github-mirrors/logstash
1
0
Fork 0
mirror of https://github.com/elastic/logstash.git synced 2025-06-28 09:46:03 -04:00
Code Issues Projects Releases Packages Wiki Activity

Modernize ironbank Dockerfile (#16022)

Browse source 
- remove golang assets (go1.17.8.linux-amd64.tar.gz)
- remove yaml lib assets (v2.3.0.tar.gz)
- use go container to build env2yaml
- remove unnecessary layers
- remove HEALTHCHECK
- switch yum to dnf

Fixes: elastic/ingest-dev#3008
This commit is contained in:
kaisecheng 2024-03-28 11:15:01 +00:00 committed by GitHub
parent e429795039
commit a7779664af
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 97 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

181
docker/templates/Dockerfile.erb
View file

@ -1,148 +1,149 @@
# This Dockerfile was generated from templates/Dockerfile.erb # This Dockerfile was generated from templates/Dockerfile.erb
<% if local_artifacts == 'false' -%>
<% url_root = 'https://artifacts.elastic.co/downloads/logstash' -%>
<% else -%>
<% url_root = 'http://localhost:8000' -%>
<% end -%>
<% if image_flavor == 'oss' -%>
<% tarball = "logstash-oss-#{elastic_version}-linux-$(arch).tar.gz" -%>
<% license = 'Apache 2.0' -%>
<% else -%>
<% tarball = "logstash-#{elastic_version}-linux-$(arch).tar.gz" -%>
<% license = 'Elastic License' -%>
<% end -%>
<% if image_flavor == 'ubi8' %>
<% base_image = 'docker.elastic.co/ubi8/ubi-minimal' -%>
<% package_manager = 'microdnf' -%>
# Minimal distributions do not ship with en language packs.
<% locale = 'C.UTF-8' -%>
<% elsif image_flavor == 'ironbank' -%>
<% package_manager = 'yum' -%>
<% else -%>
<% base_image = 'ubuntu:20.04' -%>
<% package_manager = 'apt-get' -%>
<% locale = 'en_US.UTF-8' -%>
<% end -%>
<% if image_flavor == 'ironbank' -%> <% if image_flavor == 'ironbank' -%>
ARG BASE_REGISTRY=registry1.dsop.io <%# Start image_flavor 'ironbank' %>
ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
ARG BASE_TAG=9.2 ARG BASE_TAG=9.3
ARG LOGSTASH_VERSION=<%= elastic_version %> ARG LOGSTASH_VERSION=<%= elastic_version %>
ARG GOLANG_VERSION=1.17.8 ARG GOLANG_VERSION=1.21.8
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS env2yaml # stage 1: build env2yaml
FROM ${BASE_REGISTRY}/google/golang/ubi9/golang-1.21:${GOLANG_VERSION} AS env2yaml
ARG GOLANG_VERSION ENV GOPATH=/go
# install golang COPY scripts/go /go
RUN yum update -y && yum install -y git
COPY go${GOLANG_VERSION}.linux-amd64.tar.gz /opt/go.tar.gz
RUN tar -C /usr/local -xzf /opt/go.tar.gz
ENV PATH=$PATH:/usr/local/go/bin
# compile the env2yaml tool USER root
COPY v2.3.0.tar.gz /opt/env2yaml.tar.gz
COPY scripts/go /usr/local/src/go
WORKDIR /usr/local/src/go/src/env2yaml
RUN mkdir -p vendor/gopkg.in
RUN tar -zxf /opt/env2yaml.tar.gz -C vendor/gopkg.in
RUN mv vendor/gopkg.in/yaml-2.3.0 vendor/gopkg.in/yaml.v2
ENV GOPATH=/usr/local/src/go
RUN go build -mod vendor
# stage 1: unpack logstash RUN dnf-3 -y upgrade && dnf-3 install -y git && \
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS builder cd /go/src/env2yaml && \
go build
# Final stage
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
ARG LOGSTASH_VERSION ARG LOGSTASH_VERSION
WORKDIR /usr/share/ ENV ELASTIC_CONTAINER true
COPY logstash-${LOGSTASH_VERSION}-linux-x86_64.tar.gz /opt/logstash.tar.gz ENV PATH=/usr/share/logstash/bin:$PATH
RUN tar zxf /opt/logstash.tar.gz && \ WORKDIR /usr/share
mv /usr/share/logstash-${LOGSTASH_VERSION} /usr/share/logstash
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} COPY --from=env2yaml /go/src/env2yaml/env2yaml /usr/local/bin/env2yaml
COPY scripts/config/* config/
COPY scripts/pipeline/default.conf pipeline/logstash.conf
COPY scripts/bin/docker-entrypoint /usr/local/bin/
COPY logstash-${LOGSTASH_VERSION}-linux-x86_64.tar.gz /tmp/logstash.tar.gz
RUN dnf -y upgrade && \
dnf install -y procps findutils tar gzip which shadow-utils && \
dnf clean all && \
groupadd --gid 1000 logstash && \
adduser --uid 1000 --gid 1000 --home-dir /usr/share/logstash --no-create-home logstash && \
tar -zxf /tmp/logstash.tar.gz -C /usr/share/ && \
