Incorrect/insecure Go version used for operator-certification base image
Description
Activity
CB robot April 19, 2023 at 1:02 PM
Build cbdeps::zstd-cpp-1.5.0-3 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also
CB robot April 15, 2023 at 7:12 AM
Build cbdeps::protoc-gen-go-1.2.5-5 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also
CB robot April 14, 2023 at 3:00 PM
Build cbdeps::libuv-1.20.3-23 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also
CB robot April 14, 2023 at 2:57 PM
Build cbdeps::liburing-0.6-3 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also
CB robot April 14, 2023 at 2:50 PM
Build cbdeps::libsodium-1.0.18-5 contains build-tools commit 22de8d2 with commit message:
: Pass GO_VERSION to 'docker build' step also
Fixed
Details
Assignee
Reporter
Chris Hillery
Story Points
1
Time tracking
2h logged
Components
Sprint
None
Priority
Critical
Created August 16, 2022 at 9:54 AM
Updated April 19, 2023 at 1:02 PM
Resolved September 10, 2022 at 9:17 AM
We recently fixed up the handling of Go versions when invoking the build step ("make dist") for the K8S family products - see . However, this only corrects the build step. There is a separate step that creates the Docker images from the artifacts listed in the "image" file, which the build step produces, as documented here: https://hub.internal.couchbase.com/confluence/display/CR/Grand+Unified+Build+and+Release+Process+for+Operator

This step expects the "image" file to be completely self-contained, which means that no "--build-arg" arguments are passed to the "docker build" command, so every ARG is built with its default value.

The operator-certification Dockerfiles have an ARG GO_VERSION, and the base image is determined by that ARG. That GO_VERSION is currently unrelated to the Go version from the manifest that is used to build the binaries, which could lead to strange runtime behaviour. Also, right now GO_VERSION is 1.17.6, which is an EOL version - the corresponding base Docker images may not even be receiving security updates, which could lead to shipping images with known security vulnerabilities.
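The mismatch described above can be caught before an image is built. The following is an added example, not code from the Couchbase build-tools repository: a POSIX shell guard that reads the default of ARG GO_VERSION out of a Dockerfile and compares it with the Go version the manifest pins, since with no --build-arg passed that default is what selects the base image. The sample Dockerfile, the manifest version 1.19.8 and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Couchbase build-tools repo): guard that the
# ARG GO_VERSION default in a Dockerfile matches the manifest's Go version.
# Because the "image" step passes no --build-arg, the default is what
# actually selects the golang base image, so it must track the manifest.

# Constructed sample Dockerfile in the shape the ticket describes; the
# default is deliberately the stale 1.17.6 value from the ticket.
SAMPLE_DOCKERFILE='ARG GO_VERSION=1.17.6
FROM golang:${GO_VERSION} AS builder
COPY . /src
RUN cd /src && go build ./...'

# dockerfile_go_version_default DOCKERFILE_TEXT
# Prints the default value of the first "ARG GO_VERSION=..." line, or
# nothing when the ARG has no default at all.
dockerfile_go_version_default() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*ARG[[:space:]][[:space:]]*GO_VERSION=\([^[:space:]]*\).*/\1/p' \
      | head -n 1
}

# check_go_version_pinned DOCKERFILE_TEXT MANIFEST_GO_VERSION
# Returns 0 only when the Dockerfile default is exactly the manifest
# version; returns 1 on mismatch or when no default is present.
check_go_version_pinned() {
    default=$(dockerfile_go_version_default "$1")
    if [ -z "$default" ]; then
        echo "no ARG GO_VERSION default found in Dockerfile" >&2
        return 1
    fi
    if [ "$default" != "$2" ]; then
        echo "Dockerfile default GO_VERSION=$default does not match manifest $2" >&2
        return 1
    fi
    return 0
}

# pin_dockerfile_go_version DOCKERFILE_TEXT MANIFEST_GO_VERSION
# Prints the Dockerfile with the ARG default rewritten to the manifest
# version, for pipelines that cannot pass --build-arg to "docker build".
pin_dockerfile_go_version() {
    printf '%s\n' "$1" \
      | sed "s/^\([[:space:]]*ARG[[:space:]][[:space:]]*GO_VERSION=\)[^[:space:]]*/\1$2/"
}
```

Run check_go_version_pinned in CI against the Dockerfile and the manifest version so a stale default fails the build instead of silently picking an EOL base image.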