Unpin glibc #3359

Merged
merged 1 commit into from
Nov 16, 2023
@dhruvkb (Member) commented Nov 15, 2023

This reverts commit a1d0cc8.

Fixes

Fixes #3157 by @stacimc

Description

This PR unpins glibc that was pinned in #3154 as a security patch. With an updated python3.11-slim image containing the patched version of glibc, this is no longer necessary.

Testing Instructions

  1. Check the glibc version in the current web image (ldd --version shows this info).
  2. Check out this PR and build the web image again.
  3. Check that the glibc version does not change.

Checklist

  • My pull request has a descriptive title (not a vague title like Update index.md).
  • My pull request targets the default branch of the repository (main) or a parent feature branch.
  • My commit messages follow best practices.
  • My code follows the established code style of the repository.
  • I added or updated tests for the changes I made (if applicable).
  • I added or updated documentation (if applicable).
  • I tried running the project locally and verified that there are no visible errors.
  • I ran the DAG documentation generator (if applicable).

This reverts commit a1d0cc8.
@dhruvkb dhruvkb requested review from a team as code owners November 15, 2023 09:37
@github-actions github-actions bot added 🧱 stack: api Related to the Django API 🧱 stack: catalog Related to the catalog and Airflow DAGs 🧱 stack: ingestion server Related to the ingestion/data refresh server labels Nov 15, 2023
@openverse-bot openverse-bot added 🟧 priority: high Stalls work on the project or its dependents 💻 aspect: code Concerns the software code in the repository 🧰 goal: internal improvement Improvement that benefits maintainers, not users labels Nov 15, 2023
@obulat (Contributor) left a comment

LGTM!

@AetherUnbound changed the title from "Unpin glibc pinned in #3154" to "Unpin glibc" Nov 15, 2023

@AetherUnbound (Collaborator) left a comment

Unfortunately the upstream_db image (postgres:13.10) has not been updated (taken from this comment after running just build && just up):

$ for x in 'web' 'webserver' 'ingestion_server' 'upstream_db'; do echo "($x)" && j exec $x ldd --version | grep 'ldd' ; done
(web)
just dc exec -u root  web ldd --version
env COMPOSE_PROFILES="api,ingestion_server,frontend,catalog" docker-compose -f docker-compose.yml exec -u root web ldd --version
ldd (Debian GLIBC 2.36-9+deb12u3) 2.36
(webserver)
just dc exec -u root  webserver ldd --version
env COMPOSE_PROFILES="api,ingestion_server,frontend,catalog" docker-compose -f docker-compose.yml exec -u root webserver ldd --version
ldd (Debian GLIBC 2.31-13+deb11u7) 2.31
(ingestion_server)
just dc exec -u root  ingestion_server ldd --version
env COMPOSE_PROFILES="api,ingestion_server,frontend,catalog" docker-compose -f docker-compose.yml exec -u root ingestion_server ldd --version
ldd (Debian GLIBC 2.36-9+deb12u3) 2.36
(upstream_db)
just dc exec -u root  upstream_db ldd --version
env COMPOSE_PROFILES="api,ingestion_server,frontend,catalog" docker-compose -f docker-compose.yml exec -u root upstream_db ldd --version
ldd (Debian GLIBC 2.31-13+deb11u6) 2.31

Note that the last version is 11u6 and not 11u7. We'll either need to leave that piece in for upstream_db or bump the version to 13.13 (which appears to be the current latest) and see if that includes the patched library.
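
The version check from the testing steps and the per-service comparison in the review above, as an added example that is not part of the PR or the project's code: it parses `ldd --version` output in the shape shown in the thread and flags any service whose Debian glibc revision is below a baseline. The baseline table is an assumption taken from the revisions the thread treats as patched, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not project code; baselines are assumed from the thread.

# Minimum accepted Debian update number ("uN") for a known package base.
min_update() {
  case "$1" in
    2.36-9+deb12)  echo 3 ;;
    2.31-13+deb11) echo 7 ;;
    *) return 1 ;;  # unknown base: caller reports "unknown"
  esac
}

# Classify one package version such as "2.31-13+deb11u6".
glibc_status() {
  local ver="$1" base update min
  base=${ver%u*}      # "2.31-13+deb11"
  update=${ver##*u}   # "6"
  case "$update" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  min=$(min_update "$base") || { echo unknown; return 0; }
  if [ "$update" -ge "$min" ]; then echo patched; else echo unpatched; fi
}

# Parse the loop output: "(service)" markers, then an ldd line; skip the rest.
audit_ldd_output() {
  local svc="" line pkg
  while IFS= read -r line; do
    case "$line" in
      "("*")") svc=${line#"("}; svc=${svc%")"} ;;
      "ldd (Debian GLIBC "*)
        pkg=${line#"ldd (Debian GLIBC "}; pkg=${pkg%%")"*}
        echo "$svc $pkg $(glibc_status "$pkg")" ;;
    esac
  done
}

# Sample input mirroring the versions quoted in the thread.
sample_output() {
  cat <<'EOF'
(web)
just dc exec -u root  web ldd --version
ldd (Debian GLIBC 2.36-9+deb12u3) 2.36
(webserver)
ldd (Debian GLIBC 2.31-13+deb11u7) 2.31
(upstream_db)
ldd (Debian GLIBC 2.31-13+deb11u6) 2.31
EOF
}

sample_output | audit_ldd_output
```

A version string with an unrecognised base is reported as `unknown` rather than `patched`, so a new base image fails closed until its baseline is added to the table.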

@dhruvkb (Member, Author) commented Nov 15, 2023

@AetherUnbound I can look into updates for the postgres images tomorrow, but I have a question. This is only for the local dev environment; we don't use Docker to host the production databases, so is using an unpatched image for the DB even a risk at all?

@AetherUnbound (Collaborator) left a comment

🤦‍♀️ that's right, thanks for correcting me on that! No need to do anything specific for the upstream DB then since all the others are patched!

@dhruvkb dhruvkb merged commit cdee828 into main Nov 16, 2023
63 checks passed
@dhruvkb dhruvkb deleted the unpin_glibc branch November 16, 2023 05:16
Successfully merging this pull request may close these issues.

Remove pinned glibc update once docker images are updated