Merge pull request #679 from splunk/develop

sync develop/master for patch2 release

base/centos-7/install.sh

@@ -47,3 +47,7 @@ rm -rf /etc/security/limits.d/20-nproc.conf
 # Clean
 yum clean all
 rm -rf /anaconda-post.log /var/log/anaconda/*
+
+# symlink for python3
+ln -s /bin/python3 /bin/python
+ln -sf /usr/bin/pip3.7 /usr/bin/pip3

base/centos-8/install.sh

@@ -49,6 +49,7 @@ echo "
 
 # symlink for python3
 ln -s /bin/python3 /bin/python
+ln -sf /usr/bin/pip3.7 /usr/bin/pip3
 
 # Clean
 yum clean all

base/debian-10/install.sh

@@ -92,3 +92,7 @@ chmod u+s /bin/ping
 # Clean
 apt clean autoclean
 rm -rf /var/lib/apt/lists/*
+
+# Symlink python/pip
+ln -sf /usr/bin/python3.7 /usr/bin/python3
+ln -sf /usr/bin/pip3.7 /usr/bin/pip3

base/debian-9/install.sh

@@ -93,3 +93,7 @@ chmod u+s /bin/ping
 # Clean
 apt clean autoclean
 rm -rf /var/lib/apt/lists/*
+
+# Symlink python/pip
+ln -sf /usr/bin/python3.7 /usr/bin/python3
+ln -sf /usr/bin/pip3.7 /usr/bin/pip3

base/redhat-8/Dockerfile

@@ -28,8 +28,8 @@ LABEL name="splunk" \
 ARG BUSYBOX_URL
 
 ENV BUSYBOX_URL=${BUSYBOX_URL} \
-    PYTHON_VERSION=3.7.16 \
-    PYTHON_GPG_KEY_ID=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
+    PYTHON_VERSION=3.9.19 \
+    PYTHON_GPG_KEY_ID=E3FF2839C048B25C084DEBE9B26995E310250568
 
 COPY install.sh /install.sh
 

base/redhat-8/install.sh

@@ -17,7 +17,8 @@ set -e
 
 # Generate UTF-8 char map and locale
 # Reinstalling local English def for now, removed in minimal image: https://bugzilla.redhat.com/show_bug.cgi?id=1665251
-microdnf -y --nodocs install glibc-langpack-en
+# Comment below install until glibc update is available in minimal image: https://access.redhat.com/errata/RHSA-2024:2722
+#microdnf -y --nodocs install glibc-langpack-en
 
 # Currently there is no access to the UTF-8 char map. The following command is commented out until
 # the base container can generate the locale.
@@ -28,7 +29,8 @@ export LANG=en_US.utf8
 # Install utility packages
 microdnf -y --nodocs install wget sudo shadow-utils procps tar make gcc \
                              openssl-devel bzip2-devel libffi-devel findutils \
-                             libssh-devel libcurl-devel glib2-devel ncurses-devel
+                             libssh-devel libcurl-devel glib2-devel ncurses-devel \
+                             diffutils bzip2
 # Patch security updates
 microdnf -y --nodocs update gnutls kernel-headers libdnf librepo libnghttp2 nettle \
                             libpwquality libxml2 systemd-libs lz4-libs curl \
@@ -39,6 +41,18 @@ microdnf -y --nodocs update gnutls kernel-headers libdnf librepo libnghttp2 nett
 # Reinstall tzdata (originally stripped from minimal image): https://bugzilla.redhat.com/show_bug.cgi?id=1903219
 microdnf -y --nodocs reinstall tzdata || microdnf -y --nodocs update tzdata
 
