
Add official image for OpenSearch Dashboards #13194

Draft
wants to merge 1 commit into
base: master

Conversation

@rishabh6788 rishabh6788 commented Sep 20, 2022

Signed-off-by: Rishabh Singh sngri@amazon.com

OpenSearch Dashboards is the default visualization tool for data in OpenSearch. It also serves as a user interface for many of the OpenSearch plugins, including security, alerting, Index State Management, SQL, and more.
To learn more about OpenSearch Dashboards, please read our documentation.

Checklist for Review

NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)

Signed-off-by: Rishabh Singh <sngri@amazon.com>
@github-actions

Diff for f788144:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index bdfae4a..01bfe6c 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1 +1,7 @@
-Maintainers: New Image! :D (@docker-library-bot)
+Maintainers: OpenSearch Project Team <opensearch@amazon.com> (@opensearch-project), Rishabh Singh <sngri@amazon.com> (@rishabh6788), Peter Zhu <zhujiaxi@amazon.com> (@peterzhuamazon), Prudhvi Godithi <pgodithi@amazon.com> (@prudhvigodithi)
+GitRepo: https://github.com/opensearch-project/dashboards-docker-images.git
+
+Tags: 2.3.0, 2.3, 2, latest
+Architectures: amd64, arm64v8
+GitCommit: c8f80771985daceb6dcbe9498790b2d848159786
+Directory: 2.x
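Review bot: the Dockerfile at this GitCommit is a multi-stage build (`FROM amazonlinux:2 AS linux_stage_0` plus a second `FROM amazonlinux:2` that does `COPY --from=linux_stage_0`), so this global entry should also carry `Builder: buildkit` (next to `Maintainers:` and `GitRepo:`, or on the `Tags:` entry) to avoid the build-cache problems multi-stage builds have under the classic builder. Pinning `GitCommit:` to a full SHA rather than a branch is the right call and should stay that way for every future tag bump.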
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..1abb8bf 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,4 @@
+opensearch-dashboards:2
+opensearch-dashboards:2.3
+opensearch-dashboards:2.3.0
+opensearch-dashboards:latest
diff --git a/opensearch-dashboards_latest/Dockerfile b/opensearch-dashboards_latest/Dockerfile
new file mode 100644
index 0000000..1a207c8
--- /dev/null
+++ b/opensearch-dashboards_latest/Dockerfile
@@ -0,0 +1,96 @@
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+
+# This dockerfile generates an AmazonLinux-based image containing an OpenSearch-Dashboards installation.
+# It assumes that the working directory contains four files: an OpenSearch-Dashboards tarball (opensearch-dashboards.tgz), opensearch_dashboards.yml, opensearch-dashboards-docker-entrypoint.sh, and example certs.
+# Build arguments:
+#   VERSION: Required. Used to label the image.
+#   UID: Optional. Specify the opensearch-dashboards userid. Defaults to 1000.
+#   GID: Optional. Specify the opensearch-dashboards groupid. Defaults to 1000.
+#   OPENSEARCH_DASHBOARDS_HOME: Optional. Specify the opensearch-dashboards root directory. Defaults to /usr/share/opensearch-dashboards.
+
+########################### Stage 0 ########################
+FROM amazonlinux:2 AS linux_stage_0
+
+ARG UID=1000
+ARG GID=1000
+ARG OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+ARG TEMP_DIR=/tmp/opensearch-dashboards
+ARG OSD_VERSION=2.3.0
+
+# Update packages
+# Install the tools we need: tar and gzip to unpack the OpenSearch tarball, and shadow-utils to give us `groupadd` and `useradd`.
+# Install which to allow running of securityadmin.sh
+RUN yum update -y && yum install -y tar gzip shadow-utils which && yum clean all
+
+# Create an opensearch-dashboards user, group, and directory
+RUN groupadd -g $GID opensearch-dashboards && \
+    adduser -u $UID -g $GID -d $OPENSEARCH_DASHBOARDS_HOME opensearch-dashboards && \
+    mkdir $TEMP_DIR
+
+RUN set -eux ; \
+    cur_arch="" ; \
+    case "$(arch)" in \
+        aarch64) cur_arch='arm64' ;; \
+        x86_64)  cur_arch='x64' ;; \
+        *) echo >&2 ; echo >&2 "Unsupported architecture $(arch)" ; echo >&2 ; exit 1 ;; \
+    esac ; \
+    curl --retry 10 -S -L --output $TEMP_DIR/opensearch-dashboards.tar.gz https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$OSD_VERSION/opensearch-dashboards-$OSD_VERSION-linux-$cur_arch.tar.gz; \
+    curl --output $TEMP_DIR/opensearch-dashboards.pgp https://artifacts.opensearch.org/publickeys/opensearch.pgp; \
+    gpg --import $TEMP_DIR/opensearch-dashboards.pgp; \
+    curl --output $TEMP_DIR/opensearch-dashboards.tar.gz.sig https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$OSD_VERSION/opensearch-dashboards-$OSD_VERSION-linux-$cur_arch.tar.gz.sig; \
+    gpg --verify $TEMP_DIR/opensearch-dashboards.tar.gz.sig $TEMP_DIR/opensearch-dashboards.tar.gz; \
+    tar --warning=no-timestamp -zxf $TEMP_DIR/opensearch-dashboards.tar.gz -C $OPENSEARCH_DASHBOARDS_HOME --strip-components=1;
+
+COPY config/* $OPENSEARCH_DASHBOARDS_HOME/config/
+COPY bin/* $OPENSEARCH_DASHBOARDS_HOME/
+
+########################### Stage 1 ########################
+# Copy working directory to the actual release docker images
+FROM amazonlinux:2
+
+ARG UID=1000
+ARG GID=1000
+ARG OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+ARG OSD_VERSION=2.3.0
+
+# Update packages
+# Install the tools we need: tar and gzip to unpack the OpenSearch tarball, and shadow-utils to give us `groupadd` and `useradd`.
+# Install which to allow running of securityadmin.sh
+RUN yum update -y && yum install -y tar gzip shadow-utils which \
+    libnss3.so xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
+    xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc fontconfig \
+    freetype && yum clean all
+
+# Create an opensearch-dashboards user, group
+RUN groupadd -g $GID opensearch-dashboards && \
+    adduser -u $UID -g $GID -d $OPENSEARCH_DASHBOARDS_HOME opensearch-dashboards
+
+COPY --from=linux_stage_0 --chown=$UID:$GID $OPENSEARCH_DASHBOARDS_HOME $OPENSEARCH_DASHBOARDS_HOME
+
+# Setup OpenSearch-dashboards
+WORKDIR $OPENSEARCH_DASHBOARDS_HOME
+
+# Set PATH
+ENV PATH=$PATH:$OPENSEARCH_DASHBOARDS_HOME/bin
+
+# Change user
+USER $UID
+
+# Expose port
+EXPOSE 5601
+
+# Label
+LABEL org.label-schema.schema-version="1.0" \
+  org.label-schema.name="opensearch-dashboards" \
+  org.label-schema.version="$OSD_VERSION" \
+  org.label-schema.url="https://opensearch.org" \
+  org.label-schema.vcs-url="https://github.com/opensearch-project/OpenSearch-Dashboards" \
+  org.label-schema.license="Apache-2.0" \
+  org.label-schema.vendor="Amazon"
+
+# CMD to run
+ENTRYPOINT ["./opensearch-dashboards-docker-entrypoint.sh"]
+CMD ["opensearch-dashboards"]
+
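Review bot: the signature check in stage 0 (`gpg --import $TEMP_DIR/opensearch-dashboards.pgp` followed by `gpg --verify`) trusts whatever key is served from artifacts.opensearch.org at build time, the same origin as the tarball and the .sig, so it only proves that the three downloads agree with each other; pin the key's full fingerprint in the Dockerfile (import, then fail unless `gpg --batch --export <FINGERPRINT>` yields the expected key, or fetch exactly that fingerprint from a keyserver) and add a `sha256sum -c` of the tarball against a checksum recorded in the Dockerfile. The second and third `curl` calls also lack `--fail`, `-S`, `-L` and `--retry`, so a 404 body would be written to the .pgp/.sig path and only surface later as an opaque gpg error; run all three as `curl -fsSL --retry 10`, and give every gpg call `--batch`. Smaller points: the header comment still says the build "assumes that the working directory contains four files" including `opensearch-dashboards.tgz`, which no longer matches the curl-based download; `yum update -y` in both stages adds layer size without improving on the periodically rebuilt `amazonlinux:2` base; and `ARG OSD_VERSION=2.3.0` is declared in both stages but should sit directly above the instruction that uses it so a version bump does not invalidate the package-install layers.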
diff --git a/opensearch-dashboards_latest/bin/opensearch-dashboards-docker-entrypoint.sh b/opensearch-dashboards_latest/bin/opensearch-dashboards-docker-entrypoint.sh
new file mode 100755
index 0000000..894e48e
--- /dev/null
+++ b/opensearch-dashboards_latest/bin/opensearch-dashboards-docker-entrypoint.sh
@@ -0,0 +1,228 @@
+#!/bin/bash
+
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# Run OpenSearch-Dashboards, using environment variables to
+# set longopts defining OpenSearch-Dashboards's configuration.
+#
+# eg. Setting the environment variable:
+#
+#       OPENSEARCH_STARTUPTIMEOUT=60
+#
+# will cause OpenSearch-Dashboards to be invoked with:
+#
+#       --opensearch.startupTimeout=60
+
+# Setup Home Directory
+export OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+
+opensearch_dashboards_vars=(
+    console.enabled
+    console.proxyConfig
+    console.proxyFilter
+    ops.cGroupOverrides.cpuPath
+    ops.cGroupOverrides.cpuAcctPath
+    csp.rules
+    csp.strict
+    csp.warnLegacyBrowsers
+    data.search.usageTelemetry.enabled
+    opensearch.customHeaders
+    opensearch.hosts
+    opensearch.logQueries
+    opensearch.memoryCircuitBreaker.enabled
+    opensearch.memoryCircuitBreaker.maxPercentage
+    opensearch.password
+    opensearch.pingTimeout
+    opensearch.requestHeadersWhitelist
+    opensearch.requestTimeout
+    opensearch.shardTimeout
+    opensearch.sniffInterval
+    opensearch.sniffOnConnectionFault
+    opensearch.sniffOnStart
+    opensearch.ssl.alwaysPresentCertificate
+    opensearch.ssl.certificate
+    opensearch.ssl.certificateAuthorities
+    opensearch.ssl.key
+    opensearch.ssl.keyPassphrase
+    opensearch.ssl.keystore.path
+    opensearch.ssl.keystore.password
+    opensearch.ssl.truststore.path
+    opensearch.ssl.truststore.password
+    opensearch.ssl.verificationMode
+    opensearch.username
+    i18n.locale
+    interpreter.enableInVisualize
+    opensearchDashboards.autocompleteTerminateAfter
+    opensearchDashboards.autocompleteTimeout
+    opensearchDashboards.defaultAppId
+    opensearchDashboards.index
+    logging.dest
+    logging.json
+    logging.quiet
+    logging.rotate.enabled
+    logging.rotate.everyBytes
+    logging.rotate.keepFiles
+    logging.rotate.pollingInterval
+    logging.rotate.usePolling
+    logging.silent
+    logging.useUTC
+    logging.verbose
+    map.includeOpenSearchMapsService
+    map.proxyOpenSearchMapsServiceInMaps
+    map.regionmap
+    map.tilemap.options.attribution
+    map.tilemap.options.maxZoom
+    map.tilemap.options.minZoom
+    map.tilemap.options.subdomains
+    map.tilemap.url
+    monitoring.cluster_alerts.email_notifications.email_address
+    monitoring.enabled
+    monitoring.opensearchDashboards.collection.enabled
+    monitoring.opensearchDashboards.collection.interval
+    monitoring.ui.container.opensearch.enabled
+    monitoring.ui.container.logstash.enabled
+    monitoring.ui.opensearch.password
+    monitoring.ui.opensearch.pingTimeout
+    monitoring.ui.opensearch.hosts
+    monitoring.ui.opensearch.username
+    monitoring.ui.opensearch.logFetchCount
+    monitoring.ui.opensearch.ssl.certificateAuthorities
+    monitoring.ui.opensearch.ssl.verificationMode
+    monitoring.ui.enabled
+    monitoring.ui.max_bucket_size
+    monitoring.ui.min_interval_seconds
+    newsfeed.enabled
+    ops.interval
+    path.data
+    pid.file
+    regionmap
+    security.showInsecureClusterWarning
+    server.basePath
+    server.customResponseHeaders
+    server.compression.enabled
+    server.compression.referrerWhitelist
+    server.cors
+    server.cors.origin
+    server.defaultRoute
+    server.host
+    server.keepAliveTimeout
+    server.maxPayloadBytes
+    server.name
+    server.port
+    server.rewriteBasePath
+    server.socketTimeout
+    server.ssl.cert
+    server.ssl.certificate
+    server.ssl.certificateAuthorities
+    server.ssl.cipherSuites
+    server.ssl.clientAuthentication
+    server.customResponseHeaders
+    server.ssl.enabled
+    server.ssl.key
+    server.ssl.keyPassphrase
+    server.ssl.keystore.path
+    server.ssl.keystore.password
+    server.ssl.truststore.path
+    server.ssl.truststore.password
+    server.ssl.redirectHttpFromPort
+    server.ssl.supportedProtocols
+    server.xsrf.disableProtection
+    server.xsrf.whitelist
+    status.allowAnonymous
+    status.v6ApiFormat
+    tilemap.options.attribution
+    tilemap.options.maxZoom
+    tilemap.options.minZoom
+    tilemap.options.subdomains
+    tilemap.url
+    timeline.enabled
+    vega.enableExternalUrls
+    apm_oss.apmAgentConfigurationIndex
+    apm_oss.indexPattern
+    apm_oss.errorIndices
+    apm_oss.onboardingIndices
+    apm_oss.spanIndices
+    apm_oss.sourcemapIndices
+    apm_oss.transactionIndices
+    apm_oss.metricsIndices
+    telemetry.allowChangingOptInStatus
+    telemetry.enabled
+    telemetry.optIn
+    telemetry.optInStatusUrl
+    telemetry.sendUsageFrom
+)
+
+function setupSecurityDashboardsPlugin {
+    SECURITY_DASHBOARDS_PLUGIN="securityDashboards"
+
+    if [ -d "$OPENSEARCH_DASHBOARDS_HOME/plugins/$SECURITY_DASHBOARDS_PLUGIN" ]; then
+        if [ "$DISABLE_SECURITY_DASHBOARDS_PLUGIN" = "true" ]; then
+            echo "Disabling OpenSearch Security Dashboards Plugin"
+            ./bin/opensearch-dashboards-plugin remove securityDashboards
+
+            # Remove all security related parameters as well as changing HTTPS to HTTP
+            # Temporary fix before security-dashboards plugin implement a parameter to disable the plugin entirely
+            # https://github.com/opensearch-project/security-dashboards-plugin/issues/896
+            UPDATED_CONFIG=`cat $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml | sed "/^opensearch_security/d" | sed "s/https/http/g"`
+            echo "$UPDATED_CONFIG" > $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
+        fi
+    fi
+}
+
+function runOpensearchDashboards {
+    longopts=()
+    for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do
+        # 'opensearch.hosts' -> 'OPENSEARCH_URL'
+        env_var=$(echo ${opensearch_dashboards_var^^} | tr . _)
+
+        # Indirectly lookup env var values via the name of the var.
+        # REF: http://tldp.org/LDP/abs/html/bashver2.html#EX78
+        value=${!env_var}
+        if [[ -n $value ]]; then
+            longopt="--${opensearch_dashboards_var}=${value}"
+            longopts+=("${longopt}")
+        fi
+    done
+
+    # Files created at run-time should be group-writable, for Openshift's sake.
+    umask 0002
+
+    ##Security Dashboards Plugin
+    setupSecurityDashboardsPlugin
+
+    # TO DO:
+    # Confirm with Mihir if this is necessary
+
+    # The virtual file /proc/self/cgroup should list the current cgroup
+    # membership. For each hierarchy, you can follow the cgroup path from
+    # this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+    # introspect the statistics for the cgroup for the given
+    # hierarchy. Alas, Docker breaks this by mounting the container
+    # statistics at the root while leaving the cgroup paths as the actual
+    # paths. Therefore, OpenSearch-Dashboards provides a mechanism to override
+    # reading the cgroup path from /proc/self/cgroup and instead uses the
+    # cgroup path defined the configuration properties
+    # ops.cGroupOverrides.cpuPath and ops.cGroupOverrides.cpuAcctPath.
+    # Therefore, we set this value here so that cgroup statistics are
+    # available for the container this process will run in.
+
+    exec "$@" \
+        --ops.cGroupOverrides.cpuPath=/ \
+        --ops.cGroupOverrides.cpuAcctPath=/ \
+        "${longopts[@]}"
+}
+
+# Prepend "opensearch-dashboards" command if no argument was provided or if the
+# first argument looks like a flag (i.e. starts with a dash).
+if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
+    set -- opensearch-dashboards "$@"
+fi
+
+if [ "$1" = "opensearch-dashboards" ]; then
+    runOpensearchDashboards "$@"
+else
+    exec "$@"
+fi
+
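Review bot: `runOpensearchDashboards` turns every variable in `opensearch_dashboards_vars` into `--name=value` on the `exec "$@"` line, so secrets such as `opensearch.password`, `opensearch.ssl.keyPassphrase`, the keystore/truststore passwords and `monitoring.ui.opensearch.password` end up in the process command line, readable from `/proc/<pid>/cmdline` by anything that can list processes in the container (or on the host); write those settings into the yml at start-up instead of passing them as longopts, or at least call this out in the image documentation. The list also contains `server.customResponseHeaders` twice, which would emit the same longopt twice when set. In `setupSecurityDashboardsPlugin`, `sed "s/https/http/g"` rewrites every `https` in the whole config file, including commented examples and any unrelated URL a user added, so anchor it to the `opensearch.hosts` line. The script has no `set -e`/`set -u`; with `set -u` the indirect lookup needs to become `value=${!env_var:-}`. The `# TO DO: Confirm with Mihir if this is necessary` block above the cgroup override is a leftover note and should be resolved or removed before this ships.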
diff --git a/opensearch-dashboards_latest/config/opensearch.example.org.cert b/opensearch-dashboards_latest/config/opensearch.example.org.cert
new file mode 100644
index 0000000..555bf09
--- /dev/null
+++ b/opensearch-dashboards_latest/config/opensearch.example.org.cert
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
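Review bot: `opensearch.example.org.cert` is baked into every published image through `COPY config/* $OPENSEARCH_DASHBOARDS_HOME/config/` in the Dockerfile, yet nothing in `opensearch_dashboards.yml` references it; if it is only an example, keep it out of the release image and the official-images repo, or document what it is for and how a user is expected to replace it.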
diff --git a/opensearch-dashboards_latest/config/opensearch.example.org.key b/opensearch-dashboards_latest/config/opensearch.example.org.key
new file mode 100644
index 0000000..2ecc2b6
--- /dev/null
+++ b/opensearch-dashboards_latest/config/opensearch.example.org.key
@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+
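Review bot: `opensearch.example.org.key` is a private key committed to a public GitRepo and copied into the image by `COPY config/*`, so it provides no confidentiality at all: anyone can read it from the repo or the image, and any TLS endpoint configured with it is effectively unauthenticated. Generate demo key material at container start in a clearly labelled dev-only path, or leave it out entirely, rather than shipping a key (mode 0644, world-readable inside the image) that no default configuration even uses.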
diff --git a/opensearch-dashboards_latest/config/opensearch_dashboards.yml b/opensearch-dashboards_latest/config/opensearch_dashboards.yml
new file mode 100644
index 0000000..6695163
--- /dev/null
+++ b/opensearch-dashboards_latest/config/opensearch_dashboards.yml
@@ -0,0 +1,188 @@
+---
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# Description:
+# Default configuration for OpenSearch Dashboards
+
+# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
+# server.port: 5601
+
+# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+# server.host: "localhost"
+
+# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+# server.basePath: ""
+
+# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+# server.maxPayloadBytes: 1048576
+
+# The OpenSearch Dashboards server's name.  This is used for display purposes.
+# server.name: "your-hostname"
+
+# The URLs of the OpenSearch instances to use for all your queries.
+# opensearch.hosts: ["http://localhost:9200"]
+
+# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
+# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
+# opensearchDashboards.index: ".opensearch_dashboards"
+
+# The default application to load.
+# opensearchDashboards.defaultAppId: "home"
+
+# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
+# This settings should be used for large clusters or for clusters with ingest heavy nodes.
+# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
+#
+# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
+# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
+# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
+# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
+# opensearch.optimizedHealthcheckId: "cluster_id"
+
+# If your OpenSearch is protected with basic authentication, these settings provide
+# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
+# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
+# is proxied through the OpenSearch Dashboards server.
+# opensearch.username: "opensearch_dashboards_system"
+# opensearch.password: "pass"
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
+# server.ssl.enabled: false
+# server.ssl.certificate: /path/to/your/server.crt
+# server.ssl.key: /path/to/your/server.key
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
+# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
+# opensearch.ssl.certificate: /path/to/your/client.crt
+# opensearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your OpenSearch instance.
+# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+# opensearch.ssl.verificationMode: full
+
+# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
+# the opensearch.requestTimeout setting.
+# opensearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
+# must be a positive integer.
+# opensearch.requestTimeout: 30000
+
+# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+# opensearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
+# opensearch.customHeaders: {}
+
+# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
+# opensearch.shardTimeout: 30000
+
+# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
+# opensearch.logQueries: false
+
+# Specifies the path where OpenSearch Dashboards creates the process ID file.
+# pid.file: /var/run/opensearchDashboards.pid
+
+# Enables you to specify a file where OpenSearch Dashboards stores log output.
+# logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+# logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+# logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+# logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+# ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
+# i18n.locale: "en"
+
+# Set the allowlist to check input graphite Url. Allowlist is the default check list.
+# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
+
+# Set the blocklist to check input graphite Url. Blocklist is an IP list.
+# Below is an example for reference
+# vis_type_timeline.graphiteBlockedIPs: [
+#  //Loopback
+#  '127.0.0.0/8',
+#  '::1/128',
+#  //Link-local Address for IPv6
+#  'fe80::/10',
+#  //Private IP address for IPv4
+#  '10.0.0.0/8',
+#  '172.16.0.0/12',
+#  '192.168.0.0/16',
+#  //Unique local address (ULA)
+#  'fc00::/7',
+#  //Reserved IP address
+#  '0.0.0.0/8',
+#  '100.64.0.0/10',
+#  '192.0.0.0/24',
+#  '192.0.2.0/24',
+#  '198.18.0.0/15',
+#  '192.88.99.0/24',
+#  '198.51.100.0/24',
+#  '203.0.113.0/24',
+#  '224.0.0.0/4',
+#  '240.0.0.0/4',
+#  '255.255.255.255/32',
+#  '::/128',
+#  '2001:db8::/32',
+#  'ff00::/8',
+# ]
+# vis_type_timeline.graphiteBlockedIPs: []
+
+# opensearchDashboards.branding:
+#   logo:
+#     defaultUrl: ""
+#     darkModeUrl: ""
+#   mark:
+#     defaultUrl: ""
+#     darkModeUrl: ""
+#   loadingLogo:
+#     defaultUrl: ""
+#     darkModeUrl: ""
+#   faviconUrl: ""
+#   applicationTitle: ""
+
+# Set the value of this setting to true to capture region blocked warnings and errors
+# for your map rendering services.
+# map.showRegionBlockedWarning: false%
+
+opensearch.hosts: [https://localhost:9200]
+opensearch.ssl.verificationMode: none
+opensearch.username: kibanaserver
+opensearch.password: kibanaserver
+opensearch.requestHeadersWhitelist: [authorization, securitytenant]
+
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.readonly_mode.roles: [kibana_read_only]
+# Use this setting if you are running opensearch-dashboards without https
+opensearch_security.cookie.secure: false
+server.host: '0.0.0.0'
+
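Review bot: the uncommented block at the end ships defaults that only fit the demo security configuration: `opensearch.ssl.verificationMode: none` disables certificate validation on the https connection to `opensearch.hosts`, `opensearch.username`/`opensearch.password` are the demo `kibanaserver` credentials, and `opensearch_security.cookie.secure: false` allows the session cookie over plain HTTP. Because this becomes the default config of an official image, the README and image description should state that these must be overridden for anything but a local demo (better still, default to `verificationMode: full` with `opensearch.ssl.certificateAuthorities` and take the credentials from the environment). Two smaller items: `# map.showRegionBlockedWarning: false%` carries a stray `%`, which looks like a shell prompt captured while pasting a file without a trailing newline, and the comment above `opensearch.ssl.certificate` still refers to `xpack.security.http.ssl.client_authentication`, an Elasticsearch X-Pack setting name that does not apply to OpenSearch.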

@bbarani

bbarani commented Sep 27, 2022

Gentle ping @tianon @yosifkit

@bbarani

bbarani commented Oct 4, 2022

Friendly ping @tianon @yosifkit

@bbarani

bbarani commented Nov 4, 2022

Friendly ping @tianon @yosifkit

@bbarani

bbarani commented Nov 21, 2022

Can you please provide an update @tianon @yosifkit

@bbarani

bbarani commented Jan 4, 2023

Friendly ping @tianon @yosifkit

@yosifkit
Member

Hello! ✨

Thanks for your interest in contributing to the official images program. 💭

As you may have noticed, we've usually got a pretty decently sized queue of new images (not to mention image updates and maintenance of images under @docker-library which are maintained by the core official images team). As such, it may be some time before we get to reviewing this image (image updates get priority both because users expect them and because reviewing new images is a more involved process than reviewing updates), so we apologize in advance! Please be patient with us -- rest assured, we've seen your PR and it's in the queue. ❤️

We do try to proactively add and update the "new image checklist" on each PR, so if you haven't looked at it yet, that's a good use of time while you wait. ☔

Thanks! 💖 💙 💚 ❤️

@tianon
Member

tianon commented Feb 11, 2023

Thank you for your patience 🙇

I'd like to start with a bit of high-level feedback about Dashboards specifically, then I'll get into some more technical bits.


From what I've understood, Dashboards is very closely tied to OpenSearch, right? (even to the point of being pretty fairly version-locked?) The reason I'm asking is that we do strive for each official image to be reasonably "generally useful", so I'm wondering if this should perhaps be tags of opensearch itself (opensearch:dashboard, for example), since opensearch is pretty generally useful, but this is really somewhat more like optional functionality of that core product.


+FROM amazonlinux:2 AS linux_stage_0

The use of multi-stage here is a little bit dubious (https://github.com/docker-library/faq#multi-stage-builds), but I don't think that's necessarily a blocker. If you want to keep it multi-stage, can you please include Builder: buildkit in either your "global" entry (where Maintainers: and GitRepo: are) or in your Tags: entry to help mitigate the associated build cache issues? (We hope to turn that on for all builds eventually, but we're doing so cautiously to avoid potential breakage at a large scale.)


+ARG OSD_VERSION=2.3.0

Every time this changes (in both instances of it 🤔), it's going to cause a cache bust, so it should be moved down just before the layer/instruction which uses/requires/changes based on it (technically also true for the other ARGs, but I doubt they're going to change very often so I'm less concerned about them).


+    case "$(arch)" in \
+        aarch64) cur_arch='arm64' ;; \
+        x86_64)  cur_arch='x64' ;; \
+        *) echo >&2 ; echo >&2 "Unsupported architecture $(arch)" ; echo >&2 ; exit 1 ;; \
+    esac ; \

This is using kernel-based architecture detection, which won't work if you ever end up supporting 32bit architectures (so for those you'll want/need to do something more "clever" to do userspace detection -- for RPM-based distributions, https://github.com/docker-library/openjdk/blob/c54013c65130eb1c41268ab45a7a04e41b47c612/21/jdk/oraclelinux8/Dockerfile#L37 is the best I've currently come up with 😭). I doubt you're going to do that any time soon (if ever), but wanted to make sure you're aware.


+    curl --retry 10 -S -L --output $TEMP_DIR/opensearch-dashboards.tar.gz https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$OSD_VERSION/opensearch-dashboards-$OSD_VERSION-linux-$cur_arch.tar.gz; \
+    curl --output $TEMP_DIR/opensearch-dashboards.pgp https://artifacts.opensearch.org/publickeys/opensearch.pgp; \
+    gpg --import $TEMP_DIR/opensearch-dashboards.pgp; \

As described a bit in https://github.com/docker-library/official-images#image-build, this PGP key's full fingerprint should be embedded/verified in the Dockerfile somehow. That can be done via gpg --import + gpg --export with the full fingerprint, but IMO it's easier to pull from a keyserver, especially one like https://keys.openpgp.org/ which is both hyper reliable and provides some verification of the provenance of the key (in the form of email address verification).

Irrespective of which direction you choose to go, any and all invocations of gpg should include --batch (which puts gpg into their "API mode" vs "UX mode").

It would also be ideal if you included a strong checksum (SHA256, etc) and verified that, since one verifies the artifact was published by the appropriate party and the other verifies that the artifact hasn't changed / was transferred successfully and correctly (but not strictly a blocker).

Additionally, every invocation of curl should include at least the -f/--fail flag so that download failures propagate appropriately (without relying on side effects like PGP verification failing).


+# Update packages
...
+RUN yum update -y && ...

For official images, we generally recommend against updating libraries that are included in the respective base image. Since the item cannot be deleted from an earlier layer, the update can add extra size to the resulting image. In order to have the most up-to-date packages, official images instead rely on periodic base image updates. We then rebuild all dependent images.

amazonlinux images are fairly active (PR history) and so already include very up-to-date packages.


+# Label
+LABEL org.label-schema.schema-version="1.0" \
+  org.label-schema.name="opensearch-dashboards" \
+  org.label-schema.version="$OSD_VERSION" \
+  org.label-schema.url="https://opensearch.org" \
+  org.label-schema.vcs-url="https://github.com/opensearch-project/OpenSearch-Dashboards" \
+  org.label-schema.license="Apache-2.0" \
+  org.label-schema.vendor="Amazon"

See #3540 (comment), especially:

label-schema is deprecated; see https://github.com/label-schema/label-schema.org#readme -- some of those labels have analogs in the image-spec, some do not.

and:

We don't actively recommend using labels. If an image maintainer wants to have labels, that is fine, but label names should adhere to the image spec: https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md


+ENTRYPOINT ["./opensearch-dashboards-docker-entrypoint.sh"]

Using a relative path for this value is dangerous, as users changing --workdir/-w when they run the container will then cause it to fail (without a very compelling reason or a very great error message). I would suggest one of (in order of my own personal stylistic preference, but with no particular blocking reasons one way or another):

  1. move it into $OPENSEARCH_DASHBOARDS_HOME/bin and drop the ./ (thus relying on PATH)
  2. symlink into somewhere like /usr/local/bin (and drop the ./, thus relying on PATH)
  3. update ENTRYPOINT to use an absolute path

+#!/bin/bash
+

Not strictly required, but I would recommend including at least set -e here so that the script does not quietly continue running if any instruction in it fails. This requires a bit more discipline while writing the script (things that might fail need to explicitly handle that failure via if command-that-might-fail; then ... or if ! command-that-might-fail; then ... or command-that-might-fail-and-we-do-not-care || :, etc), but it does increase robustness. A related Bash-specific option that strengthens the protections offered by set -e is set -o pipefail.

I would also suggest set -u (and thus explicitly using things like if [ -n "${CHECKING_VARIABLE_THAT_MIGHT_NOT_BE_SET:-}" ]; then variable-is-set-code; fi), as it is extremely helpful for catching minor typos, but that one requires even more discipline, so is less strongly recommended.


+export OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards

This matches the value of the ARG set in the Dockerfile -- should that instead be ENV so that this script can just reference it directly? (That's what I would recommend.)


+opensearch_dashboards_vars=(

This is a very long list to maintain by hand. 😅 How often does it change? Once you inevitably are maintaining more than one version at a time, will the lists diverge and increase your maintenance burden even further? (Raising for visibility / as food for thought in case there are ways you can think of to help mitigate the maintenance cost on yourselves associated with this way of implementing this behavior.)


+function setupSecurityDashboardsPlugin {
+    SECURITY_DASHBOARDS_PLUGIN="securityDashboards"
+
+    if [ -d "$OPENSEARCH_DASHBOARDS_HOME/plugins/$SECURITY_DASHBOARDS_PLUGIN" ]; then
+        if [ "$DISABLE_SECURITY_DASHBOARDS_PLUGIN" = "true" ]; then
+            echo "Disabling OpenSearch Security Dashboards Plugin"
+            ./bin/opensearch-dashboards-plugin remove securityDashboards
+
+            # Remove all security related parameters as well as changing HTTPS to HTTP
+            # Temporary fix before security-dashboards plugin implement a parameter to disable the plugin entirely
+            # https://github.com/opensearch-project/security-dashboards-plugin/issues/896
+            UPDATED_CONFIG=`cat $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml | sed "/^opensearch_security/d" | sed "s/https/http/g"`
+            echo "$UPDATED_CONFIG" > $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
+        fi
+    fi
+}
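Review bot: `sed "s/https/http/g"` in the UPDATED_CONFIG line rewrites every `https` in the whole opensearch_dashboards.yml, not only the security-plugin settings, so a configured `opensearch.hosts` entry that points at a TLS-enabled cluster is silently downgraded to plaintext the moment DISABLE_SECURITY_DASHBOARDS_PLUGIN=true is set. Limit the substitution to the specific keys that must change (or drop the scheme rewrite and leave the hosts URL to the user), and while touching the line: quote `"$OPENSEARCH_DASHBOARDS_HOME"` in both the read and the redirect, prefer `$(...)` over backticks and `sed ... file` over `cat file | sed`, and note that `./bin/opensearch-dashboards-plugin remove` has the same working-directory dependence raised for the ENTRYPOINT.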

This is ... interesting (especially as the linked issue that describes why this was temporary is closed with a comment that sounds to me like it's a "wontfix").

I have a few thoughts on the specifics of the implementation here, but I'll keep them to myself for now because on a more general level I'm wondering whether you really want to have this logic at all? 😬


+    for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do
+        # 'opensearch.hosts' -> 'OPENSEARCH_URL'
+        env_var=$(echo ${opensearch_dashboards_var^^} | tr . _)

Minor shell code improvements (if you have a proper Bash array, using * and re-parsing/argument separating it doesn't make a lot of sense and this tr can be pure-shell 😅):

    for opensearch_dashboards_var in "${opensearch_dashboards_vars[@]}"; do
        # 'opensearch.hosts' -> 'OPENSEARCH_URL'
        env_var=${opensearch_dashboards_var^^}
        env_var=${env_var//./_}

+    # TO DO:
+    # Confirm with Mihir if this is necessary

😂 maybe Mihir could chime in here? 😇


+++ b/opensearch-dashboards_latest/config/opensearch.example.org.cert
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
...
+++ b/opensearch-dashboards_latest/config/opensearch.example.org.key
@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----
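Review bot: opensearch.example.org.key is a private key committed to a public repository and baked into every copy of the image, so any deployment that keeps it gets TLS that encrypts but authenticates nothing (every other user of the image holds the same key). Beyond not shipping it, the entrypoint could compare the fingerprint of whatever key the configuration points at with the bundled one and refuse to start, or at least log prominently, when they match, so that the example credential cannot be carried into production unnoticed.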

It's a little bit weird to embed a certificate directly like this -- is this just an example? Is it necessary for opensearch to run? Used in the default (example?) configuration? What's the rotation story for this credential? How do we help make sure users don't end up running with this certificate as-is in production? 😬

(Some example alternatives to this: explain to users how to create one easily in the error message when they're missing, generate fresh ones on startup with a warning, etc.)


+++ b/opensearch-dashboards_latest/config/opensearch_dashboards.yml

Does the official distribution of Dashboards (like if I downloaded a raw release straight off the website) not contain an example/default configuration? If it does, how does that one differ from this one? (Back to the maintainability discussion, do you really want to maintain/update over time a whole new copy of that upstream configuration/example?)
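The shell hygiene points raised across the review (set -e with pipefail, set -u with `${VAR:-}` guards, iterating a Bash array with "${arr[@]}", pure-shell uppercase and dot-to-underscore conversion, and explicit handling of commands that are allowed to fail) put together in one runnable fragment. This is an added example written for this page; it is not the PR's entrypoint or any code from the opensearch-project repositories. The three-key variable list and the sample config lines are constructed for illustration, and the helper names to_env_var, render_overrides and apply_overrides are my own.

```bash
#!/usr/bin/env bash
# Added example: the env-var -> config mapping rewritten with the review's
# suggestions. Not the PR's entrypoint; names and sample data are constructed.
set -euo pipefail

# Constructed sample list; the real entrypoint carries a much longer one.
opensearch_dashboards_vars=(
    opensearch.hosts
    server.host
    opensearch.ssl.verificationMode
)

# to_env_var 'opensearch.ssl.verificationMode' -> 'OPENSEARCH_SSL_VERIFICATIONMODE'
# Uppercase and dot replacement are done with parameter expansion: no tr, no subshell.
to_env_var() {
    local name=${1^^}
    printf '%s\n' "${name//./_}"
}

# render_overrides prints "key: value" for every config key whose environment
# variable is set. "${arr[@]}" keeps each element intact; ${!var:-} is indirect
# expansion with an empty default, so an unset variable is safe under set -u.
render_overrides() {
    local key env_var value
    for key in "${opensearch_dashboards_vars[@]}"; do
        env_var=$(to_env_var "$key")
        value=${!env_var:-}
        if [ -n "$value" ]; then
            printf '%s: %s\n' "$key" "$value"
        fi
    done
}

# apply_overrides FILE rewrites FILE so each overridden key appears exactly once
# with the value taken from the environment. Work happens on a temp copy that is
# moved into place only after every step succeeded.
apply_overrides() {
    local file=$1 tmp line key
    tmp=$(mktemp)
    cp -- "$file" "$tmp"
    while IFS= read -r line; do
        key=${line%%:*}
        # grep exits 1 when the key is absent; under set -e that would abort
        # the script, so the expected failure is handled with "if !".
        if ! grep -qF -- "${key}:" "$tmp"; then
            echo "adding ${key} from environment" >&2
        else
            echo "replacing ${key} from environment" >&2
        fi
        # Keys contain dots, so compare the field before ':' as a fixed string
        # rather than using the key as a regex.
        awk -v k="$key" -F: '$1 != k' "$tmp" > "$tmp.next"
        mv -- "$tmp.next" "$tmp"
        printf '%s\n' "$line" >> "$tmp"
    done < <(render_overrides)
    mv -- "$tmp" "$file"
}
```

Run as `OPENSEARCH_HOSTS='["https://opensearch:9200"]' SERVER_HOST=0.0.0.0 bash -c 'source ./example.sh; apply_overrides config/opensearch_dashboards.yml'`; keys with no corresponding environment variable are left untouched, and a typo in a variable name inside the script is caught by set -u instead of expanding to an empty string.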

@tianon tianon mentioned this pull request Feb 22, 2023
@tianon
Member

tianon commented Apr 5, 2024

I'm updating the status of this PR to "draft" for now. When it's ready for re-review, please remove the draft status and leave a comment (GitHub unfortunately does not notify maintainers for draft state changes).

@tianon tianon marked this pull request as draft April 5, 2024 23:07