[FOLIO-3407] Don't use curl for java container health check Created: 11/Feb/22  Updated: 06/Nov/22  Resolved: 03/Nov/22

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Umbrella Priority: P3
Reporter: Julian Ladisch Assignee: Julian Ladisch
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
is defined by FOLIO-3409 Prefer wget over curl for healthChkCmd Closed
is defined by FOLIO-3507 Remove curl from folioci/alpine-jre-o... Closed
is defined by MODCR-82 Jenkinsfile healthChkCmd: Prefer wget... Closed
is defined by MODNOTES-223 Jenkinsfile healthChkCmd: Prefer wget... Closed
is defined by RSRVR-52 Jenkinsfile healthChkCmd: Prefer wget... Closed
Relates
relates to MODOAIPMH-393 Move health test from Jenkins file to... Closed
Sprint:
Development Team: None
RCA Group: TBD

Description

Remove curl from the folioci/alpine-jre-openjdk-11 and folioci/alpine-jre-openjdk-17 java images.

Many java based modules use curl for their health check; they set this healthChkCmd in their Jenkinsfile:

curl -sS --fail -o /dev/null  http://localhost:8081/apidocs/ || exit 1

Jenkins runs this command inside of the java container (containerHealthCheck.groovy, run healthcheck, builder healthcheck).

This requires that curl is installed inside of the java container. Currently we add curl to the java container: folio-java-docker/openjdk11/Dockerfile#L14

curl should be removed from this container and replaced by busybox wget or maven integration tests.

This has several advantages:

  • It reduces the container size.
  • It reduces the attack surface. curl's security history is worse than wget's: curl CVEs, wget CVEs. FOLIO's java container is based on Alpine, and Alpine ships with BusyBox, a multi-call binary that contains a wget with a reduced number of options, further reducing the attack surface.
  • It reduces complexity and maintenance effort. Running a .jar file does not need curl, and containers should be as small as possible.

Module developers have several options:

  • Remove the build health check from the Jenkinsfile and move it into the maven integration test phase. This is the best option because it allows adding more smoke tests. Build and start the Docker container in the maven integration test phase and test the health endpoint. Optionally add smoke tests to check that all libraries have been correctly assembled in the shaded uber fat jar. Examples: mod-eusage-reports ApiIT, mod-oai-pmh ModTenantAPIIT
  • Switch from curl to wget in the healthChkCmd in the Jenkinsfile:
    wget --no-verbose --tries=1 --spider http://localhost:8081/admin/health || exit 1
    
  • If a module really needs the features that curl provides it may amend its own Dockerfile:
    RUN apk add --no-cache curl
    

    Best practice is to combine this with apk upgrade:

    RUN apk upgrade \
     && apk add \
          curl \
     && rm -rf /var/cache/apk/*
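As an added illustration of the first option above (this is example code, not the ApiIT or ModTenantAPIIT tests from the FOLIO modules), a failsafe integration test that starts the module image with Testcontainers and probes the health endpoint from the host, so the image itself needs neither curl nor wget. Assumed: the image name mod-example:latest, port 8081 and the /admin/health path from the wget example above; Testcontainers and JUnit 5 are my choice of tooling.

```java
// Added example, not FOLIO project code. Lives in src/test/java and is picked
// up by maven-failsafe-plugin in the integration-test phase (*IT.java is a
// failsafe default include). Assumes the module's image was built earlier in
// the same build under the placeholder name "mod-example:latest".
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import org.junit.jupiter.api.Test;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.wait.strategy.Wait;
import org.testcontainers.junit.jupiter.Container;
import org.testcontainers.junit.jupiter.Testcontainers;
import org.testcontainers.utility.DockerImageName;

@Testcontainers
class HealthIT {

  private static final int PORT = 8081; // assumed module port

  @Container
  private static final GenericContainer<?> MODULE =
      new GenericContainer<>(DockerImageName.parse("mod-example:latest"))
          .withExposedPorts(PORT)
          // Testcontainers polls the endpoint from the host, so the
          // container image does not need any HTTP client installed.
          .waitingFor(Wait.forHttp("/admin/health")
              .forPort(PORT)
              .forStatusCode(200)
              .withStartupTimeout(Duration.ofMinutes(2)));

  @Test
  void healthEndpointAnswersWithOk() throws Exception {
    // Same check the Jenkins healthChkCmd used to do, now done by the build.
    URI uri = URI.create("http://" + MODULE.getHost() + ":"
        + MODULE.getMappedPort(PORT) + "/admin/health");
    HttpResponse<String> response = HttpClient.newHttpClient().send(
        HttpRequest.newBuilder(uri).timeout(Duration.ofSeconds(10)).GET().build(),
        HttpResponse.BodyHandlers.ofString());
    assertEquals(200, response.statusCode(), "health endpoint status");
    // Smoke check that the shaded jar actually served the request: the
    // process is still up after answering (a broken uber jar typically dies).
    assertTrue(MODULE.isRunning(), "module container stopped after health probe");
  }
}
```

Further smoke tests against real API endpoints can be added to the same class to catch libraries missing from the shaded jar.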
    


Comments
Comment by Craig McNally [ 03/Nov/22 ]

Curl is no longer being installed into the openjdk17 base image.  See https://github.com/folio-org/folio-tools/blob/master/folio-java-docker/openjdk17/Dockerfile


Closing this as done

Generated at Thu Feb 08 23:27:53 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.