+# Build and install busybox direct from the multiarch since EPEL isn't available yet for redhat8
+cd ~
+wget https://busybox.net/downloads/busybox-1.36.1.tar.bz2
+bzip2 -d busybox-1.36.1.tar.bz2
+tar -xf busybox-1.36.1.tar
+cd busybox-1.36.1
+make defconfig
+make
+cp busybox /bin/busybox
+cd ~
+rm -rf busybox-1.36.1.tar busybox-1.36.1/
+
 # Install Python and necessary packages
 PY_SHORT=${PYTHON_VERSION%.*}
 wget -O /tmp/python.tgz https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz
@@ -58,10 +72,12 @@ make altinstall LDFLAGS="-Wl,--strip-all"
 rm -rf /tmp/pyinstall
 ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python
 ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip
+ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python3
+ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip3
 
 # Install splunk-ansible dependencies
 cd /
-/usr/bin/python3.7 -m pip install --upgrade pip
+/usr/bin/python3.9 -m pip install --upgrade pip
 pip -q --no-cache-dir install --upgrade "requests_unixsocket<2.29" "requests<2.29" six wheel Mako "urllib3<2.0.0" certifi jmespath future avro cryptography lxml protobuf setuptools ansible
 
 # Remove tests packaged in python libs
@@ -74,14 +90,9 @@ ldconfig
 microdnf remove -y make gcc openssl-devel bzip2-devel findutils glib2-devel glibc-devel cpp binutils \
                    keyutils-libs-devel krb5-devel libcom_err-devel libffi-devel libcurl-devel \
                    libselinux-devel libsepol-devel libssh-devel libverto-devel libxcrypt-devel \
-                   ncurses-devel pcre2-devel zlib-devel
+                   ncurses-devel pcre2-devel zlib-devel diffutils bzip2
 microdnf clean all
 
-# Install busybox direct from the multiarch since EPEL isn't available yet for redhat8
-BUSYBOX_URL=${BUSYBOX_URL:=https://busybox.net/downloads/binaries/1.35.0-`arch`-linux-musl/busybox}
-wget -O /bin/busybox ${BUSYBOX_URL}
-chmod +x /bin/busybox
-
 # Enable busybox symlinks
 cd /bin
 BBOX_LINKS=( clear find diff hostname killall netstat nslookup ping ping6 readline route syslogd tail traceroute vi )

docs/CHANGELOG.md

@@ -14,6 +14,7 @@ Red Hat images will continue to be published.
 * [9.2.0.1](#9201)
 * [9.2.0](#920)
 * [9.1.4](#914)
+* [9.1.3-patch1](#913p1)
 * [9.1.3](#913)
 * [9.1.2](#912)
 * [9.1.1](#911)
@@ -159,6 +160,20 @@ Red Hat images will continue to be published.
 
 ---
 
+## 9.1.3-patch1
+
+#### What's New?
+* Install busybox 1.36.1 for remediation of CVE-2022-28391 and CVE-2022-30065
+
+#### docker-splunk changes:
+* Bumping Splunk version. For details, see [Fixed issues for 9.1.3](https://docs.splunk.com/Documentation/Splunk/9.1.3/ReleaseNotes/Fixedissues#Splunk_Enterprise_9.1.3)
+
+#### splunk-ansible changes:
+* Docs updated
+* Bugfixes
+
+---
+
 ## 9.1.3
 
 #### What's New?

py23-image/centos-7/Dockerfile

@@ -17,8 +17,7 @@ RUN wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz \
     && python3.7 get-pip.py \
     && rm -f get-pip.py \
     #pip version is not automatically "fixed", unlike debian-based
-    && ln -sf /usr/bin/pip2 /usr/bin/pip \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip3
+    && ln -sf /usr/bin/pip2 /usr/bin/pip
 RUN yum remove -y --setopt=tsflags=noscripts gcc openssl-devel bzip2-devel libffi-devel \
     && yum autoremove -y \
     && yum clean all

py23-image/centos-8/Dockerfile

@@ -18,8 +18,7 @@ RUN wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz \
     && python3.7 get-pip.py \
     && rm -f get-pip.py \
     # pip version is not automatically "fixed", unlike debian-based
-    && ln -sf /usr/bin/pip2 /usr/bin/pip \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip3
+    && ln -sf /usr/bin/pip2 /usr/bin/pip
     # add python alias
     # && ln -s /bin/python3 /bin/python
 