mv /usr/share/logstash-${LOGSTASH_VERSION} /usr/share/logstash && \
chown -R 1000:0 /usr/share/logstash && \
chown --recursive logstash:logstash /usr/share/logstash/ && \
chown -R logstash:root /usr/share/logstash config/ pipeline/ && \
chmod -R g=u /usr/share/logstash && \
mv config/* /usr/share/logstash/config && \
mv pipeline /usr/share/logstash/pipeline && \
mkdir /licenses/ && \
mv /usr/share/logstash/NOTICE.TXT /licenses/NOTICE.TXT && \
mv /usr/share/logstash/LICENSE.txt /licenses/LICENSE.txt && \
ln -s /usr/share/logstash /opt/logstash && \
chmod 0755 /usr/local/bin/docker-entrypoint && \
rmdir config && \
rm /tmp/logstash.tar.gz
<%# End image_flavor 'ironbank' %>
<% else -%> <% else -%>
<%# Start image_flavor 'full', oss', 'ubi8' %>
<% if local_artifacts == 'false' -%>
<% url_root = 'https://artifacts.elastic.co/downloads/logstash' -%>
<% else -%>
<% url_root = 'http://localhost:8000' -%>
<% end -%>
<% if image_flavor == 'oss' -%>
<% tarball = "logstash-oss-#{elastic_version}-linux-$(arch).tar.gz" -%>
<% license = 'Apache 2.0' -%>
<% else -%>
<% tarball = "logstash-#{elastic_version}-linux-$(arch).tar.gz" -%>
<% license = 'Elastic License' -%>
<% end -%>
<% if image_flavor == 'ubi8' %>
<% base_image = 'docker.elastic.co/ubi8/ubi-minimal' -%>
<% package_manager = 'microdnf' -%>
# Minimal distributions do not ship with en language packs.
<% locale = 'C.UTF-8' -%>
<% else -%>
<% base_image = 'ubuntu:20.04' -%>
<% package_manager = 'apt-get' -%>
<% locale = 'en_US.UTF-8' -%>
<% end -%>
FROM <%= base_image %> FROM <%= base_image %>
<% end -%>
RUN for iter in {1..10}; do \ RUN for iter in {1..10}; do \
<% if image_flavor == 'full' || image_flavor == 'oss' -%> <% if image_flavor == 'full' || image_flavor == 'oss' -%>
export DEBIAN_FRONTEND=noninteractive && \ export DEBIAN_FRONTEND=noninteractive && \
<% end -%> <% end -%>
<%= package_manager %> update -y && \ <%= package_manager %> update -y && \
<% if image_flavor != 'ironbank' -%>
<%= package_manager %> upgrade -y && \ <%= package_manager %> upgrade -y && \
<% end -%>
<%= package_manager %> install -y procps findutils tar gzip && \ <%= package_manager %> install -y procps findutils tar gzip && \
<% if image_flavor == 'ubi8' -%> <% if image_flavor == 'ubi8' -%>
<%= package_manager %> install -y openssl && \ <%= package_manager %> install -y openssl && \
<% end -%> <% end -%>
<% if image_flavor == 'ubi8' || image_flavor == 'ironbank' -%> <% if image_flavor == 'ubi8' -%>
<%= package_manager %> install -y which shadow-utils && \ <%= package_manager %> install -y which shadow-utils && \
<% else -%> <% else -%>
<%= package_manager %> install -y locales && \ <%= package_manager %> install -y locales && \
<% end -%> <% end -%>
<% if image_flavor != 'ubi9' && image_flavor != 'ironbank' -%> <% if image_flavor != 'ubi9' -%>
<%= package_manager %> install -y curl && \ <%= package_manager %> install -y curl && \
<% end -%> <% end -%>
<%= package_manager %> clean all && \ <%= package_manager %> clean all && \
<% if image_flavor == 'full' || image_flavor == 'oss' -%> <% if image_flavor == 'full' || image_flavor == 'oss' -%>
locale-gen 'en_US.UTF-8' && \ locale-gen 'en_US.UTF-8' && \
<%= package_manager %> clean metadata && \ <%= package_manager %> clean metadata && \
<% end -%> <% end -%>
exit_code=0 && break || exit_code=$? && \ exit_code=0 && break || exit_code=$? && \
echo "packaging error: retry $iter in 10s" && \ echo "packaging error: retry $iter in 10s" && \
<%= package_manager %> clean all && \ <%= package_manager %> clean all && \
<% if image_flavor == 'full' || image_flavor == 'oss' -%> <% if image_flavor == 'full' || image_flavor == 'oss' -%>
<%= package_manager %> clean metadata && \ <%= package_manager %> clean metadata && \
<% end -%> <% end -%>
sleep 10; done; \ sleep 10; done; \
(exit $exit_code) (exit $exit_code)
# Provide a non-root user to run the process. # Provide a non-root user to run the process.
RUN groupadd --gid 1000 logstash && \ RUN groupadd --gid 1000 logstash && \
