Remove curl as an Envoy dependency #11816
Comments
htuch
changed the title
|
+1 for removal. I was against adding in the first place. |
|
+1 for removal |
|
Yes, OpenCensus uses curl in its zipkin exporter (to push traces to zipkin). |
|
Having an indirect networking API instead of curl in libraries would also help compiling them to Wasm binaries for sandboxing. The API would be implemented via Wasm ABI. |
|
@g-easy would it be possible to modify the Zipkin exporter to work with some more generic HTTP interface that Envoy can supply? |
|
As per #9958 at some point OpenCensus should be replaced by the new OpenTracing + OpenCensus project called OpenTelemetry. One would hope that OpenTelemetry doesn't require curl |
|
For opencensus, since the "issue" is with the Zipkin span exporter implementation ( class ZipkinSpanExporterHandler : public ::opencensus::trace::exporter::SpanExporter::Handler,
public Http::AsyncClient::Callbacks {
...
};Which basically "retrieves" the spans stored by However, this will "force" the configuration to require a defined collector cluster to let Envoy's async-client to work (I think this is also relevant to the approach for the "aws" utility). Even the dynamic forward proxy requires a cluster definition. I wonder if we can/are allowed to somehow construct a cluster without defining in the config, but build it on the fly when it is required (#3479 cc. @ramaraochavali). @moderation, when we are needed to "upgrade" to OpenTelemetry, if the approach is the same (i.e. data is gathered in worker thread managed by the "tracer" library) and we want to support Zipkin exporter, we still need to provide an Envoy's async-client-friendly implementation for that. |
This is tracked in open-telemetry/opentelemetry-cpp#6 |
|
#11816 (comment) sounds pretty great to me. Note that opencensus's existing background thread calls into Handler::Export() periodically. |
|
@mattklein123 what is the best way of resolving URI for async client calls without explicitly defining a cluster for it? Is #3479 the way to do it? Need your advice on this. Thank you! |
|
@dio yeah we would probably need to add new functionality to AsyncClient to optionally expose the dynamic forward proxy functionality. |
|
PR13063 is another example, which picks up the fix of CVE-2020-8231: libcurl: wrong connect-only connection As Envoy does NOT use the affected CURLOPT_CONNECT_ONLY toggle, |
Picks up fix of CVE-2020-8231: libcurl: wrong connect-only connection (Envoy does NOT use the affected CURLOPT_CONNECT_ONLY toggle, this change simply satisfies overly-simplistic audits, and this further reinforces issue #11816 ) Resolve premature force-AF_UNIX toggle in our working branch and disables UNIX_SOCKETS on windows, until afunix.h is used for sys/un.h (Breakage is between curl 7.69 and curl 7.72, which doesn't pick up afunix.h on windows; will address and resolve upstream before revisiting at envoy.) Work around misplaced -MD cflag on Windows build See bazel-contrib/rules_foreign_cc#426 for comprehensive discussion of the defect. This workaround could be dropped if rules_foreign_cc works around it for us. Preparing for specific corrections to get curl building curl.lib with cmake using clang-cl on Windows, starting at envoy and pushing the fix(es) to CMakeLists.txt upstream. Risk Level: low Testing: local Docs Changes: n/a Release Notes: n/a Signed-off-by: William A Rowe Jr <wrowe@vmware.com> Co-authored-by: Sunjay Bhatia <sunjayb@vmware.com>
|
As part of my EnvoyCon talk, I looked at all CVEs for our dependencies since 2018. Curl is by far the worst here, with 14 CVEs and 23 releases since 2018. Further evidence that we really want to make some progress here. |
Prefer to have operators use Envoy's native Zipkin tracer, since Zipkin implies libcurl in opencensus. Once we complete a deprecation cycle here, we should be able to remove this source of libcurl dependency. Part of envoyproxy#11816. Risk level: Low Testing: bazel test //test/... Signed-off-by: Harvey Tuch <htuch@google.com>
Prefer to have operators use Envoy's native Zipkin tracer, since Zipkin implies libcurl in opencensus. Once we complete a deprecation cycle here, we should be able to remove this source of libcurl dependency. Part of #11816. Risk level: Low Testing: bazel test //test/... Signed-off-by: Harvey Tuch <htuch@google.com>
|
Bumping priority given the high CVE rate (almost always false positives as well). |
|
OpenTelemetry went 1.0.0 is Feb - https://medium.com/opentelemetry/opentelemetry-specification-v1-0-0-tracing-edition-72dd08936978. Looks the Zipkin exporter still needs Curl
