SOLR-17353 Bump gosu binary to v1.19 in docker images #4273
janhoy wants to merge 3 commits into apache:main from
Conversation
Pull request overview
Updates Solr’s Docker image build to source gosu from upstream GitHub releases (instead of the distro package) to pick up a newer Go toolchain in the bundled binary and reduce reported image vulnerabilities. Also adds Renovate automation to track future gosu release bumps in the Dockerfile template.
Changes:
- Install and GPG-verify gosu v1.19 from GitHub releases during image build.
- Remove gosu installation via apt from the Dockerfile template.
- Add a Renovate custom regex manager to update the ARG GOSU_VERSION automatically.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| solr/docker/templates/Dockerfile.body.template | Switches gosu installation to GitHub release binary with signature verification. |
| changelog/unreleased/SOLR-17353-docker-gosu-upgrade.yml | Adds a changelog entry for the Docker gosu upgrade. |
| .github/renovate.json | Enables regex/custom manager config so Renovate can bump GOSU_VERSION. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| "fileMatch": ["^solr/docker/templates/Dockerfile\\.body\\.template$"], | ||
| "matchStrings": ["ARG GOSU_VERSION=(?<currentValue>[^\\s]+)"], | ||
| "depNameTemplate": "tianon/gosu", | ||
| "datasourceTemplate": "github-releases" |
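Review bot: the manager in this hunk sets `"depNameTemplate": "tianon/gosu"` and `"datasourceTemplate": "github-releases"` but no `versioningTemplate`, so the version scheme used to compare `currentValue` against upstream tags is left to the default. gosu publishes two-component tags such as `1.19`, which are not strict semver, and the local dry-run output later in this thread shows the working setup running with `"versioning":"semver-coerced"`; adding `"versioningTemplate": "semver-coerced"` next to `datasourceTemplate` makes that explicit instead of depending on the default, and is cheap insurance given the author's note that this config is untested.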
This is not tested, a bit hard to dry-run these things, but is an attractive way to monitor version of a binary that would else fall between the cracks. The snippet is created by AI and I ran it through another AI to validate syntax. I suggest we do manual review and then test that it actually works "live" post merge.
According to our friend claude, this can be simplified by adding the below comment above the ARG in the dockerfile:
# renovate: datasource=github-releases depName=tianon/gosu
ARG GOSU_VERSION=1.19
Then you only have to include the below configuration to include the custom file in the scans:
{
...
"dockerfile": {
"fileMatch": ["(^|/)Dockerfile\\.body\\.template$"]
}
}
I also believe there is a simple way for running renovate on local repository through the local platform feature. I will see if I can prepare something for testing purposes and see if my above proposal works as expected. :)
I could confirm your solution with the following command (renovate was installed via npm install -g renovate):
LOG_LEVEL=debug RENOVATE_LOG_FORMAT=json npx renovate --platform local --dry-run=lookup 2>&1 > report.log
I downgraded to 1.17 to see if renovate picks it up, and the output confirmed it:
{"depName":"tianon/gosu","currentValue":"1.17","datasource":"github-releases","replaceString":"# renovate: datasource=github-releases depName=tianon/gosu\nARG GOSU_VERSION=1.17","updates":[{"bucket":"non-major","newVersion":"1.19","newValue":"1.19","releaseTimestamp":"2025-09-23T19:10:36.000Z","newVersionAgeInDays":198,"newMajor":1,"newMinor":19,"newPatch":0,"updateType":"minor","libYears":1.890115138254693,"branchName":"renovate/tianon-gosu-1.x"}],"packageName":"tianon/gosu","versioning":"semver-coerced","warnings":[],"sourceUrl":"https://github.com/tianon/gosu","registryUrl":"https://github.com","currentVersion":"1.17","currentVersionTimestamp":"2023-11-02T21:46:05.000Z","currentVersionAgeInDays":889,"isSingleVersion":true,"fixedVersion":"1.17"}
The solution with the comment can still be used though, so that we can generalize the matching to other packages as well (more future-proof). This can be done by changing the matchStrings with
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\nARG \\w+_VERSION=(?<currentValue>[^\\s]+)"
],
and add this comment above the ARG:
# renovate: datasource=github-releases depName=tianon/gosu
ARG GOSU_VERSION=1.19
Renovate will then pick the datasource and depName from the comment rather than from the renovate.json file (more flexible).
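The regex-manager behaviour debated above, as an added example that is neither Renovate's own code nor part of this PR: a small JavaScript dry-run of both `matchStrings` variants (the PR's `ARG GOSU_VERSION=` regex with `depNameTemplate`/`datasourceTemplate`, and the comment-driven generic regex) against a constructed copy of the Dockerfile template. It assumes only that Renovate compiles each matchString as a JavaScript-style regex with named groups and falls back to the `*Template` fields when a group is absent; `fileMatches`, `extractDeps` and `dryRun` are names chosen here, and the template text is constructed for the example.

```javascript
// Added example: a tiny stand-in for Renovate's custom regex manager so the
// two "matchStrings" variants discussed in this PR can be dry-run offline.
// This is not Renovate's code and not code from the PR; it only assumes that
// Renovate compiles each matchString as a regex with named groups and takes
// currentValue/datasource/depName from those groups, falling back to the
// *Template fields in the manager config.

// Constructed stand-in for solr/docker/templates/Dockerfile.body.template,
// carrying the "# renovate:" marker comment proposed in the thread.
const TEMPLATE_WITH_COMMENT = [
  'ENV SOLR_HOST_BIND="0.0.0.0" \\',
  '    SOLR_ZOOKEEPER_EMBEDDED_HOST="0.0.0.0"',
  '',
  '# renovate: datasource=github-releases depName=tianon/gosu',
  'ARG GOSU_VERSION=1.19',
].join('\n');

// The same template without the marker comment.
const TEMPLATE_NO_COMMENT = TEMPLATE_WITH_COMMENT.replace(
  '# renovate: datasource=github-releases depName=tianon/gosu\n',
  '',
);

// Manager as written in this PR's .github/renovate.json: dependency name and
// datasource live in the config, the regex only captures the version.
const PR_MANAGER = {
  fileMatch: ['^solr/docker/templates/Dockerfile\\.body\\.template$'],
  matchStrings: ['ARG GOSU_VERSION=(?<currentValue>[^\\s]+)'],
  depNameTemplate: 'tianon/gosu',
  datasourceTemplate: 'github-releases',
};

// Generic manager proposed in the thread: datasource and depName are read
// from the comment line directly above any ARG *_VERSION line.
const GENERIC_MANAGER = {
  fileMatch: ['(^|/)Dockerfile\\.body\\.template$'],
  matchStrings: [
    '# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\nARG \\w+_VERSION=(?<currentValue>[^\\s]+)',
  ],
};

// True when at least one fileMatch pattern matches the repo-relative path.
function fileMatches(manager, path) {
  return manager.fileMatch.some((pattern) => new RegExp(pattern).test(path));
}

// Run every matchString over the file content and build one dependency
// record per match, with the fields the thread's dry-run output shows.
function extractDeps(manager, content) {
  const deps = [];
  for (const matchString of manager.matchStrings) {
    const re = new RegExp(matchString, 'g');
    for (const m of content.matchAll(re)) {
      const groups = m.groups || {};
      deps.push({
        depName: groups.depName ?? manager.depNameTemplate,
        datasource: groups.datasource ?? manager.datasourceTemplate,
        currentValue: groups.currentValue,
      });
    }
  }
  return deps;
}

// Dry-run both managers against both template variants.
function dryRun() {
  const path = 'solr/docker/templates/Dockerfile.body.template';
  return {
    prManagerApplies: fileMatches(PR_MANAGER, path),
    genericManagerApplies: fileMatches(GENERIC_MANAGER, path),
    prDepsWithComment: extractDeps(PR_MANAGER, TEMPLATE_WITH_COMMENT),
    genericDepsWithComment: extractDeps(GENERIC_MANAGER, TEMPLATE_WITH_COMMENT),
    // Edge case: the generic manager finds nothing when the marker is missing,
    // so a template edited without the comment silently drops out of tracking.
    genericDepsNoComment: extractDeps(GENERIC_MANAGER, TEMPLATE_NO_COMMENT),
  };
}

console.log(JSON.stringify(dryRun(), null, 2));
```

The useful check is the last field: the generic form only works while the marker comment stays glued to the ARG line (the regex requires a single newline between them), so anyone reordering the template needs to keep the pair together or the dependency disappears from Renovate's view without any error.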
| SOLR_HOST_BIND="0.0.0.0" \ | ||
| SOLR_ZOOKEEPER_EMBEDDED_HOST="0.0.0.0" | ||
| ARG GOSU_VERSION=1.19 |
What do we use
See my comment at the end of the PR description. I have never felt the need to use it. The theoretical need is if someone needs to customize some bootstrap logic which requires running the container as root instead of the declared But an attractive alternative to this is to simply remove gosu, which will be a 1-line change...
Ok, if it's not documented, let's axe it in 10.1
🪓🪓🪓🪓 I could not find any documentation for it, so I'm in...
I am open to removing gosu too, so that you know. Just wanted to confirm that the solution would work. :)
https://issues.apache.org/jira/browse/SOLR-17353
A majority of flagged security issues in our docker image stem from "go", which in turn stems from the bundled go version in the gosu binary that we provide for advanced users of docker images. Earlier we installed gosu with apt, but Canonical is slow to patch (re-build on newer go), so it is better to install the latest binary from GitHub, which is newer.
In addition to installing from github releases, this PR also tries to add a mechanism for which RenovateBot / SolrBot can watch new versions and file a PR for bumping the version in our dockerfile template.
PS: I'm not super attached to gosu myself, have never had the need for it, so I can be convinced of an alternative approach: just skip it. I can't even find documentation in our docker folder on how to use it. Here are some refs on the topic.