build and push Docker image based on Chainguard base image #13137

Merged
merged 15 commits into from May 24, 2024

@v1v v1v commented May 10, 2024

Motivation/summary

Release two flavours of Docker images:

Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their own custom images based on ubuntu: this is needed because docker.elastic.co/wolfi/* is not a public base image, so docker build would fail for unauthenticated users.

Implementation details

I changed the Makefiles to support different Dockerfiles when running the docker build generation.
I added a tag to help with testing this in GitHub Actions and then be able to push the docker images to an internal docker registry.
I fixed some warnings regarding missing files when running the go build in the docker.

Checklist

For functional changes, consider:

  • Is it observable through the addition of either logging or metrics?
  • Is its use being published in telemetry to enable product improvement?
  • Have system tests been added to avoid regression?

How to test these changes

CI

Will create the docker images automatically when working on a feature branch or main/releases

docker images docker.elastic.co/observability-ci/apm-server-internal
REPOSITORY                                               TAG                     IMAGE ID       CREATED          SIZE
docker.elastic.co/observability-ci/apm-server-internal   8.15.0-SNAPSHOT-wolfi   dce4529d1383   11 minutes ago   126MB
docker.elastic.co/observability-ci/apm-server-internal   8.15.0-SNAPSHOT         d2e84aceb911   12 minutes ago   209MB

Locally

$ make package-snapshot

TBC what kind of tests should be done and how.

Related issues

#13139 will help with testing these changes in Buildkite without the need to be merged.
#12671 is also another in-progress task

@v1v v1v self-assigned this May 10, 2024
@v1v v1v added the backport-8.14 Automated backport with mergify label May 10, 2024
packaging.mk Outdated
@@ -186,7 +196,10 @@ build/dependencies-$(APM_SERVER_VERSION)-SNAPSHOT.csv: build/dependencies-$(APM_
cp $< $@

package-docker: $(DOCKER_IMAGE_RELEASE_TARBALLS)
@echo ">> $(DOCKER_IMAGE_RELEASE_TARBALLS)"
Member Author

just to help with printing what it did

package-docker-snapshot: $(DOCKER_IMAGE_SNAPSHOT_TARBALLS)
@echo ">> $(DOCKER_IMAGE_SNAPSHOT_TARBALLS)"
Member Author

just to help with printing what it did

--tag $(INTERNAL_DOCKER_IMAGE):$(VERSION)$(if $(findstring arm64,$(GOARCH)),-arm64)$(if $(findstring wolfi,$(@)),-wolfi) \
-f packaging/docker/Dockerfile .

# Docker image tarballs. We distribute UBI Docker images only for AMD64.
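
Review bot: In the `--tag` line, `$(findstring wolfi,$(@))` matches the substring anywhere in the target path, so the `-wolfi` suffix follows how the target file is named rather than which base image was actually passed to the build. Consider a target-specific variable set next to the base-image build args (a hypothetical `IMAGE_SUFFIX`, for example) and expanding that here, so the tag and the image contents cannot drift apart. The comment on the last line says UBI images ship only for AMD64; it should also say whether that holds for the wolfi flavour, since this expression can produce `-arm64-wolfi`.
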
Member Author

docs: no ubi8 but ubi, #11977


build/docker/%.txt: DOCKER_IMAGE_TAG := docker.elastic.co/apm/apm-server:%
build/docker/%.txt: VERSION := $(APM_SERVER_VERSION)
build/docker/%-SNAPSHOT.txt: VERSION := $(APM_SERVER_VERSION)-SNAPSHOT
build/docker/apm-server-ubi-%.txt: DOCKER_BUILD_ARGS+=--build-arg BASE_IMAGE=docker.elastic.co/ubi9/ubi-minimal
build/docker/apm-server-wolfi-%.txt: DOCKER_BUILD_ARGS+=--build-arg BASE_IMAGE=docker.elastic.co/wolfi/chainguard-base:20230214 --build-arg BASE_GOLANG_IMAGE=docker.elastic.co/wolfi/go

INTERNAL_DOCKER_IMAGE := docker.elastic.co/observability-ci/apm-server-internal
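
Review bot: On the `apm-server-wolfi-%.txt` line, `BASE_GOLANG_IMAGE=docker.elastic.co/wolfi/go` carries no tag or digest, so the builder stage resolves to whatever the registry serves at build time, and `chainguard-base:20230214` is a tag that can be re-pointed. Pin both by digest (`image@sha256:<digest>`) so rebuilding the same commit uses the same toolchain and base, and update the digests in a reviewed change. The `ubi9/ubi-minimal` reference on the line above is untagged in the same way.
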
Member Author

This should help create docker images and publish them to our internal docker registry - this is handy for validating changes before anything related to the DRA and in GitHub actions.

We are safe since these docker images won't be publicly available for the time being:

$ docker pull docker.elastic.co/observability-ci/apm-server-internal:8.15.0-SNAPSHOT-wolfi
Error response from daemon: pull access denied for docker.elastic.co/observability-ci/apm-server-internal, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

WORKDIR /src
COPY go.mod go.sum /src/
COPY go.mod go.sum .go-version /src/
Member Author

Fixes a warning when building the docker image

COPY internal/glog/go.mod /src/internal/glog/go.mod
RUN --mount=type=cache,target=/go/pkg/mod go mod download
COPY Makefile *.mk /src
COPY cmd /src/cmd
COPY internal /src/internal
COPY x-pack /src/x-pack
COPY .git /src/.git
COPY script /src/script
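
Review bot: `COPY .git /src/.git` places the full repository history in this stage, next to the newly copied `script` directory. Please confirm the final stage copies only the built binary out of this stage, so neither `.git` nor `script` reaches the published image. If the build needs only the commit hash, passing it as a build arg would avoid copying `.git` at all.
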
Member Author

Fixes a warning when building the docker image


ENV GOROOT /usr/local/go
Member Author

Unrequired for building the wolfi version and in fact it's not needed for the traditional docker image

- run: make package-snapshot
env:
GH_TOKEN: ${{ github.token }}
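
Review bot: `GH_TOKEN: ${{ github.token }}` on the `make package-snapshot` step is inherited by every process that make starts, including the packaging scripts. Add an explicit `permissions:` block for this job limited to what `gh` needs here (read-only `contents` if it only queries the repository), so a compromised build step cannot use the token to write.
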
Member Author

Remove some warnings in the GitHub logs, regarding a missing variable when running gh in the GitHub runner

url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
if: |
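
Review bot: The `if: |` guard on this Vault login step is cut off in this view, so the expression itself cannot be checked here. Because `roleId` and `secretId` come from repository secrets, the step that later pushes to the internal registry needs the same condition as this login, otherwise a fork PR skips the login and then fails at the push. For the pull request case, comparing `github.event.pull_request.head.repo.full_name` with `github.repository` expresses "PR from the upstream" directly.
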
Member Author

Only when working on branches in the upstream or PRs coming from the upstream then log in; GitHub secrets are not available on forked PRs.

.github/workflows/ci.yml Outdated
@mergify mergify bot mentioned this pull request May 10, 2024
@v1v v1v marked this pull request as ready for review May 10, 2024 12:10
@v1v v1v requested a review from a team as a code owner May 10, 2024 12:10
@v1v v1v requested a review from a team May 10, 2024 12:11
reakaleek previously approved these changes May 14, 2024
Member

@kruskall kruskall left a comment

we should use chainguard static image as apm-server is a static go binary now

v1v commented May 15, 2024

we should use chainguard static image as apm-server is a static go binary now

Would you agree that changing this PR to support a vanilla Dockerfile.<TBD> will be enough? - as long as, the Dockerfile.<TBD> is implemented in #12671

.<TBD> -> can be chainguard, minimal, static ... To Be Defined

Changes will be about:

  • Validating docker image generation on GitHub actions
  • Supporting docker image generation in Buildkite.
  • Supporting conditional docker generation - to avoid external contributors having failures because docker base images are not available by default.

@v1v v1v marked this pull request as draft May 15, 2024 16:39
@v1v v1v marked this pull request as ready for review May 15, 2024 16:51
@v1v v1v requested a review from kruskall May 15, 2024 16:51
@kruskall
Member

Would you agree that changing this PR to support a vanilla Dockerfile.<TBD> will be enough? - as long as, the Dockerfile.<TBD> is implemented in #12671

That works 😄

COPY internal/glog/go.mod /src/internal/glog/go.mod
RUN --mount=type=cache,target=/go/pkg/mod go mod download
COPY Makefile *.mk /src
COPY Makefile *.mk /src/
Member Author

fixed linting, when copying multiple files then the target should end with /

kruskall previously approved these changes May 23, 2024
v1v commented May 23, 2024

I think I need to enable some docker login in Buildkite... (I'll disable the docker generation for Buildkite for the time being) while I work on that in a separate PR, sorry @kruskall, I need your review in 1 minute

0db7be1 is the one disabling it

.buildkite/package.yml Outdated
@kruskall
Member

@v1v can you sign the commits ?

@v1v v1v enabled auto-merge (squash) May 24, 2024 13:03
@v1v v1v merged commit b070b3c into main May 24, 2024
11 checks passed
@v1v v1v deleted the feature/docker-images-wolfi branch May 24, 2024 13:03
mergify bot pushed a commit that referenced this pull request May 24, 2024
mergify bot added a commit that referenced this pull request May 24, 2024
…13225)

(cherry picked from commit b070b3c)

Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>