Use a tiny base image for Docker builds #52519
Conversation
The Docker tests framework captures container logs when Elasticsearch fails to start. However, it doesn't do this if a later shell command fails. Amend the DockerShell wrapper to capture the container logs if a command fails when it should succeed.
When DockerShell.run() catches a ShellException, dump out the logs and then rethrow the exception, rather than wrapping the original exception.
pugnascotia
added
:Delivery/Packaging
|
Pinging @elastic/es-core-infra (:Core/Infra/Packaging) |
|
It'd be nice for changes like this to include a summary of the impact. Things like:
We also have a number of items/questions that still need addressing if we choose to peruse this further:
All and all there are a lot of added complexity here, and that's still w/o all the build integration stuff completely fleshed out. I think we need to consider to end benefit here, which is why I ask for the overall numbers to provide some context in making that decision. |
|
One thing to bear in mind here is that a reduction in size isn't strictly the goal. Rather, we want to reduce the amount of unnecessary stuff, which can e.g. trigger vulnerability warnings in security scans. Anyway, the uncompessed image size, as reported by The compressed size is 383MB before and 290MB after, so 93MB smaller. On my laptop, with all Docker images purged, the time to build the base image is 3m 16s (which included downloading the I haven't engaged with Cloud yet as I wanted to validate the approach thus far. They would definitely need to make changes though, since the base image only provides user and group management utilities from BusyBox, which are usable but less full-featured than other utils. The changes to the In terms on maintenance, I see this similarly to bitnami/minidev, another stripped-down base distro that Bitnami uses for their Elasticsearch image. We might also choose to use it as a basis for e.g. Logstash at some point down the line. BTW I haven't forgotten about |
Thanks, Rory. That's important context and I would have known that had I actually read #51670 😉
👍 That would save us a lot of redundant effort and headache in our build if we could go this route. We'd need to figure out a lot of details here but IMO that would my preference I think so we could rip out all that additional complexity from our build and basically the only thing that would change in the ES repo is the base image used in our Dockerfile. |
|
Still looking for feedback on this PR. |
|
Can we still run "yum update" inside the container after these changes? |
|
No |
|
@elasticmachine update branch |
|
merge conflict between base and head |
|
@pugnascotia I like the direction here, but I'll withhold a thorough review until after you take this out of draft stage. Let me know it's ready for a thorough review. |
|
I've updated this PR with |
|
I don't think it's a big deal. I prefer this to duplication since Docker doesn't have a good solution for "sharing" logic aside from base images which isn't ideal for this use case. |
|
@jasontedor Latest stats:
In terms of reducing attack surface, we would ship about a third fewer files, notably omitting the standard CentOS stuff like systemd and We should see a greater size reduction on ARM, because the CentOS image ships a whole bunch of device drivers (at least I think that's what they are?), which adds hundreds of megabytes to the image. I actually can't remember when I last tried this build on ARM, however, so I should do that before merging. |
|
OK, I spun up an ARM images in AWS and checked that the branch builds OK, which it does. The Entertainingly, the ARM version of So...I guess we're good to go. Eek. |
Following elastic#52519, our Docker build pulls down `curl` sources in an Alpine Linux container using `wget`. However that version of `wget` doesn't support any retry flags. Since network issues can cause build failures, wrap the `wget` calls in the same retry construct used for `yum` commands elsewhere. Closes elastic#63600.
Following #52519, our Docker build pulls down curl sources in an Alpine Linux container using wget. However that version of wget doesn't support any retry flags. Since network issues can cause build failures, wrap the wget calls in the same retry construct used for yum commands elsewhere. Closes #63600.
mark-vieira
added
Team:Delivery
|
@pugnascotia have we considered using |
|
Can you point me at the image? We can only use an official image on Docker Hub, because one of requirements for publishing official images is that you extend an official image (or |
|
Ah I see, I was thinking about https://catalog.redhat.com/software/containers/rhel-minimal/5b4a52bbbed8bd2fe667e449 so yeah no "official" image |
|
is there a slim/alpine version of elastic search I could use for my CI? instead of pulling 640mb? |
We do not offer an image based on alpine linux for a couple of reasons. Firstly, the majority of the size of the image is due to the included JDK, so using a "slimmer" base image won't actually reduce the size that much. Also, we found that there were compatibility issues when running against musl libc vs glibc. |
Closes #51670, closes #50838.
Introduce a tiny base image for Docker builds. It aims to create a basic filesystem with as little as possible, which is mostly
glibc,busyboxandbash. A statically-builtcurlis also provided.We still use CentOS 8 as a base. All the fun stuff happens in the
Dockerfile.Note: The comment history below covers a time period when there was an intermediate base image, and a time when the new parts of the build existed in scripts. The current form of the build is a result of discussions with Docker about how official images should be written.