stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	dce975bf4e	fix(#363 ): Update OpenBao image to fix CRITICAL CVE-2025-68121 + 4 HIGH CVEs Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable, released 2026-02-04) in both the Dockerfile and the dev docker-compose. CVEs resolved: - CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption - CVE-2024-8185 (HIGH): DoS via Raft join requests - CVE-2024-9180 (HIGH): Root namespace privilege escalation - CVE-2025-59043 (HIGH): DoS via malicious JSON - CVE-2025-64761 (HIGH): Identity group root escalation All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new features (horizontal read scalability, OCI plugin distribution). Files changed: - docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0 - docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0 The production/swarm compose files use the custom-built git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM this Dockerfile, so they inherit the fix on next CI build. Fixes #363	2026-02-12 12:36:08 -06:00
Jason Woltje	a61f9262e6	fix(ci): Add missing OpenBao Dockerfile All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details The docker-build-openbao pipeline step was failing because the Dockerfile was missing from docker/openbao/. Created a minimal Dockerfile that: - Uses official quay.io/openbao/openbao:2 as base - Copies config.hcl and init.sh into the image - Exposes port 8200 - Preserves the default entrypoint from base image This allows Kaniko to build the stack-openbao image for Swarm deployment. Fixes pipeline #325 docker-build-openbao failure. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-08 02:20:02 -06:00

Author

SHA1

Message

Date

Jason Woltje

dce975bf4e

fix(#363 ): Update OpenBao image to fix CRITICAL CVE-2025-68121 + 4 HIGH CVEs

Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable,
released 2026-02-04) in both the Dockerfile and the dev docker-compose.

CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation

All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new
features (horizontal read scalability, OCI plugin distribution).

Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0

The production/swarm compose files use the custom-built
git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM
this Dockerfile, so they inherit the fix on next CI build.

Fixes #363

2026-02-12 12:36:08 -06:00

Jason Woltje

a61f9262e6

fix(ci): Add missing OpenBao Dockerfile

ci/woodpecker/push/woodpecker Pipeline was successful

Details

The docker-build-openbao pipeline step was failing because the Dockerfile
was missing from docker/openbao/.

Created a minimal Dockerfile that:
- Uses official quay.io/openbao/openbao:2 as base
- Copies config.hcl and init.sh into the image
- Exposes port 8200
- Preserves the default entrypoint from base image

This allows Kaniko to build the stack-openbao image for Swarm deployment.

Fixes pipeline #325 docker-build-openbao failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-08 02:20:02 -06:00

2 Commits