
Bump python, small image size, close python CVE, add new flag UVICORN_SSL_CA_TYPE #1390


Merged: 10 commits merged into Gozargah:dev from small-image-less-cve on Nov 23, 2024

Conversation

v-kamerdinerov (Contributor) commented Oct 21, 2024

What's done:

  • Reduced the size of the Docker image by almost half (47%). Build optimization.
❯ docker images | grep gozargah/marzban
gozargah/marzban    dev-0911    b9caa77a3b93      About a minute ago        361MB
gozargah/marzban    latest      c0bf4f4f415b      3 weeks ago               682MB
  • Closing CVEs in vulnerable Python packages.

before:

gozargah/marzban:latest (debian 12.7)
Total: 983 (UNKNOWN: 37, LOW: 257, MEDIUM: 542, HIGH: 143, CRITICAL: 4)

Python (python-pkg)
Total: 42 (UNKNOWN: 0, LOW: 4, MEDIUM: 20, HIGH: 17, CRITICAL: 1)

After updating the libraries and docker image:

gozargah/marzban:dev-0911 (debian 12.7)
Total: 102 (UNKNOWN: 0, LOW: 74, MEDIUM: 17, HIGH: 10, CRITICAL: 1)

Python (python-pkg)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ python-jose (METADATA) │ CVE-2024-33663 │ HIGH     │ affected │ 3.3.0             │               │ python-jose: algorithm confusion with OpenSSH ECDSA keys and │
│                        │                │          │          │                   │               │ other key formats                                            │
│                        │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-33663                   │
│                        ├────────────────┼──────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33664 │ MEDIUM   │          │                   │               │ python-jose: allows attackers to cause a denial of service   │
│                        │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-33664                   │
└────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
  • Added a new flag UVICORN_SSL_CA_TYPE to enable the use of a self-signed certificate
ubuntu@main:/opt/marzban$ cat .env | grep UVICORN_SSL_CA_TYPE
UVICORN_SSL_CA_TYPE = "private

INFO  [alembic.runtime.migration] Running upgrade a9cfd5611a82 -> 2ea33513efc0, noise for sqlite
INFO  [alembic.runtime.migration] Running upgrade 2ea33513efc0 -> 21226bc711ac, add threshold to NotificationReminder

IMPORTANT!
You're running Marzban with: UVICORN_SSL_CA_TYPE: private.
Self-signed CAs are useful in testing or internal use cases, they’re not suitable for secure public internet communications.

INFO:     Started server process [1]
INFO:     Waiting for application startup.
INFO:     Generating Xray core config
INFO:     Xray core config generated in 0.03 seconds
INFO:     Starting main Xray core
WARNING:  Xray core 24.11.5 started
INFO:     Starting nodes Xray core
INFO:     Application startup complete.
INFO:     Uvicorn running on https://0.0.0.0:10000 (Press CTRL+C to quit)
INFO:     127.0.0.1:38658 - "POST /api/admin/token HTTP/1.1" 200 OK

Delete UVICORN_SSL_CA_TYPE from .env:

Getting a valid error about the self-signed CA:

ValueError: Certificate verification failed: The certificate is self-signed and not issued by a trusted CA.
  • Added venv to .dockerignore

  • Update python version to 3.12 and some dependency libs

Check functionality:

[screenshots]
ubuntu@main:~$ docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED              STATUS                        PORTS     NAMES
bb414393a96b   haproxy:2.4.25              "docker-entrypoint.s…"   About a minute ago   Up 49 seconds                           marzban-haproxy-1
1b5a7e5c6510   vladkmrdnv/marzban:latest   "bash -c 'alembic up…"   About a minute ago   Up 49 seconds                           marzban-marzban-1
e4a1016a89be   mariadb:lts                 "docker-entrypoint.s…"   About a minute ago   Up About a minute (healthy)             marzban-mariadb-1
INFO:     Started server process [1]
INFO:     Waiting for application startup.
INFO:     Generating Xray core config
INFO:     Xray core config generated in 0.04 seconds
INFO:     Starting main Xray core
WARNING:  Xray core 24.11.5 started
INFO:     Starting nodes Xray core
INFO:     Application startup complete.
INFO:     Uvicorn running on https://0.0.0.0:10000 (Press CTRL+C to quit)
INFO:     127.0.0.1:52670 - "POST /api/admin/token HTTP/1.1" 200 OK
INFO:     127.0.0.1:52676 - "GET /api/hosts HTTP/1.1" 200 OK
INFO:     127.0.0.1:52686 - "PUT /api/hosts HTTP/1.1" 200 OK
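The PR shows the two behaviours of the new flag: with `UVICORN_SSL_CA_TYPE=private` a self-signed certificate is accepted with a warning, and without it startup fails with "Certificate verification failed: The certificate is self-signed and not issued by a trusted CA." The block below is an added example, not code from the PR or from Marzban, of how such a check can be made with the standard library alone: it reads the issuer and subject Names straight out of the certificate's DER encoding (a self-signed certificate is self-issued, so the two Names are identical, RFC 5280) and gates acceptance on the flag. It does not verify the signature; a production check should also confirm the signature with the certificate's own public key, for which a library such as `cryptography` is the practical route. The environment variable name and the error text come from the PR; the function names and the constructed skeleton certificate used as input are assumptions made for this example.

```python
"""Added example for this PR discussion; it is not Marzban's own code.

Decides whether an X.509 certificate is self-issued (issuer Name == subject
Name) with a minimal DER reader, and gates acceptance on the
UVICORN_SSL_CA_TYPE flag the way the PR's startup logs show.  The signature
is NOT verified here.  The environment variable name comes from the PR; the
function names and the skeleton certificate are assumptions for this example.
"""
import base64
import os


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        out.append((tag, child))
    return out


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes."""
    body = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def issuer_and_subject(der):
    """Return the DER-encoded issuer and subject Names of a certificate."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]                    # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def is_self_issued(der):
    """True when issuer and subject are byte-identical, as in a self-signed cert."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def check_certificate(der, env=None):
    """Refuse a self-issued certificate unless UVICORN_SSL_CA_TYPE=private is set."""
    env = os.environ if env is None else env
    if not is_self_issued(der):
        return "ca-issued"
    # tolerate the quoted form seen in the PR's .env ("private)
    flag = env.get("UVICORN_SSL_CA_TYPE", "").strip().strip('"\'').lower()
    if flag == "private":
        return "self-issued, allowed by UVICORN_SSL_CA_TYPE=private"
    raise ValueError("Certificate verification failed: The certificate is "
                     "self-signed and not issued by a trusted CA.")


# --- constructed test input: a structurally valid but unsigned certificate ---

def _tlv(tag, value):
    """Encode one DER TLV; lengths up to 65535 bytes are enough here."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + value


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }"""
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


def build_skeleton_cert(issuer_cn, subject_cn):
    """Constructed example certificate: real DER layout, placeholder key and signature."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                                     # v3
    serial = _tlv(0x02, b"\x01")
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"))         # rsaEncryption
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, rsa + _tlv(0x03, b"\x00"))   # empty BIT STRING: not a usable key
    tbs = _tlv(0x30, version + serial + sha256_rsa + _name(issuer_cn)
               + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))   # empty signature


if __name__ == "__main__":
    print(check_certificate(build_skeleton_cert("Example CA", "marzban.local"), env={}))
    print(check_certificate(build_skeleton_cert("marzban.local", "marzban.local"),
                            env={"UVICORN_SSL_CA_TYPE": '"private"'}))
```

For a real certificate, feed `pem_to_der(open("fullchain.pem").read())` to `check_certificate`. Note that the issuer/subject comparison only identifies self-issued certificates; a certificate that is self-issued but signed by a different key, or one issued by a private CA that is not self-issued, needs the signature and chain checks this example leaves out. As the PR's own startup warning says, a private CA is fine for testing or internal use but not for public internet traffic, because clients have no reason to trust it.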

v-kamerdinerov (Contributor, Author):

@SaintShit Hello. Can you check this out, please?

v-kamerdinerov (Contributor, Author):

@ImMohammad20000 @SaintShit Hello! Any news about the review?

ImMohammad20000 (Collaborator):

Can you try to upgrade the Python version too?

v-kamerdinerov (Contributor, Author):

> Can you try to upgrade the Python version too?

Yep, why not. Which do you prefer? 3.11?

ImMohammad20000 (Collaborator):

3.12 is better, if possible.

ImMohammad20000 (Collaborator) commented Nov 9, 2024

I tried your Docker image and found something: you didn't copy the geofiles.

Xray 24.11.5 (Xray, Penetrates Everything.) afc7ec5 (go1.23.2 linux/amd64)

A unified platform for anti-censorship.
2024/11/09 14:47:43 [Info] infra/conf/serial: Reading config: &{Name:stdin: Format:json}
Failed to start: main: failed to load config files: [stdin:] > infra/conf: invalid field rule > infra/conf: failed to load GeoIP: private > infra/conf: failed to load file: geoip.dat > infra/conf: failed to open file: geoip.dat > open /usr/local/share/xray/geoip.dat: no such file or directory

Copy /usr/local/share/xray/ into the final image.

v-kamerdinerov (Contributor, Author):

> I tried your Docker image and found something: you didn't copy the geofiles.
>
> Xray 24.11.5 (Xray, Penetrates Everything.) afc7ec5 (go1.23.2 linux/amd64)
>
> A unified platform for anti-censorship.
> 2024/11/09 14:47:43 [Info] infra/conf/serial: Reading config: &{Name:stdin: Format:json}
> Failed to start: main: failed to load config files: [stdin:] > infra/conf: invalid field rule > infra/conf: failed to load GeoIP: private > infra/conf: failed to load file: geoip.dat > infra/conf: failed to open file: geoip.dat > open /usr/local/share/xray/geoip.dat: no such file or directory

Yes, it is possible, since I am using a multi-stage build.

I will complete this copying along with adding Python 3.12. Testing now.

ImMohammad20000 (Collaborator):

Run it on a new machine so you can find all the bugs.

v-kamerdinerov changed the title from "Small image size, close python CVE, add new flag UVICORN_SSL_CA_TYPE (reopen)" to "Bump python, small image size, close python CVE, add new flag UVICORN_SSL_CA_TYPE (reopen)" on Nov 9, 2024
v-kamerdinerov (Contributor, Author):

> Run it on a new machine so you can find all the bugs.

Greetings again.

With the last commit, I successfully updated Python to version 3.12. I also updated the libs for compatibility.

ubuntu@main:~$ docker exec -ti 1b5a7e5c6510 python --version
Python 3.12.7

I also added the forgotten geosite/geoip db files, thank you for noticing.

ubuntu@main:~$ docker exec -ti 1b5a7e5c6510 ls /usr/local/share/xray
geoip.dat geosite.dat

Tested everything on a clean install from scratch.

New screenshots showing operability are presented in the original post of the pull request.

v-kamerdinerov changed the title from "Bump python, small image size, close python CVE, add new flag UVICORN_SSL_CA_TYPE (reopen)" to "Bump python, small image size, close python CVE, add new flag UVICORN_SSL_CA_TYPE" on Nov 9, 2024
ImMohammad20000 (Collaborator):

I tested this and it is working.
However, we need @SaintShit's opinion.

v-kamerdinerov (Contributor, Author):

> I tested this and it is working.
> However, we need @SaintShit's opinion.

@SaintShit Hello. Can you check this out?

ImMohammad20000 merged commit 633682b into Gozargah:dev on Nov 23, 2024
v-kamerdinerov deleted the small-image-less-cve branch on November 24, 2024 at 09:43
M03ED pushed a commit that referenced this pull request on Apr 29, 2025: "Bump python, small image size, close python CVE, add new flag UVICORN_SSL_CA_TYPE"