Download add-logging-agent-repo.sh and verify checksum before running #355
Conversation
curl | bash of "unvendored" scripts is a security risk. This change address that by downloading the image and verifying the checkup before running.
There was a problem hiding this comment.
This is technically a trusted script, so we may not need this, but I'll let @qingling128 make that decision.
| && curl -sS https://dl.google.com/cloudagents/add-logging-agent-repo.sh | REPO_SUFFIX="$REPO_SUFFIX" REPO_CODENAME=stretch DO_NOT_INSTALL_CATCH_ALL_CONFIG=true bash /dev/stdin --also-install \ | ||
| && curl -sS -o add-logging-agent-repo.sh https://dl.google.com/cloudagents/add-logging-agent-repo.sh \ | ||
| && (echo "499cbd999bc9cc26aebd2516d4428623ec7bb9e56a559239cd21b41ae38f0d95 add-logging-agent-repo.sh" | sha256sum --check) \ | ||
| && cat add-logging-agent-repo.sh | REPO_SUFFIX="$REPO_SUFFIX" REPO_CODENAME=stretch DO_NOT_INSTALL_CATCH_ALL_CONFIG=true bash /dev/stdin --also-install \ |
There was a problem hiding this comment.
Why not just REPO_SUFFIX="$REPO_SUFFIX" REPO_CODENAME=stretch DO_NOT_INSTALL_CATCH_ALL_CONFIG=true bash add-logging-agent-repo.sh --also-install?
There was a problem hiding this comment.
could do that as well. Simply followed existing style. Will update if we end up needing this PR.
| @@ -19,7 +19,10 @@ RUN apt-get update \ | |||
| ca-certificates \ | |||
| adduser \ | |||
| # Install Logging Agent. | |||
| && curl -sS https://dl.google.com/cloudagents/add-logging-agent-repo.sh | REPO_SUFFIX="$REPO_SUFFIX" REPO_CODENAME=stretch DO_NOT_INSTALL_CATCH_ALL_CONFIG=true bash /dev/stdin --also-install \ | |||
| && curl -sS -o add-logging-agent-repo.sh https://dl.google.com/cloudagents/add-logging-agent-repo.sh \ | |||
| && (echo "499cbd999bc9cc26aebd2516d4428623ec7bb9e56a559239cd21b41ae38f0d95 add-logging-agent-repo.sh" | sha256sum --check) \ | |||
There was a problem hiding this comment.
This will require us to update the checksum every time we update the script, which will introduce additional maintenance burden, so I'd like @qingling128 to sign off on that.
There was a problem hiding this comment.
This requires changing our build / test / release pipeline to extract and update this checksum whenever we do an install script release. Otherwise the logging agent pre-release validation is gonna fail. We'd need to prioritize that work before this PR could get in.
There was a problem hiding this comment.
thanks. Will confirm on the exemption and update the comments.
|
This script is deployed and hosted by Google. Is it possible to get an exemption for that reason? |
curl | bashof "unvendored" scripts is a security risk. This change address that by downloading the image and verifying the checkup before running.b/193812194