Squid is already on 10.4.0 and it looks like it is using the default grafana container images (correct?). https://github.com/ceph/ceph/blob/squid/src/cephadm/cephadmlib/constants.py
I couldn't find any issues, but the company really doesn't like old software with known issues :)

> On 17-04-2025 16:07 CEST, Anthony D'Atri <anthony.da...@gmail.com> wrote:
>
> `main` tells me:
>
> ./src/python-common/ceph/cephadm/images.py: GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
>
> The `reef` branch:
>
> ./src/cephadm/cephadm.py:DEFAULT_GRAFANA_IMAGE = 'quay.io/ceph/ceph-grafana:9.4.7'
>
> YMMV, but looking at the CVE I’m not panicking - one has to enable a non-default option, and then you’re still only vulnerable to insiders, unless you leave your Grafana endpoint exposed on a non-ACL’d routable address.
>
> 9.4.x may be EOL, but it wasn’t when Reef was released.
>
> A quick search on tracker.ceph.com <http://tracker.ceph.com/> does not find a hit for CVE-2023-1387
>
> I suggest opening an issue, this is a simple one-line fix but it’s not immediately clear to me how to properly open a PR against the reef branch.
>
> TL;DR:
>
> PROMETHEUS = _create_image('quay.io/prometheus/prometheus:v2.51.0', 'prometheus')
> LOKI = _create_image('docker.io/grafana/loki:3.0.0', 'loki')
> PROMTAIL = _create_image('docker.io/grafana/promtail:3.0.0', 'promtail')
> NODE_EXPORTER = _create_image('quay.io/prometheus/node-exporter:v1.7.0', 'node_exporter')
> ALERTMANAGER = _create_image('quay.io/prometheus/alertmanager:v0.27.0', 'alertmanager')
> GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
> HAPROXY = _create_image('quay.io/ceph/haproxy:2.3', 'haproxy')
> KEEPALIVED = _create_image('quay.io/ceph/keepalived:2.2.4', 'keepalived')
> NVMEOF = _create_image('quay.io/ceph/nvmeof:1.5', 'nvmeof')
> SNMP_GATEWAY = _create_image('docker.io/maxwo/snmp-notifier:v1.2.1', 'snmp_gateway')
> ELASTICSEARCH = _create_image('quay.io/omrizeneva/elasticsearch:6.8.23', 'elasticsearch')
> JAEGER_COLLECTOR = _create_image('quay.io/jaegertracing/jaeger-collector:1.29', 'jaeger_collector')
> JAEGER_AGENT = _create_image('quay.io/jaegertracing/jaeger-agent:1.29', 'jaeger_agent')
> JAEGER_QUERY = _create_image('quay.io/jaegertracing/jaeger-query:1.29', 'jaeger_query')
> SAMBA = _create_image('quay.io/samba.org/samba-server:devbuilds-centos-amd64', 'samba')
> SAMBA_METRICS = _create_image('quay.io/samba.org/samba-metrics:latest', 'samba_metrics')
> NGINX = _create_image('quay.io/ceph/nginx:sclorg-nginx-126', 'nginx')
> OAUTH2_PROXY = _create_image('quay.io/oauth2-proxy/oauth2-proxy:v7.6.0', 'oauth2_proxy')
>
> > On Apr 17, 2025, at 9:40 AM, Wyll Ingersoll <wyllys.ingers...@keepertech.com> wrote:
> >
> > ceph-grafana should be upgraded to 10.4 or later because it is not compatible with the latest prometheus alertmanager (0.27 or later) which only supports the alertmanager V2 API.
> >
> > Is there an issue to track this?
> >
> > ________________________________
> > From: Sake Ceph <c...@paulusma.eu>
> > Sent: Thursday, April 17, 2025 9:35 AM
> > To: ceph-users@ceph.io <ceph-users@ceph.io>
> > Subject: [ceph-users] Re: Grafana vulnerability - cephadm deployment
> >
> > But Grafana 9.4 has been EOL for a long time. Shouldn't it be time to upgrade the image?
> >
> > Kind regards,
> > Sake
> >> On 17-04-2025 09:14 CEST, Robert Sander <r.san...@heinlein-support.de> wrote:
> >>
> >> Hi,
> >>
> >> On 4/16/25 at 21:11, Anthony D'Atri wrote:
> >>> This is covered in the docs:
> >>>
> >>> https://docs.ceph.com/en/reef/cephadm/services/monitoring/#using-custom-images
> >>
> >> There is a newer Grafana container available at quay.io/ceph/ceph-grafana:9.4.12
> >>
> >> You can use it with
> >>
> >> # ceph config set mgr mgr/cephadm/container_image_grafana quay.io/ceph/ceph-grafana:9.4.12
> >> # ceph orch redeploy grafana
> >>
> >> Regards
> >> --
> >> Robert Sander
> >> Linux Consultant
> >>
> >> Heinlein Consulting GmbH
> >> Schwedter Str. 8/9b, 10119 Berlin
> >>
> >> https://www.heinlein-support.de/
> >>
> >> Tel: +49 30 405051 - 0
> >> Fax: +49 30 405051 - 19
> >>
> >> Amtsgericht Berlin-Charlottenburg - HRB 220009 B
> >> Managing Director: Peer Heinlein - Registered office: Berlin

_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
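
As an added example (not part of the thread and not Ceph's own code), this Python check parses cephadm image pins in both styles quoted above (`DEFAULT_*_IMAGE = '...'` on `reef`, `_create_image(...)` on `main`) and compares each tag with a version floor. The `MIN_VERSIONS` floor for Grafana is an assumption taken from the "10.4 or later" remark in the thread, and the sample input is constructed from lines quoted in the messages.

```python
import re

# Constructed sample: image pins quoted in the thread (reef style and main style).
SAMPLE = """
DEFAULT_GRAFANA_IMAGE = 'quay.io/ceph/ceph-grafana:9.4.7'
GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
ALERTMANAGER = _create_image('quay.io/prometheus/alertmanager:v0.27.0', 'alertmanager')
SAMBA_METRICS = _create_image('quay.io/samba.org/samba-metrics:latest', 'samba_metrics')
"""

# Assumed policy floor, from the thread's "10.4 or later" remark; adjust locally.
MIN_VERSIONS = {"grafana": (10, 4)}

# NAME = 'repo:tag' or NAME = _create_image('repo:tag', ...), also when line-wrapped.
PIN_RE = re.compile(r"^\s*(\w+)\s*=\s*(?:_create_image\()?\s*'([^']+)'", re.M)
VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_pins(source):
    """Return (constant_name, repository, tag) for each image pin in the text."""
    pins = []
    for name, ref in PIN_RE.findall(source):
        repo, _, tag = ref.rpartition(":")
        if repo and "/" not in tag:  # skip untagged refs and registry ports
            pins.append((name, repo, tag))
    return pins


def audit(source, floors=MIN_VERSIONS):
    """Map each constant to (image, status): ok, below-floor, no-floor, non-version-tag."""
    findings = {}
    for name, repo, tag in parse_pins(source):
        m = VERSION_RE.match(tag)
        if not m:  # e.g. 'latest': the tag says nothing about what will be pulled
            findings[name] = (f"{repo}:{tag}", "non-version-tag")
            continue
        version = tuple(int(p) for p in m.group(1).split("."))
        component = re.sub(r"^ceph-", "", repo.rsplit("/", 1)[-1])
        floor = floors.get(component)
        status = "no-floor" if floor is None else ("ok" if version >= floor else "below-floor")
        findings[name] = (f"{repo}:{tag}", status)
    return findings


if __name__ == "__main__":
    for name, (ref, status) in audit(SAMPLE).items():
        print(f"{status:16} {name:22} {ref}")
```

The same functions can be run over a checkout of the branch files named in the thread by passing the file contents as `source`.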