
random start-up crash about docker-geoserver

robertd commented on August 16, 2024
random start-up crash

from docker-geoserver.

Comments (10)

NyakudyaA commented on August 16, 2024

@robertd We had not been updating the base image because support for gdal-java has been dropped in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947960. GeoServer still relies on it (https://docs.geoserver.org/stable/en/user/data/raster/gdal.html#linux-packages-and-setup), but you are welcome to do a PR.

robertd commented on August 16, 2024

@NyakudyaA It's getting harder and harder to run kartoza/geoserver in any of our environments due to the security scans flagging container vulnerabilities.

> @robertd We had not been updating the base image because support for gdal-java has been dropped in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947960. GeoServer still relies on it (https://docs.geoserver.org/stable/en/user/data/raster/gdal.html#linux-packages-and-setup), but you are welcome to do a PR.

How does one even start addressing this? Perhaps it's maybe time to drop gdal-java support for the sake of security? Thoughts?

NyakudyaA commented on August 16, 2024

> @NyakudyaA It's getting harder and harder to run kartoza/geoserver in any of our environments due to the security scans flagging container vulnerabilities.
>
> > @robertd We had not been updating the base image because support for gdal-java has been dropped in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947960. GeoServer still relies on it (https://docs.geoserver.org/stable/en/user/data/raster/gdal.html#linux-packages-and-setup), but you are welcome to do a PR.
>
> How does one even start addressing this? Perhaps it's maybe time to drop gdal-java support for the sake of security? Thoughts?

@robertd I am not sure what security is being flagged. Currently we have the following generated by trivy:
[Screenshot 2024-06-30 at 13 54 19]

And this has no relation to gdal. I think a better option would be to invest in building an image/latest with gdal-java and also taking into consideration that GeoServer doesn't use the very latest of tomcat as per the documentation

robertd commented on August 16, 2024

@NyakudyaA Our security team is using Acunetix for scanning. Here are the sanitized versions of our latest reports.

[image] [image]

> I think a better option would be to invest in building an image/latest with gdal-java and also taking into consideration that GeoServer doesn't use the very latest of tomcat as per the documentation

Do you mind linking the GeoServer docs stating the tomcat version requirement? TIA.

NyakudyaA commented on August 16, 2024

@robertd The officially supported tomcat version is 11 while 17 also works but there is no guarantee that it will work.

If you do not need the gdal plugin to publish supported raster data, can you try to build using the latest tomcat and give us feedback? The only option to support this would be to introduce a new build arg, i.e. ACTIVATE_GDAL=TRUE, which will control whether to install gdal-java, and the rest of the image will work with or without gdal depending on the build arg. If you feel this is a better option we can try this. Unfortunately Acunetix doesn't seem to be easily configurable to run with a GitHub Action and hence we cannot use it, unless I didn't research enough.

NyakudyaA commented on August 16, 2024

@robertd #669 should fix running this with a new version of base image tomcat:$IMAGE_VERSION

robertd commented on August 16, 2024

Thanks @NyakudyaA, I'll give it a try.

robertd commented on August 16, 2024

@NyakudyaA I think that this solves only part of our problem. It's worth mentioning that most of our high vulnerabilities come from tomcat itself through 9.0.89-jdk11-temurin-focal. Since GeoServer doesn't work with tomcat:10.x (and most likely not with tomcat:11.x either), I wonder if at least switching to 9.0.91-jdk11-temurin-focal or 9.0.91-jdk11-temurin-jammy would be compatible (or even worthwhile)... even though both of those versions have med vulnerabilities too.

Current: Focal - Ubuntu 20.04 LTS - 9.0.89-jdk11-temurin-focal
[image]

Focal - Ubuntu 20.04 LTS - 9.0.91-jdk11-temurin-focal
[image]

Jammy - 22.04 LTS - 9.0.91-jdk11-temurin-jammy
[image]

Also, just curious, can you tell me why the temurin base image is being used over a standard (non-temurin) one?
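
An added example, not part of the thread and not the project's code: one way to compare scanner results for candidate base-image tags, splitting findings into OS packages and application libraries and listing the HIGH/CRITICAL ones that already have a fix. It assumes reports in the JSON shape produced by `trivy image --format json`; the tag labels, package names and CVE-0000-* IDs below are constructed placeholders.

```python
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def _vuln(vid, pkg, sev, fixed=""):
    return {"VulnerabilityID": vid, "PkgName": pkg, "Severity": sev, "FixedVersion": fixed}

# Constructed reports shaped like `trivy image --format json` output.
# Tag labels, package names and CVE-0000-* IDs are placeholders, not real findings.
SAMPLE_REPORTS = {
    "candidate-old": json.dumps({"Results": [
        {"Target": "os", "Class": "os-pkgs", "Vulnerabilities": [
            _vuln("CVE-0000-0001", "libexample", "HIGH", "1.1"),
            _vuln("CVE-0000-0002", "libother", "MEDIUM")]},
        {"Target": "app.jar", "Class": "lang-pkgs", "Vulnerabilities": [
            _vuln("CVE-0000-0003", "example-jar", "HIGH")]}]}),
    "candidate-new": json.dumps({"Results": [
        {"Target": "os", "Class": "os-pkgs", "Vulnerabilities": [
            _vuln("CVE-0000-0002", "libother", "MEDIUM")]},
        {"Target": "app.jar", "Class": "lang-pkgs", "Vulnerabilities": None}]}),
}

def summarize(report_json):
    """Return (counts keyed by (class, severity), fixable HIGH/CRITICAL findings)."""
    counts, fixable = Counter(), []
    for result in json.loads(report_json).get("Results") or []:
        cls = result.get("Class", "unknown")
        # A target with no findings may have no "Vulnerabilities" list:
        # treat a missing or null value as empty.
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[(cls, sev)] += 1
            if sev in ("CRITICAL", "HIGH") and v.get("FixedVersion"):
                fixable.append((v["PkgName"], v["VulnerabilityID"], v["FixedVersion"]))
    return counts, fixable

def rank(reports):
    """Order tags from fewest to most findings, comparing CRITICAL first, then HIGH, etc."""
    def key(item):
        counts, _ = summarize(item[1])
        return tuple(sum(n for (_cls, s), n in counts.items() if s == sev)
                     for sev in SEVERITIES)
    return [tag for tag, _ in sorted(reports.items(), key=key)]

if __name__ == "__main__":
    for tag in rank(SAMPLE_REPORTS):
        counts, fixable = summarize(SAMPLE_REPORTS[tag])
        print(tag, dict(counts), "fixable:", fixable)
```

Findings counted under `os-pkgs` come from the base image's distribution packages, so they are the ones a base-tag change can move; `lang-pkgs` findings travel with the application's own libraries.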

NyakudyaA commented on August 16, 2024

@robertd With that PR you should be able to build the image locally with 9.0.91-jdk11-temurin-jammy because of the gdal plugin issue and we don't want to break compatibility for other users, but for the builds within this image I suggest we upgrade to 9.0.91-jdk11-temurin-focal. If you can do the PR, I will merge it.

What is the difference between temurin and an image without? If there is one better than the other at getting GeoServer to work, we should switch to that.

robertd commented on August 16, 2024

> if you can do the PR, I will merge it

#671

> What is the difference between temurin and an image without? If there is one better than the other to getting GeoServer to work, we should switch to that

I'm not a Java developer or anything :) , but I was just curious as to why temurin was present.
