From 7b393a682ae431a7dbb93864f1b1f7458974a395 Mon Sep 17 00:00:00 2001 From: ramisettyhp Date: Wed, 10 Jun 2026 15:11:59 +0530 Subject: [PATCH 1/4] JOBS-2475: Migrate fluentd sidecar to Echo secure base, bump image to 4.20 - Replace bitnami/fluentd:1.18.0 with reg.echohq.com/fluentd:1.19.2 - Remediates Critical/High CVEs: CVE-2026-31789, CVE-2026-33845, CVE-2026-42010 - Pin fluent-plugin-jfrog-metrics ~> 0.2.17 - Bump Helm sidecar image tag from 4.19 to 4.20 --- CHANGELOG.md | 5 +++++ docker-build/Dockerfile | 33 ++++++++++++++++----------------- helm/artifactory-ha-values.yaml | 2 +- helm/artifactory-values.yaml | 2 +- helm/xray-values.yaml | 2 +- 5 files changed, 24 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ffd99a8..e2bf9d0 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ All changes to the log analytics integration will be documented in this file. +## [1.0.16] - June 2026 + +* Fluentd sidecar image bumped to 4.20: migrated to Echo secure base (fluentd 1.19.2, Debian 13), remediating Critical/High CVEs in 4.19 (JOBS-2475) +* Pinned fluent-plugin-jfrog-metrics ~> 0.2.17 + ## [1.0.15] - April 2026 * Fix incorrect field name in access-security-audit log parsing: renamed `token_id` capture group to `trace_id` to match the actual log format documented at https://docs.jfrog.com/administration/docs/audit-trail-log (JOBS-2031) diff --git a/docker-build/Dockerfile b/docker-build/Dockerfile index f57990c..c6719cc 100644 --- a/docker-build/Dockerfile +++ b/docker-build/Dockerfile @@ -1,5 +1,5 @@ -# Dockerfile for bitnami/fluentd sidecar image with all the necessary plugins for our log analytic providers -FROM bitnami/fluentd:1.18.0 +# Dockerfile for fluentd sidecar image with all the necessary plugins for our log analytic providers +FROM reg.echohq.com/fluentd:1.19.2 LABEL maintainer="Partner Engineering " ## Build time Arguments, short circuit them to ENV Variables so they are available at run time also @@ -13,23 +13,22 @@ ENV TGT_PLATFORM=$TARGET USER root -## Install JFrog Plugins -RUN fluent-gem install fluent-plugin-concat -RUN fluent-gem install fluent-plugin-splunk-hec -RUN fluent-gem install fluent-plugin-jfrog-siem -RUN fluent-gem install fluent-plugin-jfrog-metrics -RUN fluent-gem install fluent-plugin-jfrog-send-metrics - # Install prerequisites -RUN apt-get update && apt-get install -y curl -CMD /bin/bash +RUN apt-get update && \ + apt-get install -y --no-install-recommends curl && \ + rm -rf /var/lib/apt/lists/* -## Download Config Files -RUN if [ "$SRC_PLATFORM" = "JFRT" ] ; then echo "Downloading the fluentd config file for $SRC_PLATFORM and $TGT_PLATFORM "; curl https://raw.githubusercontent.com/jfrog/log-analytics-splunk/master/fluent.conf.rt -o /opt/bitnami/fluentd/conf/fluentd.conf; else echo "Not Downloading"; fi -RUN if [ "$SRC_PLATFORM" = "JFXRAY" ] ; then echo "Downloading the fluentd config file for $SRC_PLATFORM and $TGT_PLATFORM "; curl https://raw.githubusercontent.com/jfrog/log-analytics-splunk/master/fluent.conf.xray -o /opt/bitnami/fluentd/conf/fluentd.conf; else echo "Not Downloading"; fi +## Install JFrog Plugins +RUN fluent-gem install fluent-plugin-concat && \ + fluent-gem install fluent-plugin-splunk-hec && \ + fluent-gem install fluent-plugin-jfrog-siem && \ + fluent-gem install fluent-plugin-jfrog-metrics -v '~> 0.2.17' && \ + fluent-gem install fluent-plugin-jfrog-send-metrics -ENTRYPOINT if [ "$TGT_PLATFORM" = "SPLUNK" ] ; then cat /opt/bitnami/fluentd/conf/fluentd.conf; fluentd -v -c /opt/bitnami/fluentd/conf/fluentd.conf; fi +## Download Config Files +RUN if [ "$SRC_PLATFORM" = "JFRT" ] ; then curl -fsSL https://raw.githubusercontent.com/jfrog/log-analytics-splunk/master/fluent.conf.rt -o /fluentd/etc/fluent.conf; fi +RUN if [ "$SRC_PLATFORM" = "JFXRAY" ] ; then curl -fsSL https://raw.githubusercontent.com/jfrog/log-analytics-splunk/master/fluent.conf.xray -o /fluentd/etc/fluent.conf; fi -USER 1001 +USER fluent -STOPSIGNAL SIGTERM \ No newline at end of file +STOPSIGNAL SIGTERM diff --git a/helm/artifactory-ha-values.yaml b/helm/artifactory-ha-values.yaml index 20ffeeb..ab4f1a7 100644 --- a/helm/artifactory-ha-values.yaml +++ b/helm/artifactory-ha-values.yaml @@ -18,7 +18,7 @@ artifactory: name: volume customSidecarContainers: | - name: "artifactory-fluentd-sidecar" - image: "releases-docker.jfrog.io/fluentd:4.19" + image: "releases-docker.jfrog.io/fluentd:4.20" imagePullPolicy: "IfNotPresent" volumeMounts: - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" diff --git a/helm/artifactory-values.yaml b/helm/artifactory-values.yaml index 91ac97d..e867939 100644 --- a/helm/artifactory-values.yaml +++ b/helm/artifactory-values.yaml @@ -18,7 +18,7 @@ artifactory: name: artifactory-volume customSidecarContainers: | - name: "artifactory-fluentd-sidecar" - image: "releases-docker.jfrog.io/fluentd:4.19" + image: "releases-docker.jfrog.io/fluentd:4.20" imagePullPolicy: "IfNotPresent" volumeMounts: - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" diff --git a/helm/xray-values.yaml b/helm/xray-values.yaml index d9bd5f9..9359b9e 100644 --- a/helm/xray-values.yaml +++ b/helm/xray-values.yaml @@ -19,7 +19,7 @@ common: name: data-volume customSidecarContainers: | - name: "xray-platform-fluentd-sidecar" - image: "releases-docker.jfrog.io/fluentd:4.19" + image: "releases-docker.jfrog.io/fluentd:4.20" imagePullPolicy: "IfNotPresent" volumeMounts: - mountPath: "{{ .Values.xray.persistence.mountPath }}" From 01bb09cd7029a1d859d1c3935b2aac032cd008b6 Mon Sep 17 00:00:00 2001 From: ramisettyhp Date: Thu, 11 Jun 2026 12:26:22 +0530 Subject: [PATCH 2/4] JOBS-2477: scope PR to Echo base Dockerfile only Move the Helm 4.19->4.20 bump + CHANGELOG to a separate PR so this Dockerfile change can merge to master first and let internal CI build fluentd:4.20. The Helm PR is merged only after 4.20 is promoted to releases-docker.jfrog.io. Ref JOBS-2487. --- CHANGELOG.md | 5 ----- helm/artifactory-ha-values.yaml | 2 +- helm/artifactory-values.yaml | 2 +- helm/xray-values.yaml | 2 +- 4 files changed, 3 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2bf9d0..ffd99a8 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,11 +2,6 @@ All changes to the log analytics integration will be documented in this file. -## [1.0.16] - June 2026 - -* Fluentd sidecar image bumped to 4.20: migrated to Echo secure base (fluentd 1.19.2, Debian 13), remediating Critical/High CVEs in 4.19 (JOBS-2475) -* Pinned fluent-plugin-jfrog-metrics ~> 0.2.17 - ## [1.0.15] - April 2026 * Fix incorrect field name in access-security-audit log parsing: renamed `token_id` capture group to `trace_id` to match the actual log format documented at https://docs.jfrog.com/administration/docs/audit-trail-log (JOBS-2031) diff --git a/helm/artifactory-ha-values.yaml b/helm/artifactory-ha-values.yaml index ab4f1a7..20ffeeb 100644 --- a/helm/artifactory-ha-values.yaml +++ b/helm/artifactory-ha-values.yaml @@ -18,7 +18,7 @@ artifactory: name: volume customSidecarContainers: | - name: "artifactory-fluentd-sidecar" - image: "releases-docker.jfrog.io/fluentd:4.20" + image: "releases-docker.jfrog.io/fluentd:4.19" imagePullPolicy: "IfNotPresent" volumeMounts: - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" diff --git a/helm/artifactory-values.yaml b/helm/artifactory-values.yaml index e867939..91ac97d 100644 --- a/helm/artifactory-values.yaml +++ b/helm/artifactory-values.yaml @@ -18,7 +18,7 @@ artifactory: name: artifactory-volume customSidecarContainers: | - name: "artifactory-fluentd-sidecar" - image: "releases-docker.jfrog.io/fluentd:4.20" + image: "releases-docker.jfrog.io/fluentd:4.19" imagePullPolicy: "IfNotPresent" volumeMounts: - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" diff --git a/helm/xray-values.yaml b/helm/xray-values.yaml index 9359b9e..d9bd5f9 100644 --- a/helm/xray-values.yaml +++ b/helm/xray-values.yaml @@ -19,7 +19,7 @@ common: name: data-volume customSidecarContainers: | - name: "xray-platform-fluentd-sidecar" - image: "releases-docker.jfrog.io/fluentd:4.20" + image: "releases-docker.jfrog.io/fluentd:4.19" imagePullPolicy: "IfNotPresent" volumeMounts: - mountPath: "{{ .Values.xray.persistence.mountPath }}" From 2dc691e7f0e700590cbc6bfbd972adc27817c215 Mon Sep 17 00:00:00 2001 From: ramisettyhp Date: Fri, 12 Jun 2026 12:37:11 +0530 Subject: [PATCH 3/4] JOBS-2477: remove fluent-plugin-jfrog-metrics version pin (install latest) The Echo migration pinned fluent-plugin-jfrog-metrics to '~> 0.2.17', but the other plugins in this image and the shared buildx image install it unpinned. The config only requires >= 0.2.16, and 0.2.17 is currently the latest release, so dropping the cap installs the same version today (verified: 0.2.17) while no longer blocking future updates. --- docker-build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-build/Dockerfile b/docker-build/Dockerfile index c6719cc..0b2c604 100644 --- a/docker-build/Dockerfile +++ b/docker-build/Dockerfile @@ -22,7 +22,7 @@ RUN apt-get update && \ RUN fluent-gem install fluent-plugin-concat && \ fluent-gem install fluent-plugin-splunk-hec && \ fluent-gem install fluent-plugin-jfrog-siem && \ - fluent-gem install fluent-plugin-jfrog-metrics -v '~> 0.2.17' && \ + fluent-gem install fluent-plugin-jfrog-metrics && \ fluent-gem install fluent-plugin-jfrog-send-metrics ## Download Config Files From 149c5c312a6f24d002058133ee1f56dfc6b15ebb Mon Sep 17 00:00:00 2001 From: ramisettyhp Date: Fri, 12 Jun 2026 12:37:11 +0530 Subject: [PATCH 4/4] JOBS-2477: document uid 999 log-dir permissions for Docker run The Echo base runs fluentd as the non-root user `fluent` (uid 999). When the container tails the mounted Artifactory logs it writes .pos files into that directory, which fails with Errno::EACCES if the logs are owned by the product user (e.g. uid 1030). Document the root/uid/permission workarounds so customers do not hit a crash loop on first run. --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 2b7ab89..baa5ac3 100644 --- a/README.md +++ b/README.md @@ -277,6 +277,9 @@ For Splunk as the observability platform, execute these commands to setup the do docker run -it --name jfrog-fluentd-splunk-rt -v $JFROG_HOME/artifactory/var/:/var/opt/jfrog/artifactory --env-file docker.env jfrog/fluentd-splunk-rt ``` +> [!IMPORTANT] +> The fluentd image runs as a non-root user (`fluent`, uid `999`). The container tails the Artifactory log files from the mounted directory and writes `.pos` (position) files next to them, so uid `999` must be able to **read** the mounted log files and **write** into the mounted log directory. JFrog product logs are typically owned by the product user (for example uid `1030`, directory mode `755`, files mode `640`), which uid `999` cannot access by default - fluentd then fails with `Errno::EACCES ... .pos` and the worker restarts in a loop. To avoid this, either run the container as root (`docker run --user root ...`), run it as the uid that owns the Artifactory logs (`--user `), or make the mounted log directory readable and writable by uid `999`. + ### Kubernetes Deployment with Helm Recommended installation for Kubernetes is to utilize the helm chart with the associated values.yaml in this repo.