`main` tells me:
./src/python-common/ceph/cephadm/images.py: GRAFANA =
_create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
The `reef` branch:
./src/cephadm/cephadm.py:DEFAULT_GRAFANA_IMAGE =
'quay.io/ceph/ceph-grafana:9.4.7'
YMMV, but looking at the CVE I’m not panicking - one has to enable a
non-default option, and then you’re still only vulnerable to insiders, unless
you leave your Grafana endpoint exposed on a non-ACL’d routable address.
9.4.x may be EOL, but it wasn’t when Reef was released.
A quick search on tracker.ceph.com <http://tracker.ceph.com/> does not find a
hit for CVE-2023-1387
I suggest opening an issue, this is a simple one-line fix but it’s not
immediately clear to me how to properly open a PR against the reef branch.
TL;DR:
PROMETHEUS = _create_image('quay.io/prometheus/prometheus:v2.51.0',
'prometheus')
LOKI = _create_image('docker.io/grafana/loki:3.0.0', 'loki')
PROMTAIL = _create_image('docker.io/grafana/promtail:3.0.0', 'promtail')
NODE_EXPORTER = _create_image('quay.io/prometheus/node-exporter:v1.7.0',
'node_exporter')
ALERTMANAGER = _create_image('quay.io/prometheus/alertmanager:v0.27.0',
'alertmanager')
GRAFANA = _create_image('quay.io/ceph/grafana:10.4.16', 'grafana')
HAPROXY = _create_image('quay.io/ceph/haproxy:2.3', 'haproxy')
KEEPALIVED = _create_image('quay.io/ceph/keepalived:2.2.4', 'keepalived')
NVMEOF = _create_image('quay.io/ceph/nvmeof:1.5', 'nvmeof')
SNMP_GATEWAY = _create_image('docker.io/maxwo/snmp-notifier:v1.2.1',
'snmp_gateway')
ELASTICSEARCH = _create_image('quay.io/omrizeneva/elasticsearch:6.8.23',
'elasticsearch')
JAEGER_COLLECTOR =
_create_image('quay.io/jaegertracing/jaeger-collector:1.29',
'jaeger_collector')
JAEGER_AGENT = _create_image('quay.io/jaegertracing/jaeger-agent:1.29',
'jaeger_agent')
JAEGER_QUERY = _create_image('quay.io/jaegertracing/jaeger-query:1.29',
'jaeger_query')
SAMBA =
_create_image('quay.io/samba.org/samba-server:devbuilds-centos-amd64', 'samba')
SAMBA_METRICS = _create_image('quay.io/samba.org/samba-metrics:latest',
'samba_metrics')
NGINX = _create_image('quay.io/ceph/nginx:sclorg-nginx-126', 'nginx')
OAUTH2_PROXY = _create_image('quay.io/oauth2-proxy/oauth2-proxy:v7.6.0',
'oauth2_proxy’)
> On Apr 17, 2025, at 9:40 AM, Wyll Ingersoll <[email protected]>
> wrote:
>
> ceph-grafana should be upgraded to 10.4 or later because it is not compatible
> with the latest prometheus alertmanager (0.27 or later) which only support
> the alertmanager V2 API.
>
> Is there an issue to track this?
>
>
>
> ________________________________
> From: Sake Ceph <[email protected]>
> Sent: Thursday, April 17, 2025 9:35 AM
> To: [email protected] <[email protected]>
> Subject: [ceph-users] Re: Grafana vulnerability - cephadm deployment
>
> But Grafana 9.4 is EOL for a long time. Shouldn't it be time to upgrade the
> image?
>
> Kind regards,
> Sake
>> Op 17-04-2025 09:14 CEST schreef Robert Sander
>> <[email protected]>:
>>
>>
>> Hi,
>>
>> Am 4/16/25 um 21:11 schrieb Anthony D'Atri:
>>> This is covered in the docs:
>>>
>>> https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.ceph.com%2Fen%2Freef%2Fcephadm%2Fservices%2Fmonitoring%2F%23using-custom-images&data=05%7C02%7Cwyllys.ingersoll%40keepertech.com%7Cea14dd831bc8452956d908dd7db4df15%7Ca0e92bbdedfc4a2faf16799792ef0c87%7C0%7C0%7C638804939107001287%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=xN0ENm1GGSU8gadc6gqRO4KP21%2F1KHm%2FA3Hn4pcR7jg%3D&reserved=0<https://docs.ceph.com/en/reef/cephadm/services/monitoring/#using-custom-images>
>>
>> There is a newer Grafana container available at
>> quay.io/ceph/ceph-grafana:9.4.12
>>
>> You can use it with
>>
>> # ceph config set mgr mgr/cephadm/container_image_grafana
>> quay.io/ceph/ceph-grafana:9.4.12
>> # ceph orch redeploy grafana
>>
>> Regards
>> --
>> Robert Sander
>> Linux Consultant
>>
>> Heinlein Consulting GmbH
>> Schwedter Str. 8/9b, 10119 Berlin
>>
>> https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.heinlein-support.de%2F&data=05%7C02%7Cwyllys.ingersoll%40keepertech.com%7Cea14dd831bc8452956d908dd7db4df15%7Ca0e92bbdedfc4a2faf16799792ef0c87%7C0%7C0%7C638804939107047712%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=rCO%2BmKAhv4X7XZUR2uEMAiSr6uLYcPtBLjmesxWnhfE%3D&reserved=0<https://www.heinlein-support.de/>
>>
>> Tel: +49 30 405051 - 0
>> Fax: +49 30 405051 - 19
>>
>> Amtsgericht Berlin-Charlottenburg - HRB 220009 B
>> Geschäftsführer: Peer Heinlein - Sitz: Berlin
>> _______________________________________________
>> ceph-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
> _______________________________________________
> ceph-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> _______________________________________________
> ceph-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
ceph-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
