Envoy: Remove curl as an Envoy dependency
Currently we depend on libcurl for URL fetching in AWS extension common utils https://github.com/envoyproxy/envoy/blob/89d6c6c6fa202aa7a01e85d2d887b56c8a3268ad/source/extensions/common/aws/utility.cc#L97 and I think OpenCensus (@g-easy can you confirm?)
The use of curl is largely redundant, since Envoy itself can do HTTP fetch. In addition, Curl does not have a compatible threading and observability model with Envoy. The recent disclosures of CVE-2020-8169 and CVE-2020-8177 provide an example of why we should eliminate this from our trusted compute base.
Opening this tracking ticket to discuss further whether we can remove this dep.
htuch
All 13 comments
+1 for removal. I was against adding in the first place.
mattklein123
on 30 Jun 2020
+1 for removal
moderation
on 30 Jun 2020
Yes, OpenCensus uses curl in its zipkin exporter (to push traces to zipkin).
g-easy
on 1 Jul 2020
Having an indirect networking API instead of curl in libraries would also help compiling them to Wasm binaries for sandboxing. The API would be implemented via Wasm ABI.
kyessenov
on 1 Jul 2020
@g-easy would it be possible to modify the Zipkin exporter to work with some more generic HTTP interface that Envoy can supply?
htuch
on 1 Jul 2020
As per https://github.com/envoyproxy/envoy/issues/9958 at some point OpenCensus should be replaced by the new OpenTracing + OpenCensus project called OpenTelemetry. One would hope that OpenTelemetry doesn't require curl
moderation
on 1 Jul 2020
For opencensus, since the "issue" is with the Zipkin span exporter implementation (opencensus_exporter_zipkin). I think we could own Envoy-specific implementation of that in our tree (I can try to own it if it is desired)? At minimum:
class ZipkinSpanExporterHandler : public ::opencensus::trace::exporter::SpanExporter::Handler,
public Http::AsyncClient::Callbacks {
...
};
Which basically "retrieves" the spans stored by opencensus-cpp worker thread implementation and send that to Envoy's thread which has access to a dispatcher (I think server's dispatcher is OK to use here). As a "bonus", we also need to serialize the opencensus::trace::exporter::SpanData to Zipkin's v2 via ProtobufWkt::Struct (instead of rapidjson employed by the current opencensus-cpp Zipkin span exporter implementation).
However, this will "force" the configuration to require a defined collector cluster to let Envoy's async-client to work (I think this is also relevant to the approach for the "aws" utility). Even the dynamic forward proxy requires a cluster definition. I wonder if we can/are allowed to somehow construct a cluster without defining in the config, but build it on the fly when it is required (https://github.com/envoyproxy/envoy/pull/3479 cc. @ramaraochavali).
@moderation, when we are needed to "upgrade" to OpenTelemetry, if the approach is the same (i.e. data is gathered in worker thread managed by the "tracer" library) and we want to support Zipkin exporter, we still need to provide an Envoy's async-client-friendly implementation for that.
dio
on 5 Jul 2020
One would hope that OpenTelemetry doesn't require curl
This is tracked in https://github.com/open-telemetry/opentelemetry-cpp/issues/6
g-easy
on 6 Jul 2020
https://github.com/envoyproxy/envoy/issues/11816#issuecomment-653838495 sounds pretty great to me.
Note that opencensus's existing background thread calls into Handler::Export() periodically.
g-easy
on 6 Jul 2020
@mattklein123 what is the best way of resolving URI for async client calls without explicitly defining a cluster for it? Is https://github.com/envoyproxy/envoy/pull/3479 the way to do it? Need your advice on this. Thank you!
dio
on 21 Jul 2020
@dio yeah we would probably need to add new functionality to AsyncClient to optionally expose the dynamic forward proxy functionality.
mattklein123
on 21 Jul 2020
PR13063 is another example, which picks up the fix of
CVE-2020-8231: libcurl: wrong connect-only connection
As Envoy does NOT use the affected CURLOPT_CONNECT_ONLY toggle,
this change simply satisfies overly-simplistic audits.
wrowe
on 11 Sep 2020
As part of my EnvoyCon talk, I looked at all CVEs for our dependencies since 2018. Curl is by far the worst here, with 14 CVEs and 23 releases since 2018. Further evidence that we really want to make some progress here.
htuch
on 6 Oct 2020
Related issues
jmillikin-stripe
路
3Comments
sabiurr
路
3Comments
anatolebeuzon
路
3Comments
alkov-ibm
路
3Comments
lps0535
路
3Comments
Most helpful comment
For opencensus, since the "issue" is with the Zipkin span exporter implementation (
opencensus_exporter_zipkin). I think we could own Envoy-specific implementation of that in our tree (I can try to own it if it is desired)? At minimum:Which basically "retrieves" the spans stored by
opencensus-cppworker thread implementation and send that to Envoy's thread which has access to a dispatcher (I think server's dispatcher is OK to use here). As a "bonus", we also need to serialize theopencensus::trace::exporter::SpanDatato Zipkin's v2 viaProtobufWkt::Struct(instead of rapidjson employed by the currentopencensus-cppZipkin span exporter implementation).However, this will "force" the configuration to require a defined collector cluster to let Envoy's async-client to work (I think this is also relevant to the approach for the "aws" utility). Even the dynamic forward proxy requires a cluster definition. I wonder if we can/are allowed to somehow construct a cluster without defining in the config, but build it on the fly when it is required (https://github.com/envoyproxy/envoy/pull/3479 cc. @ramaraochavali).
@moderation, when we are needed to "upgrade" to OpenTelemetry, if the approach is the same (i.e. data is gathered in worker thread managed by the "tracer" library) and we want to support Zipkin exporter, we still need to provide an Envoy's async-client-friendly implementation for that.