[build] Add image based on chainguard (#183200)

Adds a new docker image, `kibana-chainguard` using
[chainguard-base](https://images.chainguard.dev/directory/image/chainguard-base).
For now this is only for testing, exact naming tbd.

Testing
```
docker load < kibana-chainguard-8.15.0-SNAPSHOT-docker-image-aarch64.tar.gz
docker run --rm docker.elastic.co/kibana/kibana-chainguard:8.15.0-SNAPSHOT
```

.buildkite/pipelines/artifacts.yml

@@ -92,6 +92,16 @@ steps:
         - exit_status: '*'
           limit: 1
 
+  - command: KIBANA_DOCKER_CONTEXT=chainguard .buildkite/scripts/steps/artifacts/docker_context.sh
+    label: 'Docker Context Verification'
+    agents:
+      queue: n2-2
+    timeout_in_minutes: 30
+    retry:
+      automatic:
+        - exit_status: '*'
+          limit: 1
+
   - command: KIBANA_DOCKER_CONTEXT=ironbank .buildkite/scripts/steps/artifacts/docker_context.sh
     label: 'Docker Context Verification'
     agents:

.buildkite/scripts/build_kibana.sh

@@ -32,6 +32,7 @@ if is_pr_with_label "ci:build-cloud-image"; then
   --skip-docker-ubi \
   --skip-docker-fips \
   --skip-docker-ubuntu \
+  --skip-docker-chainguard \
   --skip-docker-serverless \
   --skip-docker-contexts
 

.buildkite/scripts/pipelines/security_solution_quality_gate/create_periodic_test_docker_image.sh

@@ -34,6 +34,7 @@ node scripts/build \
   --docker-namespace="kibana-ci" \
   --docker-tag="$KIBANA_IMAGE_TAG" \
   --skip-docker-ubuntu \
+  --skip-docker-chainguard \
   --skip-docker-ubi \
   --skip-docker-cloud \
   --skip-docker-contexts \

.buildkite/scripts/steps/artifacts/docker_context.sh

@@ -20,6 +20,9 @@ case $KIBANA_DOCKER_CONTEXT in
   default)
     DOCKER_CONTEXT_FILE="kibana-$FULL_VERSION-docker-build-context.tar.gz"
   ;;
+  chainguard)
+    DOCKER_CONTEXT_FILE="kibana-chainguard-$FULL_VERSION-docker-build-context.tar.gz"
+  ;;
   cloud)
     DOCKER_CONTEXT_FILE="kibana-cloud-$FULL_VERSION-docker-build-context.tar.gz"
   ;;

.buildkite/scripts/steps/artifacts/docker_image.sh

@@ -32,6 +32,7 @@ node scripts/build \
   --docker-namespace="kibana-ci" \
   --docker-tag="$KIBANA_IMAGE_TAG" \
   --skip-docker-ubuntu \
+  --skip-docker-chainguard \
   --skip-docker-ubi \
   --skip-docker-fips \
   --skip-docker-cloud \

.buildkite/scripts/steps/cloud/build_and_deploy.sh

@@ -43,6 +43,7 @@ else
     --skip-docker-ubi \
     --skip-docker-fips \
     --skip-docker-ubuntu \
+    --skip-docker-chainguard \
     --skip-docker-serverless \
     --skip-docker-contexts
 fi

.buildkite/scripts/steps/fips/build.sh

@@ -23,6 +23,7 @@ node scripts/build \
     --docker-push \
     --skip-docker-ubi \
     --skip-docker-ubuntu \
+    --skip-docker-chainguard \
     --skip-docker-cloud \
     --skip-docker-serverless \
     --skip-docker-contexts

src/dev/build/args.test.ts

@@ -31,6 +31,7 @@ it('build default and oss dist for current platform, without packages, by defaul
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": false,
+        "createDockerChainguard": false,
         "createDockerCloud": false,
         "createDockerContexts": true,
         "createDockerFIPS": false,
@@ -71,6 +72,7 @@ it('builds packages if --all-platforms is passed', () => {
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": true,
+        "createDockerChainguard": true,
         "createDockerCloud": true,
         "createDockerContexts": true,
         "createDockerFIPS": true,
@@ -111,6 +113,7 @@ it('limits packages if --rpm passed with --all-platforms', () => {
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": false,
+        "createDockerChainguard": false,
         "createDockerCloud": false,
         "createDockerContexts": true,
         "createDockerFIPS": false,
@@ -151,6 +154,7 @@ it('limits packages if --deb passed with --all-platforms', () => {
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": true,
+        "createDockerChainguard": false,
         "createDockerCloud": false,
         "createDockerContexts": true,
         "createDockerFIPS": false,
@@ -192,6 +196,7 @@ it('limits packages if --docker passed with --all-platforms', () => {
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": false,
+        "createDockerChainguard": true,
         "createDockerCloud": true,
         "createDockerContexts": true,
         "createDockerFIPS": true,
@@ -240,6 +245,7 @@ it('limits packages if --docker passed with --skip-docker-ubi and --all-platform
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": false,
+        "createDockerChainguard": true,
         "createDockerCloud": true,
         "createDockerContexts": true,
         "createDockerFIPS": true,
@@ -281,6 +287,7 @@ it('limits packages if --all-platforms passed with --skip-docker-ubuntu', () =>
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": true,
+        "createDockerChainguard": true,
         "createDockerCloud": true,
         "createDockerContexts": true,
         "createDockerFIPS": true,
@@ -322,6 +329,7 @@ it('limits packages if --all-platforms passed with --skip-docker-fips', () => {
         "createArchives": true,
         "createCdnAssets": true,
         "createDebPackage": true,
+        "createDockerChainguard": true,
         "createDockerCloud": true,
         "createDockerContexts": true,
         "createDockerFIPS": false,

src/dev/build/args.ts

@@ -31,6 +31,7 @@ export function readCliArgs(argv: string[]) {
       'skip-docker-contexts',
       'skip-docker-ubi',
       'skip-docker-ubuntu',
+      'skip-docker-chainguard',
       'skip-docker-cloud',
       'skip-docker-serverless',
       'skip-docker-fips',
@@ -139,6 +140,8 @@ export function readCliArgs(argv: string[]) {
     createDebPackage: isOsPackageDesired('deb'),
     createDockerUbuntu:
       isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-ubuntu']),
+    createDockerChainguard:
+      isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-chainguard']),
     createDockerCloud: isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-cloud']),
     createDockerServerless:
       isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-serverless']),

src/dev/build/build_distributables.ts

@@ -31,6 +31,7 @@ export interface BuildOptions {
   createDebPackage: boolean;
   createDockerUBI: boolean;
   createDockerUbuntu: boolean;
+  createDockerChainguard: boolean;
   createDockerCloud: boolean;
   createDockerServerless: boolean;
   createDockerContexts: boolean;
@@ -150,6 +151,10 @@ export async function buildDistributables(log: ToolingLog, options: BuildOptions
     await run(Tasks.CreateDockerUbuntu);
   }
 
+  if (options.createDockerChainguard) {
+    // control w/ --docker-images or --skip-docker-chainguard or --skip-os-packages
+    await run(Tasks.CreateDockerChainguard);
+  }
   if (options.createDockerCloud) {
     // control w/ --docker-images and --skip-docker-cloud
     if (options.downloadCloudDependencies) {

src/dev/build/cli.ts

@@ -46,6 +46,7 @@ if (showHelp) {
         --skip-cdn-assets                    {dim Don't build CDN assets}
         --skip-docker-ubi                    {dim Don't build the docker ubi image}
         --skip-docker-ubuntu                 {dim Don't build the docker ubuntu image}
+        --skip-docker-chainguard             {dim Don't build the docker chainguard image}
         --skip-docker-fips                   {dim Don't build the docker fips image}
         --release                            {dim Produce a release-ready distributable}
         --version-qualifier                  {dim Suffix version with a qualifier}

src/dev/build/tasks/os_packages/create_os_package_tasks.ts

@@ -80,6 +80,27 @@ export const CreateDockerUbuntu: Task = {
   },
 };
 
+export const CreateDockerChainguard: Task = {
+  description: 'Creating Docker Chainguard image',
+
+  async run(config, log, build) {
+    await runDockerGenerator(config, log, build, {
+      architecture: 'x64',
+      baseImage: 'chainguard',
+      context: false,
+      image: true,
+      dockerBuildDate,
+    });
+    await runDockerGenerator(config, log, build, {
+      architecture: 'aarch64',
+      baseImage: 'chainguard',
+      context: false,
+      image: true,
+      dockerBuildDate,
+    });
+  },
+};
+
 export const CreateDockerServerless: Task = {
   description: 'Creating Docker Serverless image',
 
@@ -161,6 +182,12 @@ export const CreateDockerContexts: Task = {
       image: false,
       dockerBuildDate,
     });
+    await runDockerGenerator(config, log, build, {
+      baseImage: 'chainguard',
+      context: true,
+      image: false,
+      dockerBuildDate,
+    });
     await runDockerGenerator(config, log, build, {
       baseImage: 'ubi',
       context: true,

src/dev/build/tasks/os_packages/docker_generator/run.ts

@@ -29,7 +29,7 @@ export async function runDockerGenerator(
   build: Build,
   flags: {
     architecture?: string;
-    baseImage: 'none' | 'ubi' | 'ubuntu';
+    baseImage: 'none' | 'chainguard' | 'ubi' | 'ubuntu';
     context: boolean;
     image: boolean;
     ironbank?: boolean;
@@ -42,9 +42,12 @@ export async function runDockerGenerator(
   let baseImageName = '';
   if (flags.baseImage === 'ubuntu') baseImageName = 'ubuntu:20.04';
   if (flags.baseImage === 'ubi') baseImageName = 'docker.elastic.co/ubi9/ubi-minimal:latest';
+  if (flags.baseImage === 'chainguard')
+    baseImageName = 'docker.elastic.co/wolfi/chainguard-base:20230214';
 
   let imageFlavor = '';
   if (flags.baseImage === 'ubi') imageFlavor += `-ubi`;
+  if (flags.baseImage === 'chainguard') imageFlavor += `-chainguard`;
   if (flags.ironbank) imageFlavor += '-ironbank';
   if (flags.cloud) imageFlavor += '-cloud';
   if (flags.serverless) imageFlavor += '-serverless';

src/dev/build/tasks/os_packages/docker_generator/template_context.ts

@@ -24,7 +24,7 @@ export interface TemplateContext {
   dockerBuildDate: string;
   usePublicArtifact?: boolean;
   publicArtifactSubdomain: string;
-  baseImage: 'none' | 'ubi' | 'ubuntu';
+  baseImage: 'none' | 'ubi' | 'ubuntu' | 'chainguard';
   baseImageName: string;
   cloud?: boolean;
   serverless?: boolean;

src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile

@@ -12,11 +12,14 @@
 FROM {{{baseImageName}}} AS builder
 
 {{#ubi}}
-RUN {{packageManager}} install -y findutils tar gzip
+RUN microdnf install -y findutils tar gzip
 {{/ubi}}
 {{#ubuntu}}
-RUN {{packageManager}} update && DEBIAN_FRONTEND=noninteractive {{packageManager}} install -y curl
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl
 {{/ubuntu}}
+{{#chainguard}}
+RUN apk --no-cache add curl
+{{/chainguard}}
 
 {{#usePublicArtifact}}
 RUN cd /tmp && \
@@ -32,8 +35,8 @@ COPY {{artifactTarball}} /tmp/kibana.tar.gz
 RUN mkdir /usr/share/kibana
 WORKDIR /usr/share/kibana
 RUN tar \
-# Exclude serverless.yml disabled assets
 {{#serverless}}
+# Exclude serverless.yml disabled assets
   --exclude=screenshotting-plugin/chromium \
   --exclude=screenshotting-plugin/server/assets \
 {{/serverless}}
@@ -90,10 +93,10 @@ EXPOSE 5601
 
 {{#ubi}}
 RUN for iter in {1..10}; do \
-      {{packageManager}} update --setopt=tsflags=nodocs -y && \
-      {{packageManager}} install --setopt=tsflags=nodocs -y \
+      microdnf update --setopt=tsflags=nodocs -y && \
+      microdnf install --setopt=tsflags=nodocs -y \
         fontconfig freetype shadow-utils nss findutils {{#fips}}perl make gcc tar {{/fips}}&& \
-      {{packageManager}} clean all && exit_code=0 && break || exit_code=$? && echo "{{packageManager}} error: retry $iter in 10s" && \
+      microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && \
       sleep 10; \
     done; \
     (exit $exit_code)
@@ -101,16 +104,19 @@ RUN for iter in {1..10}; do \
 {{#ubuntu}}
 RUN for iter in {1..10}; do \
       export DEBIAN_FRONTEND=noninteractive && \
-      {{packageManager}} update  && \
-      {{packageManager}} upgrade -y  && \
-      {{packageManager}} install -y --no-install-recommends \
-       fontconfig libnss3 ca-certificates  && \
-      {{packageManager}} clean && \
-      rm -rf /var/lib/apt/lists/* && exit_code=0 && break || exit_code=$? && echo "{{packageManager}} error: retry $iter in 10s" && \
+      apt-get update  && \
+      apt-get upgrade -y  && \
+      apt-get install -y --no-install-recommends \
+       fontconfig libnss3 ca-certificates && \
+      apt-get clean && \
+      rm -rf /var/lib/apt/lists/* && exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && \
       sleep 10; \
     done; \
     (exit $exit_code)
 {{/ubuntu}}
+{{#chainguard}}
+RUN apk --no-cache add bash curl fontconfig libstdc++ freetype nss findutils shadow
+{{/chainguard}}
 
 # Bring in Kibana from the initial stage.
 COPY --from=builder --chown=1000:0 /usr/share/kibana /usr/share/kibana

src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts

@@ -16,7 +16,7 @@ function generator(options: TemplateContext) {
   const dir = options.ironbank ? 'ironbank' : 'base';
   const template = readFileSync(resolve(__dirname, dir, './Dockerfile'));
   return Mustache.render(template.toString(), {
-    packageManager: options.baseImage === 'ubi' ? 'microdnf' : 'apt-get',
+    chainguard: options.baseImage === 'chainguard',
     ubi: options.baseImage === 'ubi',
     ubuntu: options.baseImage === 'ubuntu',
     opensslLegacyProvider: !(options.cloud || options.serverless || options.fips),