Update tiflash base image version

@ilovesoup Can you help me upgrade the base image of TiFlash v4.0.16 to the newest version to avoid critical vulnerability issues? TiFlash is not open source so I can’t do it by myself.

vulnerabilities	package	CRITICAL Vulnerability found in os package type (rpm) - nss-tools (fixed in: 0:3.67.0-4.el7_9)(CVE-2021-43527 - https://access.redhat.com/security/cve/CVE-2021-43527)
vulnerabilities	package	CRITICAL Vulnerability found in os package type (rpm) - expat (fixed in: 0:2.1.0-11.el7)(CVE-2015-2716 - https://access.redhat.com/security/cve/CVE-2015-2716)
vulnerabilities	package	CRITICAL Vulnerability found in os package type (rpm) - nss-sysinit (fixed in: 0:3.67.0-4.el7_9)(CVE-2021-43527 - https://access.redhat.com/security/cve/CVE-2021-43527)
vulnerabilities	package	CRITICAL Vulnerability found in os package type (rpm) - nss (fixed in: 0:3.67.0-4.el7_9)(CVE-2021-43527 - https://access.redhat.com/security/cve/CVE-2021-43527)

If you have concerns about changing the base image from CentOS 7.6 to 7.9 due to stability, can you alternatively upgrade the OS packages inside the image as a workaround?

Hi, thanks for your question. Could you please provide your operation steps for the upgrade? If your TiDB cluster uses TiDB Operator on Kubernetes, refer to these documents: https://docs.pingcap.com/tidb-in-kubernetes/stable/upgrade-tidb-operator

To clarify the question, there’s no problem with TiDB Operator. The TiFlash image pingcap/tiflash:v4.0.16 contains vulnerability issues. Can you ask the TiFlash team to upgrade the base image of TiFlash to solve this problem?

Yep, I get your point now. I have sent this question to our security team; it may take some more waiting time, and we will feed back a workaround.

By the way, if you want to get more user benefits, you can register for customer certification on the AskTUG forum. Team certification guide

Hi, we’ve reached out to the team that maintains the image, and our internal image update process will take some time. If this problem is very urgent, you can try the following method: use pingcap/tiflash:v4.0.16 as the base image to build a new image, and update the system dependencies during the rebuild process, as shown in the following Dockerfile:

FROM pingcap/tiflash:v4.0.16

RUN yum update -y

Yep, it’s the last choice. But I think it would be better to maintain the image from the community side.

When can we expect a release?

Hi, the image upgrade work is in progress. Dependency upgrades introduce some behavioral changes that can lead to serious bugs in specific scenarios. We need some time to analyze and resolve these issues. If everything goes well, the update will be completed next week.

Thanks. Let me know if the new image is ready.

Hello, sorry to inform you that due to limited QA resources, the update of the base image will be released in the next version (including 5.0.7, 5.1.4, 5.2.4, 5.3.1, 5.4.0, and possibly 4.0.17).
Temporary solution (upgrade only nss and expat packages):

FROM pingcap/tiflash:v4.0.16

RUN yum update -y nss expat

As the support period for 4.x is about to expire (not sure if there will be a patch version in the future), it is recommended to upgrade to 5.x. The earliest fixes will be 5.1.4 and 5.4.0, which will be released next month.
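After rebuilding the image with the Dockerfile above, it is worth confirming that the installed package versions actually reach the fixed-in versions the scanner reported, rather than trusting that `yum update` pulled them in. The following Python script is an added example written for this thread, not code from the thread or from PingCAP. It parses the scanner lines quoted earlier in the thread, parses the output of `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' <packages>` run inside the rebuilt container (the `RPM_OUTPUT` sample below is constructed for illustration, and its expat version is deliberately still too old), and compares epoch/version/release with a simplified reimplementation of rpm's version comparison (it ignores rpm's `~` and `^` special cases, which do not occur in these versions).

```python
"""Verify that a rebuilt image's RPM versions meet the scanner's fixed-in versions."""
import re

# Constructed sample input: the four scanner findings quoted in the thread.
SCAN_LINES = [
    "vulnerabilities\tpackage\tCRITICAL Vulnerability found in os package type (rpm) - nss-tools (fixed in: 0:3.67.0-4.el7_9)(CVE-2021-43527 - https://access.redhat.com/security/cve/CVE-2021-43527)",
    "vulnerabilities\tpackage\tCRITICAL Vulnerability found in os package type (rpm) - expat (fixed in: 0:2.1.0-11.el7)(CVE-2015-2716 - https://access.redhat.com/security/cve/CVE-2015-2716)",
    "vulnerabilities\tpackage\tCRITICAL Vulnerability found in os package type (rpm) - nss-sysinit (fixed in: 0:3.67.0-4.el7_9)(CVE-2021-43527 - https://access.redhat.com/security/cve/CVE-2021-43527)",
    "vulnerabilities\tpackage\tCRITICAL Vulnerability found in os package type (rpm) - nss (fixed in: 0:3.67.0-4.el7_9)(CVE-2021-43527 - https://access.redhat.com/security/cve/CVE-2021-43527)",
]

# Constructed sample output of:
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' nss nss-tools nss-sysinit expat
# run inside the rebuilt container. The expat line is intentionally one release
# behind the fixed-in version to show how an unfixed package is reported.
RPM_OUTPUT = """nss (none):3.67.0-4.el7_9
nss-tools (none):3.67.0-4.el7_9
nss-sysinit (none):3.67.0-4.el7_9
expat (none):2.1.0-10.el7
"""

# Matches "- <package> (fixed in: <evr>)(<CVE-id>" in the scanner's line format.
FINDING_RE = re.compile(r"- (?P<pkg>\S+) \(fixed in: (?P<evr>[^)]+)\)\((?P<cve>CVE-\d{4}-\d+)")


def parse_findings(lines):
    """Return a list of (package, fixed_in_evr, cve) tuples from scanner lines."""
    findings = []
    for line in lines:
        m = FINDING_RE.search(line)
        if m:
            findings.append((m["pkg"], m["evr"], m["cve"]))
    return findings


def parse_rpm_output(text):
    """Map package name -> EVR string; rpm prints '(none)' for an unset epoch."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, evr = line.split(None, 1)
        installed[name] = evr.replace("(none):", "0:")
    return installed


def rpmvercmp(a, b):
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Segments are runs of digits or letters; separators are ignored. Numeric
    segments compare numerically and beat alphabetic ones; the string with
    more segments wins when all shared segments are equal.
    """
    if a == b:
        return 0
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_evr(evr):
    """'0:3.67.0-4.el7_9' -> (epoch, version, release); missing parts default."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release


def compare_evr(a, b):
    """Compare two EVR strings the way rpm orders them: epoch, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c != 0:
        return c
    return rpmvercmp(ra, rb)


def check(findings, installed):
    """Return (package, cve, status) with status 'fixed', 'vulnerable' or 'missing'."""
    results = []
    for pkg, fixed_evr, cve in findings:
        have = installed.get(pkg)
        if have is None:
            status = "missing"
        elif compare_evr(have, fixed_evr) >= 0:
            status = "fixed"
        else:
            status = "vulnerable"
        results.append((pkg, cve, status))
    return results


if __name__ == "__main__":
    for pkg, cve, status in check(parse_findings(SCAN_LINES), parse_rpm_output(RPM_OUTPUT)):
        print(f"{pkg:12} {cve:15} {status}")
```

In practice you would feed `RPM_OUTPUT` from `docker run --rm <rebuilt-image> rpm -q --qf ...` and fail the CI build if any finding is still `vulnerable` or `missing`; the `missing` state matters because a scanner finding for a package that is not installed at all usually means the package name or image under test is wrong, not that the issue is fixed.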

Thanks for the info. I’ll do it by myself.

BTW, can you confirm that the images built from specific tags on GitHub for pd/tidb/tikv/… are equivalent to the images on docker.io at the code level? I’m asking because the images built from GitHub have a ‘dirty’ suffix in the version. For example ‘v4.0.16-dirty’.

The suffix comes from the git subcommand option --dirty; see pd/Makefile#L41 and git describe for more details. We use this suffix to help mark the development version of the binary.