I was thinking we could deprecate OpenCensus in favor of OT but if Curl is still present it doesn't look like it will help us. Hopefully the OT experts can provide some more context |
|
You can assign this to me. It looks like it's mostly the AWS filters. |
|
Its because http[s]_proxy vars are a very well accepted convention, and it makes the stock envoy config more mutable. That doesn't make it ideal, but you raised the question why, and I think we can and should revisit the earlier design decisions |
|
@tonya11en are you still working on this? |
|
@zirain no, this turned out to be more work than I was expecting to do in my free time :(. Feel free to pick it up and I'll happily help review. |
|
@lavignes as the other AWS filter owner, would you be able to take a look? If not we may need to bump the aws filter to contrib/ |
|
If we decide to move it to contrib due to not able to provide fix at the right time, I can take up the action item to move it to contrib. |
|
Awesome, thank you! |
|
We are planning to move ahead with removing libcurl dependency from AWS extensions. I have put a small doc to indicate the approach and consequences. https://docs.google.com/document/d/1MxREfLX4BONhOCNr7dvHwdr1_kArLb3OOSvhb-b02oQ I look forward to all of your opinions on this. I am mainly seeing your thoughts on
|
|
Is it still in process? |
|
Yes, working on this. At testing stage now. I will start with couple of PRs in next few weeks. Sorry for the delay. |
|
Sorry to bug - do you think it will land? I've ended up here via detective work trying to find out why IRSA wasn't working as I expected! (... and I've learnt a lot about aws in the process) |
|
I am still working on the changes. I haven't got enough time to dedicate to this task. In the current state I am able to make http calls to fetch the credentials but don't know how it can be fetched in main thread and updated on all the worker thread. main...suniltheta:envoy:cm_ref_2 Also, the change is no where close to the version where I would be able to raise the PR. If you want to make IRSA work, then I can point you towards a patch #23408. But unfortunate that still uses curl. |
|
Thank you so much for the quick response. I would offer to help but this is miles away from my knowledge area... I'm sure you thought of this, but just for my own knwoledge - since the lambda filter is still beta and already uses curl, is there a downside of incorporating the patch in the interim, while libcurl is being expunged? The patch didn't seem to be increasing the problem, but my reading of the patch is pretty basic |
|
Made some progress. Still working on improving the unit testing. I will be raise the PRs shortly after finalizing the PR breakup. |
|
/assign |
|
thanks for the update! if you're able to publish an image somewhere i can get at from a helm chart then can give it a spin |
|
@suniltheta Any update on this? |
|
Currently in progress in #29880. @ceastman-r7 are you using any particular filter? |
|
This was more of a concern of vulnerability scans flagging curl. for example:
CVE-2023-38545 curl:7.81.0-1ubuntu1.13 HIGH SOCKS5 heap buffer overflow which I was removing curl from the istio-pilot operating system image but another istio developer questioned if that mattered since curl was built into envoy. |
it doesnt matter to envoy - as said its compiled in not sure where curl is coming from - we dont seem to have it any of our images my advice would be to use the distroless base so you dont have to worry about extraneous deps, not sure how istio pilot is built - for some reason i thought they did use a distroless base |
Following the merge of #29880 and #30626 we can mark the curl usage as deprecated. Meanwhile bazel/repositories.bzl had stale info that OpenCensus tracer was still using libcurl. We can continue to keep the Issue #11816 open until curl is removed entirely after the deprecation time (Probably for v1.31 release). Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
Currently we depend on
libcurlfor URL fetching in AWS extension common utilsenvoy/source/extensions/common/aws/utility.cc
Line 97 in 89d6c6c
The use of curl is largely redundant, since Envoy itself can do HTTP fetch. In addition, Curl does not have a compatible threading and observability model with Envoy. The recent disclosures of CVE-2020-8169 and CVE-2020-8177 provide an example of why we should eliminate this from our trusted compute base.
Opening this tracking ticket to discuss further whether we can remove this dep.
The text was updated successfully, but these errors were encountered: