From f3dac4d854b551cb345f7252b550c3f064952920 Mon Sep 17 00:00:00 2001 From: Denis Rechkunov Date: Wed, 14 Aug 2024 10:40:46 +0200 Subject: [PATCH] Make Wolfi a part of Docker packaging * New images with `-wolfi` suffix get created * Wolfi is used for preparing the file structure for Docker images --- dev-tools/packaging/packages.yml | 235 ++++++++++++------ .../templates/docker/Dockerfile.tmpl | 52 ++-- 2 files changed, 192 insertions(+), 95 deletions(-) diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 23f51fbe0c7a..84148b5c4bac 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -1,25 +1,24 @@ --- - # This file contains the package specifications for both Community Beats and # Official Beats. The shared section contains YAML anchors that are used to # define common parts of the package in order to not repeat ourselves. shared: - &common - name: '{{.BeatName}}' - service_name: '{{.BeatServiceName}}' - os: '{{.GOOS}}' - arch: '{{.PackageArch}}' - vendor: '{{.BeatVendor}}' - version: '{{ beat_version }}' - license: '{{.BeatLicense}}' - url: '{{.BeatURL}}' - description: '{{.BeatDescription}}' + name: "{{.BeatName}}" + service_name: "{{.BeatServiceName}}" + os: "{{.GOOS}}" + arch: "{{.PackageArch}}" + vendor: "{{.BeatVendor}}" + version: "{{ beat_version }}" + license: "{{.BeatLicense}}" + url: "{{.BeatURL}}" + description: "{{.BeatDescription}}" # Deb/RPM spec for community beats. - &deb_rpm_spec <<: *common - post_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/files/linux/systemd-daemon-reload.sh' + post_install_script: "{{ elastic_beats_dir }}/dev-tools/packaging/files/linux/systemd-daemon-reload.sh" files: /usr/share/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} 
@@ -28,23 +27,23 @@ shared: source: fields.yml mode: 0644 /usr/share/{{.BeatName}}/LICENSE.txt: - source: '{{ repo.RootDir }}/LICENSE.txt' + source: "{{ repo.RootDir }}/LICENSE.txt" mode: 0644 /usr/share/{{.BeatName}}/NOTICE.txt: - source: '{{ repo.RootDir }}/NOTICE.txt' + source: "{{ repo.RootDir }}/NOTICE.txt" mode: 0644 /usr/share/{{.BeatName}}/README.md: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl" mode: 0644 /usr/share/{{.BeatName}}/.build_hash.txt: content: > {{ commit }} mode: 0644 /etc/{{.BeatName}}/{{.BeatName}}.reference.yml: - source: '{{.BeatName}}.reference.yml' + source: "{{.BeatName}}.reference.yml" mode: 0644 /etc/{{.BeatName}}/{{.BeatName}}.yml: - source: '{{.BeatName}}.yml' + source: "{{.BeatName}}.yml" mode: 0600 config: true /usr/share/{{.BeatName}}/kibana: @@ -54,13 +53,13 @@ shared: source: build/golang-crossbuild/god-{{.GOOS}}-{{.Platform.Arch}} mode: 0755 /usr/bin/{{.BeatName}}: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/beatname.sh.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/beatname.sh.tmpl" mode: 0755 /lib/systemd/system/{{.BeatServiceName}}.service: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/systemd.unit.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/systemd.unit.tmpl" mode: 0644 /etc/init.d/{{.BeatServiceName}}: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/{{.PackageType}}/init.sh.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/{{.PackageType}}/init.sh.tmpl" mode: 0755 # MacOS pkg spec for community beats. 
@@ -70,29 +69,29 @@ shared: # OS X 10.8 Mountain Lion is the oldest supported by Go 1.10. # https://golang.org/doc/go1.10#ports min_supported_osx_version: 10.8 - identifier: 'co.{{.BeatVendor | tolower}}.beats.{{.BeatName}}' + identifier: "co.{{.BeatVendor | tolower}}.beats.{{.BeatName}}" install_path: /Library/Application Support - pre_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/preinstall.tmpl' - post_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/postinstall.tmpl' + pre_install_script: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/preinstall.tmpl" + post_install_script: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/postinstall.tmpl" files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} mode: 0755 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/LICENSE.txt: - source: '{{ repo.RootDir }}/LICENSE.txt' + source: "{{ repo.RootDir }}/LICENSE.txt" mode: 0644 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/NOTICE.txt: - source: '{{ repo.RootDir }}/NOTICE.txt' + source: "{{ repo.RootDir }}/NOTICE.txt" mode: 0644 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/README.md: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl" mode: 0644 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/.build_hash.txt: content: > {{ commit }} mode: 0644 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/{{.identifier}}.plist: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/launchd-daemon.plist.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/launchd-daemon.plist.tmpl" mode: 0644 /Library/Application 
Support/{{.BeatVendor}}/{{.BeatName}}/kibana: source: _meta/kibana.generated @@ -101,38 +100,38 @@ shared: source: fields.yml mode: 0644 /etc/{{.BeatName}}/{{.BeatName}}.reference.yml: - source: '{{.BeatName}}.reference.yml' + source: "{{.BeatName}}.reference.yml" mode: 0644 /etc/{{.BeatName}}/{{.BeatName}}.yml: - source: '{{.BeatName}}.yml' + source: "{{.BeatName}}.yml" mode: 0600 config: true - &binary_files - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} mode: 0755 fields.yml: source: fields.yml mode: 0644 LICENSE.txt: - source: '{{ repo.RootDir }}/LICENSE.txt' + source: "{{ repo.RootDir }}/LICENSE.txt" mode: 0644 NOTICE.txt: - source: '{{ repo.RootDir }}/NOTICE.txt' + source: "{{ repo.RootDir }}/NOTICE.txt" mode: 0644 README.md: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl" mode: 0644 .build_hash.txt: content: > {{ commit }} mode: 0644 - '{{.BeatName}}.reference.yml': - source: '{{.BeatName}}.reference.yml' + "{{.BeatName}}.reference.yml": + source: "{{.BeatName}}.reference.yml" mode: 0644 - '{{.BeatName}}.yml': - source: '{{.BeatName}}.yml' + "{{.BeatName}}.yml": + source: "{{.BeatName}}.yml" mode: 0600 config: true kibana: 
@@ -151,44 +150,54 @@ shared: files: <<: *binary_files install-service-{{.BeatName}}.ps1: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/windows/install-service.ps1.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/windows/install-service.ps1.tmpl" mode: 0755 uninstall-service-{{.BeatName}}.ps1: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/windows/uninstall-service.ps1.tmpl' + template: "{{ elastic_beats_dir }}/dev-tools/packaging/templates/windows/uninstall-service.ps1.tmpl" mode: 0755 - &docker_spec <<: *binary_spec extra_vars: - from: 'ubuntu:20.04' - buildFrom: 'ubuntu:20.04' - user: '{{ .BeatName }}' - linux_capabilities: '' + from: "--platform=linux/amd64 ubuntu:20.04" + buildFrom: "--platform=linux/amd64 cgr.dev/chainguard/wolfi-base" + user: "{{ .BeatName }}" + linux_capabilities: "" files: - '{{.BeatName}}.yml': - source: '{{.BeatName}}.docker.yml' + "{{.BeatName}}.yml": + source: "{{.BeatName}}.docker.yml" mode: 0600 config: true - &docker_arm_spec <<: *docker_spec extra_vars: - from: 'arm64v8/ubuntu:20.04' - buildFrom: 'arm64v8/ubuntu:20.04' + from: "--platform=linux/arm64 ubuntu:20.04" + buildFrom: "--platform=linux/arm64 cgr.dev/chainguard/wolfi-base" - &docker_ubi_spec extra_vars: - image_name: '{{.BeatName}}-ubi' - from: 'docker.elastic.co/ubi9/ubi-minimal' + image_name: "{{.BeatName}}-ubi" + from: "--platform=linux/amd64 docker.elastic.co/ubi9/ubi-minimal" - &docker_arm_ubi_spec extra_vars: - image_name: '{{.BeatName}}-ubi' - from: 'registry.access.redhat.com/ubi9/ubi-minimal:9.3' + image_name: "{{.BeatName}}-ubi" + from: "--platform=linux/arm64 docker.elastic.co/ubi9/ubi-minimal" + + - &docker_wolfi_spec + extra_vars: + image_name: "{{.BeatName}}-wolfi" + from: "--platform=linux/amd64 cgr.dev/chainguard/wolfi-base" + + - &docker_arm_wolfi_spec + extra_vars: + image_name: "{{.BeatName}}-wolfi" + from: "--platform=linux/arm64 cgr.dev/chainguard/wolfi-base" - &elastic_docker_spec 
extra_vars: - repository: 'docker.elastic.co/beats' + repository: "docker.elastic.co/beats" # # License modifiers for Apache 2.0 @@ -197,21 +206,21 @@ shared: license: "ASL 2.0" files: LICENSE.txt: - source: '{{ repo.RootDir }}/licenses/APACHE-LICENSE-2.0.txt' + source: "{{ repo.RootDir }}/licenses/APACHE-LICENSE-2.0.txt" mode: 0644 - &apache_license_for_deb_rpm license: "ASL 2.0" files: /usr/share/{{.BeatName}}/LICENSE.txt: - source: '{{ repo.RootDir }}/licenses/APACHE-LICENSE-2.0.txt' + source: "{{ repo.RootDir }}/licenses/APACHE-LICENSE-2.0.txt" mode: 0644 - &apache_license_for_macos_pkg license: "ASL 2.0" files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/LICENSE.txt: - source: '{{ repo.RootDir }}/licenses/APACHE-LICENSE-2.0.txt' + source: "{{ repo.RootDir }}/licenses/APACHE-LICENSE-2.0.txt" mode: 0644 # @@ -221,21 +230,21 @@ shared: license: "Elastic License" files: LICENSE.txt: - source: '{{ repo.RootDir }}/licenses/ELASTIC-LICENSE.txt' + source: "{{ repo.RootDir }}/licenses/ELASTIC-LICENSE.txt" mode: 0644 - &elastic_license_for_deb_rpm license: "Elastic License" files: /usr/share/{{.BeatName}}/LICENSE.txt: - source: '{{ repo.RootDir }}/licenses/ELASTIC-LICENSE.txt' + source: "{{ repo.RootDir }}/licenses/ELASTIC-LICENSE.txt" mode: 0644 - &elastic_license_for_macos_pkg license: "Elastic License" files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/LICENSE.txt: - source: '{{ repo.RootDir }}/licenses/ELASTIC-LICENSE.txt' + source: "{{ repo.RootDir }}/licenses/ELASTIC-LICENSE.txt" mode: 0644 # specs is a list of named packaging "flavors". 
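Review bot: Every base reference this hunk introduces is floating — `cgr.dev/chainguard/wolfi-base` in `docker_spec`, `docker_arm_spec` and both `*_wolfi_spec` anchors carries no tag at all, and the arm UBI entry drops the previous explicit `:9.3` while also moving its trust root from registry.access.redhat.com to docker.elastic.co — so two builds of the same commit can resolve to different base layers and an upstream regression or compromise is picked up silently. For release images pin each `from`/`buildFrom` to a digest resolved and recorded by the build tooling (`cgr.dev/chainguard/wolfi-base@sha256:<digest>`), or at minimum restore a version tag where the registry publishes one; as far as I know Chainguard's public wolfi-base is only offered under a floating tag, which makes digest pinning the only stable option there. A one-line policy note above `docker_spec` would make the intent explicit, e.g. `# Base images must be pinned by digest; bump them via the release tooling, not by hand.`. Note also that `--platform=...` is now baked into the `from` string, so anything else that consumes these vars as a bare image reference has to strip it.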
@@ -280,28 +289,28 @@ specs: spec: <<: *windows_binary_spec <<: *apache_license_for_binaries - name: '{{.BeatName}}-oss' + name: "{{.BeatName}}-oss" - os: darwin types: [tgz] spec: <<: *binary_spec <<: *apache_license_for_binaries - name: '{{.BeatName}}-oss' + name: "{{.BeatName}}-oss" - os: linux types: [tgz] spec: <<: *binary_spec <<: *apache_license_for_binaries - name: '{{.BeatName}}-oss' + name: "{{.BeatName}}-oss" - os: linux types: [deb, rpm] spec: <<: *deb_rpm_spec <<: *apache_license_for_deb_rpm - name: '{{.BeatName}}-oss' + name: "{{.BeatName}}-oss" - os: linux types: [docker] @@ -309,14 +318,14 @@ specs: <<: *docker_spec <<: *elastic_docker_spec <<: *apache_license_for_binaries - name: '{{.BeatName}}-oss' + name: "{{.BeatName}}-oss" - os: aix types: [tgz] spec: <<: *binary_spec <<: *apache_license_for_binaries - name: '{{.BeatName}}-oss' + name: "{{.BeatName}}-oss" # Elastic Beat with Elastic License and binary taken the current directory. elastic_beat_xpack: @@ -364,6 +373,15 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries + - os: linux + arch: amd64 + types: [docker] + spec: + <<: *docker_spec + <<: *docker_wolfi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + - os: linux arch: arm64 types: [docker] @@ -381,6 +399,15 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_spec + <<: *docker_arm_wolfi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + - os: aix types: [tgz] spec: @@ -427,7 +454,7 @@ specs: <<: *windows_binary_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: darwin 
@@ -436,7 +463,7 @@ specs: <<: *binary_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -445,7 +472,7 @@ specs: <<: *binary_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -465,7 +492,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -477,7 +504,19 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: linux + arch: amd64 + types: [docker] + spec: + <<: *docker_spec + <<: *docker_wolfi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -488,7 +527,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux 
@@ -500,7 +539,19 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_spec + <<: *docker_arm_wolfi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: aix @@ -509,7 +560,7 @@ specs: <<: *binary_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -529,7 +580,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} # Complete image gets a 'complete' variant for synthetics and other large @@ -541,7 +592,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} # Cloud specific docker image @@ -552,7 +603,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux 
@@ -563,7 +614,18 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": + source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: linux + arch: amd64 + types: [docker] + spec: + <<: *docker_wolfi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -573,7 +635,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} # Complete image gets a 'complete' variant for synthetics and other large @@ -585,7 +647,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} # Cloud specific docker image @@ -596,7 +658,7 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux @@ -607,7 +669,18 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: - '{{.BeatName}}{{.BinaryExt}}': + "{{.BeatName}}{{.BinaryExt}}": + source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + + - os: linux + arch: arm64 + types: [docker] + spec: + <<: *docker_arm_wolfi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + "{{.BeatName}}{{.BinaryExt}}": source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: aix 
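Review bot: The two wolfi entries added in this and the following hunk merge only `*docker_wolfi_spec`/`*docker_arm_wolfi_spec`, `*elastic_docker_spec` and the license anchor, whereas the wolfi entries added earlier in the file also merge `*docker_spec`/`*docker_arm_spec`, which is where `buildFrom`, `user` and `linux_capabilities` are defined. If the spec loader does not default those, the Dockerfile template renders `FROM  AS home` and `useradd ... ` with an empty user for these images; the sibling UBI entries of this section begin outside the hunk, so I cannot tell whether they follow the same reduced pattern and rely on a default. If the omission is deliberate, add `<<: *docker_spec` for symmetry or a comment explaining why the shared vars are not needed here, e.g. `# docker_spec is intentionally not merged: this flavor sets its own user/buildFrom defaults.`.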
@@ -615,7 +688,7 @@ specs:
       spec:
         <<: *elastic_license_for_binaries
         files:
-          '{{.BeatName}}{{.BinaryExt}}':
+          "{{.BeatName}}{{.BinaryExt}}":
             source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}
             symlink: true
-            mode: 0755
\ No newline at end of file
+            mode: 0755
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index 115119be4279..2c86c7860a2b 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -6,6 +6,15 @@
 # the final image because of permission changes.
 FROM {{ .buildFrom }} AS home
 
+{{- if contains .buildFrom "wolfi" }}
+  RUN for iter in {1..10}; do \
+      apk update && \
+      apk add --no-cache libcap-utils && \
+      exit_code=0 && break || exit_code=$? && echo "apk error: retry $iter in 10s" && sleep 10; \
+  done; \
+  (exit $exit_code)
+{{- end }}
+
 COPY beat {{ $beatHome }}
 
 RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \
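Review bot: The retry loop added to the `home` stage, `RUN for iter in {1..10}; do \`, depends on bash brace expansion, but `RUN` executes under `/bin/sh -c`, and on wolfi-base `/bin/sh` is (as far as I know) BusyBox ash — as dash is on Ubuntu — where `{1..10}` is a literal word: the body runs exactly once with `iter='{1..10}'`, and on a failed `apk add` it just sleeps 10 s and exits non-zero, so no retry ever happens unless a `SHELL` directive outside this hunk selects bash. A portable header fixes it without changing anything else: `RUN for iter in 1 2 3 4 5 6 7 8 9 10; do \`. Separately, `apk update` right before `apk add --no-cache` writes the package index into `/var/cache/apk` in this layer, which is exactly what `--no-cache` is meant to avoid; dropping the `apk update &&` line and letting `apk add --no-cache libcap-utils` fetch a fresh index is enough. The same loop shape is copied for the wolfi and microdnf installs in the next hunk and already exists in the ubuntu branch, so the fix applies there as well.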
@@ -18,13 +27,36 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \
 {{- end }}
     chmod 0775 {{ $beatHome }}/data {{ $beatHome }}/logs
 
+{{- if .linux_capabilities }}
+# Since the beat is stored at the other end of a symlink we must follow the symlink first
+# For security reasons setcap does not support symlinks. This is smart in the general case
+# but in our specific case since we're building a trusted image from trusted binaries this is
+# fine. Thus, we use readlink to follow the link and setcap on the actual binary
+RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
+{{- end }}
+
 FROM {{ .from }}
 
+{{- if contains .from "wolfi" }}
+RUN for iter in {1..10}; do \
+    apk update && \
+    apk add --no-cache curl shadow bash && \
+    exit_code=0 && break || exit_code=$? && echo "apk error: retry $iter in 10s" && sleep 10; \
+    done; \
+    (exit $exit_code)
+{{- end }}
+
 {{- if contains .from "ubi-minimal" }}
-RUN microdnf -y update && \
-    microdnf -y install findutils shadow-utils && \
-    microdnf clean all
-{{- else }}
+RUN for iter in {1..10}; do \
+    microdnf -y update && \
+    microdnf -y install findutils shadow-utils && \
+    microdnf clean all && \
+    exit_code=0 && break || exit_code=$? && echo "apk error: retry $iter in 10s" && sleep 10; \
+    done; \
+    (exit $exit_code)
+{{- end }}
+
+{{- if contains .from "ubuntu" }}
 RUN for iter in {1..10}; do \
     apt-get update -y && \
     DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ca-certificates curl gawk libcap2-bin xz-utils && \
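Review bot: Moving `RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}` into the `home` stage means the capability now lives as a `security.capability` xattr on a file that the final stage receives through `COPY --from=home`, and whether that xattr survives the copy depends on the builder (BuildKit is expected to preserve it; the legacy builder historically did not), so an image could silently ship a binary without the capability it is documented to have. Add a build-time check in the final stage after the copy, e.g. `RUN [ -z "{{ .linux_capabilities }}" ] || getcap "$(readlink -f {{ $beatBinary }})" | grep -q cap_`, so the loss fails the build instead of surfacing at runtime. The microdnf loop echoes `"apk error: retry $iter in 10s"`, which will mislead whoever reads a UBI build log; it should say `microdnf error`. Note also that replacing `{{- else }}` with `{{- if contains .from "ubuntu" }}` means a `from` matching none of wolfi/ubi-minimal/ubuntu now gets no package install at all, which is fine but worth a comment above the three branches.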
@@ -97,19 +129,11 @@ RUN mkdir /licenses
 COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
 COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
 
-{{- if .linux_capabilities }}
-# Since the beat is stored at the other end of a symlink we must follow the symlink first
-# For security reasons setcap does not support symlinks. This is smart in the general case
-# but in our specific case since we're building a trusted image from trusted binaries this is
-# fine. Thus, we use readlink to follow the link and setcap on the actual binary
-RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
-{{- end }}
-
 {{- if ne .user "root" }}
 RUN groupadd --gid 1000 {{ .BeatName }}
 RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
 
-{{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal"))) }}
+{{- if (and (eq .BeatName "heartbeat") (contains .from "ubuntu")) }}
 ENV NODE_PATH={{ $beatHome }}/.node
 RUN echo \
     $NODE_PATH \
@@ -153,7 +177,7 @@ RUN chown -R {{ .user }} $NODE_PATH
 USER {{ .user }}
 # If this fails dump the NPM logs
 RUN npm i -g --loglevel verbose --production --engine-strict @elastic/synthetics@stack_release || sh -c 'tail -n +1 /root/.npm/_logs/* && exit 1'
-RUN chmod ug+rwX -R $NODE_PATH
+RUN chmod ug+rwX -R $NODE_PATH
 USER root
 
 # Install the deps as needed by the exact version of playwright elastic synthetics uses
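Review bot: The heartbeat Node/synthetics block is now gated on `contains .from "ubuntu"` rather than `not (contains .from "ubi-minimal")`, so the new `heartbeat-wolfi` image is built without `NODE_PATH`, `@elastic/synthetics` and the Playwright dependencies and will not support browser monitors; nothing in the commit message says whether that is intended. If it is, record it at the condition so the capability gap is discoverable, e.g. `# Synthetics/Node.js is bundled only on the Ubuntu base; UBI and Wolfi images ship without browser-monitor support.`; if not, the condition needs to include the wolfi base and the apk package list in the earlier hunk needs the Playwright runtime deps. The removed `setcap` lines here pair with the relocation into the `home` stage; the `ne .user "root"` block that follows continues outside this hunk.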