Make Docker images suitable for ESS/ECE #49926
Comments
|
Pinging @elastic/es-core-infra (:Core/Infra/Core) |
|
cc @dliappis / @nachogiljaldo for input. |
Please can whoever does this work ping me so we make sure the kill order of the "mini- |
|
Talking to @mieciu, we do want the GID 0 approach for the user running ES, which is good. We may need to support UIDs other than 1000 - I'm trying to find out more. |
|
@droberts195 any idea who fixed it in Cloud, or a PR number maybe? Just so I can have a peek. |
It was @mieciu. The PR is in a private repo. |
Closes elastic#49926 and elastic#46166. * Add a mini-init process (copied from Cloud) * Don't use root at all when running the container * Add an explicity TERM handler * Ensure no files in the image have the setuid flag Also improve dependency tracking in the build.
Closes #49926 and #46166. Rework the Docker image so that it comes with a tiny init system, to ensure ML processes are correctly cleaned up, and to run ES as a regular user instead of root. Also: * Ensure no files in the image have the setuid/setgid flag * Also improve dependency tracking in the build * Remove TAKE_FILE_OWNERSHIP option and its documentation
Cloud currently builds and runs a fully custom Elasticsearch image. The Stack image should provide an image suitable for direct use instead.
User / Group IDs
Cloud currently expects to be able to set the user and group IDs via environment variables. The entry point script changes the
founduseruser's UID and GID to those provided in the env vars, and performs a recursivechownon some directories in the container.The Stack image takes a different approach, in that it follows the OKD image guidelines and uses GID 0 for all files.
The different in approaches may well be due to Cloud's multi-tenancy. I don't know how OKD handles this.
(There is a related open issue, "Pin USER in Dockerfile complying with Docker best practices" (#46166).)
setuid flags
Cloud ensures that there are no files with setuid, in order to mitigate "stackclash" attacks. Basically, they do this:
This could be done in the Stack image.
Init process
Cloud runs Elasticsearch via a mini-
initprocess in order to avoid zombie processes. There should be no harm in adopting this in the Stack image.JVM options
Cloud comments out the heap settings and disables the
HeapDumpOnOutOfMemoryErrorflag injvm.options. Cloud is also passing the relevant heap options on the command line so it's not necessary to comment out the heap settings (this has been the case since 5.0). It does has the advantage that the resulting Elasticsearch command line flags is tidier. I don't know if that's important to Cloud.Quota-aware filesystem
Cloud changes the default filesystem provider to an implementation that is aware of user quotas. This is achieved by providing a file to the container that contains the quota settings, which the provider then takes into account then answering capacity questions. The file has a default location, which can be changed via a system property. The filesystem provider is changed via a JVM option, set via
ES_JAVA_OPTS.Cloud has suggested that the Stack provide "a native and equivalent way to deal with this". There is a Stack Overflow question that suggests that Java lacks support for this at present. It ought to be possible to perform native calls on Linux (and possibly other operating systems) that return quota information, but it's unclear how feasible / time consuming that will be. Cloud can continue using their current solution without modifying the base image.
Plugins
The Cloud Docker build process downloads and adds plugins to the image, in a "plugin-archive" directory. Then, when an allocator run an Elasticsearch image, it runs the
elasticsearch-plugintool to install the active plugins from the archive directory. User-provided plugins are downloaded and installed dynamically.There's nothing obvious that the Stack image needs to do here.
The text was updated successfully, but these errors were encountered: