Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace run-proxy.sh with a binary #6172

Closed
olix0r opened this issue May 24, 2021 · 0 comments · Fixed by #6228
Closed

Replace run-proxy.sh with a binary #6172

olix0r opened this issue May 24, 2021 · 0 comments · Fixed by #6228
Assignees
@dadjeibaah
Labels
help wanted priority/P1 Planned for Release
Milestone
stable-2.11.0

Comments

@olix0r
Copy link
Member

olix0r commented May 24, 2021

To support #5198, we should use a distroless image for the proxy's runtime (see #6165).

In order to move to a more restricted container image, we can't rely on a shell being present in the runtime container, however the proxy is started by an init script

linkerd2/proxy-identity/run-proxy.sh

Lines 1 to 10 in e784b5b

#!/usr/bin/env sh
set -eu
if [ -z "${LINKERD2_PROXY_IDENTITY_DISABLED:-}" ]; then
/usr/lib/linkerd/linkerd2-proxy-identity \
-dir "$LINKERD2_PROXY_IDENTITY_DIR" \
-name "$LINKERD2_PROXY_IDENTITY_LOCAL_NAME"
fi
exec /usr/lib/linkerd/linkerd2-proxy

We should either rewrite this as a small standalone binary or fold this logic directly into the identity helper and then update the proxy's dockerfile (as in https://github.com/linkerd/linkerd2/blob/d8f010d8ceedaba6f0509a3c5539c5a50844f4f4/Dockerfile-proxy) to use a restricted runtime image.
@olix0r olix0r added help wanted priority/P1 Planned for Release labels May 24, 2021
@olix0r olix0r added this to the stable-2.11.0 milestone May 24, 2021
@olix0r olix0r mentioned this issue May 24, 2021
Closed
tskinn added a commit to tskinn/linkerd2 that referenced this issue Jun 5, 2021
@tskinn
fold run-proxy.sh funtionality into proxy-dentity
49cce23 
A docker image with a shell is required to run the identity helper

The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script

none

Fixes linkerd#6172

Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
@tskinn tskinn mentioned this issue Jun 5, 2021
Merged
@dadjeibaah dadjeibaah assigned dadjeibaah and unassigned dadjeibaah Jun 9, 2021
tskinn added a commit to tskinn/linkerd2 that referenced this issue Jun 11, 2021
@tskinn
fold run-proxy.sh funtionality into proxy-dentity
8b87b91 
A docker image with a shell is required to run the identity helper

The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script

none

Fixes linkerd#6172

Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
tskinn added a commit to tskinn/linkerd2 that referenced this issue Jun 11, 2021
@tskinn
fold run-proxy.sh funtionality into proxy-dentity
faeaaeb 
A docker image with a shell is required to run the identity helper

The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script

none

Fixes linkerd#6172

Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
kleimkuhler pushed a commit that referenced this issue Jun 11, 2021
@tskinn
fold run-proxy.sh funtionality into proxy-dentity (#6228)
308526d 
A docker image with a shell is required to run the identity helper which is undesirable. 

The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script

Fixes #6172

Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 16, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dadjeibaah dadjeibaah

Labels
help wanted priority/P1 Planned for Release
Projects
None yet
Milestone
stable-2.11.0
Development

Successfully merging a pull request may close this issue.

fold run-proxy.sh funtionality into proxy-dentity tskinn/linkerd2
2 participants
@olix0r @dadjeibaah