-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
Dockerfile.elastic-agent.tmpl
215 lines (192 loc) · 8.33 KB
/
Dockerfile.elastic-agent.tmpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
{{- $beatHome := printf "%s/%s" "/usr/share" .BeatName }}
{{- $beatBinary := printf "%s/%s" $beatHome .BeatName }}
{{- $repoInfo := repo }}
# Prepare home in a different stage to avoid creating additional layers on
# the final image because of permission changes.
FROM {{ .buildFrom }} AS home
COPY beat {{ $beatHome }}
RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \
chown -R root:root {{ $beatHome }} && \
find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \
find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \
find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \
find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \
rm {{ $beatBinary }} && \
ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \
chmod 0755 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \
{{- range $i, $modulesd := .ModulesDirs }}
chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \
{{- end }}
{{- if contains .image_name "-cloud" }}
mkdir -p /opt/filebeat /opt/metricbeat && \
tar xf {{ $beatHome }}/data/elastic-agent-*/downloads/metricbeat-*.tar.gz -C /opt/metricbeat --strip-components=1 && \
tar xf {{ $beatHome }}/data/elastic-agent-*/downloads/filebeat-*.tar.gz -C /opt/filebeat --strip-components=1 && \
{{- end }}
true
{{- if .linux_capabilities }}
# Since the beat is stored at the other end of a symlink we must follow the symlink first
# For security reasons setcap does not support symlinks. This is smart in the general case
# but in our specific case since we're building a trusted image from trusted binaries this is
# fine. Thus, we use readlink to follow the link and setcap on the actual binary
RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
{{- end }}
FROM {{ .from }}
ENV BEAT_SETUID_AS={{ .user }}
{{- if contains .from "ubi-minimal" }}
RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils jq && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code)
{{- else }}
# Installing jq needs to be installed after epel-release and cannot be in the same yum install command.
RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \
for iter in {1..10}; do \
yum update -y $YUM_FLAGS && \
yum install -y epel-release && \
yum update -y $YUM_FLAGS && \
yum install -y jq && \
yum clean all && \
exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; \
done; \
(exit $exit_code)
{{- end }}
{{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
RUN for iter in {1..10}; do \
yum -y install atk cups gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
libXext libXi libXtst cups-libs libXScrnSaver libXrandr GConf2 \
alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \
yum clean all && \
exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; \
done; \
(exit $exit_code)
ENV NODE_PATH={{ $beatHome }}/.node
RUN echo \
$NODE_PATH \
{{ $beatHome }}/.config \
{{ $beatHome }}/.synthetics \
{{ $beatHome }}/.npm \
{{ $beatHome }}/.cache \
| xargs -IDIR sh -c 'mkdir -p DIR && chmod 0770 DIR'
{{- end }}
LABEL \
org.label-schema.build-date="{{ date }}" \
org.label-schema.schema-version="1.0" \
org.label-schema.vendor="{{ .BeatVendor }}" \
org.label-schema.license="{{ .License }}" \
org.label-schema.name="{{ .BeatName }}" \
org.label-schema.version="{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}" \
org.label-schema.url="{{ .BeatURL }}" \
org.label-schema.vcs-url="{{ $repoInfo.RootImportPath }}" \
org.label-schema.vcs-ref="{{ commit }}" \
io.k8s.description="{{ .BeatDescription }}" \
io.k8s.display-name="{{ .BeatName | title }} image" \
org.opencontainers.image.created="{{ date }}" \
org.opencontainers.image.licenses="{{ .License }}" \
org.opencontainers.image.title="{{ .BeatName | title }}" \
org.opencontainers.image.vendor="{{ .BeatVendor }}" \
name="{{ .BeatName }}" \
maintainer="[email protected]" \
vendor="{{ .BeatVendor }}" \
version="{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}" \
release="1" \
url="{{ .BeatURL }}" \
summary="{{ .BeatName }}" \
license="{{ .License }}" \
description="{{ .BeatDescription }}"
ENV ELASTIC_CONTAINER "true"
ENV PATH={{ $beatHome }}:$PATH
ENV GODEBUG="madvdontneed=1"
# Add an init process, check the checksum to make sure it's a match
RUN set -e ; \
TINI_BIN=""; \
TINI_SHA256=""; \
TINI_VERSION="v0.19.0"; \
case "$(arch)" in \
x86_64) \
TINI_BIN="tini-amd64"; \
TINI_SHA256="93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c"; \
;; \
aarch64) \
TINI_BIN="tini-arm64"; \
TINI_SHA256="07952557df20bfd2a95f9bef198b445e006171969499a1d361bd9e6f8e5e0e81"; \
;; \
*) \
echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \
;; \
esac ; \
curl --retry 8 -S -L -O "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${TINI_BIN}" ; \
echo "${TINI_SHA256} ${TINI_BIN}" | sha256sum -c - ; \
mv "${TINI_BIN}" /usr/bin/tini ; \
chmod +x /usr/bin/tini
COPY docker-entrypoint /usr/local/bin/docker-entrypoint
RUN chmod 755 /usr/local/bin/docker-entrypoint
COPY --from=home {{ $beatHome }} {{ $beatHome }}
# Elastic Agent needs group permissions in the home itself to be able to
# create fleet.yml when running as non-root.
RUN chmod 0770 {{ $beatHome }}
RUN mkdir /licenses
COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses
{{- if contains .image_name "-cloud" }}
COPY --from=home /opt /opt
{{- end }}
{{- if eq .user "root" }}
{{- if contains .image_name "-cloud" }}
# Generate folder for a stub command that will be overwritten at runtime
RUN mkdir /app
{{- end }}
{{- else }}
RUN groupadd --gid 1000 {{ .BeatName }}
RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
{{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
RUN chown {{ .user }} $NODE_PATH
{{- end }}
{{- if contains .image_name "-cloud" }}
# Generate folder for a stub command that will be overwritten at runtime
RUN mkdir /app
RUN chown {{ .user }} /app
{{- end }}
{{- end }}
USER {{ .user }}
{{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
# Setup synthetics env vars
ENV ELASTIC_SYNTHETICS_CAPABLE=true
ENV SUITES_DIR={{ $beatHome }}/suites
ENV NODE_VERSION=14.17.5
ENV PATH="$NODE_PATH/node/bin:$PATH"
# Install the latest version of @elastic/synthetics forcefully ignoring the previously
# cached node_modules, heartbeat then calls the global executable to run test suites
# Setup node
RUN cd {{$beatHome}}/.node \
&& NODE_DOWNLOAD_URL="" \
&& case "$(arch)" in \
x86_64) \
NODE_DOWNLOAD_URL=https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz \
;; \
aarch64) \
NODE_DOWNLOAD_URL=https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-arm64.tar.xz \
;; \
*) \
echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \
;; \
esac \
&& mkdir -p node \
&& curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \
&& chmod ug+rwX -R $NODE_PATH \
&& npm i -g -f @elastic/synthetics && chmod ug+rwX -R $NODE_PATH
{{- end }}
{{- range $i, $port := .ExposePorts }}
EXPOSE {{ $port }}
{{- end }}
# When running under Docker, we must ensure libbeat monitoring pulls cgroup
# metrics from /sys/fs/cgroup/<subsystem>/, ignoring any paths found in
# /proc/self/cgroup.
ENV LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE=/
WORKDIR {{ $beatHome }}
{{- if contains .image_name "-cloud" }}
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/app/apm.sh"]
# Generate a stub command that will be overwritten at runtime
RUN echo -e '#!/bin/sh\nexec /usr/local/bin/docker-entrypoint' > /app/apm.sh && \
chmod 0555 /app/apm.sh
{{- else }}
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-entrypoint"]
{{- end }}