SG-4240: Remove Fluentbit and apply security updates #36
Merged
9f71eb7 to 891d162
Remove fluentbit completely. We don't use it anymore for logging.
arunim2405 approved these changes Jun 18, 2026
Pull request overview
This PR removes Fluent Bit-related functionality from sg-runner and tightens operational security by hardening logging/diagnostics locations, input validation, and network/proxy handling in the main runner script.
Changes:
- Removed Fluent Bit container/config generation and any related runtime checks.
- Hardened runner script behavior (safer log/diagnostic paths & permissions, proxy validation/config, more structured API calling).
- Refactored parts of diagnostics, cleanup, and preflight logic.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Updates health-check docs to remove Fluent Bit container mention (but still needs updates for new log/diagnostic paths). |
| main.sh | Removes Fluent Bit logic; adds security/robustness improvements (diagnostic dir perms, proxy validation/config), refactors API calls and diagnostics, and adjusts cleanup/preflight behavior. |
Comment on lines 665 to +666
| bridge_id="br-$($CONTAINER_ORCHESTRATOR network ls -q --filter "name=${SG_DOCKER_NETWORK}")" | ||
| iptables \ | ||
| -I DOCKER-USER \ | ||
| -i "${bridge_id}" \ | ||
| -d 169.254.169.254,10.0.0.0/24 \ | ||
| -j DROP | ||
| iptables_ensure -I DOCKER-USER -i "${bridge_id}" -d 169.254.169.254,10.0.0.0/24 -j DROP |
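Review bot: `bridge_id` goes straight into the `iptables_ensure` rule with no check that the `network ls -q --filter "name=${SG_DOCKER_NETWORK}"` lookup returned exactly one ID. If the lookup returns nothing, `bridge_id` is just `br-`, and if it returns more than one ID the value is not a valid interface name; in both cases the DROP for `169.254.169.254,10.0.0.0/24` is not attached to the runner's bridge and containers keep their route to the metadata address. Fail closed before installing the rule: abort when the lookup result is empty or spans more than one line, and log the interface name the rule was bound to.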
|
|
||
| # Use the token if available; otherwise, proceed without it for IMDSv1 compatibility | ||
| if [ -n "$imdsv2_token" ]; then | ||
| attached_iam_role=$(curl --max-time 10 -fSsLk --proto "https" -H "X-aws-ec2-metadata-token: $imdsv2_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null) |
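Review bot: on the `curl` line, `--proto "https"` does not agree with the `http://169.254.169.254/...` URL. Without a `=` modifier curl reads it as `+https`, which restricts nothing, and written as `=https` it would refuse this request outright. Together with `-k` and `-L` the call would follow a redirect to an HTTPS host without certificate verification while still carrying the `X-aws-ec2-metadata-token` header. Suggest dropping `-k` and `-L`, using `--proto "=http"` for this link-local endpoint, and removing either `-S` or `2>/dev/null`, since the redirect discards the error text `-S` asks for.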
Comment on lines +990 to 992
| local prune_filter="until=4h" | ||
| local curr_time | ||
| curr_time=$(date) |
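Review bot: `curr_time=$(date)` yields a locale- and timezone-dependent string. If it ends up in the runner log next to the prune action, a fixed UTC format such as `date -u +%Y-%m-%dT%H:%M:%SZ` keeps entries comparable across hosts. The `until=4h` value in `prune_filter` is hard-coded; consider taking it from a variable with `4h` as the default so the retention window is set in one place.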
Comment on lines 132 to +133
| This command will print status of `ecs` and `docker` services. | ||
| Also, including all related Docker containers (`ecs-agent`, `fluentbit-agent`). | ||
| Also, including the related Docker container (`ecs-agent`). |
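Review bot: the replacement line "Also, including the related Docker container (`ecs-agent`)." is a sentence fragment carried over from the old wording. Suggest "It also prints the status of the related Docker container (`ecs-agent`)." The review overview for this PR also notes that the README does not yet describe the new log and diagnostic paths, so this section is the place to add them.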
This PR removes Fluentbit completely from the sg-runner project, as it is no longer used for logging. Alongside this removal, security updates are applied to improve overall system security.
Changes Made
Testing