We deprecated [1] the use of quay.io/ceph/*ceph-grafana* images from squid
onwards due to the pain of building and maintaining those images by
ourselves. The main reason we were building a custom grafana image was to
bundle the grafana dashboards and plugins inside the official grafana image.

But with https://github.com/ceph/ceph/pull/55615, we offloaded that to
cephadm at runtime, which removed the burden of building and maintaining it,
which is why we are using the quay.io/ceph/*grafana* image, and it's simply a
mirror from the docker registry. And we are upgrading grafana to 11.x in
tentacle, which is in progress by @Afreen Misbah <afrah...@redhat.com> here:
https://github.com/ceph/ceph/pull/62827.

We have two options for reef since we are still supporting reef actively.
1. We can try and see if backporting that PR is possible; last time I
couldn't because of cephadm binary differences, but I could look again.
2. Just tag and continue to build a newer ceph-grafana:10.4.x image in
quay. Once the image is there, anyone can just go ahead and use it by
updating the container image config.

Will check both of them next week after the holidays.

[1] https://docs.ceph.com/en/latest/releases/squid/#monitoring

Regards,
Nizam

On Thu, Apr 17, 2025 at 7:43 PM Sake Ceph <c...@paulusma.eu> wrote:

> Squid is already on 10.4.0 and it looks like it is using the default grafana
> container images (correct?).
> https://github.com/ceph/ceph/blob/squid/src/cephadm/cephadmlib/constants.py
>
> I couldn't find any issues, but the company really doesn't like old
> software with known issues :)
>
> > On 17-04-2025 16:07 CEST, Anthony D'Atri <anthony.da...@gmail.com> wrote:
> >
> >
> > `main` tells me:
> >
> > ./src/python-common/ceph/cephadm/images.py:    GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
> >
> > The `reef` branch:
> >
> > ./src/cephadm/cephadm.py:DEFAULT_GRAFANA_IMAGE = 'quay.io/ceph/ceph-grafana:9.4.7'
> >
> > YMMV, but looking at the CVE I’m not panicking - one has to enable a
> > non-default option, and then you’re still only vulnerable to insiders,
> > unless you leave your Grafana endpoint exposed on a non-ACL’d routable
> > address.
> >
> > 9.4.x may be EOL, but it wasn’t when Reef was released.
> >
> > A quick search on tracker.ceph.com <http://tracker.ceph.com/> does not
> > find a hit for CVE-2023-1387
> >
> > I suggest opening an issue, this is a simple one-line fix but it’s not
> > immediately clear to me how to properly open a PR against the reef branch.
> >
> > TL;DR:
> >
> >     PROMETHEUS = _create_image('quay.io/prometheus/prometheus:v2.51.0', 'prometheus')
> >     LOKI = _create_image('docker.io/grafana/loki:3.0.0', 'loki')
> >     PROMTAIL = _create_image('docker.io/grafana/promtail:3.0.0', 'promtail')
> >     NODE_EXPORTER = _create_image('quay.io/prometheus/node-exporter:v1.7.0', 'node_exporter')
> >     ALERTMANAGER = _create_image('quay.io/prometheus/alertmanager:v0.27.0', 'alertmanager')
> >     GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
> >     HAPROXY = _create_image('quay.io/ceph/haproxy:2.3', 'haproxy')
> >     KEEPALIVED = _create_image('quay.io/ceph/keepalived:2.2.4', 'keepalived')
> >     NVMEOF = _create_image('quay.io/ceph/nvmeof:1.5', 'nvmeof')
> >     SNMP_GATEWAY = _create_image('docker.io/maxwo/snmp-notifier:v1.2.1', 'snmp_gateway')
> >     ELASTICSEARCH = _create_image('quay.io/omrizeneva/elasticsearch:6.8.23', 'elasticsearch')
> >     JAEGER_COLLECTOR = _create_image('quay.io/jaegertracing/jaeger-collector:1.29', 'jaeger_collector')
> >     JAEGER_AGENT = _create_image('quay.io/jaegertracing/jaeger-agent:1.29', 'jaeger_agent')
> >     JAEGER_QUERY = _create_image('quay.io/jaegertracing/jaeger-query:1.29', 'jaeger_query')
> >     SAMBA = _create_image('quay.io/samba.org/samba-server:devbuilds-centos-amd64', 'samba')
> >     SAMBA_METRICS = _create_image('quay.io/samba.org/samba-metrics:latest', 'samba_metrics')
> >     NGINX = _create_image('quay.io/ceph/nginx:sclorg-nginx-126', 'nginx')
> >     OAUTH2_PROXY = _create_image('quay.io/oauth2-proxy/oauth2-proxy:v7.6.0', 'oauth2_proxy')
> >
> >
> >
> > > On Apr 17, 2025, at 9:40 AM, Wyll Ingersoll <wyllys.ingers...@keepertech.com> wrote:
> > >
> > > ceph-grafana should be upgraded to 10.4 or later because it is not
> > > compatible with the latest prometheus alertmanager (0.27 or later) which
> > > only supports the alertmanager V2 API.
> > >
> > > Is there an issue to track this?
> > >
> > >
> > >
> > > ________________________________
> > > From: Sake Ceph <c...@paulusma.eu>
> > > Sent: Thursday, April 17, 2025 9:35 AM
> > > To: ceph-users@ceph.io <ceph-users@ceph.io>
> > > Subject: [ceph-users] Re: Grafana vulnerability - cephadm deployment
> > >
> > > But Grafana 9.4 has been EOL for a long time. Shouldn't it be time to
> > > upgrade the image?
> > >
> > > Kind regards,
> > > Sake
> > >> On 17-04-2025 09:14 CEST, Robert Sander <r.san...@heinlein-support.de> wrote:
> > >>
> > >>
> > >> Hi,
> > >>
> > >> On 4/16/25 at 21:11, Anthony D'Atri wrote:
> > >>> This is covered in the docs:
> > >>>
> > >>>
> > >>> https://docs.ceph.com/en/reef/cephadm/services/monitoring/#using-custom-images
> > >>
> > >> There is a newer Grafana container available at quay.io/ceph/ceph-grafana:9.4.12
> > >>
> > >> You can use it with
> > >>
> > >> # ceph config set mgr mgr/cephadm/container_image_grafana quay.io/ceph/ceph-grafana:9.4.12
> > >> # ceph orch redeploy grafana
> > >>
> > >> Regards
> > >> --
> > >> Robert Sander
> > >> Linux Consultant
> > >>
> > >> Heinlein Consulting GmbH
> > >> Schwedter Str. 8/9b, 10119 Berlin
> > >>
> > >>
> > >> https://www.heinlein-support.de/
> > >>
> > >> Tel: +49 30 405051 - 0
> > >> Fax: +49 30 405051 - 19
> > >>
> > >> Amtsgericht Berlin-Charlottenburg - HRB 220009 B
> > >> Managing Director: Peer Heinlein - Registered office: Berlin
> > >> _______________________________________________
> > >> ceph-users mailing list -- ceph-users@ceph.io
> > >> To unsubscribe send an email to ceph-users-le...@ceph.io


-- 

Nizamudeen A

Sr. Software Engineer - IBM

Partner Engineer


IBM and Red Hat Ceph Storage

Red Hat <https://www.redhat.com/>
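
As an added example (not part of the original thread and not Ceph's own code): a small Python audit that reads the two default-image styles quoted above, `DEFAULT_GRAFANA_IMAGE = '...'` on reef and `GRAFANA = _create_image(...)` on main, and reports pins below a minimum version. The function names, `FLOORS` and the sample text are assumptions made for the example; the 10.4 floor is the "10.4 or later" asked for in the thread.

```python
import re

# Constructed sample: default-image lines in the two styles quoted in the thread
# (reef's cephadm.py and main's images.py), as grep would print them.
SAMPLE = """\
./src/cephadm/cephadm.py:DEFAULT_GRAFANA_IMAGE = 'quay.io/ceph/ceph-grafana:9.4.7'
./src/python-common/ceph/cephadm/images.py:    GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
./src/python-common/ceph/cephadm/images.py:    ALERTMANAGER = _create_image('quay.io/prometheus/alertmanager:v0.27.0', 'alertmanager')
"""

# Matches both DEFAULT_<NAME>_IMAGE = '<ref>' and <NAME> = _create_image('<ref>', ...)
PIN_RE = re.compile(
    r"(?:DEFAULT_(?P<old>[A-Z0-9_]+)_IMAGE|(?P<new>[A-Z0-9_]+))\s*=\s*"
    r"(?:_create_image\(\s*)?'(?P<ref>[^']+)'"
)
FLOORS = {'grafana': (10, 4)}  # assumption for the example: floor taken from the thread

def split_ref(ref):
    """Split 'registry/repo:tag' into (repo, tag); tag is None when absent."""
    repo, sep, tag = ref.rpartition(':')
    if not sep or '/' in tag:  # no tag, or the ':' belonged to a registry port
        return ref, None
    return repo, tag

def version_tuple(tag):
    """'v0.27.0' -> (0, 27, 0); None for non-numeric tags such as 'latest'."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", tag or "")
    return tuple(int(p) for p in m.group(1).split('.')) if m else None

def audit(text, floors):
    """Return [(component, image_ref, status)] for every pin that has a floor."""
    findings = []
    for m in PIN_RE.finditer(text):
        name = (m['old'] or m['new']).lower()
        if name not in floors:
            continue
        ver = version_tuple(split_ref(m['ref'])[1])
        if ver is None:
            status = 'unversioned'  # tag cannot be compared, review by hand
        elif ver < floors[name]:
            status = 'below-floor'
        else:
            status = 'ok'
        findings.append((name, m['ref'], status))
    return findings

if __name__ == '__main__':
    for name, ref, status in audit(SAMPLE, FLOORS):
        print(f"{status:12} {name:10} {ref}")
```

The same function can be run over the output of a recursive grep for the image constants in a checked-out branch to see which defaults still need an override.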