Re: Grafana vulnerability - cephadm deployment


 



`main` tells me:

./src/python-common/ceph/cephadm/images.py:    GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')

The `reef` branch:

./src/cephadm/cephadm.py:DEFAULT_GRAFANA_IMAGE = 'quay.io/ceph/ceph-grafana:9.4.7'

YMMV, but looking at the CVE I’m not panicking - one has to enable a non-default option, and then you’re still only vulnerable to insiders, unless you leave your Grafana endpoint exposed on a non-ACL’d routable address.

9.4.x may be EOL, but it wasn’t when Reef was released.




A quick search on tracker.ceph.com does not find a hit for CVE-2023-1387.

I suggest opening an issue, this is a simple one-line fix but it’s not immediately clear to me how to properly open a PR against the reef branch.




TL;DR:

    PROMETHEUS = _create_image('quay.io/prometheus/prometheus:v2.51.0', 'prometheus')
    LOKI = _create_image('docker.io/grafana/loki:3.0.0', 'loki')
    PROMTAIL = _create_image('docker.io/grafana/promtail:3.0.0', 'promtail')
    NODE_EXPORTER = _create_image('quay.io/prometheus/node-exporter:v1.7.0', 'node_exporter')
    ALERTMANAGER = _create_image('quay.io/prometheus/alertmanager:v0.27.0', 'alertmanager')
    GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
    HAPROXY = _create_image('quay.io/ceph/haproxy:2.3', 'haproxy')
    KEEPALIVED = _create_image('quay.io/ceph/keepalived:2.2.4', 'keepalived')
    NVMEOF = _create_image('quay.io/ceph/nvmeof:1.5', 'nvmeof')
    SNMP_GATEWAY = _create_image('docker.io/maxwo/snmp-notifier:v1.2.1', 'snmp_gateway')
    ELASTICSEARCH = _create_image('quay.io/omrizeneva/elasticsearch:6.8.23', 'elasticsearch')
    JAEGER_COLLECTOR = _create_image('quay.io/jaegertracing/jaeger-collector:1.29',
                                     'jaeger_collector')
    JAEGER_AGENT = _create_image('quay.io/jaegertracing/jaeger-agent:1.29', 'jaeger_agent')
    JAEGER_QUERY = _create_image('quay.io/jaegertracing/jaeger-query:1.29', 'jaeger_query')
    SAMBA = _create_image('quay.io/samba.org/samba-server:devbuilds-centos-amd64', 'samba')
    SAMBA_METRICS = _create_image('quay.io/samba.org/samba-metrics:latest', 'samba_metrics')
    NGINX = _create_image('quay.io/ceph/nginx:sclorg-nginx-126', 'nginx')
    OAUTH2_PROXY = _create_image('quay.io/oauth2-proxy/oauth2-proxy:v7.6.0', 'oauth2_proxy')

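As an added example (not cephadm's own code), a small audit that reads default-image lines in the shape quoted above, splits each reference into registry, repository and tag, and flags tags that are unpinned (`latest` or missing), not a comparable version, or below an assumed floor; the Grafana floor of 10.4 and the sample lines are assumptions for this example, not a cephadm setting.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the shape of the cephadm images.py defaults quoted above.
SAMPLE_IMAGES_PY = """
    GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
    SAMBA_METRICS = _create_image('quay.io/samba.org/samba-metrics:latest', 'samba_metrics')
    NGINX = _create_image('quay.io/ceph/nginx:sclorg-nginx-126', 'nginx')
"""
_CALL_RE = re.compile(r"_create_image\('(?P<ref>[^']+)',\s*'(?P<name>[^']+)'\)")
_SEMVER_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?$")
# Assumed floor (not a cephadm setting): the thread says Grafana 10.4+ is needed for the alertmanager v2 API.
MIN_VERSION = {"grafana": (10, 4, 0)}

@dataclass(frozen=True)
class ImageRef:
    name: str
    registry: str
    repo: str
    tag: Optional[str]  # None when the reference carries no tag at all

def parse_ref(name: str, ref: str) -> ImageRef:
    # Split 'registry/repo[:tag]'; a colon in a registry port is not a tag.
    path, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        path, tag = ref, None
    registry, _, repo = path.partition("/")
    return ImageRef(name, registry, repo, tag)

def parse_images(text: str) -> List[ImageRef]:
    return [parse_ref(m["name"], m["ref"]) for m in _CALL_RE.finditer(text)]

def semver(tag: str):
    m = _SEMVER_RE.match(tag)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def audit(images: List[ImageRef]):
    findings = []  # (image name, problem) for unpinned, non-version, or below-floor tags
    for img in images:
        if img.tag is None or img.tag == "latest":
            findings.append((img.name, "unpinned tag: image can change under you"))
            continue
        ver = semver(img.tag)
        if ver is None:
            findings.append((img.name, f"tag {img.tag!r} is not a version; pin by digest"))
            continue
        floor = MIN_VERSION.get(img.name)
        if floor and ver < floor:
            findings.append((img.name, f"{img.tag} is below floor {'.'.join(map(str, floor))}"))
    return findings
```

Running `audit(parse_images(open('images.py').read()))` against a checkout gives the same report for the real file; the reef default `quay.io/ceph/ceph-grafana:9.4.7` is caught by the floor check when passed through `parse_ref`.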


> On Apr 17, 2025, at 9:40 AM, Wyll Ingersoll <wyllys.ingersoll@xxxxxxxxxxxxxx> wrote:
> 
> ceph-grafana should be upgraded to 10.4 or later because it is not compatible with the latest prometheus alertmanager (0.27 or later), which only supports the alertmanager V2 API.
> 
> Is there an issue to track this?
> 
> 
> 
> ________________________________
> From: Sake Ceph <ceph@xxxxxxxxxxx>
> Sent: Thursday, April 17, 2025 9:35 AM
> To: ceph-users@xxxxxxx <ceph-users@xxxxxxx>
> Subject:  Re: Grafana vulnerability - cephadm deployment
> 
> But Grafana 9.4 is EOL for a long time. Shouldn't it be time to upgrade the image?
> 
> Kind regards,
> Sake
>> On 17-04-2025 09:14 CEST Robert Sander <r.sander@xxxxxxxxxxxxxxxxxxx> wrote:
>> 
>> 
>> Hi,
>> 
>> On 4/16/25 at 21:11 Anthony D'Atri wrote:
>>> This is covered in the docs:
>>> 
>>> https://docs.ceph.com/en/reef/cephadm/services/monitoring/#using-custom-images
>> 
>> There is a newer Grafana container available at quay.io/ceph/ceph-grafana:9.4.12
>> 
>> You can use it with
>> 
>> # ceph config set mgr mgr/cephadm/container_image_grafana quay.io/ceph/ceph-grafana:9.4.12
>> # ceph orch redeploy grafana
>> 
>> Regards
>> --
>> Robert Sander
>> Linux Consultant
>> 
>> Heinlein Consulting GmbH
>> Schwedter Str. 8/9b, 10119 Berlin
>> 
>> https://www.heinlein-support.de/
>> 
>> Tel: +49 30 405051 - 0
>> Fax: +49 30 405051 - 19
>> 
>> Amtsgericht Berlin-Charlottenburg - HRB 220009 B
>> Managing Director: Peer Heinlein - Registered office: Berlin

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx



