Skip to content

alloy: add libzstd1 and liblzma5 for journal decompression#419

Open
to-kr wants to merge 1 commit into
docker-hardened-images:mainfrom
to-kr:tokr/alloy-add-libzstd
Open

alloy: add libzstd1 and liblzma5 for journal decompression#419
to-kr wants to merge 1 commit into
docker-hardened-images:mainfrom
to-kr:tokr/alloy-add-libzstd

Conversation

@to-kr

@to-kr to-kr commented Jun 11, 2026

Copy link
Copy Markdown

Description

The alloy runtime image ships libsystemd0 but not libzstd1. libsystemd dlopens libzstd.so.1 at runtime to decode zstd-compressed journal fields — the default journal compression since systemd 246 (2020). Without it, the loki.source.journal component fails on every entry with failed to read message field: operation not supported (EOPNOTSUPP from sd_journal_get_data()) and silently forwards nothing, while still reporting the component as healthy.

This adds libzstd1 and liblzma5 to the runtime package list of both variants. Both dependencies are declared by the libsystemd0 package itself (Recommends: libzstd1, Suggests: liblzma5) and by libsystemd's embedded dlopen feature manifest ("feature":"zstd","priority":"recommended"); since the image builder intentionally does not install Recommends, listing them explicitly is the intended mechanism. liblzma5 covers legacy XZ-compressed journals. Combined size is ~800 KB; both are plain compression libraries already used as runtime dependencies elsewhere in the catalog (e.g. percona-xtrabackup, pgvector, python).

Type of Change

  • Bug fix

Related Issues

Fixes #388

Changes Made

  • Add libzstd1 and liblzma5 to contents.packages in image/alloy/debian-13/1.yaml
  • Add the same packages to image/alloy/debian-13/1-dev.yaml

Testing

  • I have tested these changes locally

Verified end-to-end against a real zstd-compressed journal (created with systemd-journal-remote 257, file header shows Incompatible flags: COMPRESSED-ZSTD), using the reproduction config from #388 with loki.echo as the sink:

Image operation not supported errors Entries forwarded
dhi.io/alloy:1.16.2 (published) continuous 0 of 5
same + libzstd1/liblzma5 from the DHI trixie repo 0 5 of 5

Also verified that a minimal build through the dhi.io/build:2-debian13 frontend with the updated package list resolves both packages from the DHI Debian repo and places libzstd.so.1/liblzma.so.5 next to libsystemd.so.0.40.0 in the final filesystem. (A full local pipeline build wasn't possible — it requires access to the private definitions repo and SBOM indexer.)

Checklist

  • My changes follow the repository's style and conventions
  • I have updated documentation as needed
  • My commit messages are clear and descriptive

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@to-kr to-kr requested a review from a team as a code owner June 11, 2026 17:46
@to-kr

to-kr commented Jun 12, 2026

Copy link
Copy Markdown
Author

One heads-up on the CVE surface of the two added packages, so it doesn't come as a surprise from the scanner:

  • libzstd1 (1.5.7): no open CVEs in trixie; historically very quiet (4 CVEs total since 2019, all fixed).
  • liblzma5 (5.8.1): CVE-2026-34743 is currently open in trixie ("vulnerable, no DSA"; fixed upstream in xz 5.8.3, currently only in forky/sid). It's a heap buffer overflow in lzma_index_decoder() triggered by a crafted .xz file with an empty Index — rated moderate/low (primarily DoS). The journal read path doesn't appear to be affected: libsystemd decodes journal fields as raw streams and never parses an .xz container Index.

If the open CVE is a concern, this PR can be narrowed to libzstd1 only — that alone fixes #388, since zstd has been the default journal compression since systemd 246 and LZ4 is statically linked into the bundled libsystemd. liblzma5 only matters for journals written by systemd < 246 without LZ4 support (RHEL 7 / Ubuntu 16.04 era hosts), which are rare today. Happy to drop it if preferred.

References: Debian tracker (xz-utils), CVE-2026-34743

@to-kr to-kr force-pushed the tokr/alloy-add-libzstd branch from 55e92d5 to fab8a77 Compare June 13, 2026 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[bug]: alloy image missing libzstd.so.1 — loki.source.journal fails on systemd ≥ 246 hosts

1 participant