py23-image/debian-10/Dockerfile

@@ -4,8 +4,6 @@ USER root
 
 RUN apt-get update -y \
     && apt-get install -y --no-install-recommends libpython-dev python-pip python-requests python-jmespath python-yaml \
-    && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
     && ln -sf /usr/bin/python3.7 /usr/bin/python \
     && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
     && pip3 install --upgrade ansible==3.4.0 requests==2.25.1 pyyaml==5.4.1 jmespath==0.10.0

py23-image/debian-9/Dockerfile

@@ -4,8 +4,6 @@ USER root
 
 RUN apt-get update -y \
     && apt-get install -y --no-install-recommends libpython-dev python-pip python-requests python-jmespath python-yaml \
-    && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
     && ln -sf /usr/bin/python3.7 /usr/bin/python \
     && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
     && pip3 install --upgrade ansible==3.4.0 requests==2.25.1 pyyaml==5.4.1 jmespath==0.10.0

py23-image/redhat-8/Dockerfile

@@ -3,10 +3,9 @@ FROM ${SPLUNK_PRODUCT}-redhat-8:latest
 USER root
 
 RUN microdnf -y --nodocs update \
-    && microdnf -y --nodocs install python2-pip python2-devel \
+    && microdnf -y --nodocs install python2 \
+    && pip2 install --upgrade pip \
     && pip2 --no-cache-dir install requests pyyaml jmespath \
-    && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
-    && ln -sf /usr/bin/python3.7 /usr/bin/python \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
-    && pip3 install --upgrade ansible==3.4.0 requests==2.25.1 pyyaml==5.4.1 jmespath==0.10.0
+    && ln -sf /usr/bin/python3.9 /usr/bin/python \
+    && ln -sf /usr/bin/pip3.9 /usr/bin/pip \
+    && pip3 install --upgrade requests==2.25.1 pyyaml==5.4.1 jmespath==0.10.0

splunk/common-files/Dockerfile

@@ -112,6 +112,7 @@ RUN sed -i -e 's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL\nans
     && chgrp ${ANSIBLE_GROUP} ${SPLUNK_ANSIBLE_HOME} ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
     && chmod 775 ${SPLUNK_ANSIBLE_HOME} \
     && chmod 664 ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
+    && sed -i '/^\[defaults\]/a\interpreter_python = /usr/bin/python3' ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
     && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
 
 USER ${ANSIBLE_USER}

splunk/common-files/apps/splunk_enterprise_on_docker/metadata/default.meta

@@ -0,0 +1,2 @@
+[]
+access = read : [ * ], write : [ admin ]

splunk/common-files/make-minimal-exclude.py

@@ -39,7 +39,6 @@
     minor_version = version_string.group(2)
 
 if major_version:
-    print(EXCLUDE_V7)
     if int(major_version) == 7:
         print("*/bin/parsetest*")
         if int(minor_version) < 3:
@@ -51,3 +50,7 @@
         print("*/etc/apps/splunk_metrics_workspace*")
         if int(minor_version) < 1:
             print("*/bin/parsetest*")
+    elif int(major_version) >= 9:
+        if int(minor_version) >= 4:
+            EXCLUDE_V7 = EXCLUDE_V7.replace('*/bin/jsmin*', '')
+    print(EXCLUDE_V7)

uf/common-files/Dockerfile

@@ -105,6 +105,7 @@ RUN sed -i -e 's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL\nans
     && chgrp ${ANSIBLE_GROUP} ${SPLUNK_ANSIBLE_HOME} ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
     && chmod 775 ${SPLUNK_ANSIBLE_HOME} \
     && chmod 664 ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
+    && sed -i '/^\[defaults\]/a\interpreter_python = /usr/bin/python3' ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
     && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
 
 USER ${ANSIBLE_USER}