From 24bb6b425d932a69ded2f537806357d9d9ff6756 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Fri, 7 Jun 2024 18:25:53 +0200 Subject: [PATCH] feat: add wolfi based image (#12671) * feat: add chainguard dockerfile Use chainguard images for base image and building image. Remove shell script entrypoint and run apm-server directly. We lose the ability to run other binaries as the entrypoint but that's fine since there are no other binaries in the image. Update apm-server config in the builder image since we do not have posix tools in the static image. Drop tini since it is now included in docker. * fix: use GOLANG_VERSION build arg to retrieve correct image * Update Dockerfile.chainguard
---
 packaging/docker/Dockerfile.chainguard | 89 +++++++++++++++++++++++++-
 1 file changed, 87 insertions(+), 2 deletions(-)
diff --git a/packaging/docker/Dockerfile.chainguard b/packaging/docker/Dockerfile.chainguard
index ddd0b22ff68..fc52612201c 100644
--- a/packaging/docker/Dockerfile.chainguard
+++ b/packaging/docker/Dockerfile.chainguard
@@ -1,2 +1,87 @@
-FROM docker.elastic.co/wolfi/chainguard-base:20230214
-RUN echo 'TBC'
\ No newline at end of file
+ARG GOLANG_VERSION
+
+################################################################################
+# Build stage 0
+# Build the apm-server binary. The golang image version is kept
+# up to date with go.mod by Makefile.
+################################################################################
+FROM docker.elastic.co/wolfi/go:${GOLANG_VERSION} as builder
+WORKDIR /src
+COPY go.mod go.sum .go-version /src/
+COPY internal/glog/go.mod /src/internal/glog/go.mod
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
+COPY Makefile *.mk /src/
+COPY cmd /src/cmd
+COPY internal /src/internal
+COPY x-pack /src/x-pack
+COPY .git /src/.git
+COPY script /src/script
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ make apm-server
+
+COPY apm-server.yml ./apm-server.yml
+COPY --chmod=0644 apm-server.yml ./apm-server.yml
+RUN sed -i 's/127.0.0.1:8200/0.0.0.0:8200/' apm-server.yml
+RUN sed -i 's/localhost:9200/elasticsearch:9200/' apm-server.yml
+
+################################################################################
+# Build stage 1
+# Copy prepared files from the previous stage and complete the image.
+################################################################################
+FROM cgr.dev/chainguard/static:latest@sha256:288b818c1b3dd89776d176f07f5f671b118fe836c4d80ec2cc3299b596fe71b7
+ARG TARGETARCH
+ARG BUILD_DATE
+ARG VERSION
+ARG VCS_REF
+
+# Statically defined labels.
+LABEL \
+ org.label-schema.schema-version="1.0" \
+ org.label-schema.vendor="Elastic" \
+ org.label-schema.license="Elastic License" \
+ org.label-schema.name="apm-server" \
+ org.label-schema.url="https://www.elastic.co/apm" \
+ org.label-schema.vcs-url="github.com/elastic/apm-server" \
+ io.k8s.description="Elastic APM Server" \
+ io.k8s.display-name="Apm-Server image" \
+ org.opencontainers.image.licenses="Elastic License" \
+ org.opencontainers.image.title="Apm-Server" \
+ org.opencontainers.image.vendor="Elastic" \
+ name="apm-server" \
+ maintainer="infra@elastic.co" \
+ vendor="Elastic" \
+ release="1" \
+ url="https://www.elastic.co/apm" \
+ summary="apm-server" \
+ license="Elastic License" \
+ description="Elastic APM Server"
+
+# Dynamic labels, only set in published images.
+LABEL \
+ org.label-schema.build-date=${BUILD_DATE} \
+ org.label-schema.version=${VERSION} \
+ org.label-schema.vcs-ref=${VCS_REF} \
+ org.opencontainers.image.created=${BUILD_DATE} \
+ version=${VERSION}
+
+ENV ELASTIC_CONTAINER "true"
+
+# When running under Docker, we must ensure libbeat monitoring pulls cgroup
+# metrics from /sys/fs/cgroup//, ignoring any paths found in
+# /proc/self/cgroup.
+ENV LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE=/
+
+# Disable libbeat's strict permissions checking, which is not relevant when
+# running in Docker.
+ENV BEAT_STRICT_PERMS=false
+
+COPY --chmod=0644 --chown=nonroot:nonroot licenses/ELASTIC-LICENSE-2.0.txt NOTICE.txt /licenses/
+
+WORKDIR /usr/share/apm-server
+COPY --chmod=0755 --chown=nonroot:nonroot --from=builder /src/apm-server ./apm-server
+COPY --chmod=0644 --chown=nonroot:nonroot --from=builder /src/apm-server.yml ./apm-server.yml
+
+EXPOSE 8200
+ENTRYPOINT ["/usr/share/apm-server/apm-server", "--environment=container"]
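Review bot: The two final-stage `COPY --chown=nonroot:nonroot --from=builder` lines leave the apm-server binary (0755) and apm-server.yml (0644) owned by `nonroot`, which is presumably the account the chainguard static base runs as (the stage sets no `USER` of its own), so the running process could rewrite its own executable and configuration. `BEAT_STRICT_PERMS=false`, set a few lines above, also turns off libbeat's permissions check on the config file, so a modified config would not be rejected at startup. Dropping `--chown` keeps both files root-owned and read-only to the runtime user, e.g. `COPY --chmod=0755 --from=builder /src/apm-server ./apm-server` and `COPY --chmod=0644 --from=builder /src/apm-server.yml ./apm-server.yml`; confirm first that apm-server does not need to write to these paths. Separately, in the builder stage the plain `COPY apm-server.yml ./apm-server.yml` is immediately repeated with `--chmod=0644` and can be removed.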