[fix] EXPERIMENT: Switch docker base image to avoid mixing musl & glibc libraries at runtime #23366

Closed
4 changes: 2 additions & 2 deletions .github/workflows/pulsar-ci.yaml
Expand Up @@ -474,7 +474,7 @@ jobs:
env:
DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
CI_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
IMAGE_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
PULSAR_BASE_IMAGE: bellsoft/liberica-runtime-container:jdk-${{ needs.preconditions.outputs.jdk_major_version }}-cds-stream-glibc
steps:
- name: checkout
uses: actions/checkout@v4
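Review bot: `PULSAR_BASE_IMAGE` in this `env` block points at a mutable tag (`bellsoft/liberica-runtime-container:jdk-...-cds-stream-glibc`), so the contents of the image CI builds and tests can change between runs without any change in this repository. Consider pinning the image by digest (`...@sha256:<digest>`), or at least resolving and logging the digest in the job, so that a changed upstream image is visible when a run starts behaving differently.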
Expand Down Expand Up @@ -830,7 +830,7 @@ jobs:
env:
DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
CI_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
IMAGE_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
PULSAR_BASE_IMAGE: bellsoft/liberica-runtime-container:jdk-${{ needs.preconditions.outputs.jdk_major_version }}-cds-stream-glibc
steps:
- name: checkout
uses: actions/checkout@v4
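Review bot: the `PULSAR_BASE_IMAGE` value in this `env` block is a second copy of the string already set in the job touched by the hunk at -474, so the two jobs can drift apart if only one is edited later. Computing it once, for example as an output of the `preconditions` job next to `jdk_major_version`, would keep both jobs on the same base image.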
80 changes: 0 additions & 80 deletions docker/glibc-package/Dockerfile

This file was deleted.

39 changes: 0 additions & 39 deletions docker/glibc-package/README.md

This file was deleted.

53 changes: 0 additions & 53 deletions docker/glibc-package/scripts/APKBUILD

This file was deleted.

21 changes: 0 additions & 21 deletions docker/glibc-package/scripts/glibc-bin.trigger

This file was deleted.

23 changes: 0 additions & 23 deletions docker/glibc-package/scripts/ld.so.conf

This file was deleted.

65 changes: 13 additions & 52 deletions docker/pulsar/Dockerfile
Expand Up @@ -17,8 +17,11 @@
# under the License.
#

# Final image uses the Liberica JDK image running on Alpaquita Linux as the base image
# maven build passes PULSAR_BASE_IMAGE environment variable to the build as PULSAR_BASE_IMAGE argument
ARG PULSAR_BASE_IMAGE=bellsoft/liberica-runtime-container:jdk-17-cds-stream-glibc
# Alpine is used for intermediate stages
ARG ALPINE_VERSION=3.20
ARG IMAGE_JDK_MAJOR_VERSION=21

# First create a stage with just the Pulsar tarball and scripts
FROM alpine:$ALPINE_VERSION as pulsar
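Review bot: the new default `ARG PULSAR_BASE_IMAGE=bellsoft/liberica-runtime-container:jdk-17-cds-stream-glibc` hard-codes JDK 17, while the default it replaces was `ARG IMAGE_JDK_MAJOR_VERSION=21`. A build that does not pass `PULSAR_BASE_IMAGE` now silently produces a JDK 17 image; if that is not intended, the default should use the `jdk-21` tag. The comment above it also calls the value both an environment variable and an argument in one sentence, which is worth rewording so it is clear who sets what.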
Expand Down Expand Up @@ -51,56 +54,29 @@ RUN for SUBDIRECTORY in conf data download logs instances/deps packages-storage;
RUN chmod -R g+rx /pulsar/bin
RUN chmod -R o+rx /pulsar

# Enable snappy-java to use system lib
RUN echo 'OPTS="$OPTS -Dorg.xerial.snappy.use.systemlib=true"' >> /pulsar/conf/bkenv.sh

### Create one stage to include JVM distribution
FROM amazoncorretto:${IMAGE_JDK_MAJOR_VERSION}-alpine AS jvm

RUN apk add --no-cache binutils

# Use JLink to create a slimmer JDK distribution (see: https://adoptium.net/blog/2021/10/jlink-to-produce-own-runtime/)
# This still includes all JDK modules, though in the future we could compile a list of required modules
RUN /usr/lib/jvm/default-jvm/bin/jlink --add-modules ALL-MODULE-PATH --compress zip-9 --no-man-pages --no-header-files --strip-debug --output /opt/jvm
RUN echo networkaddress.cache.ttl=1 >> /opt/jvm/conf/security/java.security
RUN echo networkaddress.cache.negative.ttl=1 >> /opt/jvm/conf/security/java.security

## Create one stage to include snappy-java native lib
# Fix the issue when using snappy-java in x86 arch alpine
# See https://github.com/xerial/snappy-java/issues/181 https://github.com/xerial/snappy-java/issues/579
# We need to ensure that the version of the native library matches the version of snappy-java imported via Maven
FROM alpine:$ALPINE_VERSION AS snappy-java

ARG SNAPPY_VERSION
RUN apk add git alpine-sdk util-linux cmake autoconf automake libtool openjdk17 maven curl bash tar
ENV JAVA_HOME=/usr
RUN curl -Ls https://github.com/xerial/snappy-java/archive/refs/tags/v$SNAPPY_VERSION.tar.gz | tar zxf - && cd snappy-java-$SNAPPY_VERSION && make clean-native native
FROM apachepulsar/glibc-base:2.38 as glibc

## Create final stage from Alpine image
## and add OpenJDK and Python dependencies (for Pulsar functions)
FROM alpine:$ALPINE_VERSION
## Create final stage from liberica-runtime-container image
## and add Python dependencies (for Pulsar functions)
FROM $PULSAR_BASE_IMAGE
ENV LANG C.UTF-8

# Upgrade all packages to get latest versions with security fixes
# Install some utilities, some are required by Pulsar scripts
RUN apk add --no-cache \
RUN apk update && apk upgrade --no-cache && apk add --no-cache \
bash \
python3 \
py3-pip \
py3-grpcio \
py3-yaml \
gcompat \
ca-certificates \
procps \
curl \
bind-tools \
openssl

# Upgrade all packages to get latest versions with security fixes
RUN apk upgrade --no-cache
# adjust default DNS caching TTL to 1 second
RUN echo networkaddress.cache.ttl=1 >> $JAVA_HOME/conf/security/java.security && echo networkaddress.cache.negative.ttl=1 >> $JAVA_HOME/conf/security/java.security

# Python dependencies

# The [email protected] is installed by apk, and [email protected] requires grpcio>=1.60.0, which causes the grocio to be reinstalled by pip.
# If pip cannot find the grpcio wheel that the doesn't match the OS, the grpcio will be compiled locally.
# Once https://github.com/apache/pulsar-client-python/pull/211 is released, keep only the pulsar-client[all] and kazoo dependencies, and remove comments.
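Review bot: the `java.security` step appends to `$JAVA_HOME/conf/security/java.security` and so depends on whatever image is supplied as `PULSAR_BASE_IMAGE` exporting `JAVA_HOME`, whereas the removed `jvm` stage wrote to the fixed path `/opt/jvm`. Using `${JAVA_HOME:?}` in that `RUN` would make the build fail with a clear message when the variable is missing. Separately, the `apk update` in front of `apk upgrade --no-cache` is redundant and leaves an index cache in the layer, since `--no-cache` already fetches a fresh index.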
Expand All @@ -118,31 +94,16 @@ prometheus_client\n\
ratelimit\n\
# avro\n\
fastavro>=1.9.2\n\
" > /requirements.txt

RUN pip3 install --break-system-packages --no-cache-dir --only-binary grpcio -r /requirements.txt
RUN rm /requirements.txt

# Install GLibc compatibility library
COPY --from=glibc /root/packages /root/packages
RUN apk add --allow-untrusted --force-overwrite /root/packages/glibc-*.apk

COPY --from=jvm /opt/jvm /opt/jvm
ENV JAVA_HOME=/opt/jvm

COPY --from=snappy-java /tmp/libsnappyjava.so /usr/lib/libsnappyjava.so
lhotari marked this conversation as resolved.
" > /tmp/requirements.txt && pip3 install --break-system-packages --no-cache-dir --only-binary grpcio -r /tmp/requirements.txt && rm /tmp/requirements.txt

# The default is /pulsat/bin and cannot be written.
ENV PULSAR_PID_DIR=/pulsar/logs

ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE

COPY --from=pulsar /pulsar /pulsar

WORKDIR /pulsar
ENV PATH=$PATH:$JAVA_HOME/bin:/pulsar/bin

# The UID must be non-zero. Otherwise, it is arbitrary. No logic should rely on its specific value.
ARG DEFAULT_USERNAME=pulsar
RUN adduser ${DEFAULT_USERNAME} -u 10000 -G root -D -H -h /pulsar/data
USER 10000
USER 10000
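Review bot: the rewritten `pip3 install --break-system-packages ... -r /tmp/requirements.txt` line still installs from a list in which `prometheus_client` and `ratelimit` carry no version and `fastavro` only a lower bound, so two builds of the same commit can ship different Python packages. Since this line is being touched anyway, consider pinning exact versions (or using `--require-hashes`) for these entries. Dropping the `apk add --allow-untrusted --force-overwrite` of the glibc packages removes an unverified install path from the final image, which is a good outcome of this hunk.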
Expand Up @@ -41,9 +41,9 @@ unzip $ROCKSDB_JAR > /dev/null

if [ "$ARCH" = "x86_64" ]
then
ROCKSDB_TO_KEEP=linux64-musl
ROCKSDB_TO_KEEP=linux64
else
ROCKSDB_TO_KEEP=linux-$ARCH-musl
ROCKSDB_TO_KEEP=linux-$ARCH
fi

ls librocksdbjni-* | grep -v librocksdbjni-${ROCKSDB_TO_KEEP}.so | xargs rm
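Review bot: `ROCKSDB_TO_KEEP` is now fixed to the glibc builds (`linux64`, `linux-$ARCH`), but the same PR turns the base image into a build argument, so a musl-based `PULSAR_BASE_IMAGE` would be left with no loadable RocksDB native library. Either document that `PULSAR_BASE_IMAGE` must be glibc-based, or choose the suffix from the libc of the target image instead of hard-coding it in both branches of the `if`.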
2 changes: 1 addition & 1 deletion docker/pulsar/pom.xml
Expand Up @@ -83,7 +83,7 @@
<PULSAR_TARBALL>target/pulsar-server-distribution-${project.version}-bin.tar.gz</PULSAR_TARBALL>
<PULSAR_CLIENT_PYTHON_VERSION>${pulsar.client.python.version}</PULSAR_CLIENT_PYTHON_VERSION>
<SNAPPY_VERSION>${snappy.version}</SNAPPY_VERSION>
<IMAGE_JDK_MAJOR_VERSION>${IMAGE_JDK_MAJOR_VERSION}</IMAGE_JDK_MAJOR_VERSION>
<PULSAR_BASE_IMAGE>${PULSAR_BASE_IMAGE}</PULSAR_BASE_IMAGE>
</args>
<contextDir>${project.basedir}</contextDir>
<tags>
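Review bot: `<SNAPPY_VERSION>` is still passed as a build argument on the line above the change, although the Dockerfile stage that declared `ARG SNAPPY_VERSION` is removed in this PR, so it looks unused and can be dropped here as well. It would also help to show where `${PULSAR_BASE_IMAGE}` gets a default for local Maven builds, since this hunk only forwards the property and the CI workflow is the only place in the visible diff that sets it.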