Use Cloudflare's zlib in Docker images

[pugnascotia]

Closes #81208. Elasticsearch uses zlib for two purposes:

• Compression of stored fields with index.codec: best_compression,
  which we use for observability and security data.
• Request / response compression.

Historically, zlib was packaged within the JDK, so that users wouldn't
have to have zlib installed for basic usage of Java. However, the
original zlib optimizes for portability and misses a number of important
optimizations such as leveraging vectorization support for x86 and ARM
architectures. Several forks have been created in order to address this.

Since version 9, the JDK uses the system's zlib when available and falls
back to the zlib that is packaged within the JDK if a system zlib cannot
be found.

This commit changes the Docker image to install the Cloudflare fork of
zlib, and run Java using the fork instead of the original zlib, so that
users of the Docker image can get better performance.

Other ES distribution types are out-of-scope, since configuring the JVM
to use an alternative zlib requires an environment config as well as
installed another zlib, and Docker is the only distribution type where
we can control both.

[elasticmachine]

Pinging @elastic/es-delivery (Team:Delivery)

[elasticsearchmachine]

Hi @pugnascotia, I've created a changelog YAML for you.

[jpountz]

Wow, thanks for putting up a PR so quickly! I wonder if there's a way we can test that this cloudflare-zlib is actually being picked up by the bundled JDK, such as running ldd /path/to/java | grep libz and making sure it's the cloudflare zlib and not the original zlib?

[jpountz]

should we try to preserve existing values of LD_LIBRARY_PATH, e.g.

Suggested change

	export LD_LIBRARY_PATH=/usr/local/cloudflare-zlib/lib
	export LD_LIBRARY_PATH=/usr/local/cloudflare-zlib/lib:$LD_LIBRARY_PATH

[pugnascotia]

I wondered about that, but I also struggled to think of another reason why someone else would also be setting LD_LIBRARY_PATH with our image. Any ideas, anyone?

Also, I now think that this isn't the right place for this change, because Cloud do something different with the Docker entrypoint. I'll move this into the elasticsearch script and put a guard on it with $ES_DISTRIBUTION_TYPE.

[pugnascotia]

Looks like it gets picked up OK:

$ docker run -u root -it --rm elasticsearch:test bash
root@443cf81c2b16:/usr/share/elasticsearch# export LD_LIBRARY_PATH=/usr/local/cloudflare-zlib/lib
root@443cf81c2b16:/usr/share/elasticsearch# ldd jdk/bin/java
        linux-vdso.so.1 (0x0000ffff851b9000)
        libz.so.1 => /usr/local/cloudflare-zlib/lib/libz.so.1 (0x0000ffff85140000)
        libjli.so => /usr/share/elasticsearch/jdk/bin/../lib/libjli.so (0x0000ffff8511f000)
        libpthread.so.0 => /lib/aarch64-linux-gnu/libpthread.so.0 (0x0000ffff850ef000)
        libdl.so.2 => /lib/aarch64-linux-gnu/libdl.so.2 (0x0000ffff850db000)
        libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff84f68000)
        /lib/ld-linux-aarch64.so.1 (0x0000ffff85189000)

[pugnascotia]

@mark-vieira the packaging tests on SLES are reporting failure again, with what looks like a failure to talk to HOMER?

[DJRickyB]

A few thoughts on scope:

Other ES distribution types are out-of-scope, since configuring the JVM
to use an alternative zlib requires an environment config as well as
installed another zlib, and Docker is the only distribution type where
we can control both.

Now since the environment config is being applied from within bin/elasticsearch this is slightly less true. Likewise we are adding a build step for a tiny binary, the version being > 8 years old. Would we consider instead building/persisting the platform-specific libraries somewhere (possibly even in this repo) if they are small enough, rather than adding a build step to our process?

If so:

• the tarball could package the library, meaning the enhancement comes on every supported platform
• our nightly benchmarks could pick up the change, as they do not currently test using the docker distribution
• the added library gets scoped into more integrations tests, including those driven by the rest of the stack/solutions
• we can simplify the elasticsearch script condition to simply look for the library in $ES_HOME/wherever, or generically add a place for native libraries in ES_HOME and always set this

[DJRickyB]

a note on testing in docker, i think at this point we'd want to see the following show cloudflare-zlib in use, given setting the library path has moved out of the entrypoint script:

# bin/elasticsearch -d
# pmap -p $(pidof java)

[pugnascotia]

Thanks @DJRickyB, I added a test case to cover this.

[jpountz]

nit: it would be nice to have the output of the command in the error message in case the problem is not fully reproducible?

[pugnascotia]

Good idea @jpountz, I've modified the test.

[mark-vieira]

@mark-vieira the packaging tests on SLES are reporting failure again, with what looks like a failure to talk to HOMER?

Infra merged a fix for this which might take a day to percolate through CI as the images get rebuilt.

[pugnascotia]

@elasticmachine run elasticsearch-ci/packaging-tests-unix

[pugnascotia]

Backported to 8.0 in e807fb3.

[pugnascotia]

Backported to 7.16 in 6582acf.

[pugnascotia]

Hmm, we may have missed the cut-off for 7.16.0, meaning that we'd either release this in 7.16.1 (which is questionable) or wait until 7.17.0.

[mark-vieira]

Would this be considered breaking in any way? What are the user facing implications here?

[jpountz]

FWIW my expectation was that this change would make it to 8.1 since it's an enhancement and we're past feature freeze for both 7.16 and 8.0.

[mark-vieira]

If we back it out of 7.16 we definitely want it in for 7.17 though. That said, we haven't created a branch for that release yet so we'd have to hold off on the backport until that is done.

[pugnascotia]

OK, I've yanked it from 7.16 in 4eb9667 for now. I can apply it to 7.17 once it exists.

[jpountz]

I can apply it to 7.17 once it exists.

Given recent communication that 7.17 should effectively be treated as a patch release, I think we should only target 8.x with this change.