I’m experimenting with patching the load balancer for now to enable TLS 1.0, but the current haproxy in the image does not have the CVE-2016-2107 fix. How would you update it?
Rancher 1.0.1
rancher/agent-instance:v0.8.1 (rancher/load-balancer-service)
haproxy 1.6.3 2015/12/25 (in rancher/agent-instance:v0.8.1)
Rancher 1.0.2 is also using v0.8.1, so upgrading to the latest stable won’t help.
For now I’m considering keeping the highest build version of the same min.maj of haproxy on each host where HA is running and mounting it into the LB containers.
@alena You mentioned that the load balancer refactoring will introduce providers. How will security updates be done when it is finished?
@mishak you would just need to enable it on the lb image. The current image is built from this repo. Once you test the changes, you can create your PR against the current repo and ask @cloudnautique to review it. The new image would apply only to newly created LBs; existing LBs will have to be recreated to get the new image.
With the refactoring, the security updates should be submitted to the lb-controller repo (the image will be built from there), and we are yet to finalize the system services update procedure - most likely it will be an in-service upgrade offered to the user once the new image is uploaded to Docker Hub.