adduser --uid 1000 --gid 1000 \ adduser --uid 1000 --gid 1000 --home /usr/share/logstash --no-create-home logstash
<% if image_flavor != 'ironbank' %>--home <% else %>--home-dir <% end %>/usr/share/logstash --no-create-home \
logstash
<% if image_flavor == 'ironbank' %>
WORKDIR /usr/share/logstash
COPY --from=env2yaml /usr/local/src/go/src/env2yaml/env2yaml /usr/local/bin/env2yaml
COPY --from=builder --chown=1000:0 /usr/share/logstash /usr/share/logstash
<% end -%>
# Add Logstash itself. # Add Logstash itself.
RUN \ RUN curl -Lo - <%= url_root %>/<%= tarball %> | \
<% if image_flavor != 'ironbank' %> curl -Lo - <%= url_root %>/<%= tarball %> | \
tar zxf - -C /usr/share && \ tar zxf - -C /usr/share && \
mv /usr/share/logstash-<%= elastic_version %> /usr/share/logstash && \ mv /usr/share/logstash-<%= elastic_version %> /usr/share/logstash && \
<% end -%>
chown --recursive logstash:logstash /usr/share/logstash/ && \ chown --recursive logstash:logstash /usr/share/logstash/ && \
chown -R logstash:root /usr/share/logstash && \ chown -R logstash:root /usr/share/logstash && \
chmod -R g=u /usr/share/logstash && \ chmod -R g=u /usr/share/logstash && \
mkdir /licenses/ && \ mkdir /licenses/ && \
mv /usr/share/logstash/NOTICE.TXT /licenses/NOTICE.TXT && \ mv /usr/share/logstash/NOTICE.TXT /licenses/NOTICE.TXT && \
mv /usr/share/logstash/LICENSE.txt /licenses/LICENSE.txt && \ mv /usr/share/logstash/LICENSE.txt /licenses/LICENSE.txt && \
<% if image_flavor != 'ironbank' -%>
find /usr/share/logstash -type d -exec chmod g+s {} \; && \ find /usr/share/logstash -type d -exec chmod g+s {} \; && \
<% end -%>
ln -s /usr/share/logstash /opt/logstash ln -s /usr/share/logstash /opt/logstash
<% if image_flavor != 'ironbank' %>
WORKDIR /usr/share/logstash WORKDIR /usr/share/logstash
<% end -%>
ENV ELASTIC_CONTAINER true ENV ELASTIC_CONTAINER true
ENV PATH=/usr/share/logstash/bin:$PATH ENV PATH=/usr/share/logstash/bin:$PATH
# Provide a minimal configuration, so that simple invocations will provide # Provide a minimal configuration, so that simple invocations will provide
# a good experience. # a good experience.
<% if image_flavor != 'ironbank' -%>
COPY config/pipelines.yml config/pipelines.yml COPY config/pipelines.yml config/pipelines.yml
<% if image_flavor == 'oss' -%> <% if image_flavor == 'oss' -%>
COPY config/logstash-oss.yml config/logstash.yml COPY config/logstash-oss.yml config/logstash.yml
<% else -%> <% else -%>
COPY config/logstash-full.yml config/logstash.yml COPY config/logstash-full.yml config/logstash.yml
<% end -%> <% end -%>
COPY config/log4j2.properties config/ COPY config/log4j2.properties config/
COPY config/log4j2.file.properties config/ COPY config/log4j2.file.properties config/
@ -155,18 +156,10 @@ ARG TARGETARCH
COPY env2yaml/env2yaml-${TARGETARCH} /usr/local/bin/env2yaml COPY env2yaml/env2yaml-${TARGETARCH} /usr/local/bin/env2yaml
# Place the startup wrapper script. # Place the startup wrapper script.
COPY bin/docker-entrypoint /usr/local/bin/ COPY bin/docker-entrypoint /usr/local/bin/
<% else -%>
COPY scripts/config/pipelines.yml config/pipelines.yml
COPY scripts/config/logstash.yml config/logstash.yml
COPY scripts/config/log4j2.properties config/
COPY scripts/config/log4j2.file.properties config/
COPY scripts/pipeline/default.conf pipeline/logstash.conf
RUN chown --recursive logstash:root config/ pipeline/
# Place the startup wrapper script.
COPY scripts/bin/docker-entrypoint /usr/local/bin/
<% end -%>
RUN chmod 0755 /usr/local/bin/docker-entrypoint RUN chmod 0755 /usr/local/bin/docker-entrypoint
<%# End image_flavor 'full', oss', 'ubi8' %>
<% end -%>
USER 1000 USER 1000
@ -196,8 +189,4 @@ LABEL org.label-schema.schema-version="1.0" \
org.opencontainers.image.created=<%= created_date %> org.opencontainers.image.created=<%= created_date %>
<% end -%> <% end -%>
<% if image_flavor == 'ironbank' -%>
HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 http://localhost:9600 || exit 1
<% end -%>
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"] ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]

