[7.17](backport #29681) Change docker image from CentOS 7 to Ubuntu 20.04 #29817

Merged
merged 3 commits into from
Jan 18, 2022
Merged
2 changes: 1 addition & 1 deletion .ci/packer_cache.sh
Expand Up @@ -21,7 +21,7 @@ function dockerPullCommonImages() {
docker.elastic.co/observability-ci/database-enterprise:12.2.0.1
docker.elastic.co/beats-dev/fpm:1.11.0
golang:1.14.12-stretch
centos:7
ubuntu:20.04
"
for image in ${DOCKER_IMAGES} ; do
(retry 2 docker pull ${image}) || echo "Error pulling ${image} Docker image. Continuing."
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -11,6 +11,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Affecting all Beats*

- Add job.name in pods controlled by Jobs {pull}28954[28954]
- Change Docker base image from CentOS 7 to Ubuntu 20.04 {pull}29681[29681]

*Auditbeat*

2 changes: 1 addition & 1 deletion auditbeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
python3 \
python3-pip \
python3-venv \
16 changes: 8 additions & 8 deletions dev-tools/packaging/packages.yml
Expand Up @@ -476,8 +476,8 @@ shared:
- &agent_docker_spec
<<: *agent_binary_spec
extra_vars:
from: 'centos:7'
buildFrom: 'centos:7'
from: 'ubuntu:20.04'
buildFrom: 'ubuntu:20.04'
dockerfile: 'Dockerfile.elastic-agent.tmpl'
docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
user: '{{ .BeatName }}'
Expand All @@ -496,8 +496,8 @@ shared:
- &agent_docker_arm_spec
<<: *agent_docker_spec
extra_vars:
from: 'arm64v8/centos:7'
buildFrom: 'arm64v8/centos:7'
from: 'arm64v8/ubuntu:20.04'
buildFrom: 'arm64v8/ubuntu:20.04'

- &agent_docker_complete_spec
<<: *agent_docker_spec
Expand Down Expand Up @@ -648,8 +648,8 @@ shared:
- &docker_spec
<<: *binary_spec
extra_vars:
from: 'centos:7'
buildFrom: 'centos:7'
from: 'ubuntu:20.04'
buildFrom: 'ubuntu:20.04'
user: '{{ .BeatName }}'
linux_capabilities: ''
files:
Expand All @@ -661,8 +661,8 @@ shared:
- &docker_arm_spec
<<: *docker_spec
extra_vars:
from: 'arm64v8/centos:7'
buildFrom: 'arm64v8/centos:7'
from: 'arm64v8/ubuntu:20.04'
buildFrom: 'arm64v8/ubuntu:20.04'

- &docker_ubi_spec
extra_vars:
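Review bot: The new base images `from: 'ubuntu:20.04'` / `buildFrom: 'ubuntu:20.04'` (and the `arm64v8/ubuntu:20.04` variants in the two arm specs) are referenced by mutable tag, so the content of a release image depends on whatever the registry serves for that tag at build time. Pinning by digest, e.g. `from: 'ubuntu:20.04@sha256:<digest>'` (placeholder), would make rebuilds reproducible and keep a re-tagged or tampered upstream image out of the release artifacts. The digest then needs a scheduled bump so base-image security updates are still picked up. The `ubuntu:20.04` entry in `.ci/packer_cache.sh` should follow whatever reference is pinned here, otherwise the cache pre-pull and the build can resolve to different images.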
Expand Up @@ -22,43 +22,50 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s
{{- end }}
true

{{- if .linux_capabilities }}
# Since the beat is stored at the other end of a symlink we must follow the symlink first
# For security reasons setcap does not support symlinks. This is smart in the general case
# but in our specific case since we're building a trusted image from trusted binaries this is
# fine. Thus, we use readlink to follow the link and setcap on the actual binary
RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
{{- end }}

FROM {{ .from }}

ENV BEAT_SETUID_AS={{ .user }}

{{- if contains .from "ubi-minimal" }}
RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils jq && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code)
RUN for iter in {1..10}; do microdnf update -y && microdnf install -y findutils shadow-utils && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code)
{{- else }}
# Installing jq needs to be installed after epel-release and cannot be in the same yum install command.
RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \
for iter in {1..10}; do \
yum update -y $YUM_FLAGS && \
yum install -y epel-release && \
yum update -y $YUM_FLAGS && \
yum install -y jq && \

yum clean all && \
exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; \
RUN for iter in {1..10}; do \
apt-get update -y && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ca-certificates curl libcap2-bin xz-utils && \
apt-get clean all && \
exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
done; \
(exit $exit_code)
{{- end }}

{{- if (and (contains .image_name "-complete") (not (contains .from "ubi-minimal"))) }}
RUN for iter in {1..10}; do \
yum -y install atk gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
libXext libXi libXtst libXScrnSaver libXrandr GConf2 \
alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \
yum clean all && \
exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; \
RUN apt-get update -y && \
for iter in {1..10}; do \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
libglib2.0-0\
libnss3\
libnspr4\
libatk1.0-0\
libatk-bridge2.0-0\
libcups2\
libdrm2\
libdbus-1-3\
libxcb1\
libxkbcommon0\
libx11-6\
libxcomposite1\
libxdamage1\
libxext6\
libxfixes3\
libxrandr2\
libgbm1\
libpango-1.0-0\
libcairo2\
libasound2\
libatspi2.0-0\
libxshmfence1 && \
apt-get clean all && \
exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
done; \
(exit $exit_code)
ENV NODE_PATH={{ $beatHome }}/.node
Expand Down Expand Up @@ -137,6 +144,14 @@ RUN mkdir /licenses
COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses

{{- if .linux_capabilities }}
# Since the beat is stored at the other end of a symlink we must follow the symlink first
# For security reasons setcap does not support symlinks. This is smart in the general case
# but in our specific case since we're building a trusted image from trusted binaries this is
# fine. Thus, we use readlink to follow the link and setcap on the actual binary
RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
{{- end }}

{{- if ne .user "root" }}
RUN groupadd --gid 1000 {{ .BeatName }}
RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
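Review bot: The new apt-get retry loops use `for iter in {1..10}; do`, which is bash brace expansion, but `RUN` executes through `/bin/sh`, and on ubuntu:20.04 that is dash, which leaves `{1..10}` as a single literal word. Unless a `SHELL` instruction outside these hunks selects bash, the loop body runs once, so a transient mirror failure fails the build after one attempt and the message reads "retry {1..10} in 10s". A POSIX form such as `for iter in 1 2 3 4 5 6 7 8 9 10; do` keeps the ten attempts. The `-complete` block in this section and both apt-get loops in dev-tools/packaging/templates/docker/Dockerfile.tmpl use the same construct, and in the `-complete` block `apt-get update -y` sits outside the loop, so it is not retried at all. This section's file header is missing from the page; judging by `dockerfile: 'Dockerfile.elastic-agent.tmpl'` in packages.yml it is presumably the elastic-agent template.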
67 changes: 46 additions & 21 deletions dev-tools/packaging/templates/docker/Dockerfile.tmpl
Expand Up @@ -18,36 +18,52 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \
{{- end }}
chmod 0775 {{ $beatHome }}/data {{ $beatHome }}/logs

{{- if .linux_capabilities }}
# Since the beat is stored at the other end of a symlink we must follow the symlink first
# For security reasons setcap does not support symlinks. This is smart in the general case
# but in our specific case since we're building a trusted image from trusted binaries this is
# fine. Thus, we use readlink to follow the link and setcap on the actual binary
RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
{{- end }}

FROM {{ .from }}

{{- if contains .from "ubi-minimal" }}
RUN microdnf -y update && \
microdnf install shadow-utils && \
microdnf install findutils shadow-utils && \
microdnf clean all
{{- else }}
# FIXME: Package bind-license failed to update in arm
RUN case $(arch) in aarch64) YUM_FLAGS="-x bind-license";; esac; \
yum -y update $YUM_FLAGS \
{{- if (eq .BeatName "heartbeat") }}
&& yum -y install epel-release \
&& yum -y install atk gtk gdk xrandr pango libXcomposite libXcursor libXdamage \
libXext libXi libXtst libXScrnSaver libXrandr GConf2 \
alsa-lib atk gtk3 ipa-gothic-fonts xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc \
{{- end }}
&& yum clean all && rm -rf /var/cache/yum
# See https://access.redhat.com/discussions/3195102 for why rm is needed
RUN for iter in {1..10}; do \
apt-get update -y && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes ca-certificates curl libcap2-bin xz-utils && \
apt-get clean all && \
exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
done; \
(exit $exit_code)
{{- end }}

{{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal"))) }}
RUN apt-get update -y && \
for iter in {1..10}; do \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
libglib2.0-0\
libnss3\
libnspr4\
libatk1.0-0\
libatk-bridge2.0-0\
libcups2\
libdrm2\
libdbus-1-3\
libxcb1\
libxkbcommon0\
libx11-6\
libxcomposite1\
libxdamage1\
libxext6\
libxfixes3\
libxrandr2\
libgbm1\
libpango-1.0-0\
libcairo2\
libasound2\
libatspi2.0-0\
libxshmfence1 && \
apt-get clean all && \
exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
done; \
(exit $exit_code)
ENV NODE_PATH={{ $beatHome }}/.node
RUN echo \
$NODE_PATH \
Expand Down Expand Up @@ -93,6 +109,7 @@ RUN set -e ; \
TINI_BIN=""; \
TINI_SHA256=""; \
TINI_VERSION="v0.19.0"; \
echo "The arch value is $(arch)"; \
case "$(arch)" in \
x86_64) \
TINI_BIN="tini-amd64"; \
Expand Down Expand Up @@ -120,6 +137,14 @@ RUN mkdir /licenses
COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses
COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses

{{- if .linux_capabilities }}
# Since the beat is stored at the other end of a symlink we must follow the symlink first
# For security reasons setcap does not support symlinks. This is smart in the general case
# but in our specific case since we're building a trusted image from trusted binaries this is
# fine. Thus, we use readlink to follow the link and setcap on the actual binary
RUN readlink -f {{ $beatBinary }} | xargs setcap {{ .linux_capabilities }}
{{- end }}

{{- if ne .user "root" }}
RUN groupadd --gid 1000 {{ .BeatName }}
RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
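Review bot: The runtime stage now installs `curl`, `libcap2-bin` and `xz-utils` unconditionally, while the only visible use of `setcap` is inside `{{- if .linux_capabilities }}` and `docker_spec` in packages.yml sets `linux_capabilities: ''`. If these tools are needed only while the image is built (presumably the tini download and the setcap step), they remain in the shipped image as extra tooling that a hardened runtime image would not carry. Consider installing `libcap2-bin` only under the same template condition and removing build-only packages after their last use, e.g. `apt-get purge -y --auto-remove libcap2-bin`. Whether the entrypoint or steps outside these hunks need `curl` at runtime is not visible here, so confirm that before removing it. `apt-get clean all` also leaves the package indexes in place; adding `rm -rf /var/lib/apt/lists/*` to the same `RUN` would drop them from the layer.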
2 changes: 1 addition & 1 deletion filebeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
libsystemd-dev \
netcat \
rsync \
2 changes: 1 addition & 1 deletion heartbeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
netcat \
python3 \
python3-pip \
2 changes: 1 addition & 1 deletion libbeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
netcat \
libpcap-dev \
python3 \
4 changes: 2 additions & 2 deletions metricbeat/Dockerfile
@@ -1,8 +1,8 @@
FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
apt update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -qq -y --no-install-recommends \
netcat \
python3 \
python3-dev \
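Review bot: The update step switches from `apt-get update` to `apt update`, while the install on the next line and every other Dockerfile touched by this change keep `apt-get`. `apt` is the interactive front end and warns that its command-line interface is not stable for use in scripts, so `apt-get update \` is the safer choice here and stays consistent with the sibling Dockerfiles. The `RUN` instruction continues past the end of the hunk.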
2 changes: 1 addition & 1 deletion packetbeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
python3 \
python3-pip \
python3-venv \
2 changes: 1 addition & 1 deletion x-pack/functionbeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
netcat \
rsync \
python3 \
2 changes: 1 addition & 1 deletion x-pack/libbeat/Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM golang:1.17.5

RUN \
apt-get update \
&& apt-get install -y --no-install-recommends \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
netcat \
rsync \
python3 \