stackabletech / docker-images

Apache License 2.0

Add the package util-linux to the base image #796

Open siegfriedweber opened 3 months ago

siegfriedweber commented 3 months ago

Sometimes it is necessary to override the command of a stacklet with a custom script, or it is convenient to use the Stackable image for a custom Job. This is easier if more "standard" tools are installed, e.g. the util-linux package.

In a concrete case, a customer wanted a side-car container in the OPA pod which forwards the decision logs to a SIEM tool via syslog. A proper solution would be to configure the Vector aggregator accordingly, but on the one hand, the extra step with the aggregator was not desired, and on the other hand, Vector does not yet support syslog sinks (vectordev/vector#6863). So the implemented solution was to use the logger command to forward these logs. Unfortunately, this command is not available in the OPA image because the util-linux package is not installed. Therefore, a custom image had to be built.

Suggested change:

RUN microdnf install \
    # util-linux contains the command logger which allows entering messages into the system log.
    # cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*
    # https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Akernel%3Autil-linux%3A*%3A*%3A*%3A*%3A*%3A*%3A*%3A
    util-linux

lfrancke commented 2 months ago

util-linux contains su and a few other binaries that I'd prefer not to include. If this is only about the logger command we can at least narrow this down to the util-linux-core package I believe.

And could you please explain to me the exact chain of how logs have been moved? I don't fully understand it yet.

siegfriedweber commented 2 months ago

If this is only about the logger command we can at least narrow this down to the util-linux-core package I believe.

util-linux-core would be sufficient.

And could you please explain to me the exact chain of how logs have been moved? I don't fully understand it yet.

The logs of OPA are written as JSON into the log volume at /stackable/log/opa/current. The log entries which contain the property logger: decision should be forwarded to a SIEM solution, in this case Logpoint. Logpoint uses a syslog connector to collect the logs. So the logs must be read from the log file, filtered and sent via syslog. This is achieved by creating a sidecar container to the OPA pod which reads the logs, filters them and sends them with the logger command:

---
apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
spec:
  servers:
    podOverrides:
      spec:
        containers:
          - name: syslog
            image: <image containing the logger command>
            command:
              - /bin/sh
              - -c
            args:
              - >-
                tail
                --follow=name
                --retry
                /stackable/log/opa/current
                | grep '"logger"\s*:\s*"decision"'
                | logger
                --udp
                --server syslog-udp.siem.svc.cluster.local
                --port 5410
                --size 4096
                --priority authpriv.info
                --rfc5424
            volumeMounts:
              - mountPath: /stackable/log
                name: log

Actually, the OPA image was used for the sidecar container. This worked until we started to remove packages from all images to reduce the number of CVEs. This made the images more secure but also made it more uncomfortable to customize the deployment. By re-adding util-linux or util-linux-core to the image, I hope to get a little bit of comfort back.
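The forwarding chain described in the comment above (read the OPA JSON log, keep the entries whose logger property is decision, send them as RFC 5424 syslog over UDP) can also be done without the util-linux logger binary. The following is an added example, not code from the issue or from the Stackable project: it replaces only the logger stage, so it is meant to be fed by the same `tail --follow=name --retry` pipeline as in the manifest, and it parses each line as JSON instead of matching it with a regular expression. The sample log lines, the hostname and app-name values in the syslog header, and the field names other than logger are constructed for the example; the SIEM address is a placeholder.

```python
"""Sidecar-style replacement for `logger`: read OPA JSON log lines, keep the
decision logs and frame them as RFC 5424 syslog datagrams.
Example code; the hostname/app-name defaults and the sample lines are
constructed assumptions, not values taken from a real deployment."""
import json
import socket
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional

# Constructed sample in the shape the issue describes: one JSON object per
# line, with a "logger" property that equals "decision" for decision logs.
SAMPLE_LOG_LINES = [
    '{"level":"info","logger":"server","msg":"Received request","time":"2024-05-01T10:00:00Z"}',
    '{"level":"info","logger":"decision","decision_id":"d-1","path":"authz/allow","result":true,"time":"2024-05-01T10:00:01Z"}',
    "this line is not JSON and must be skipped, not forwarded",
    '{"level":"info","logger":"decision","decision_id":"d-2","path":"authz/allow","result":false,"time":"2024-05-01T10:00:02Z"}',
]

# RFC 5424 facility and severity codes (subset); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(priority: str) -> int:
    """Turn a 'facility.severity' string such as 'authpriv.info' into the PRI value."""
    facility, severity = priority.split(".", 1)
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_decision_log(line: str) -> Optional[dict]:
    """Return the parsed entry if it is a decision log, otherwise None.
    Parsing JSON avoids the false positives a grep pattern would produce when
    the text '"logger": "decision"' appears inside a nested value."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if isinstance(entry, dict) and entry.get("logger") == "decision":
        return entry
    return None


def format_rfc5424(entry: dict, hostname: str = "opa-server-0", app_name: str = "opa",
                   priority: str = "authpriv.info", max_size: int = 4096) -> bytes:
    """Build one RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    The JSON entry travels verbatim as MSG; the datagram is capped at max_size
    bytes, which is what `logger --size 4096` does."""
    timestamp = entry.get("time") or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    header = f"<{syslog_pri(priority)}>1 {timestamp} {hostname} {app_name} - decision -"
    message = f"{header} {json.dumps(entry, separators=(',', ':'))}".encode("utf-8")
    return message[:max_size]


def forward_decision_logs(lines: Iterable[str], send: Callable[[bytes], None], **fmt) -> int:
    """Filter and forward; returns how many messages were handed to send()."""
    count = 0
    for line in lines:
        entry = parse_decision_log(line)
        if entry is not None:
            send(format_rfc5424(entry, **fmt))
            count += 1
    return count


def udp_sender(server: str, port: int) -> Callable[[bytes], None]:
    """Return a send() callable that emits each datagram to server:port (like logger --udp)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda datagram: sock.sendto(datagram, (server, port))


if __name__ == "__main__":
    import sys
    # Placeholder endpoint; the issue's manifest pointed logger at
    # syslog-udp.siem.svc.cluster.local:5410.
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5410
    # Typical use: tail --follow=name --retry /stackable/log/opa/current | python3 forwarder.py <host> <port>
    forwarded = forward_decision_logs((line.rstrip("\n") for line in sys.stdin), udp_sender(server, port))
    print(f"forwarded {forwarded} decision log(s)", file=sys.stderr)
```

Two things worth noting about the design: the JSON parse keeps a malformed or unrelated line out of the SIEM feed rather than forwarding whatever happens to match a pattern, and the UDP transport mirrors the `logger --udp` setting from the manifest, which means the decision logs cross the cluster network unencrypted and without delivery confirmation, so a TCP or TLS syslog connector on the SIEM side is the safer choice where the collector offers one.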