homelab/cloudflared
1
0
Fork 0
mirror of https://github.com/cloudflare/cloudflared.git synced 2026-06-23 04:10:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2026.5.0
cloudflared/Dockerfile.amd64
T
Gonçalo Garcia a453612e7c TUN-10507: Bump go and go-boring to 1.26.2 
## What

Bumps go-boring from 1.26.0-1 to 1.26.2-1 and CI builder image from \`3501-fc698419a625\` to \`3595-779e088c0ec4\`.

go1.26.2 (released 2026-04-07) includes security fixes to the \`go\` command, the compiler, and the \`archive/tar\`, \`crypto/tls\`, \`crypto/x509\`, \`html/template\`, and \`os\` packages, as well as bug fixes to the \`net\`, \`net/http\`, and \`net/url\` packages.

### Security fixes (relevant)
- **crypto/tls**: multiple CVEs — cloudflared uses TLS extensively for tunnel connections
- **crypto/x509**: CVE-2026-32280 (excessive chain-building in \`Verify\`), CVE-2026-32281 (quadratic work in policy validation)

### Net bug fixes (not applicable)
- **net/url #78111**: \`url.Parse\` regression for MongoDB-style multi-host URLs — not used in cloudflared
- **net/http #78019**: race condition on Windows when using \`os.File\` as HTTP request body — cloudflared does not pass \`os.File\` as a request body
- **net #77885**: \`ReadMsgUDP\`/\`WriteMsgUDP\` WSAEFAULT on Windows with empty non-nil oob — quic-go uses \`basicConn\` on Windows (\`ReadFrom\`, not \`ReadMsgUDP\`)

## Jira

[TUN-10507](https://jira.cfdata.org/browse/TUN-10507)
2026-05-07 08:39:53 +00:00

34 lines
1.2 KiB
Docker
Raw Permalink Blame History

# use a builder image for building cloudflare
FROM golang:1.26.2 AS builder
ENV GO111MODULE=on \
CGO_ENABLED=0 \
# the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
# which changes how cloudflared binds the metrics server
CONTAINER_BUILD=1
WORKDIR /go/src/github.com/cloudflare/cloudflared/
# copy our sources into the builder image
COPY . .
# compile cloudflared
RUN GOOS=linux GOARCH=amd64 make cloudflared
# use a distroless base image with glibc
FROM gcr.io/distroless/base-debian13:nonroot
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]
CMD ["version"]
Reference in New Issue View Git Blame Copy Permalink