Avi Sanwal created FLINK-37881:
----------------------------------
Summary: Drop gosu in favour of Dockerfile's USER
Key: FLINK-37881
URL: https://issues.apache.org/jira/browse/FLINK-37881
Project: Flink
Issue Type: Improvement
Components: flink-docker
Affects Versions: 2.1.0
Reporter: Avi Sanwal
This is a minor improvement from a security standpoint on flink's docker image.
If you see the dockerfile of flink's docker image, we are adding gosu:
https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/Dockerfile#L27-L44
This is later used to switch to the user flink in the entrypoint script:
https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh#L37.
Gosu itself is tagged by popular scanners as being vulnerable due to outdated
golang usage (though gosu itself is not).
Instead of using gosu/su-exec, it may be preferable to switch to flink user
using {{USER flink}} or something similar in Dockerfile. This way we could
avoid depending on gosu, and present a cleaner scan result.
While this does not really solve any vulnerabilities in the system, it can help
satisfy auditors against false positive reports provided by heuristic
scanners.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
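To make the proposal concrete, here is an added illustration of the two approaches side by side. It is not the apache/flink-docker Dockerfile or entrypoint, just a minimal sketch; the base image, the uid/gid 9999, the /opt/flink home directory and the entrypoint contents are assumptions chosen for the example.

```dockerfile
# Added example (not the flink-docker project's own Dockerfile).
#
# --- Before (sketch of the gosu pattern the issue describes) ---
# The build stage downloads a gosu binary, the container starts as root,
# and the entrypoint drops privileges at runtime with:
#     exec gosu flink "$@"
# Scanners then flag the gosu binary (built with an older Go toolchain)
# even though the image never runs it in a way that matters.
#
# --- After: drop gosu, switch user at build time with USER ---
FROM ubuntu:22.04            # assumption: any base image works the same way

# Create the unprivileged service account. uid/gid 9999 is an assumed value.
RUN groupadd --system --gid=9999 flink \
 && useradd --system --home-dir /opt/flink --uid=9999 --gid=flink flink

# Anything that needs root (package installs, directory layout, ownership of
# paths the process will write to) must now happen here, before USER.
RUN mkdir -p /opt/flink/log /opt/flink/conf \
 && chown -R flink:flink /opt/flink

# COPY with --chown so the files are readable by the service user.
COPY --chown=flink:flink docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod 0755 /docker-entrypoint.sh

# Everything after this line, including ENTRYPOINT/CMD, runs as flink.
USER flink
WORKDIR /opt/flink

# The entrypoint no longer needs gosu; it simply execs the command it was given.
# (Hypothetical entrypoint body: exec "$@")
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["help"]

# Quick check after building, e.g. `docker build -t flink-nogosu .`:
#   docker run --rm flink-nogosu id -u        # expected: 9999
#   docker run --rm flink-nogosu which gosu   # expected: no output, exit 1
```

The trade-off worth noting for reviewers: with `USER` set at build time, the entrypoint can no longer perform root-only fix-ups at container start (for example chown-ing a volume mounted with the wrong owner), which is the reason gosu-style entrypoints exist. Those steps move either into the Dockerfile, as above, or to the orchestrator (a Kubernetes `fsGroup` or an init container). A `docker run --user` override still works with either approach, so the `USER` directive is a default, not a lock.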