b12708d7db
# What this PR does
Updating docker image for Redis to latest version on 7.0 branch
## Which issue(s) this PR closes
* (CVE-2022-35977) Integer overflow in the Redis SETRANGE and
SORT/SORT_RO
commands can drive Redis to OOM panic
* (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and
ZRANDMEMBER
commands can lead to denial-of-service
* (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and
HRANDFIELD
commands can trigger an integer overflow, resulting in a runtime
assertion
and termination of the Redis server process.
* (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a
specially
crafted pattern to trigger a denial-of-service attack on Redis, causing
it to
hang and consume 100% CPU time.
* (CVE-2023-28425) Specially crafted MSETNX command can lead to
assertion and denial-of-service
* (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command
to create
an invalid hash field that will crash Redis on access
* (CVE-2022-24834) A specially crafted Lua script executing in Redis can
trigger
a heap overflow in the cjson and cmsgpack libraries, and result in heap
corruption and potentially remote code execution. The problem exists in
all
versions of Redis with Lua scripting support, starting from 2.6, and
affects
only authenticated and authorized users.
* (CVE-2023-36824) Extracting key names from a command and a list of
arguments
may, in some cases, trigger a heap overflow and result in reading random
heap
memory, heap corruption and potentially remote code execution.
Specifically:
using COMMAND GETKEYS* and validation of key names in ACL rules.
* (CVE-2023-41053) Redis does not correctly identify keys accessed by
SORT_RO and
as a result may grant users executing this command access to keys that
are not
explicitly authorized by the ACL configuration.
* (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls
creates a
race condition that can be used by another process to bypass desired
Unix
socket permissions on startup.
* (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing
of memory
buffers which can result in incorrect accounting of buffer sizes and
lead to
heap overflow and potential remote code execution.
## Checklist
- [ ] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [ ] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
show up in the autogenerated release notes.
121 lines
3 KiB
YAML
121 lines
3 KiB
YAML
x-environment: &oncall-environment
|
|
DATABASE_TYPE: sqlite3
|
|
BROKER_TYPE: redis
|
|
BASE_URL: $DOMAIN
|
|
SECRET_KEY: $SECRET_KEY
|
|
FEATURE_PROMETHEUS_EXPORTER_ENABLED: ${FEATURE_PROMETHEUS_EXPORTER_ENABLED:-false}
|
|
PROMETHEUS_EXPORTER_SECRET: ${PROMETHEUS_EXPORTER_SECRET:-}
|
|
REDIS_URI: redis://redis:6379/0
|
|
DJANGO_SETTINGS_MODULE: settings.hobby
|
|
CELERY_WORKER_QUEUE: "default,critical,long,slack,telegram,webhook,retry,celery,grafana"
|
|
CELERY_WORKER_CONCURRENCY: "1"
|
|
CELERY_WORKER_MAX_TASKS_PER_CHILD: "100"
|
|
CELERY_WORKER_SHUTDOWN_INTERVAL: "65m"
|
|
CELERY_WORKER_BEAT_ENABLED: "True"
|
|
GRAFANA_API_URL: http://grafana:3000
|
|
|
|
services:
|
|
engine:
|
|
image: grafana/oncall
|
|
restart: always
|
|
ports:
|
|
- "8080:8080"
|
|
command: sh -c "uwsgi --ini uwsgi.ini"
|
|
environment: *oncall-environment
|
|
volumes:
|
|
- oncall_data:/var/lib/oncall
|
|
depends_on:
|
|
oncall_db_migration:
|
|
condition: service_completed_successfully
|
|
redis:
|
|
condition: service_healthy
|
|
|
|
celery:
|
|
image: grafana/oncall
|
|
restart: always
|
|
command: sh -c "./celery_with_exporter.sh"
|
|
environment: *oncall-environment
|
|
volumes:
|
|
- oncall_data:/var/lib/oncall
|
|
depends_on:
|
|
oncall_db_migration:
|
|
condition: service_completed_successfully
|
|
redis:
|
|
condition: service_healthy
|
|
|
|
oncall_db_migration:
|
|
image: grafana/oncall
|
|
command: python manage.py migrate --noinput
|
|
environment: *oncall-environment
|
|
volumes:
|
|
- oncall_data:/var/lib/oncall
|
|
depends_on:
|
|
redis:
|
|
condition: service_healthy
|
|
|
|
redis:
|
|
image: redis:7.0.15
|
|
restart: always
|
|
expose:
|
|
- 6379
|
|
volumes:
|
|
- redis_data:/data
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 500m
|
|
cpus: "0.5"
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
timeout: 5s
|
|
interval: 5s
|
|
retries: 10
|
|
|
|
prometheus:
|
|
image: prom/prometheus
|
|
hostname: prometheus
|
|
restart: always
|
|
ports:
|
|
- "9090:9090"
|
|
volumes:
|
|
- ./prometheus.yml:/etc/prometheus/prometheus.yml
|
|
- prometheus_data:/prometheus
|
|
profiles:
|
|
- with_prometheus
|
|
|
|
grafana:
|
|
image: "grafana/${GRAFANA_IMAGE:-grafana:latest}"
|
|
restart: always
|
|
ports:
|
|
- "3000:3000"
|
|
environment:
|
|
GF_FEATURE_TOGGLES_ENABLE: externalServiceAccounts
|
|
GF_SECURITY_ADMIN_USER: ${GRAFANA_USER:-admin}
|
|
GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD:-admin}
|
|
GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: grafana-oncall-app
|
|
GF_INSTALL_PLUGINS: grafana-oncall-app
|
|
GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED: true
|
|
volumes:
|
|
- grafana_data:/var/lib/grafana
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 500m
|
|
cpus: "0.5"
|
|
profiles:
|
|
- with_grafana
|
|
configs:
|
|
- source: grafana.ini
|
|
target: /etc/grafana/grafana.ini
|
|
|
|
volumes:
|
|
grafana_data:
|
|
prometheus_data:
|
|
oncall_data:
|
|
redis_data:
|
|
|
|
configs:
|
|
grafana.ini:
|
|
content: |
|
|
[feature_toggles]
|
|
accessControlOnCall = false
|