14
docker/templates/hardening_manifest.yaml.erb
View file

@ -14,9 +14,9 @@ tags:
# Build args passed to Dockerfile ARGs # Build args passed to Dockerfile ARGs
args: args:
BASE_IMAGE: "redhat/ubi/ubi9" BASE_IMAGE: "redhat/ubi/ubi9"
BASE_TAG: "9.2" BASE_TAG: "9.3"
LOGSTASH_VERSION: "<%= elastic_version %>" LOGSTASH_VERSION: "<%= elastic_version %>"
GOLANG_VERSION: "1.17.8" GOLANG_VERSION: "1.21.8"
# Docker image labels # Docker image labels
labels: labels:
@ -44,16 +44,6 @@ resources:
validation: validation:
type: sha512 type: sha512
value: <INSERT SHA512 VALUE FROM https://artifacts.elastic.co/downloads/logstash/logstash-<%= elastic_version %>-linux-x86_64.tar.gz.sha512> value: <INSERT SHA512 VALUE FROM https://artifacts.elastic.co/downloads/logstash/logstash-<%= elastic_version %>-linux-x86_64.tar.gz.sha512>
- filename: go1.17.8.linux-amd64.tar.gz
url: https://dl.google.com/go/go1.17.8.linux-amd64.tar.gz
validation:
type: sha256
value: 980e65a863377e69fd9b67df9d8395fd8e93858e7a24c9f55803421e453f4f99
- filename: v2.3.0.tar.gz
url: https://github.com/go-yaml/yaml/archive/v2.3.0.tar.gz
validation:
type: sha512
value: ba934e9cb5ebd2346d3897308b71d13bc6471a8dbc0dc0d46a02644ee6b6553d20c20393471b81025b572a9b03e3326bde9c3e8be156474f1a1f91ff027b6a4f
# List of project maintainers # List of project maintainers
maintainers: maintainers: