apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

superset helm uses dockerize image which is unsupported (last release 7 years ago) and has CVEs #23103

Open tooptoop4 opened 1 year ago

tooptoop4 commented 1 year ago

https://github.com/apache/superset/releases/download/superset-helm-chart-0.8.6/superset-0.8.6.tgz has references to jwilder/dockerize image/commands

https://github.com/jwilder/dockerize shows no new release for many years

The following tools/CVEs are found within the dockerize image:

busybox 1.26.2-r4 has CVE-2015-9261 CVE-2017-15873 CVE-2017-16544 CVE-2018-1000500 CVE-2018-1000517 CVE-2018-20679 CVE-2019-5747 CVE-2021-42376 CVE-2021-42378 CVE-2021-42379 CVE-2021-42381 CVE-2021-42382 CVE-2021-42384 CVE-2021-42385 CVE-2021-42386 CVE-2022-28391

musl 1.1.16-r9 has CVE-2017-15650 CVE-2019-14697 CVE-2020-28928

sfirke commented 10 months ago

@tooptoop4 I see https://github.com/jwilder/dockerize has merged PRs into the repo more recently now and its most recent release seems to be in May 2023. Is this still a concern or can this issue be closed?

dpgaspar commented 10 months ago

> @tooptoop4 I see https://github.com/jwilder/dockerize has merged PRs into the repo more recently now and its most recent release seems to be in May 2023. Is this still a concern or can this issue be closed?

Still a concern; we should eventually remove this dependency. I think we just use it to test PG and Redis availability on Helm.

rusackas commented 6 months ago

Does anyone here (cc @mistercrunch) know of any viable alternatives?

mistercrunch commented 6 months ago

While working on docker-related things I remember thinking "what does this do!?", and it's something about waiting for services to get up before starting other services. Asking GPT, there are drop-in replacements like wait-for-it and dockerize-golang, but given our experience with dockerize, I think the best would be to go Helm- or k8s-native with something like:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: superset
spec:
  replicas: 1
  selector:            # required by apps/v1 Deployments; must match the template labels
    matchLabels:
      app: superset
  template:
    metadata:
      labels:
        app: superset
    spec:
      # Init containers run to completion, in order, before the superset container starts.
      initContainers:
      - name: wait-for-db
        image: busybox
        command: ['sh', '-c', 'until nc -z db 5432; do echo waiting for db; sleep 2; done;']
      - name: wait-for-redis
        image: busybox
        command: ['sh', '-c', 'until nc -z redis 6379; do echo waiting for redis; sleep 2; done;']
      containers:
      - name: superset
        image: apache/superset:latest
        ports:
        - containerPort: 8088
```

villebro commented 6 months ago

@mistercrunch I agree, this would be much cleaner and easier to reason about. Another alternative would be to have a few new scripts (similar to superset_init.sh) for checking metastore/cache readiness, and then just use the superset image to avoid pulling in busybox (after all, it'll already be available). But I don't see busybox going sour or bloating anytime soon, so I think this is a really good approach.
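A bounded version of the wait loop discussed above, written as an added example (it is not the chart's code and not from any commenter): a POSIX sh script that accepts the dockerize-style `tcp://host:port` targets the chart already passes to `dockerize -wait`, validates each target before handing it to `nc`, and gives up after a timeout, since the unbounded `until ... sleep 2` loop leaves a pod stuck in `Init` forever when a hostname is wrong. It runs under busybox sh or inside the superset image, as villebro suggests; the function names, the `nc -z -w 2` probe and the 30 s default timeout are assumptions.

```shell
#!/bin/sh
# Bounded readiness wait for a Kubernetes initContainer (added example).
# Stands in for `dockerize -wait tcp://HOST:PORT -timeout 30s`; runs under
# busybox sh or inside the superset image, so no extra image is pulled.

# Split the dockerize-style "tcp://host:port" into "host port". Anything that
# is not a bare host plus a numeric port is rejected, so a malformed value from
# a Helm values file cannot turn into unexpected nc arguments.
parse_tcp_url() {
  case $1 in
    tcp://*) hostport=${1#tcp://} ;;
    *) return 1 ;;
  esac
  host=${hostport%:*}
  port=${hostport##*:}
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$host" ] && [ "$host" != "$hostport" ] || return 1
  echo "$host $port"
}

# wait_until TIMEOUT INTERVAL CMD [ARGS...]: rerun CMD every INTERVAL seconds
# until it succeeds or TIMEOUT seconds have passed. Returns 1 on timeout so the
# pod reports Init:Error instead of hanging forever like an unbounded loop.
wait_until() {
  timeout=$1; interval=$2; shift 2; elapsed=0
  until "$@" >/dev/null 2>&1; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for: $*" >&2
      return 1
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
}

# wait_for_tcp tcp://HOST:PORT [TIMEOUT]: zero-I/O connect probe with nc -z.
# Returns 2 for an unparseable target, 1 on timeout, 0 when the port answers.
wait_for_tcp() {
  hp=$(parse_tcp_url "$1") || { echo "bad wait target: $1" >&2; return 2; }
  wait_until "${2:-30}" 2 nc -z -w 2 "${hp% *}" "${hp#* }"
}

# Usage: wait-for-tcp.sh TIMEOUT tcp://HOST:PORT [tcp://HOST:PORT ...]
main() {
  timeout=$1; shift
  for target in "$@"; do
    wait_for_tcp "$target" "$timeout" || exit $?
  done
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Mounted from a ConfigMap and used as the init container command (for example `wait-for-tcp.sh 60 tcp://db:5432 tcp://redis:6379`), a failed wait surfaces in `kubectl get pods` as an init error rather than an indefinitely pending pod.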

tooptoop4 commented 1 month ago

🦕