Deploying Metric Insights Security Builds

Beginning in v7.1.1 Metric Insights can be deployed using security builds - Docker images which are updated each month with the latest security patches. These security releases include updated system libraries and dependencies, ensuring that the known vulnerabilities are addressed and the build is more secure.

Importantly, security builds do not introduce any new features or functionality changes. This means you can enhance your deployment’s security without affecting existing functionality of the core MI application.

The described instructions consist of enabling the security build feature and pulling security images for each service. You will need to pull new security images each time a new security build is available.

NOTES:

  • Security builds only support Lite installation packages and AMD64 (x86_64) architecture. Full packages and systems with ARM64 architecture are not supported.
  • Security images are not provided for the MySQL and Logger containers.
  • An active internet connection is required to pull the latest security Docker images.

Simple Install

1. Enable Security Images

  1. Download Lite installation package
  2. Run the MI installer with --use-security-images option: ./installer.py --use-security-images

2. Pull and Recreate Containers

After installation completes, update your running containers to use the new security images. Run the following commands:

  1. Pull the latest security Docker images for all Metric Insights services: mi-control pull
  2. Force recreate containers using the newly pulled security images: mi-control up -d --force-recreate

NOTE: Once these steps are done, your Metric Insights instance will be running on the security build of the specified version. You should repeat this process each time a new monthly security release is published for your version.

You can list all available security image versions for your current release by running the installer command with the security flag:

./installer.py images --use-security-images

This will display the complete list of security-tagged Docker images and versions available for Metric Insights, which can help you confirm the correct tags for your deployment.

Orchestrated Environments

1. Update Docker Image References

For orchestrated deployments, you will need to manually update the image references in deployment manifests to use security builds.

For each Metric Insights service image, append /security to the image path before the tag. For example:

docker.metricinsights.com/metric-insights/release_7_1/84:amd64

would be changed to:

docker.metricinsights.com/metric-insights/release_7_1/84/security:amd64

In this example, "84" represents the base image ID or version, and we're appending /security before the architecture tag. Make sure to apply this pattern to all Metric Insights service images.

2. Recreate Pods/Services with New Images

Apply your updated configuration and recreate the pods/services so that the new image references take effect. The orchestration platform will pull the security images and launch new containers with those images. Ensure each service is successfully restarted using the security build image (you can verify the image names in your container runtime or orchestration status).