Comments (10)
@robertd We had not been updating the base image because support for gdal-java has been dropped in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947960. GeoServer still relies on it https://docs.geoserver.org/stable/en/user/data/raster/gdal.html#linux-packages-and-setup but you are welcome to do a PR
from docker-geoserver.
@NyakudyaA It's getting harder and harder to run kartoza/geoserver in any of our environments due to the security scans flagging container vulnerabilities.

> @robertd We had not been updating the base image because support for gdal-java has been dropped in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947960. GeoServer still relies on it https://docs.geoserver.org/stable/en/user/data/raster/gdal.html#linux-packages-and-setup but you are welcome to do a PR

How does one even start addressing this? Perhaps it's maybe time to drop gdal-java support for the sake of security? Thoughts?
from docker-geoserver.
> @NyakudyaA It's getting harder and harder to run kartoza/geoserver in any of our environments due to the security scans flagging container vulnerabilities.
>
> > @robertd We had not been updating the base image because support for gdal-java has been dropped in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947960. GeoServer still relies on it https://docs.geoserver.org/stable/en/user/data/raster/gdal.html#linux-packages-and-setup but you are welcome to do a PR
>
> How does one even start addressing this? Perhaps it's maybe time to drop gdal-java support for the sake of security? Thoughts?

@robertd I am not sure what security is being flagged, currently we have the following generated by trivy
And this has no relation to gdal. I think a better option would be to invest in building an image/latest with gdal-java and also taking into consideration that GeoServer doesn't use the very latest of tomcat as per the documentation
from docker-geoserver.
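
Added example (not part of the thread and not code from the docker-geoserver project): one way to check which component a scanner finding belongs to, so that gdal, the base OS, Tomcat/JDK and the GeoServer webapp can be discussed separately. The sample report is constructed in the shape of `trivy image --format json` output with placeholder IDs, and the path and name heuristics in `owner()` are assumptions.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# IDs, package names, versions and paths are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "example (ubuntu 20.04)", "Class": "os-pkgs", "Type": "ubuntu",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1",
          "Severity": "HIGH", "FixedVersion": "0.0.0-placeholder"},
         {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libgdal-java",
          "Severity": "MEDIUM"}]},
    {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "org.example:server-lib",
          "PkgPath": "usr/local/tomcat/lib/server-lib.jar",
          "Severity": "HIGH", "FixedVersion": "0.0.0-placeholder"},
         {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "org.example:plugin",
          "PkgPath": "usr/local/tomcat/webapps/geoserver/WEB-INF/lib/plugin.jar",
          "Severity": "CRITICAL"}]},
    {"Target": "clean-target", "Class": "os-pkgs", "Type": "ubuntu"},
]})

def owner(result, vuln):
    """Attribute a finding to the component that must change to fix it (heuristic)."""
    if "gdal" in vuln.get("PkgName", "").lower():
        return "gdal"
    if result.get("Class") == "os-pkgs":
        return "base-os"            # fixed by a newer base image or apt upgrade
    if "/webapps/" in vuln.get("PkgPath", ""):
        return "geoserver-webapp"   # jar shipped inside the deployed webapp
    return "tomcat-or-jdk"          # jar shipped by the base image itself

def triage(report_json, severities=("HIGH", "CRITICAL")):
    """Count findings per (owner, has_fix) for the chosen severities."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        # Targets with no findings carry no "Vulnerabilities" key.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities:
                fixable = bool(vuln.get("FixedVersion"))
                counts[(owner(result, vuln), fixable)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (who, fixable), n in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{who:18} fixable={fixable!s:5} count={n}")
```
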
@NyakudyaA Our security team is using Acunetix for scanning. Here are the sanitized versions of our latest reports.
[image]
[image]
> I think a better option would be to invest in building an image/latest with gdal-java and also taking into consideration that GeoServer doesn't use the very latest of tomcat as per the documentation

Do you mind linking the GeoServer docs stating the tomcat version requirement? TIA.
from docker-geoserver.
@robertd The officially supported tomcat version is 11 while 17 also works but there is no guarantee that it will work.
If you do not need the gdal plugin to publish supported raster data, can you try to build using the latest tomcat and give us feedback? The only option to support this would be to introduce a new build Arg, i.e. ACTIVATE_GDAL=TRUE, which will control whether to install gdal-java, and the rest of the image will work with or without gdal depending on the build Arg. If you feel this is a better option we can try this. Unfortunately Acunetix doesn't seem to be easily configurable to run with github action and hence we cannot use it, unless I didn't research enough
from docker-geoserver.
@robertd #669 should fix running this with a new version of base image tomcat:$IMAGE_VERSION
from docker-geoserver.
Thanks @NyakudyaA, I'll give it a try.
from docker-geoserver.
@NyakudyaA I think that this solves only part of our problem. It's worth mentioning that most of our high vulnerabilities come from tomcat itself through 9.0.89-jdk11-temurin-focal. Since GeoServer doesn't work with tomcat:10.x (and most likely neither with tomcat:11.x too), I wonder if at least switching to 9.0.91-jdk11-temurin-focal or 9.0.91-jdk11-temurin-jammy would be compatible (or even worthwhile)... even though both of those versions have med vulnerabilities too.
Current: Focal - Ubuntu 20.04 LTS - 9.0.89-jdk11-temurin-focal
Focal - Ubuntu 20.04 LTS - 9.0.91-jdk11-temurin-focal
Jammy - 22.04 LTS - 9.0.91-jdk11-temurin-jammy
Also, just curious, can you tell me why the temurin base image is being used over a standard (non-temurin) one?
from docker-geoserver.
@robertd With that PR you should be able to build the image locally with 9.0.91-jdk11-temurin-jammy because of the gdal plugin issue and we don't want to break compatibility for other users, but for the builds within this image I suggest we upgrade to 9.0.91-jdk11-temurin-focal, if you can do the PR, I will merge it.
What is the difference between temurin and an image without? If there is one better than the other to getting GeoServer to work, we should switch to that
from docker-geoserver.
> if you can do the PR, I will merge it

> What is the difference between temurin and an image without? If there is one better than the other to getting GeoServer to work, we should switch to that

I'm not a Java developer or anything :), but I was just curious on why temurin was present.
from docker-geoserver.