diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl deleted file mode 100644 index d2edf7909cb..00000000000 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ /dev/null @@ -1,198 +0,0 @@ -{{- $beatHome := printf "%s/%s" "/usr/share" .BeatName }} -{{- $beatBinary := printf "%s/%s" $beatHome .BeatName }} -{{- $repoInfo := repo }} - -# Prepare home in a different stage to avoid creating additional layers on -# the final image because of permission changes. -FROM {{ .buildFrom }} AS home - -COPY beat {{ $beatHome }} - -RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \ - chown -R root:root {{ $beatHome }} && \ - find {{ $beatHome }} -type d -exec chmod 0755 {} \; && \ - find {{ $beatHome }} -type f -exec chmod 0644 {} \; && \ - chmod 0755 {{ $beatBinary }} && \ -{{- range $i, $modulesd := .ModulesDirs }} - chmod 0775 {{ $beatHome}}/{{ $modulesd }} && \ -{{- end }} - chmod 0775 {{ $beatHome }}/data {{ $beatHome }}/logs - -FROM {{ .from }} - -{{- if contains .from "ubi-minimal" }} -RUN microdnf -y update && \ - microdnf install findutils shadow-utils && \ - microdnf clean all -{{- else }} -RUN for iter in {1..10}; do \ - apt-get update -y && \ - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ca-certificates curl gawk libcap2-bin xz-utils && \ - apt-get clean all && \ - exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \ - done; \ - (exit $exit_code) -{{- end }} - -{{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal"))) }} -RUN apt-get update -y && \ - for iter in {1..10}; do \ - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \ - libglib2.0-0\ - libnss3\ - libnspr4\ - libatk1.0-0\ - libatk-bridge2.0-0\ - libcups2\ - libdrm2\ - libdbus-1-3\ - libxcb1\ - libxkbcommon0\ - libx11-6\ - libxcomposite1\ - libxdamage1\ - libxext6\ - libxfixes3\ - libxrandr2\ - libgbm1\ - libpango-1.0-0\ - libcairo2\ - libasound2\ - libatspi2.0-0\ - libxshmfence1 \ - fonts-noto \ - fonts-noto-cjk && \ - apt-get clean all && \ - exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \ - done; \ - (exit $exit_code) -ENV NODE_PATH={{ $beatHome }}/.node -RUN echo \ - $NODE_PATH \ - {{ $beatHome }}/.config \ - {{ $beatHome }}/.synthetics \ - {{ $beatHome }}/.npm \ - {{ $beatHome }}/.cache \ - | xargs -IDIR sh -c 'mkdir -p DIR && chmod 0770 DIR' -{{- end }} - -LABEL \ - org.label-schema.build-date="{{ date }}" \ - org.label-schema.schema-version="1.0" \ - org.label-schema.vendor="{{ .BeatVendor }}" \ - org.label-schema.license="{{ .License }}" \ - org.label-schema.name="{{ .BeatName }}" \ - org.label-schema.version="{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}" \ - org.label-schema.url="{{ .BeatURL }}" \ - org.label-schema.vcs-url="{{ $repoInfo.RootImportPath }}" \ - org.label-schema.vcs-ref="{{ commit }}" \ - io.k8s.description="{{ .BeatDescription }}" \ - io.k8s.display-name="{{ .BeatName | title }} image" \ - org.opencontainers.image.created="{{ date }}" \ - org.opencontainers.image.licenses="{{ .License }}" \ - org.opencontainers.image.title="{{ .BeatName | title }}" \ - org.opencontainers.image.vendor="{{ .BeatVendor }}" \ - name="{{ .BeatName }}" \ - maintainer="infra@elastic.co" \ - vendor="{{ .BeatVendor }}" \ - version="{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}" \ - release="1" \ - url="{{ .BeatURL }}" \ - summary="{{ .BeatName }}" \ - license="{{ .License }}" \ - description="{{ .BeatDescription }}" - -ENV ELASTIC_CONTAINER "true" -ENV PATH={{ $beatHome }}:$PATH -ENV GODEBUG="madvdontneed=1" - -# Add an init process, check the checksum to make sure it's a match -RUN set -e ; \ - TINI_BIN=""; \ - TINI_SHA256=""; \ - TINI_VERSION="v0.19.0"; \ - echo "The arch value is $(arch)"; \ - case "$(arch)" in \ - x86_64) \ - TINI_BIN="tini-amd64"; \ - TINI_SHA256="93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c"; \ - ;; \ - aarch64) \ - TINI_BIN="tini-arm64"; \ - TINI_SHA256="07952557df20bfd2a95f9bef198b445e006171969499a1d361bd9e6f8e5e0e81"; \ - ;; \ - *) \ - echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \ - ;; \ - esac ; \ - curl --retry 8 -S -L -O "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${TINI_BIN}" ; \ - echo "${TINI_SHA256} ${TINI_BIN}" | sha256sum -c - ; \ - mv "${TINI_BIN}" /usr/bin/tini ; \ - chmod +x /usr/bin/tini - -COPY docker-entrypoint /usr/local/bin/docker-entrypoint -RUN chmod 755 /usr/local/bin/docker-entrypoint - -COPY --from=home {{ $beatHome }} {{ $beatHome }} - -RUN mkdir /licenses -COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses -COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses - -{{- if .linux_capabilities }} -# Since the beat is stored at the other end of a symlink we must follow the symlink first -# For security reasons setcap does not support symlinks. This is smart in the general case -# but in our specific case since we're building a trusted image from trusted binaries this is -# fine. Thus, we use readlink to follow the link and setcap on the actual binary -RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }} -{{- end }} - -{{- if ne .user "root" }} -RUN groupadd --gid 1000 {{ .BeatName }} -RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} -{{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal"))) }} -RUN chown {{ .user }} $NODE_PATH -{{- end }} -{{- end }} -USER {{ .user }} - -{{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal"))) }} -# Setup synthetics env vars -ENV ELASTIC_SYNTHETICS_CAPABLE=true -ENV SUITES_DIR={{ $beatHome }}/suites -ENV NODE_VERSION=16.15.0 -ENV PATH="$NODE_PATH/node/bin:$PATH" -# Install the latest version of @elastic/synthetics forcefully ignoring the previously -# cached node_modules, heartbeat then calls the global executable to run test suites -# Setup node -RUN cd /usr/share/heartbeat/.node \ - && NODE_DOWNLOAD_URL="" \ - && case "$(arch)" in \ - x86_64) \ - NODE_DOWNLOAD_URL=https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz \ - ;; \ - aarch64) \ - NODE_DOWNLOAD_URL=https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-arm64.tar.xz \ - ;; \ - *) \ - echo >&2 ; echo >&2 "Unsupported architecture \$(arch)" ; echo >&2 ; exit 1 ; \ - ;; \ - esac \ - && mkdir -p node \ - && curl ${NODE_DOWNLOAD_URL} | tar -xJ --strip 1 -C node \ - && chmod ug+rwX -R $NODE_PATH \ - && npm i -g -f @elastic/synthetics@stack_release && chmod ug+rwX -R $NODE_PATH -{{- end }} - -{{- range $i, $port := .ExposePorts }} -EXPOSE {{ $port }} -{{- end }} - -# When running under Docker, we must ensure libbeat monitoring pulls cgroup -# metrics from /sys/fs/cgroup//, ignoring any paths found in -# /proc/self/cgroup. -ENV LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE=/ - -WORKDIR {{ $beatHome }} -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-entrypoint"] -CMD ["-environment", "container"] diff --git a/dev-tools/packaging/templates/docker/docker-entrypoint.tmpl b/dev-tools/packaging/templates/docker/docker-entrypoint.tmpl deleted file mode 100644 index f073e21e318..00000000000 --- a/dev-tools/packaging/templates/docker/docker-entrypoint.tmpl +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Check if the the user has invoked the image with flags. -# eg. "{{ .BeatName }} -c {{ .BeatName }}.yml" -if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then - exec {{ .BeatName }} "$@" -else - # They may be looking for a Beat subcommand, like "{{ .BeatName }} setup". - subcommands=$({{ .BeatName }} help \ - | awk 'BEGIN {RS=""; FS="\n"} /Available Commands:/' \ - | awk '/^\s+/ {print $1}') - - # If we _did_ get a subcommand, pass it to {{ .BeatName }}. - for subcommand in $subcommands; do - if [[ $1 == $subcommand ]]; then - exec {{ .BeatName }} "$@" - fi - done -fi - -# If neither of those worked, then they have specified the binary they want, so -# just do exactly as they say. -exec "$@"