Upgrading Apache in Docker 1.8.0rc3

Hello,

I stood up a new Xibo 1.8.0rc3 instance on Ubuntu 16.04 yesterday. I love that you have fully committed to Docker as the way to install! The purpose of this new instance is for a customer of mine that is running 1.6.1 on CentOS 6.5, and currently the CentOS server is failing PCI scans. So once I had the new Ubuntu server running with Xibo, I scanned the server for PCI, and it failed due to apache version 2.4.7 being lower than 2.4.23.

So I wanted to ask your thoughts on upgrading the apache version inside the docker container. I have already done this, and the system is still working, but I wanted to see if there was a reason you all were not using apache 2.4.25 already.

How I did this, was to bash into the container first, and then run an upgrade.

docker exec -it xibodocker_cms-web_1 bash

sudo apt-add-repository ppa:ondrej/apache2
sudo apt-get update
sudo apt-get dist-upgrade

This is just taking the most current version of apache2 from that distribution, so you could also upgrade to a specific version, but I chose to do it this way.

Just wanted to share my experiences here, and see if you had any feedback. I also noticed that you fixed the bandwidth calendar data selector that I raised on rc2 :)… that’s so cool how on top of stuff you all are!

Cheers,
Nathan

We’re using the latest version of Apache from Ubuntu 14.04. The container automatically rebuilds itself each time Ubuntu push a newer version of their image.

Ubuntu/Debian themselves backport patches into the packaged version of Apache to keep it secure. Your compliance tool is a blunt instrument in that respect if it’s only comparing the Apache version, and not the fixes backported in.

Your PPA brings in a newer version of Apache completely, but then that no longer receives the attention of the Ubuntu security team. Of the two, I’d trust Ubuntu to manage those packages and keep them secure for you rather than a third party who may opt to stop providing updates, or indeed add other things into the official source without your knowledge at any time.

That being said, if you wanted to run with that PPA, you’d simply extend the official container Dockerfile we provide and add in the steps to add that PPA and upgrade Apache. You can then push that into Dockerhub under your own image name. I don’t see it being a particular issue to Xibo, beyond it meaning that you’re then not running the exact same environment the developers are using, and that the test suite is run in, which in part defeats the object of us moving in this direction.


Thank you for the very detailed reply Alex. I understand backporting, and I have had this issue with other scan results on other servers. Trustwave scanning compliance only checks a version number, and you have to log exceptions in the results, with the backporting details. I simply failed to search for the CVE numbers, inside the docker container. I will take a look at this and see if I can find the proof of patching in the current docker build.

However, I have just found on another thread, that 1.8.0 clients are not going to work on XP, or in my case POSReady 2009 which is built on XP, because of a dependency on .NET 4.5. So I will have to remove this server and go back to the final stable release of 1.7.9 for this customer. It’s a shame because I really love the changes in 1.8.0, but I understand the need to move forward.

However, I do have 2 other environments running 1.8.0rc2, and when I upgrade them to rc3, I will keep these details in mind, and not modify the docker container. However, those two environments are not under PCI control, so I won’t face the same issue I was having here.

As always, thank you for taking your time to answer these questions and help the community through issues.

Best regards,
Nathan

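One way to collect the "proof of patching" Nathan mentions, as an added example that is not part of this thread or of the Xibo project: pull the CVE identifiers out of the Ubuntu apache2 package changelog, which is the record of what the security team backported. The package name and the changelog path are the standard Debian/Ubuntu layout (an assumption about the image, not taken from it); the sample changelog text and its CVE numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: document backported Apache fixes inside the container so a
# version-only scanner result (e.g. "2.4.7 < 2.4.23") can be logged as an
# exception with evidence. Package name and paths assume the standard
# Debian/Ubuntu apache2 package layout.

# Print the unique CVE identifiers mentioned in changelog text read on stdin.
extract_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Check whether one CVE id appears in changelog text read on stdin.
# Prints "fixed" (exit 0) or "not listed" (exit 1).
cve_status() {
    cve="$1"
    if extract_cves | grep -qx "$cve"; then
        echo fixed
        return 0
    fi
    echo "not listed"
    return 1
}

# On a real host: installed package version, then every CVE the package
# changelog claims to address. Run this inside the cms-web container.
report_installed_apache() {
    dpkg-query -W -f='${Version}\n' apache2 2>/dev/null || echo "apache2 not installed"
    zcat /usr/share/doc/apache2/changelog.Debian.gz 2>/dev/null | extract_cves
}

# Constructed sample in the changelog.Debian.gz format; the version string
# and the CVE ids below are placeholders, not real advisories.
SAMPLE_CHANGELOG='apache2 (2.4.7-1ubuntu4.PLACEHOLDER) trusty-security; urgency=medium

  * SECURITY UPDATE: placeholder entry one
    - debian/patches/CVE-0000-0001.patch: placeholder
    - CVE-0000-0001
  * SECURITY UPDATE: placeholder entry two
    - CVE-0000-0002
'

# Demo on the constructed sample: prints "fixed".
printf '%s' "$SAMPLE_CHANGELOG" | cve_status CVE-0000-0001
```

Feed the output of `report_installed_apache` to the scanner's exception record; the CVE list is what demonstrates that a fix exists even though the upstream version number never changed.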