From 4b485aebd087236b11b5bbe7bab4b56419f2a789 Mon Sep 17 00:00:00 2001 From: Sunil Yadav Date: Tue, 6 Jan 2026 18:42:39 +0000 Subject: [PATCH 1/9] Upgrade Telegraf and Fluent-bit --- kubernetes/linux/setup.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh index ed037d598..82fc8ff0b 100644 --- a/kubernetes/linux/setup.sh +++ b/kubernetes/linux/setup.sh @@ -62,7 +62,8 @@ sudo tdnf install jq-1.7.1-1.azl3 -y #used to setcaps for ruby process to read /proc/env sudo tdnf install libcap -y -sudo tdnf install telegraf-agent-1.36.4 -y +sudo curl -L -O https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/x86_64/telegraf-agent-1.37.0-1.azl3.x86_64.rpm +sudo tdnf install -y --nogpgcheck telegraf-agent-1.37.0-1.azl3.x86_64.rpm telegraf_version=$(sudo tdnf list installed | grep telegraf | awk '{print $2}') echo "telegraf $telegraf_version" >> packages_version.txt mv /usr/bin/telegraf-agent /opt/telegraf @@ -73,7 +74,7 @@ docker_cimprov_version=$(sudo tdnf list installed | grep docker-cimprov | awk '{ echo "DOCKER_CIMPROV_VERSION=$docker_cimprov_version" >> packages_version.txt #install fluent-bit -sudo tdnf install azcu-fluent-bit-4.0.9 -y +sudo tdnf install azcu-fluent-bit-4.1.1 -y echo "$(fluent-bit --version)" >> packages_version.txt # install fluentd From f1fb1a20344de1788a7ab8c19037723e1fc02043 Mon Sep 17 00:00:00 2001 From: Sunil Yadav Date: Tue, 6 Jan 2026 19:31:35 +0000 Subject: [PATCH 2/9] re-install uri --- kubernetes/linux/setup.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh index 82fc8ff0b..dacc6403b 100644 --- a/kubernetes/linux/setup.sh +++ b/kubernetes/linux/setup.sh 
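Review bot: The new telegraf install in the first hunk (`-62,7 +62,8`) downloads the RPM from blob storage with `sudo curl -L -O` and installs it with `tdnf install -y --nogpgcheck`, so the package signature check that the removed `sudo tdnf install telegraf-agent-1.36.4 -y` got from the repo is switched off and nothing else verifies the file before it is installed as root. `curl -L -O` without `-f` also saves an HTTP error body under the RPM name on a 4xx/5xx, and the downloaded file is left in the working directory (the ruby-build tarball elsewhere in this file is removed after use). At minimum add `-f` to curl and check a pinned digest before install, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  telegraf-agent-1.37.0-1.azl3.x86_64.rpm" | sha256sum -c -`, or keep the repo package so GPG verification stays on. The same pattern is duplicated per architecture in patch 6's `-68,8 +68,13` hunk; patch 9 later returns to the repo package.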
@@ -40,6 +40,12 @@ gem uninstall net-imap --force
 # remove rexml gem as it has a known CVE (CVE-2025-58767) and is not used by the agent
 gem uninstall rexml --force
 
+# upgrade uri gem to mitigate CVE-2025-61594
+gem uninstall uri --force
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
+gem install uri -v "0.13.3" --no-document
+
 sudo tdnf install -y azure-mdsd-1.37.0
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
 cp -f $TMPDIR/envmdsd /etc/mdsd.d
From 2e42ea97fca128542a1d7be6ddbdb703cdb88573 Mon Sep 17 00:00:00 2001
From: Sunil Yadav
Date: Tue, 6 Jan 2026 20:11:22 +0000
Subject: [PATCH 3/9] uninstall uri
---
 kubernetes/linux/setup.sh | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index dacc6403b..309ba5101 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -40,11 +40,8 @@ gem uninstall net-imap --force
 # remove rexml gem as it has a known CVE (CVE-2025-58767) and is not used by the agent
 gem uninstall rexml --force
 
-# upgrade uri gem to mitigate CVE-2025-61594
+# remove uri gem as it has a known CVE (CVE-2025-61594) and is not used by the agent
 gem uninstall uri --force
-rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
-rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
-gem install uri -v "0.13.3" --no-document
 
 sudo tdnf install -y azure-mdsd-1.37.0
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
From 87d8136d5e64af63f9c475ce76f3d93a3a94fd94 Mon Sep 17 00:00:00 2001
From: Sunil Yadav
Date: Tue, 6 Jan 2026 21:14:47 +0000
Subject: [PATCH 4/9] Remove uri files
---
 kubernetes/linux/setup.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 309ba5101..97696f271 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
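Review bot: The two added `rm` lines in the `-40,6 +40,12` hunk hard-code the gem directory `/usr/lib/ruby/gems/3.3.0` and the bundled version `uri-0.13.2`, and `rm` without `-f` fails when either path is absent; the arm64 branch earlier in this file installs Ruby from the tdnf package rather than ruby-build, so whether that build places the default gem at exactly this path is not shown here and should be checked. Deriving the location from the interpreter, `gem_dir=$(ruby -e 'puts Gem.default_dir')`, would follow whichever Ruby was installed, and a version-agnostic glob would survive the next Ruby bump. Nothing records which uri version is active after this block; appending `gem list uri` output to packages_version.txt, as the telegraf and fluent-bit steps do, would make the mitigation auditable. Patch 4's `-42,6 +42,8` hunk re-adds the same two lines and carries the same issue.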
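Review bot: The replacement comment in the `-40,11 +40,8` hunk states uri "is not used by the agent", but the removed lines show the gem living under `specifications/default/`, i.e. it is a default gem bundled with the interpreter, and `gem uninstall uri --force` on a default gem leaves the bundled copy in place (patches 4 and 5 re-adding the deletion and reinstall are consistent with that), so this hunk alone likely leaves the CVE-2025-61594 code on the image. The "not used" claim also needs checking before relying on removal, since net/http and open-uri require uri when loaded. I would keep the comment to what the line actually achieves, e.g. `# uri is a default gem; gem uninstall alone does not remove the bundled copy`.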
@@ -42,6 +42,8 @@ gem uninstall rexml --force
 
 # remove uri gem as it has a known CVE (CVE-2025-61594) and is not used by the agent
 gem uninstall uri --force
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
 
 sudo tdnf install -y azure-mdsd-1.37.0
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
From aa9c23644af373725eb8ecdc5cc6d053c195dfb1 Mon Sep 17 00:00:00 2001
From: Sunil Yadav
Date: Wed, 7 Jan 2026 20:59:01 +0000
Subject: [PATCH 5/9] gem install uri
---
 kubernetes/linux/setup.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 97696f271..79d5dd90f 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -44,6 +44,7 @@ gem uninstall rexml --force
 gem uninstall uri --force
 rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
 rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
+gem install uri -v "0.13.3" --no-document
 
 sudo tdnf install -y azure-mdsd-1.37.0
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
From b89cc2b9f9218b78175b5c5e2e0f0b456e452203 Mon Sep 17 00:00:00 2001
From: Sunil Yadav
Date: Thu, 8 Jan 2026 01:22:26 +0000
Subject: [PATCH 6/9] Upgrade ruby
---
 kubernetes/linux/setup.sh | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 79d5dd90f..ea050776e 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
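Review bot: With the `gem install uri -v "0.13.3" --no-document` line added in the `-44,6 +44,7` hunk, the block now deletes the bundled uri and installs a newer one, but the header comment just above the hunk, `# remove uri gem as it has a known CVE (CVE-2025-61594) and is not used by the agent`, still describes a removal, so comment and code disagree. Suggest `# replace the bundled uri default gem (CVE-2025-61594) with 0.13.3; the rm lines are needed because gem uninstall cannot remove a default gem`. The install also reaches rubygems.org at image build time; `-v` pins the version but nothing on the page records the resolved gem, so logging `gem list uri` into packages_version.txt next to the other package versions would give an audit trail.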
@@ -15,10 +15,10 @@ sudo update-ca-trust
 # arm64 build breaks intermittently when installing ruby from global packages, so installing it from mariner packages
 # the mariner package version is behind the global packages so we are using different versions for arm64 and x86_64
 if [ "$ARCH" == "arm64" ]; then
- sudo tdnf install ruby-3.3.5-1.azl3.aarch64 -y
+ sudo tdnf install ruby-3.3.5-6.azl3.aarch64 -y
 else
 tdnf install -y gcc patch bzip2 openssl-devel libyaml-devel libffi-devel readline-devel zlib-devel gdbm-devel ncurses-devel
- wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20250409.tar.gz -O ruby-build.tar.gz
+ wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20251023.tar.gz -O ruby-build.tar.gz
 tar -xzf ruby-build.tar.gz
 PREFIX=/usr/local ./ruby-build-*/install.sh
 ruby-build 3.3.8 /usr -v
@@ -41,10 +41,10 @@ gem uninstall net-imap --force
 gem uninstall rexml --force
 
 # remove uri gem as it has a known CVE (CVE-2025-61594) and is not used by the agent
-gem uninstall uri --force
-rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
-rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
-gem install uri -v "0.13.3" --no-document
+# gem uninstall uri --force
+# rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
+# rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
+# gem install uri -v "0.13.3" --no-document
 
 sudo tdnf install -y azure-mdsd-1.37.0
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
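Review bot: In the `-41,10 +41,10` hunk the four uri commands are commented out with `#` but the header `# remove uri gem as it has a known CVE (CVE-2025-61594) and is not used by the agent` is kept above them, so a reader sees a CVE mitigation that no longer executes and nothing says why it was disabled. Presumably the ruby-3.3.5-6.azl3 and ruby-build v20251023 bumps in the first hunk are expected to ship a fixed uri, but that is neither stated nor checked; patch 9 later deletes the block outright, still without a recorded reason. Replace the dead lines with one comment that carries the decision and leaves evidence, e.g. `# CVE-2025-61594: relying on the uri shipped with the Ruby versions above — TODO confirm` followed by `gem list uri >> packages_version.txt`.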
@@ -68,8 +68,13 @@ sudo tdnf install jq-1.7.1-1.azl3 -y #used to setcaps for ruby process to read /proc/env sudo tdnf install libcap -y -sudo curl -L -O https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/x86_64/telegraf-agent-1.37.0-1.azl3.x86_64.rpm -sudo tdnf install -y --nogpgcheck telegraf-agent-1.37.0-1.azl3.x86_64.rpm +if [ "$ARCH" == "arm64" ]; then + sudo curl -L -O https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/aarch64/telegraf-agent-1.37.0-1.azl3.aarch64.rpm + sudo tdnf install -y --nogpgcheck telegraf-agent-1.37.0-1.azl3.aarch64.rpm +else + sudo curl -L -O https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/x86_64/telegraf-agent-1.37.0-1.azl3.x86_64.rpm + sudo tdnf install -y --nogpgcheck telegraf-agent-1.37.0-1.azl3.x86_64.rpm +fi telegraf_version=$(sudo tdnf list installed | grep telegraf | awk '{print $2}') echo "telegraf $telegraf_version" >> packages_version.txt mv /usr/bin/telegraf-agent /opt/telegraf From 17622486cd9a90556e2f3240ca4ab12f3dfa469a Mon Sep 17 00:00:00 2001 From: Sunil Yadav Date: Thu, 8 Jan 2026 23:00:29 +0000 Subject: [PATCH 7/9] remove trivy --- kubernetes/linux/Dockerfile.multiarch | 31 --------------------------- kubernetes/linux/setup.sh | 4 ++-- 2 files changed, 2 insertions(+), 33 deletions(-) diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch index 0479b31a0..12c818830 100644 --- a/kubernetes/linux/Dockerfile.multiarch +++ b/kubernetes/linux/Dockerfile.multiarch 
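Review bot: The two branches of the new `if [ "$ARCH" == "arm64" ]` block differ only in the architecture token, which is repeated in the URL path and the RPM name in each branch, so a typo in one branch fails only on that architecture's build and any later version bump has to be made in four places. Deriving the token once and building the URL and filename from it removes the duplication, and adding `-f` to curl makes an HTTP error fail the download instead of saving the error page under the RPM name. The `--nogpgcheck` signature bypass raised on patch 1 still applies to both branches here.
```shell
sudo tdnf install libcap -y
if [ "$ARCH" == "arm64" ]; then
  rpm_arch=aarch64
else
  rpm_arch=x86_64
fi
telegraf_rpm="telegraf-agent-1.37.0-1.azl3.${rpm_arch}.rpm"
sudo curl -fL -o "$telegraf_rpm" "https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/${rpm_arch}/${telegraf_rpm}"
sudo tdnf install -y --nogpgcheck "$telegraf_rpm"
# … unchanged: telegraf_version, packages_version.txt, mv to /opt/telegraf …
```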
@@ -141,35 +141,4 @@ COPY --from=builder /lib/pkcs11/p11-kit-trust.so /lib/pkcs11/
 RUN ln -s /lib/pkcs11/p11-kit-trust.so /lib/libnssckbi.so
 RUN ln -s /lib/libnssckbi.so /lib/p11-kit-trust.so
 
-# Do vulnerability scan in a seperate stage to avoid adding layer
-FROM distroless_image AS vulnscan
-COPY .trivyignore .trivyignore
-RUN ["/bin/bash", "-c", "curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.39.0"]
-
-# Set up primary and secondary repository URLs
-ENV PRIMARY_TRIVY_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-db"
-ENV SECONDARY_TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db"
-
-# Download Trivy main database with a fallback mechanism
-RUN export TRIVY_DB_REPOSITORY=$PRIMARY_TRIVY_DB_REPOSITORY && \
- trivy image --download-db-only || \
- (echo "Primary TRIVY_DB_REPOSITORY failed, trying secondary." && \
- export TRIVY_DB_REPOSITORY=$SECONDARY_TRIVY_DB_REPOSITORY && \
- trivy image --download-db-only) || \
- (echo "Both TRIVY_DB_REPOSITORY sources failed." && exit 1)
-
-# Perform Trivy rootfs scan (only OS vulnerabilities, no Java scanning)
-RUN ["/bin/bash", "-c", "trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --vuln-type os --scanners vuln --skip-files \"/usr/local/bin/trivy\" /"]
-RUN ["/bin/bash", "-c", "trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --vuln-type os --scanners vuln /usr/lib"]
-RUN ["/bin/bash", "-c", "trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --vuln-type os --scanners vuln --skip-files \"/usr/local/bin/trivy\" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --vuln-type os --scanners vuln /usr/lib > /dev/null 2>&1"]
-
-# Revert to base layer before vulnscan
-FROM distroless_image AS ContainerInsights
-# force the trivy stage to run
-# docker buildx (BUILDKIT) does not build stages which do not affect the final stage
-# by copying over a file we create a dependency
-# see: https://github.com/docker/build-push-action/issues/377
-COPY --from=vulnscan /usr/local/bin/trivy /usr/local/bin/trivy
-RUN ["/bin/bash", "-c", "rm -rf /usr/local/bin/trivy"]
-
 CMD [ "/opt/main.sh" ]
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index ea050776e..0507e1385 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -18,10 +18,10 @@ if [ "$ARCH" == "arm64" ]; then
 sudo tdnf install ruby-3.3.5-6.azl3.aarch64 -y
 else
 tdnf install -y gcc patch bzip2 openssl-devel libyaml-devel libffi-devel readline-devel zlib-devel gdbm-devel ncurses-devel
- wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20251023.tar.gz -O ruby-build.tar.gz
+ wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20251225.tar.gz -O ruby-build.tar.gz
 tar -xzf ruby-build.tar.gz
 PREFIX=/usr/local ./ruby-build-*/install.sh
- ruby-build 3.3.8 /usr -v
+ ruby-build 4.0.0 /usr -v
 rm ruby-build.tar.gz
 fi
 
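Review bot: `ruby-build 4.0.0 /usr -v` in the `-18,10 +18,10` hunk moves the x86_64 image to Ruby 4.0 while the Dockerfile.multiarch hunk in this same commit still copies `/usr/lib/libruby.so.3.3` into the runtime image and the arm64 branch at the top of the hunk stays on `ruby-3.3.5-6.azl3`, so the two architectures would run different major Ruby versions and the x86_64 runtime would lack its shared library until patch 8 renames it; the commented-out uri paths under `gems/3.3.0` would also be stale. If a cross-architecture version skew is intended, the `if [ "$ARCH" == "arm64" ]` that opens before this hunk deserves a comment saying so, and the existing comment above it about mariner lagging global packages should mention the major-version gap. This commit also deletes the Dockerfile's trivy stage, so nothing visible on the page scans the new Ruby 4.0 runtime for known CVEs at build time; recording where that scan now happens would close the gap in the commit message.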
From e04a0ad7b659459bd94ea4c4d4dde41c41260ff2 Mon Sep 17 00:00:00 2001
From: Sunil Yadav
Date: Thu, 8 Jan 2026 23:29:31 +0000
Subject: [PATCH 8/9] ruby 4.0
---
 kubernetes/linux/Dockerfile.multiarch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index 12c818830..cbb51aaa9 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
@@ -119,7 +119,7 @@ COPY --from=builder /usr/lib/libinotifytools.so.0 /usr/lib/libstdc++.so.6 /usr/l
 # crond dependencies
 COPY --from=builder /usr/lib/libselinux.so.1 /usr/lib/libpam.so.0 /usr/lib/libc.so.6 /usr/lib/
 # ruby dependencies
-COPY --from=builder /usr/lib/libruby.so.3.3 /usr/lib/libc.so.6 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/
+COPY --from=builder /usr/lib/libruby.so.4.0 /usr/lib/libc.so.6 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/
 # fluent-bit dependencies
 # libssl.so.3 & libcrypto.so.3 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
 COPY --from=builder /usr/lib/libyaml-0.so.2 /usr/lib/libsystemd.so.0 /usr/lib/libcurl.so.4 /usr/lib/libz.so.1 /usr/lib/libzstd.so.1 /usr/lib/libsasl2.so.3 /usr/lib/libm.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/libc.so.6 /usr/lib/libcap.so.2 /usr/lib/liblz4.so.1 /usr/lib/liblzma.so.5 /usr/lib/libnghttp2.so.14 /usr/lib/libssh2.so.1 /usr/lib/libgssapi_krb5.so.2 /usr/lib/libresolv.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/libpq.so.5 /usr/lib/libldap.so.2 /usr/lib/liblber.so.2 /usr/lib/
From 13eeb82e2b140cf01609c9eabe1d46e60fdda879 Mon Sep 17 00:00:00 2001
From: Sunil Yadav
Date: Sat, 10 Jan 2026 02:09:57 +0000
Subject: [PATCH 9/9] Telegraf mariner package
---
 kubernetes/linux/Dockerfile.multiarch | 2 +-
 kubernetes/linux/setup.sh | 20 ++++----------------
 2 files changed, 5 insertions(+), 17 deletions(-)
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index cbb51aaa9..12c818830 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
@@ -119,7 +119,7 @@ COPY --from=builder /usr/lib/libinotifytools.so.0 /usr/lib/libstdc++.so.6 /usr/l
 # crond dependencies
 COPY --from=builder /usr/lib/libselinux.so.1 /usr/lib/libpam.so.0 /usr/lib/libc.so.6 /usr/lib/
 # ruby dependencies
-COPY --from=builder /usr/lib/libruby.so.4.0 /usr/lib/libc.so.6 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/
+COPY --from=builder /usr/lib/libruby.so.3.3 /usr/lib/libc.so.6 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/
 # fluent-bit dependencies
 # libssl.so.3 & libcrypto.so.3 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
 COPY --from=builder /usr/lib/libyaml-0.so.2 /usr/lib/libsystemd.so.0 /usr/lib/libcurl.so.4 /usr/lib/libz.so.1 /usr/lib/libzstd.so.1 /usr/lib/libsasl2.so.3 /usr/lib/libm.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/libc.so.6 /usr/lib/libcap.so.2 /usr/lib/liblz4.so.1 /usr/lib/liblzma.so.5 /usr/lib/libnghttp2.so.14 /usr/lib/libssh2.so.1 /usr/lib/libgssapi_krb5.so.2 /usr/lib/libresolv.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/libpq.so.5 /usr/lib/libldap.so.2 /usr/lib/liblber.so.2 /usr/lib/
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
index 0507e1385..40ddc6966 100644
--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -15,13 +15,13 @@ sudo update-ca-trust
 # arm64 build breaks intermittently when installing ruby from global packages, so installing it from mariner packages
 # the mariner package version is behind the global packages so we are using different versions for arm64 and x86_64
 if [ "$ARCH" == "arm64" ]; then
- sudo tdnf install ruby-3.3.5-6.azl3.aarch64 -y
+ sudo tdnf install ruby-3.3.5-1.azl3.aarch64 -y
 else
 tdnf install -y gcc patch bzip2 openssl-devel libyaml-devel libffi-devel readline-devel zlib-devel gdbm-devel ncurses-devel
- wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20251225.tar.gz -O ruby-build.tar.gz
+ wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20250409.tar.gz -O ruby-build.tar.gz
 tar -xzf ruby-build.tar.gz
 PREFIX=/usr/local ./ruby-build-*/install.sh
- ruby-build 4.0.0 /usr -v
+ ruby-build 3.3.8 /usr -v
 rm ruby-build.tar.gz
 fi
 
@@ -40,12 +40,6 @@ gem uninstall net-imap --force
 # remove rexml gem as it has a known CVE (CVE-2025-58767) and is not used by the agent
 gem uninstall rexml --force
 
-# remove uri gem as it has a known CVE (CVE-2025-61594) and is not used by the agent
-# gem uninstall uri --force
-# rm /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec
-# rm -rf /usr/lib/ruby/gems/3.3.0/gems/uri-0.13.2
-# gem install uri -v "0.13.3" --no-document
-
 sudo tdnf install -y azure-mdsd-1.37.0
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
 cp -f $TMPDIR/envmdsd /etc/mdsd.d
@@ -68,13 +62,7 @@ sudo tdnf install jq-1.7.1-1.azl3 -y #used to setcaps for ruby process to read /proc/env sudo tdnf install libcap -y -if [ "$ARCH" == "arm64" ]; then - sudo curl -L -O https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/aarch64/telegraf-agent-1.37.0-1.azl3.aarch64.rpm - sudo tdnf install -y --nogpgcheck telegraf-agent-1.37.0-1.azl3.aarch64.rpm -else - sudo curl -L -O https://kubernetesreleases.blob.core.windows.net/dalec-packages/telegraf-agent/1.37.0/azl3/x86_64/telegraf-agent-1.37.0-1.azl3.x86_64.rpm - sudo tdnf install -y --nogpgcheck telegraf-agent-1.37.0-1.azl3.x86_64.rpm -fi +sudo tdnf install telegraf-agent-1.37.0 -y telegraf_version=$(sudo tdnf list installed | grep telegraf | awk '{print $2}') echo "telegraf $telegraf_version" >> packages_version.txt mv /usr/bin/telegraf-agent /opt/telegraf
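Review bot: `sudo tdnf install telegraf-agent-1.37.0 -y` pins the version but not the release, unlike the `jq-1.7.1-1.azl3` pin in this hunk's header and the `ruby-3.3.5-1.azl3.aarch64` pin in the first hunk, so the package resolved can change between builds if the repo publishes another release of 1.37.0. If the repo package is the same build as the RPM removed here, `sudo tdnf install telegraf-agent-1.37.0-1.azl3 -y` would pin it fully; either way the `telegraf_version` line below records what was actually resolved, so that is where to confirm. Returning to the repo package restores the GPG verification that the removed `--nogpgcheck` path skipped, which is the right direction.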