot added a comment.Feb 17 2021, 2:11 PM

Change 664818 merged by jenkins-bot:
[operations/deployment-charts@master] initialize_cluster: Update tiller image to 2.16.7-3

https://gerrit.wikimedia.org/r/664818

gerritbot added a comment.Feb 17 2021, 4:46 PM

Change 664853 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] envoy: Run as user nobody

https://gerrit.wikimedia.org/r/664853

JMeybohm updated the task description. (Show Details)Feb 17 2021, 4:57 PM
JMeybohm updated the task description. (Show Details)Feb 17 2021, 5:03 PM
gerritbot added a comment.Feb 17 2021, 5:28 PM

Change 664864 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] prometheus-statsd-exporter: Run as nobody

https://gerrit.wikimedia.org/r/664864

gerritbot added a comment.Feb 17 2021, 5:28 PM

Change 664865 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/docker-images/production-images@master] nutcracker: Run as user nobody

https://gerrit.wikimedia.org/r/664865

gerritbot added a comment.Feb 22 2021, 1:45 PM

Change 666116 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] deployment_server: Update default envoy image to 1.15.1-4

https://gerrit.wikimedia.org/r/666116

gerritbot added a comment.Feb 22 2021, 1:45 PM

Change 666117 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] deployment_server: Update default prometheus-statsd-exporter image to 0.0.9

https://gerrit.wikimedia.org/r/666117

gerritbot added a comment.Feb 22 2021, 2:01 PM

Change 666122 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] wikifeeds: Update envoy to 1.15.1-4 and statsd exporter to 0.0.9

https://gerrit.wikimedia.org/r/666122

gerritbot added a comment.Feb 22 2021, 2:01 PM

Change 666123 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] Remove deployment local definitions of statsd exporter version

https://gerrit.wikimedia.org/r/666123

gerritbot added a comment.Feb 22 2021, 2:13 PM

Change 666124 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] wikifeeds: Switch back to the global tls.image_version

https://gerrit.wikimedia.org/r/666124

gerritbot added a comment.Feb 22 2021, 3:12 PM

Change 664853 merged by JMeybohm:
[operations/docker-images/production-images@master] envoy: Run as user nobody

https://gerrit.wikimedia.org/r/664853

gerritbot added a comment.Feb 22 2021, 3:12 PM

Change 664864 merged by JMeybohm:
[operations/docker-images/production-images@master] prometheus-statsd-exporter: Run as nobody

https://gerrit.wikimedia.org/r/664864

gerritbot added a comment.Feb 22 2021, 3:12 PM

Change 664865 merged by JMeybohm:
[operations/docker-images/production-images@master] nutcracker: Run as user nobody

https://gerrit.wikimedia.org/r/664865

gerritbot added a comment.Feb 22 2021, 3:31 PM

Change 664523 merged by jenkins-bot:
[operations/deployment-charts@master] api-gateway: Update mutiple sidecar images

https://gerrit.wikimedia.org/r/664523

gerritbot added a comment.Feb 22 2021, 3:39 PM

Change 666148 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] api-gateway: Pin nutcracker version to 0.0.4

https://gerrit.wikimedia.org/r/666148

gerritbot added a comment.Feb 22 2021, 3:47 PM

Change 666148 merged by jenkins-bot:
[operations/deployment-charts@master] api-gateway: Pin nutcracker version to 0.0.4

https://gerrit.wikimedia.org/r/666148

gerritbot added a comment.Feb 23 2021, 8:46 AM

Change 666122 merged by jenkins-bot:
[operations/deployment-charts@master] wikifeeds: Update envoy to 1.15.1-4 and statsd exporter to 0.0.9

https://gerrit.wikimedia.org/r/666122

JMeybohm updated the task description. (Show Details)Feb 23 2021, 9:24 AM
JMeybohm added a comment.Feb 23 2021, 9:27 AM

All images build.
api-gateway is running updated envoy-future, nutcracker, ratelimit, fluent-bit and statsd-exporter since yesterday.
wikifeeds is running updated envoy and statsd-exporter since ~ 10 minutes.

Will keep it that way for now and switch the default later today or tomorrow morning (followed by a deploy of all services).

gerritbot added a comment.Feb 23 2021, 12:11 PM

Change 666116 merged by JMeybohm:
[operations/puppet@production] deployment_server: Update default envoy image to 1.15.1-4

https://gerrit.wikimedia.org/r/666116

gerritbot added a comment.Feb 23 2021, 12:11 PM

Change 666117 merged by JMeybohm:
[operations/puppet@production] deployment_server: Update default prometheus-statsd-exporter image to 0.0.9

https://gerrit.wikimedia.org/r/666117

gerritbot added a comment.Feb 23 2021, 12:14 PM

Change 666123 merged by jenkins-bot:
[operations/deployment-charts@master] Remove deployment local definitions of statsd exporter version

https://gerrit.wikimedia.org/r/666123

gerritbot added a comment.Feb 23 2021, 12:14 PM

Change 666124 merged by jenkins-bot:
[operations/deployment-charts@master] wikifeeds: Switch back to the global tls.image_version

https://gerrit.wikimedia.org/r/666124

gerritbot added a comment.Feb 24 2021, 12:09 PM

Change 666612 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] changeprop(-jobqueue): Don't run nutcracker:latest

https://gerrit.wikimedia.org/r/666612

gerritbot added a comment.Feb 24 2021, 12:13 PM

Change 666612 merged by jenkins-bot:
[operations/deployment-charts@master] changeprop(-jobqueue): Don't run nutcracker:latest

https://gerrit.wikimedia.org/r/666612

JMeybohm closed this task as Resolved.Feb 24 2021, 1:02 PM

Updated images have been rolled out to all clusters as of today.

JMeybohm closed subtask T274852: Refactor users in production-images as Resolved.Mar 23 2021, 4:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL