Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Docker images suitable for ESS/ECE/ECK #52450

Closed
tylersmalley opened this issue Dec 6, 2019 · 2 comments
Closed

Make Docker images suitable for ESS/ECE/ECK #52450

tylersmalley opened this issue Dec 6, 2019 · 2 comments
Labels
blocker Feature:Build Packaging Team:Operations Team label for Operations Team v8.0.0

Comments

@tylersmalley
Copy link
Contributor

tylersmalley commented Dec 6, 2019
edited
Loading

Cloud currently builds and runs a fully custom Kibana image. The Stack image should provide an image suitable for direct use instead.

User / Group IDs

Cloud currently expects to be able to set the user and group IDs via environment variables. The entry point script changes the founduser user's UID and GID to those provided in the env vars, and performs a recursive chown on some directories in the container.

The Stack image takes a different approach, in that it follows the OKD image guidelines and uses GID 0 for all files.

setuid flags

PR: #56826

Cloud ensures that there are no files with setuid, in order to mitigate "stackclash" attacks. Basically, they do this:

RUN find / -xdev -perm -4000 -exec chmod u-s {} +

This could be done in the Stack image.

Init process

Cloud runs Kibana via a mini-init process in order to avoid zombie processes. There should be no harm in adopting this in the Stack image. https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/

Unpack Chromium

Issue: #53664

Unpacking Chromium at startup results in a slower startup. Because of this, Cloud has chosen to unpack Chromium and delete remove the zip to conserve space.

License Management UI

Issue: #52709

In a managed environment, there is no need for the license management UI to be present. For this, the license management plugin is disabled, however this triggers an optimization run. I believe we can add a configuration option to disable the UI, while keeping the plugin installed, preventing an optimization run.
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-operations (Team:Operations)

@tylersmalley tylersmalley mentioned this issue Dec 11, 2019
Closed
@tylersmalley tylersmalley changed the title Make Docker images suitable for ESS/ECE Make Docker images suitable for ESS/ECE/ECK Dec 16, 2019
@tylersmalley tylersmalley mentioned this issue Dec 20, 2019
Closed
@mieciu mieciu mentioned this issue Feb 5, 2020
Merged
1 task
tylersmalley pushed a commit to tylersmalley/kibana that referenced this issue Feb 5, 2020
[build] Adds a mini-init process for Docker
b8cad1e 
Based on elastic/elasticsearch#50277
Related to elastic#52450

Signed-off-by: Tyler Smalley <[email protected]>
@tylersmalley tylersmalley mentioned this issue Feb 5, 2020
Closed
@tylersmalley
Copy link
Contributor Author

This is complete.

@tylersmalley tylersmalley mentioned this issue May 12, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocker Feature:Build Packaging Team:Operations Team label for Operations Team v8.0.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tylersmalley @elasticmachine