Add with-browser Docker image #829

Merged
merged 7 commits into from
Aug 27, 2024
52 changes: 51 additions & 1 deletion .drone.yml
Expand Up @@ -53,6 +53,7 @@ steps:
- TARGETARCH=amd64
dry_run: "true"
repo: grafana/synthetic-monitoring-agent
target: release
- commands: []
depends_on:
- build
Expand All @@ -68,10 +69,27 @@ steps:
- TARGETVARIANT=v8
dry_run: "true"
repo: grafana/synthetic-monitoring-agent
target: release
- commands: []
depends_on:
- build
environment:
DOCKER_BUILDKIT: "1"
image: plugins/docker
name: docker build (with browser) (linux/amd64)
settings:
build_args:
- TARGETPLATFORM=linux/amd64
- TARGETOS=linux
- TARGETARCH=amd64
dry_run: "true"
repo: grafana/synthetic-monitoring-agent
target: with-browser
- commands:
- "true"
depends_on:
- docker build (linux/amd64)
- docker build (with browser) (linux/amd64)
- docker build (linux/arm64/v8)
image: alpine
name: docker build
Expand Down Expand Up @@ -130,6 +148,38 @@ steps:
when:
ref:
- refs/tags/v*.*.*
- commands:
- echo "latest-browser,$(./scripts/version)-browser" > .tags
depends_on:
- docker publish (release)
image: ghcr.io/grafana/grafana-build-tools:v0.23.0
name: docker publish (with browser) tags
- commands: []
depends_on:
- docker publish (with browser) tags
environment:
DOCKER_BUILDKIT: "1"
image: plugins/docker
name: docker publish (with browser) to docker (linux/amd64)
settings:
dry_run: "false"
password:
from_secret: docker_password
repo: grafana/synthetic-monitoring-agent
username:
from_secret: docker_username
when:
ref:
- refs/tags/v*.*.*
- commands:
- "true"
depends_on:
- docker publish (with browser) to docker (linux/amd64)
image: alpine
name: docker publish (with browser) (release)
when:
ref:
- refs/tags/v*.*.*
- commands: []
depends_on:
- docker publish (dev)
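Review bot: the generated `docker publish (with browser) to docker (linux/amd64)` step has no `target: with-browser` and no `build_args` (its `settings:` hold only `dry_run`, `password`, `repo`, `username`), unlike the dry-run `docker build (with browser) (linux/amd64)` step above, which does set `target: with-browser`. The publish only produces the right image because `with-browser` happens to be the last stage of the Dockerfile. The same generator path presumably leaves `docker publish (release)` without `target: release` as well; with this PR an untargeted build of the Dockerfile yields the browser image, so the plain release tags would ship the Chromium image. Add the `target` to the publish steps (the fix belongs in `scripts/configs/drone/main.jsonnet`, which this file is generated from). Also, the `docker publish (with browser) tags` step carries no `when: ref: refs/tags/v*.*.*` guard, so it rewrites `.tags` on every build rather than only on releases.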
Expand Down Expand Up @@ -300,6 +350,6 @@ kind: secret
name: gpg_private_key
---
kind: signature
hmac: 698b37f156f33b7a50b91862c9fea26f77799ec55c1146bf8e4f16ac0c18e36d
hmac: d4db61b261c83fd65b96a3ea5bec1f3a1d8a5a4e7e80619c8573e6fd5dc6bbbd

...
17 changes: 16 additions & 1 deletion Dockerfile
Expand Up @@ -7,7 +7,7 @@ RUN apt-get update && apt-get -y install ca-certificates

ARG TARGETPLATFORM

FROM --platform=$TARGETPLATFORM debian:stable-slim
FROM --platform=$TARGETPLATFORM debian:stable-slim as release
ARG TARGETOS
ARG TARGETARCH
ARG HOST_DIST=$TARGETOS-$TARGETARCH
Expand All @@ -18,3 +18,18 @@ COPY scripts/pre-stop.sh /usr/local/lib/synthetic-monitoring-agent/pre-stop.sh
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

ENTRYPOINT ["/usr/local/bin/synthetic-monitoring-agent"]

# third stage with alpine base for better access to chromium
FROM alpine:3.18 as with-browser

RUN apk --no-cache add tini
RUN apk --no-cache add chromium-swiftshader
Member:
At this point we will be running everything as root. I think this can be left for a follow-up as well, but running a browser as root makes me a bit scared, so we might want to avoid that.

Contributor Author:
👍 I can add a user and operate the remainder of the target from there

Member:
Re-thinking this (sorry)... This might get us into problems where running the agent as non-root might cause some check types to fail, e.g. traceroute/ping checks require either elevated privileges or net_raw capabilities to be added to the binary.

It might be better for now to run everything as root, and open an issue to narrow-down the privileges without breaking agent checks.


COPY --from=release /usr/local/bin/synthetic-monitoring-agent /usr/local/bin/synthetic-monitoring-agent
COPY --from=release /usr/local/bin/sm-k6 /usr/local/bin/sm-k6
COPY --from=release /usr/local/lib/synthetic-monitoring-agent/pre-stop.sh /usr/local/lib/synthetic-monitoring-agent/pre-stop.sh
COPY --from=release /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

ENV K6_BROWSER_ARGS=no-sandbox,disable-dev-shm-usage

ENTRYPOINT ["tini", "--", "/usr/local/bin/synthetic-monitoring-agent"]
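Review bot: `ENV K6_BROWSER_ARGS=no-sandbox,disable-dev-shm-usage` disables Chromium's sandbox, and this stage never sets `USER`, so the browser that renders third-party pages during checks runs as root with no sandbox; a renderer compromise is then a root shell in the container, which is exactly the outcome the thread above wanted to avoid. The two settings are linked (Chromium refuses to start as root unless `--no-sandbox` is passed, which is usually why the flag appears), so when the follow-up issue on narrowing privileges is opened, record that dropping root is what allows removing `no-sandbox`, and until then make sure the image is deployed with the container runtime's default seccomp and capability set rather than `--privileged`. Separately, `synthetic-monitoring-agent` and `sm-k6` are copied out of the Debian-based `release` stage into `alpine:3.18`; that only works if both binaries are statically linked, so the dry-run build should start each of them once in the finished image to catch a glibc/musl mismatch before a tag is cut. `chromium-swiftshader` is also installed without a version pin, so the browser version in `latest-browser` will drift between builds of the same agent version.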
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -32,6 +32,18 @@ Please refer to [Private Probe docs](https://grafana.com/docs/grafana-cloud/synt

See [examples/kubernetes](./examples/kubernetes) for the documentation and example yaml files


Docker Images
-------------
We release 2 versions of the [Docker image](https://hub.docker.com/r/grafana/synthetic-monitoring-agent) for the agent, depending on whether or not Chromium is installed in the environment for use in browser checks.

Variants with the browser installed are tagged with the suffix `*-browser`. These images are substantially larger and shouldn't be used unless you need the browser functionality to keep memory requirements minimal.

These are built using the same multi-stage Dockerfile, so be aware that `Docker build` scripts failing to specify a build target will produce the larger image every time.
* Without chromium: `docker build --target release .`
* With chromium: `docker build .` or `docker build --target with-browser .`


Signals
-------

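Review bot: the sentence "These images are substantially larger and shouldn't be used unless you need the browser functionality to keep memory requirements minimal." attaches the purpose clause to the wrong verb; suggest "These images are substantially larger; to keep memory requirements minimal, use them only if you need browser checks." Two facts from the pipeline change should also be stated here: the `-browser` variant is built and published for linux/amd64 only, so arm64 probes have no browser image, and `docker build .` produces the browser image precisely because `with-browser` is now the last stage of the Dockerfile, so any script or CI step that wants the small image must pass `--target release`. Finally, `Docker build` should read `docker build` to match the commands on the next two lines.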
40 changes: 36 additions & 4 deletions scripts/configs/drone/main.jsonnet
Expand Up @@ -75,7 +75,7 @@ local vault_secret(name, vault_path, key) = {
},
};

local docker_step(tag, os, arch, version='') =
local docker_step(tag, os, arch, version='', with_browser=false) =
// We can't use 'make docker' without making this repo priveleged in drone
// so we will use the native docker plugin instead for security.
local platform = std.join('/', [ os, arch, if std.length(version) > 0 then version ]);
Expand All @@ -87,6 +87,7 @@ local docker_step(tag, os, arch, version='') =
settings: {
repo: docker_repo,
dry_run: 'true',
target: if with_browser then 'with-browser' else 'release',
build_args: [
'TARGETPLATFORM=' + platform,
'TARGETOS=' + os,
Expand All @@ -97,15 +98,24 @@ local docker_step(tag, os, arch, version='') =
},
};

local docker_build(os, arch, version='') =
docker_step('docker build', os, arch, version)
local docker_build(os, arch, version='', with_browser=false) =
local step = if with_browser then
'docker build (with browser)'
else
'docker build';
docker_step(step, os, arch, version, with_browser)
+ dependsOn([ 'build' ]);

local docker_publish(repo, auth, tag, os, arch, version='') =
docker_step('docker publish to ' + tag, os, arch, version)
docker_step('docker publish to ' + tag, os, arch, version, false)
+ { settings: { repo: repo, dry_run: 'false' } + auth }
+ dependsOn([ 'test', 'docker build' ]);

local docker_publish_with_browser(repo, auth, tag, os, arch) =
docker_step('docker publish (with browser) to ' + tag, os, arch, '', true)
+ { settings: { repo: repo, dry_run: 'false' } + auth }
+ dependsOn([ 'docker publish (with browser) tags' ]); // step to update .tags file with browser-specific image tags

[
pipeline('build', [
step('deps', [
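Review bot: `+ { settings: { repo: repo, dry_run: 'false' } + auth }` replaces the whole `settings` object produced by `docker_step`, so the `target:` this PR adds there (and the existing `build_args`) never reach any publish step; the regenerated `.drone.yml` in this PR shows it, since the with-browser publish step has no `target`. Use the merge operator so the fields combine:
  `+ { settings+: { repo: repo, dry_run: 'false' } + auth }`
in both `docker_publish` and `docker_publish_with_browser`. As written, `docker_publish` builds whatever the Dockerfile's final stage is, which this PR changes to `with-browser`, so the release tags would receive the Chromium image. The explicit `false` passed on the `docker_publish` line is harmless but redundant with the parameter default.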
Expand Down Expand Up @@ -141,9 +151,13 @@ local docker_publish(repo, auth, tag, os, arch, version='') =
docker_build('linux', 'amd64'),
docker_build('linux', 'arm64', 'v8'),

// dry run build with browser
docker_build('linux', 'amd64', '', true),

step('docker build', [ 'true' ], 'alpine')
+ dependsOn([
'docker build (linux/amd64)',
'docker build (with browser) (linux/amd64)',
'docker build (linux/arm64/v8)',
]),

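Review bot: only `docker_build('linux', 'amd64', '', true)` is added, so there is no arm64/v8 browser build and arm64 probes will get no `-browser` image. If that is intended, say so in the README's new Docker Images section; if not, add `docker_build('linux', 'arm64', 'v8', true)` and the matching `'docker build (with browser) (linux/arm64/v8)'` entry in the `dependsOn` list of the aggregate `docker build` step.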
Expand Down Expand Up @@ -174,6 +188,24 @@ local docker_publish(repo, auth, tag, os, arch, version='') =
])
+ releaseOnly,

step(
'docker publish (with browser) tags',
[
'echo "latest-browser,$(./scripts/version)-browser" > .tags', // use with-browser tags for docker plugin
],
go_tools_image,
)
+ dependsOn([ 'docker publish (release)' ]),

// publish image with chromium browser available
docker_publish_with_browser(docker_repo, docker_auth, 'docker', 'linux', 'amd64') + releaseOnly,

step('docker publish (with browser) (release)', [ 'true' ], 'alpine')
+ dependsOn([
'docker publish (with browser) to docker (linux/amd64)',
])
+ releaseOnly,

step('trigger argo workflow (dev)', [])
+ {
settings: {
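Review bot: the `docker publish (with browser) tags` step is missing `+ releaseOnly`, while both the publish step it feeds and the aggregate `docker publish (with browser) (release)` have it. On a non-tag build nothing stops this step from running, and it overwrites `.tags` with `latest-browser,...`, which any later step that reads `.tags` would pick up; add `+ releaseOnly` to it so the three browser-publish steps share one condition.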