From c90afdad6a18b053d2edfb7e1b4f8061cc93d253 Mon Sep 17 00:00:00 2001
From: Jonathan Budzenski
Date: Mon, 1 Feb 2021 15:12:44 -0600
Subject: [PATCH 1/4] [build] Generate ironbank docker context

---
.../os_packages/create_os_package_tasks.ts | 16 +-
.../docker_generator/bundle_dockerfiles.ts | 20 +-
.../resources/{ => base}/bin/kibana-docker | 0
.../resources/ironbank/LICENSE | 280 ++++++++++++++++++
.../tasks/os_packages/docker_generator/run.ts | 30 +-
.../docker_generator/template_context.ts | 5 +-
.../templates/{ => base}/Dockerfile | 0
.../templates/build_docker_sh.template.ts | 7 +-
.../templates/dockerfile.template.ts | 6 +-
.../templates/ironbank/Dockerfile | 75 +++++
.../templates/ironbank/Jenkinsfile | 2 +
.../templates/ironbank/README.md | 39 +++
.../templates/ironbank/download.json | 16 +
13 files changed, 468 insertions(+), 28 deletions(-)
rename src/dev/build/tasks/os_packages/docker_generator/resources/{ => base}/bin/kibana-docker (100%)
create mode 100644 src/dev/build/tasks/os_packages/docker_generator/resources/ironbank/LICENSE
rename src/dev/build/tasks/os_packages/docker_generator/templates/{ => base}/Dockerfile (100%)
create mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile
create mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile
create mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/README.md
create mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json

diff --git a/src/dev/build/tasks/os_packages/create_os_package_tasks.ts b/src/dev/build/tasks/os_packages/create_os_package_tasks.ts
index fd0224d3de13b..3f97c0a055403 100644
--- a/src/dev/build/tasks/os_packages/create_os_package_tasks.ts
+++ b/src/dev/build/tasks/os_packages/create_os_package_tasks.ts
@@ -54,15 +54,13 @@ export const CreateDockerCentOS: Task = { async run(config, log, build) { await runDockerGenerator(config, log, build, { - ubi: false, - context: false, architecture: 'x64', + context: false, image: true, }); await runDockerGenerator(config, log, build, { - ubi: false, - context: false, architecture: 'aarch64', + context: false, image: true, }); }, @@ -74,9 +72,9 @@ export const CreateDockerUBI: Task = { async run(config, log, build) { if (!build.isOss()) { await runDockerGenerator(config, log, build, { - ubi: true, - context: false, architecture: 'x64', + context: false, + ubi: true, image: true, }); } @@ -88,7 +86,6 @@ export const CreateDockerContexts: Task = { async run(config, log, build) { await runDockerGenerator(config, log, build, { - ubi: false, context: true, image: false, }); @@ -99,6 +96,11 @@ export const CreateDockerContexts: Task = { context: true, image: false, }); + await runDockerGenerator(config, log, build, { + ironbank: true, + context: true, + image: false, + }); } }, }; diff --git a/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts b/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts index 4780457fe8054..7260adb3ebc18 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts 
@@ -7,18 +7,18 @@ */ import { resolve } from 'path'; +import { readFileSync } from 'fs'; import { ToolingLog } from '@kbn/dev-utils'; +import Mustache from 'mustache'; import { compressTar, copyAll, mkdirp, write, Config } from '../../../lib'; import { dockerfileTemplate } from './templates'; import { TemplateContext } from './template_context'; export async function bundleDockerFiles(config: Config, log: ToolingLog, scope: TemplateContext) { - log.info( - `Generating kibana${scope.imageFlavor}${scope.ubiImageFlavor} docker build context bundle` - ); - const dockerFilesDirName = `kibana${scope.imageFlavor}${scope.ubiImageFlavor}-${scope.version}-docker-build-context`; + log.info(`Generating kibana${scope.imageFlavor} docker build context bundle`); + const dockerFilesDirName = `kibana${scope.imageFlavor}-${scope.version}-docker-build-context`; const dockerFilesBuildDir = resolve(scope.dockerBuildDir, dockerFilesDirName); const dockerFilesOutputDir = config.resolveFromTarget(`${dockerFilesDirName}.tar.gz`); @@ -38,6 +38,18 @@ export async function bundleDockerFiles(config: Config, log: ToolingLog, scope: // dockerfiles folder await copyAll(resolve(scope.dockerBuildDir, 'bin'), resolve(dockerFilesBuildDir, 'bin')); await copyAll(resolve(scope.dockerBuildDir, 'config'), resolve(dockerFilesBuildDir, 'config')); + if (scope.ironbank) { + await copyAll(resolve(scope.dockerBuildDir), resolve(dockerFilesBuildDir), { + select: ['LICENSE'], + }); + // 'Jenkinsfile', download.json + const templates = ['download.json', 'Jenkinsfile', 'README.md']; + for (const template of templates) { + const file = readFileSync(resolve(__dirname, 'templates/ironbank', template)); + const output = Mustache.render(file.toString(), scope); + await write(resolve(dockerFilesBuildDir, template), output); + } + } // Compress dockerfiles dir created inside // docker build dir as output it as a target 
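Review bot: The Ironbank template list in the second hunk is hard-coded as `['download.json', 'Jenkinsfile', 'README.md']`, and patch 2/4 of this series deletes download.json in favour of hardening_manifest.yml while its diffstat touches only those two files, so unless a later patch updates this list `readFileSync` will throw ENOENT on the first Ironbank context build. Reading the directory keeps the list in sync: `const templateDir = resolve(__dirname, 'templates/ironbank');` and `const templates = readdirSync(templateDir).filter((name) => name !== 'Dockerfile');` (the Dockerfile is rendered separately through dockerfileTemplate). The comment `// 'Jenkinsfile', download.json` above the list is already out of step with the array and should be dropped or replaced with `// Render the remaining Ironbank files into the context with the same Mustache scope as the Dockerfile`. Since bundleDockerFiles is async, `fs.promises.readFile` would also avoid a blocking read here. bundleDockerFiles continues past the end of the hunk.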
diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker
similarity index 100%
rename from src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker
rename to src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker
diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/ironbank/LICENSE b/src/dev/build/tasks/os_packages/docker_generator/resources/ironbank/LICENSE
new file mode 100644
index 0000000000000..632c3abe22e9b
--- /dev/null
+++ b/src/dev/build/tasks/os_packages/docker_generator/resources/ironbank/LICENSE
@@ -0,0 +1,280 @@ +ELASTIC LICENSE AGREEMENT + +PLEASE READ CAREFULLY THIS ELASTIC LICENSE AGREEMENT (THIS "AGREEMENT"), WHICH +CONSTITUTES A LEGALLY BINDING AGREEMENT AND GOVERNS ALL OF YOUR USE OF ALL OF +THE ELASTIC SOFTWARE WITH WHICH THIS AGREEMENT IS INCLUDED ("ELASTIC SOFTWARE") +THAT IS PROVIDED IN OBJECT CODE FORMAT, AND, IN ACCORDANCE WITH SECTION 2 BELOW, +CERTAIN OF THE ELASTIC SOFTWARE THAT IS PROVIDED IN SOURCE CODE FORMAT. BY +INSTALLING OR USING ANY OF THE ELASTIC SOFTWARE GOVERNED BY THIS AGREEMENT, YOU +ARE ASSENTING TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE +WITH SUCH TERMS AND CONDITIONS, YOU MAY NOT INSTALL OR USE THE ELASTIC SOFTWARE +GOVERNED BY THIS AGREEMENT. IF YOU ARE INSTALLING OR USING THE SOFTWARE ON +BEHALF OF A LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE ACTUAL +AUTHORITY TO AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT ON BEHALF OF +SUCH ENTITY. + +Posted Date: April 20, 2018 + +This Agreement is entered into by and between Elasticsearch BV ("Elastic") and +You, or the legal entity on behalf of whom You are acting (as applicable, +"You"). + +1. OBJECT CODE END USER LICENSES, RESTRICTIONS AND THIRD PARTY OPEN SOURCE +SOFTWARE + + 1.1 Object Code End User License. Subject to the terms and conditions of + Section 1.2 of this Agreement, Elastic hereby grants to You, AT NO CHARGE and + for so long as you are not in breach of any provision of this Agreement, a + License to the Basic Features and Functions of the Elastic Software. + + 1.2 Reservation of Rights; Restrictions. As between Elastic and You, Elastic + and its licensors own all right, title and interest in and to the Elastic + Software, and except as expressly set forth in Sections 1.1, and 2.1 of this + Agreement, no other license to the Elastic Software is granted to You under + this Agreement, by implication, estoppel or otherwise. 
You agree not to: (i) + reverse engineer or decompile, decrypt, disassemble or otherwise reduce any + Elastic Software provided to You in Object Code, or any portion thereof, to + Source Code, except and only to the extent any such restriction is prohibited + by applicable law, (ii) except as expressly permitted in this Agreement, + prepare derivative works from, modify, copy or use the Elastic Software Object + Code or the Commercial Software Source Code in any manner; (iii) except as + expressly permitted in Section 1.1 above, transfer, sell, rent, lease, + distribute, sublicense, loan or otherwise transfer, Elastic Software Object + Code, in whole or in part, to any third party; (iv) use Elastic Software + Object Code for providing time-sharing services, any software-as-a-service, + service bureau services or as part of an application services provider or + other service offering (collectively, "SaaS Offering") where obtaining access + to the Elastic Software or the features and functions of the Elastic Software + is a primary reason or substantial motivation for users of the SaaS Offering + to access and/or use the SaaS Offering ("Prohibited SaaS Offering"); (v) + circumvent the limitations on use of Elastic Software provided to You in + Object Code format that are imposed or preserved by any License Key, or (vi) + alter or remove any Marks and Notices in the Elastic Software. If You have any + question as to whether a specific SaaS Offering constitutes a Prohibited SaaS + Offering, or are interested in obtaining Elastic's permission to engage in + commercial or non-commercial distribution of the Elastic Software, please + contact elastic_license@elastic.co. + + 1.3 Third Party Open Source Software. 
The Commercial Software may contain or + be provided with third party open source libraries, components, utilities and + other open source software (collectively, "Open Source Software"), which Open + Source Software may have applicable license terms as identified on a website + designated by Elastic. Notwithstanding anything to the contrary herein, use of + the Open Source Software shall be subject to the license terms and conditions + applicable to such Open Source Software, to the extent required by the + applicable licensor (which terms shall not restrict the license rights granted + to You hereunder, but may contain additional rights). To the extent any + condition of this Agreement conflicts with any license to the Open Source + Software, the Open Source Software license will govern with respect to such + Open Source Software only. Elastic may also separately provide you with + certain open source software that is licensed by Elastic. Your use of such + Elastic open source software will not be governed by this Agreement, but by + the applicable open source license terms. + +2. COMMERCIAL SOFTWARE SOURCE CODE + + 2.1 Limited License. Subject to the terms and conditions of Section 2.2 of + this Agreement, Elastic hereby grants to You, AT NO CHARGE and for so long as + you are not in breach of any provision of this Agreement, a limited, + non-exclusive, non-transferable, fully paid up royalty free right and license + to the Commercial Software in Source Code format, without the right to grant + or authorize sublicenses, to prepare Derivative Works of the Commercial + Software, provided You (i) do not hack the licensing mechanism, or otherwise + circumvent the intended limitations on the use of Elastic Software to enable + features other than Basic Features and Functions or those features You are + entitled to as part of a Subscription, and (ii) use the resulting object code + only for reasonable testing purposes. + + 2.2 Restrictions. 
Nothing in Section 2.1 grants You the right to (i) use the + Commercial Software Source Code other than in accordance with Section 2.1 + above, (ii) use a Derivative Work of the Commercial Software outside of a + Non-production Environment, in any production capacity, on a temporary or + permanent basis, or (iii) transfer, sell, rent, lease, distribute, sublicense, + loan or otherwise make available the Commercial Software Source Code, in whole + or in part, to any third party. Notwithstanding the foregoing, You may + maintain a copy of the repository in which the Source Code of the Commercial + Software resides and that copy may be publicly accessible, provided that you + include this Agreement with Your copy of the repository. + +3. TERMINATION + + 3.1 Termination. This Agreement will automatically terminate, whether or not + You receive notice of such Termination from Elastic, if You breach any of its + provisions. + + 3.2 Post Termination. Upon any termination of this Agreement, for any reason, + You shall promptly cease the use of the Elastic Software in Object Code format + and cease use of the Commercial Software in Source Code format. For the + avoidance of doubt, termination of this Agreement will not affect Your right + to use Elastic Software, in either Object Code or Source Code formats, made + available under the Apache License Version 2.0. + + 3.3 Survival. Sections 1.2, 2.2. 3.3, 4 and 5 shall survive any termination or + expiration of this Agreement. + +4. DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY + + 4.1 Disclaimer of Warranties. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE + LAW, THE ELASTIC SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, + AND ELASTIC AND ITS LICENSORS MAKE NO WARRANTIES WHETHER EXPRESSED, IMPLIED OR + STATUTORY REGARDING OR RELATING TO THE ELASTIC SOFTWARE. 
TO THE MAXIMUM EXTENT + PERMITTED UNDER APPLICABLE LAW, ELASTIC AND ITS LICENSORS SPECIFICALLY + DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE AND NON-INFRINGEMENT WITH RESPECT TO THE ELASTIC SOFTWARE, AND WITH + RESPECT TO THE USE OF THE FOREGOING. FURTHER, ELASTIC DOES NOT WARRANT RESULTS + OF USE OR THAT THE ELASTIC SOFTWARE WILL BE ERROR FREE OR THAT THE USE OF THE + ELASTIC SOFTWARE WILL BE UNINTERRUPTED. + + 4.2 Limitation of Liability. IN NO EVENT SHALL ELASTIC OR ITS LICENSORS BE + LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT OR INDIRECT DAMAGES, + INCLUDING, WITHOUT LIMITATION, FOR ANY LOSS OF PROFITS, LOSS OF USE, BUSINESS + INTERRUPTION, LOSS OF DATA, COST OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY + SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, IN CONNECTION WITH + OR ARISING OUT OF THE USE OR INABILITY TO USE THE ELASTIC SOFTWARE, OR THE + PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT, WHETHER ALLEGED AS A + BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN IF ELASTIC + HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +5. MISCELLANEOUS + + This Agreement completely and exclusively states the entire agreement of the + parties regarding the subject matter herein, and it supersedes, and its terms + govern, all prior proposals, agreements, or other communications between the + parties, oral or written, regarding such subject matter. This Agreement may be + modified by Elastic from time to time, and any such modifications will be + effective upon the "Posted Date" set forth at the top of the modified + Agreement. If any provision hereof is held unenforceable, this Agreement will + continue without said provision and be interpreted to reflect the original + intent of the parties. This Agreement and any non-contractual obligation + arising out of or in connection with it, is governed exclusively by Dutch law. 
+ This Agreement shall not be governed by the 1980 UN Convention on Contracts + for the International Sale of Goods. All disputes arising out of or in + connection with this Agreement, including its existence and validity, shall be + resolved by the courts with jurisdiction in Amsterdam, The Netherlands, except + where mandatory law provides for the courts at another location in The + Netherlands to have jurisdiction. The parties hereby irrevocably waive any and + all claims and defenses either might otherwise have in any such action or + proceeding in any of such courts based upon any alleged lack of personal + jurisdiction, improper venue, forum non conveniens or any similar claim or + defense. A breach or threatened breach, by You of Section 2 may cause + irreparable harm for which damages at law may not provide adequate relief, and + therefore Elastic shall be entitled to seek injunctive relief without being + required to post a bond. You may not assign this Agreement (including by + operation of law in connection with a merger or acquisition), in whole or in + part to any third party without the prior written consent of Elastic, which + may be withheld or granted by Elastic in its sole and absolute discretion. + Any assignment in violation of the preceding sentence is void. Notices to + Elastic may also be sent to legal@elastic.co. + +6. DEFINITIONS + + The following terms have the meanings ascribed: + + 6.1 "Affiliate" means, with respect to a party, any entity that controls, is + controlled by, or which is under common control with, such party, where + "control" means ownership of at least fifty percent (50%) of the outstanding + voting shares of the entity, or the contractual right to establish policy for, + and manage the operations of, the entity. 
+ + 6.2 "Basic Features and Functions" means those features and functions of the + Elastic Software that are eligible for use under a Basic license, as set forth + at https://www.elastic.co/subscriptions, as may be modified by Elastic from + time to time. + + 6.3 "Commercial Software" means the Elastic Software Source Code in any file + containing a header stating the contents are subject to the Elastic License or + which is contained in the repository folder labeled "x-pack", unless a LICENSE + file present in the directory subtree declares a different license. + + 6.4 "Derivative Work of the Commercial Software" means, for purposes of this + Agreement, any modification(s) or enhancement(s) to the Commercial Software, + which represent, as a whole, an original work of authorship. + + 6.5 "License" means a limited, non-exclusive, non-transferable, fully paid up, + royalty free, right and license, without the right to grant or authorize + sublicenses, solely for Your internal business operations to (i) install and + use the applicable Features and Functions of the Elastic Software in Object + Code, and (ii) permit Contractors and Your Affiliates to use the Elastic + software as set forth in (i) above, provided that such use by Contractors must + be solely for Your benefit and/or the benefit of Your Affiliates, and You + shall be responsible for all acts and omissions of such Contractors and + Affiliates in connection with their use of the Elastic software that are + contrary to the terms and conditions of this Agreement. + + 6.6 "License Key" means a sequence of bytes, including but not limited to a + JSON blob, that is used to enable certain features and functions of the + Elastic Software. + + 6.7 "Marks and Notices" means all Elastic trademarks, trade names, logos and + notices present on the Documentation as originally provided by Elastic. 
+ + 6.8 "Non-production Environment" means an environment for development, testing + or quality assurance, where software is not used for production purposes. + + 6.9 "Object Code" means any form resulting from mechanical transformation or + translation of Source Code form, including but not limited to compiled object + code, generated documentation, and conversions to other media types. + + 6.10 "Source Code" means the preferred form of computer software for making + modifications, including but not limited to software source code, + documentation source, and configuration files. + + 6.11 "Subscription" means the right to receive Support Services and a License + to the Commercial Software. + + +GOVERNMENT END USER ADDENDUM TO THE ELASTIC LICENSE AGREEMENT + + This ADDENDUM TO THE ELASTIC LICENSE AGREEMENT (this "Addendum") applies +only to U.S. Federal Government, State Government, and Local Government +entities ("Government End Users") of the Elastic Software. This Addendum is +subject to, and hereby incorporated into, the Elastic License Agreement, +which is being entered into as of even date herewith, by Elastic and You (the +"Agreement"). This Addendum sets forth additional terms and conditions +related to Your use of the Elastic Software. Capitalized terms not defined in +this Addendum have the meaning set forth in the Agreement. + + 1. LIMITED LICENSE TO DISTRIBUTE (DSOP ONLY). 
Subject to the terms and +conditions of the Agreement (including this Addendum), Elastic grants the +Department of Defense Enterprise DevSecOps Initiative (DSOP) a royalty-free, +non-exclusive, non-transferable, limited license to reproduce and distribute +the Elastic Software solely through a software distribution repository +controlled and managed by DSOP, provided that DSOP: (i) distributes the +Elastic Software complete and unmodified, inclusive of the Agreement +(including this Addendum) and (ii) does not remove or alter any proprietary +legends or notices contained in the Elastic Software. + + 2. CHOICE OF LAW. The choice of law and venue provisions set forth shall +prevail over those set forth in Section 5 of the Agreement. + + "For U.S. Federal Government Entity End Users. This Agreement and any + non-contractual obligation arising out of or in connection with it, is + governed exclusively by U.S. Federal law. To the extent permitted by + federal law, the laws of the State of Delaware (excluding Delaware choice + of law rules) will apply in the absence of applicable federal law. + + For State and Local Government Entity End Users. This Agreement and any + non-contractual obligation arising out of or in connection with it, is + governed exclusively by the laws of the state in which you are located + without reference to conflict of laws. Furthermore, the Parties agree that + the Uniform Computer Information Transactions Act or any version thereof, + adopted by any state in any form ('UCITA'), shall not apply to this + Agreement and, to the extent that UCITA is applicable, the Parties agree to + opt out of the applicability of UCITA pursuant to the opt-out provision(s) + contained therein." + + 3. ELASTIC LICENSE MODIFICATION. 
Section 5 of the Agreement is hereby +amended to replace + + "This Agreement may be modified by Elastic from time to time, and any + such modifications will be effective upon the "Posted Date" set forth at + the top of the modified Agreement." + + with: + + "This Agreement may be modified by Elastic from time to time; provided, + however, that any such modifications shall apply only to Elastic Software + that is installed after the "Posted Date" set forth at the top of the + modified Agreement." + +V100820.0 diff --git a/src/dev/build/tasks/os_packages/docker_generator/run.ts b/src/dev/build/tasks/os_packages/docker_generator/run.ts index c92de567cb446..c015d356a8db4 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/run.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/run.ts @@ -12,6 +12,7 @@ import { promisify } from 'util'; import { ToolingLog } from '@kbn/dev-utils'; +import { branch } from '../../../../../../package.json'; import { write, copyAll, mkdirp, exec, Config, Build } from '../../../lib'; import * as dockerTemplates from './templates'; import { TemplateContext } from './template_context'; 
@@ -30,21 +31,26 @@ export async function runDockerGenerator( architecture?: string; context: boolean; image: boolean; - ubi: boolean; + ubi?: boolean; + ironbank?: boolean; } ) { // UBI var config const baseOSImage = flags.ubi ? 'docker.elastic.co/ubi8/ubi-minimal:latest' : 'centos:8'; const ubiVersionTag = 'ubi8'; - const ubiImageFlavor = flags.ubi ? `-${ubiVersionTag}` : ''; + + let imageFlavor = ''; + if (flags.ubi) imageFlavor += `-${ubiVersionTag}`; + if (flags.ironbank) imageFlavor += '-ironbank'; + if (build.isOss()) imageFlavor += '-oss'; // General docker var config const license = build.isOss() ? 'ASL 2.0' : 'Elastic License'; - const imageFlavor = build.isOss() ? '-oss' : ''; const imageTag = 'docker.elastic.co/kibana/kibana'; const version = config.getBuildVersion(); const artifactArchitecture = flags.architecture === 'aarch64' ? 'aarch64' : 'x86_64'; - const artifactPrefix = `kibana${imageFlavor}-${version}-linux`; + const artifactFlavor = build.isOss() ? '-oss' : ''; + const artifactPrefix = `kibana${artifactFlavor}-${version}-linux`; const artifactTarball = `${artifactPrefix}-${artifactArchitecture}.tar.gz`; const artifactsDir = config.resolveFromTarget('.'); const dockerBuildDate = new Date().toISOString(); 
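Review bot: `ubi` and `ironbank` are two independent optional booleans that are appended additively into `imageFlavor`, so a caller passing both gets a `-ubi8-ironbank` flavor with a `baseOSImage` of ubi-minimal that the Ironbank Dockerfile never consults; nothing in the hunk rejects that combination, and the same shape is repeated in the TemplateContext interface (hunk in template_context.ts). A single discriminator such as `flavor?: 'ubi' | 'ironbank'` would make the states mutually exclusive by construction; the minimal guard is `if (flags.ubi && flags.ironbank) throw new Error('ubi and ironbank flavors are mutually exclusive');`. A one-line TSDoc on each of `ubi` and `ironbank` saying what the flag changes (base image, template directory, extra context files) would help callers, since the flags object is the only documentation of the build variants. runDockerGenerator's signature starts before this hunk and its body continues after it.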
@@ -52,26 +58,27 @@ export async function runDockerGenerator( const dockerBuildDir = config.resolveFromRepo( 'build', 'kibana-docker', - build.isOss() ? `oss` : `default${ubiImageFlavor}` + build.isOss() ? `oss` : `default${imageFlavor}` ); const imageArchitecture = flags.architecture === 'aarch64' ? '-aarch64' : ''; const dockerTargetFilename = config.resolveFromTarget( - `kibana${imageFlavor}${ubiImageFlavor}-${version}-docker-image${imageArchitecture}.tar.gz` + `kibana${imageFlavor}-${version}-docker-image${imageArchitecture}.tar.gz` ); const scope: TemplateContext = { artifactPrefix, artifactTarball, imageFlavor, version, + branch, license, artifactsDir, imageTag, dockerBuildDir, dockerTargetFilename, baseOSImage, - ubiImageFlavor, dockerBuildDate, ubi: flags.ubi, + ironbank: flags.ironbank, architecture: flags.architecture, revision: config.getBuildSha(), }; @@ -107,10 +114,17 @@ export async function runDockerGenerator( // in order to build the docker image accordingly the dockerfile defined // under templates/kibana_yml.template/js await copyAll( - config.resolveFromRepo('src/dev/build/tasks/os_packages/docker_generator/resources'), + config.resolveFromRepo('src/dev/build/tasks/os_packages/docker_generator/resources/base'), dockerBuildDir ); + if (flags.ironbank) { + await copyAll( + config.resolveFromRepo('src/dev/build/tasks/os_packages/docker_generator/resources/ironbank'), + dockerBuildDir + ); + } + // Build docker image into the target folder // In order to do this we just call the file we // created from the templates/build_docker_sh.template.js diff --git a/src/dev/build/tasks/os_packages/docker_generator/template_context.ts b/src/dev/build/tasks/os_packages/docker_generator/template_context.ts index 8de2b5e9361e5..ad9f7dda02675 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/template_context.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/template_context.ts 
@@ -9,6 +9,7 @@ export interface TemplateContext { artifactPrefix: string; artifactTarball: string; + branch: string; imageFlavor: string; version: string; license: string; @@ -17,10 +18,10 @@ export interface TemplateContext { dockerBuildDir: string; dockerTargetFilename: string; baseOSImage: string; - ubiImageFlavor: string; dockerBuildDate: string; usePublicArtifact?: boolean; - ubi: boolean; + ubi?: boolean; + ironbank?: boolean; revision: string; architecture?: string; } diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile similarity index 100% rename from src/dev/build/tasks/os_packages/docker_generator/templates/Dockerfile rename to src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/build_docker_sh.template.ts b/src/dev/build/tasks/os_packages/docker_generator/templates/build_docker_sh.template.ts index d896e9cfa671c..c44fa1aa7bd37 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/templates/build_docker_sh.template.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/templates/build_docker_sh.template.ts @@ -16,7 +16,6 @@ function generator({ version, dockerTargetFilename, baseOSImage, - ubiImageFlavor, architecture, }: TemplateContext) { return dedent(` @@ -54,10 +53,10 @@ function generator({ retry_docker_pull ${baseOSImage} - echo "Building: kibana${imageFlavor}${ubiImageFlavor}-docker"; \\ - docker build -t ${imageTag}${imageFlavor}${ubiImageFlavor}:${version} -f Dockerfile . || exit 1; + echo "Building: kibana${imageFlavor}-docker"; \\ + docker build -t ${imageTag}${imageFlavor}:${version} -f Dockerfile . || exit 1; - docker save ${imageTag}${imageFlavor}${ubiImageFlavor}:${version} | gzip -c > ${dockerTargetFilename} + docker save ${imageTag}${imageFlavor}:${version} | gzip -c > ${dockerTargetFilename} exit 0 `); 
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts index f4e9d11ca9c21..d78842d838f51 100755 --- a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts @@ -13,10 +13,10 @@ import Mustache from 'mustache'; import { TemplateContext } from '../template_context'; function generator(options: TemplateContext) { - const template = readFileSync(resolve(__dirname, './Dockerfile')); + const dir = options.ironbank ? 'ironbank' : 'base'; + const template = readFileSync(resolve(__dirname, dir, './Dockerfile')); return Mustache.render(template.toString(), { - packageManager: options.ubiImageFlavor ? 'microdnf' : 'yum', - tiniBin: options.architecture === 'aarch64' ? 'tini-arm64' : 'tini-amd64', + packageManager: options.ubi ? 'microdnf' : 'yum', ...options, }); } diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile new file mode 100644 index 0000000000000..264c81dc7e24b --- /dev/null +++ b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile 
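Review bot: The `tiniBin` key is dropped from the Mustache context while templates/base/Dockerfile is renamed unchanged (similarity index 100%), so if that Dockerfile still references `{{tiniBin}}` the affected line now renders with an empty file name, because Mustache substitutes an empty string for unknown keys rather than failing. Either confirm the base Dockerfile no longer uses it or keep `tiniBin: options.architecture === 'aarch64' ? 'tini-arm64' : 'tini-amd64',` in the render call. A short comment on `dir`, e.g. `// Ironbank ships its own hardened Dockerfile; every other flavor shares the base one.`, would explain the directory switch to the next reader.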
@@ -0,0 +1,75 @@ +################################################################################ +# Build stage 0 +# Extract Kibana and make various file manipulations. +################################################################################ +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=redhat/ubi/ubi8 +ARG BASE_TAG=8.3 + +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as prep_files + +RUN yum update --setopt=tsflags=nodocs -y && \ + yum install -y tar gzip && \ + yum clean all + +RUN mkdir /usr/share/kibana +WORKDIR /usr/share/kibana +COPY --chown=1000:0 {{artifactTarball}} . +RUN tar --strip-components=1 -zxf {{artifactTarball}} +# Ensure that group permissions are the same as user permissions. +# This will help when relying on GID-0 to run Kibana, rather than UID-1000. +# OpenShift does this, for example. +# REF: https://docs.openshift.org/latest/creating_images/guidelines.html +RUN chmod -R g=u /usr/share/kibana + + +################################################################################ +# Build stage 1 +# Copy prepared files from the previous stage and complete the image. +################################################################################ +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +EXPOSE 5601 + +RUN yum update --setopt=tsflags=nodocs -y && \ + yum install -y fontconfig freetype shadow-utils libnss3.so && \ + yum clean all + +COPY LICENSE /licenses/elastic-kibana + +# Add a dumb init process +WORKDIR /usr/local/bin +COPY dumb-init /usr/local/bin/dumb-init +RUN chmod +x /usr/local/bin/dumb-init + +# Bring in Kibana from the initial stage. +COPY --from=prep_files --chown=1000:0 /usr/share/kibana /usr/share/kibana +WORKDIR /usr/share/kibana +RUN ln -s /usr/share/kibana /opt/kibana + +ENV ELASTIC_CONTAINER true +ENV PATH=/usr/share/kibana/bin:$PATH + +# Set some Kibana configuration defaults. +COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml + +# Add the launcher/wrapper script. 
It knows how to interpret environment +# variables and translate them to Kibana CLI options. +COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/ + +# Ensure gid 0 write permissions for OpenShift. +RUN chmod g+ws /usr/share/kibana && find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \; + +# Remove the suid bit everywhere to mitigate "Stack Clash" +RUN find / -xdev -perm -4000 -exec chmod u-s {} + + +# Provide a non-root user to run the process. +RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana +USER kibana + +LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="{{version}}" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License" + +ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] + +CMD ["/usr/local/bin/kibana-docker"] + +HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 http://localhost:5601 || exit 1 diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile new file mode 100644 index 0000000000000..df075e723608b --- /dev/null +++ b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile @@ -0,0 +1,2 @@ +@Library('DCCSCR@master') _ +dccscrPipeline(version: '{{version}}') diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/README.md b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/README.md new file mode 100644 index 0000000000000..d297d135149f4 --- /dev/null +++ b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/README.md 
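Review bot: `COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/` references a `scripts/` directory, but the build context assembled in bundle_dockerfiles.ts copies the launcher under `bin/` (from resources/base/bin/kibana-docker), so this COPY will fail with a missing-file error unless the Ironbank pipeline supplies `scripts/` itself; `COPY --chown=1000:0 bin/kibana-docker /usr/local/bin/` matches the context as generated. The HEALTHCHECK relies on `curl` being present in the final stage, which the `yum install` line does not request, so it is worth confirming the ubi8 base provides it rather than depending on that implicitly. The `LABEL` and `COPY LICENSE` lines hard-code "Elastic License" even though run.ts already computes `license` for the template scope; `{{license}}` would keep them consistent should an OSS flavor ever be rendered through this template.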
@@ -0,0 +1,39 @@
+# Kibana
+
+**Kibana** lets you visualize your Elasticsearch data and navigate the Elastic Stack,
+so you can do anything from learning why you're getting paged at 2:00 a.m. to
+understanding the impact rain might have on your quarterly numbers.
+
+For more information about Kibana, please visit
+https://www.elastic.co/products/kibana.
+
+### Installation instructions
+
+Please follow the documentation on [running Kibana on Docker](https://www.elastic.co/guide/en/kibana/{{branch}}/docker.html).
+
+### Where to file issues and PRs
+
+- [Issues](https://github.com/elastic/kibana/issues)
+- [PRs](https://github.com/elastic/kibana/pulls)
+
+### DoD Restrictions
+
+Due to the [NODE-SECURITY-1184](https://www.npmjs.com/advisories/1184) issue, Kibana users should not use the `ALL_PROXY` environment variable to specify a proxy when installing Kibana plugins with the kibana-plugin command line application.
+
+### Where to get help
+
+- [Kibana Discuss Forums](https://discuss.elastic.co/c/kibana)
+- [Kibana Documentation](https://www.elastic.co/guide/en/kibana/current/index.html)
+
+### Still need help?
+
+You can learn more about the Elastic Community and also understand how to get more help
+visiting [Elastic Community](https://www.elastic.co/community).
+
+This software is governed by the [Elastic
+License](https://github.com/elastic/elasticsearch/blob/{{branch}}/licenses/ELASTIC-LICENSE.txt),
+and includes the full set of [free
+features](https://www.elastic.co/subscriptions).
+
+View the detailed release notes
+[here](https://www.elastic.co/guide/en/elasticsearch/reference/{{branch}}/es-release-notes.html).
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json
new file mode 100644
index 0000000000000..32b634d08def7
--- /dev/null
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json
@@ -0,0 +1,16 @@
+{
+ "resources": [
+ {
+ "url": "/kibana-{{version}}-linux-x86_64.tar.gz",
+ "filename": "kibana-{{version}}-linux-x86_64.tar.gz"
+ },
+ {
+ "url": "https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64",
+ "filename": "dumb-init",
+ "validation": {
+ "type": "sha256",
+ "value": "37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9"
+ }
+ }
+ ]
+}
From ca0cef1be20e82ab809d28550806b094636fa1c2 Mon Sep 17 00:00:00 2001
From: Jonathan Budzenski
Date: Tue, 2 Feb 2021 09:23:27 -0600
Subject: [PATCH 2/4] replace download.json with hardening_manifest.yml
---
 .../templates/ironbank/download.json | 16 -----
 .../templates/ironbank/hardening_manifest.yml | 58 +++++++++++++++++++
 2 files changed, 58 insertions(+), 16 deletions(-)
 delete mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json
 create mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/hardening_manifest.yml
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json
deleted file mode 100644
index 32b634d08def7..0000000000000
--- a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/download.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "resources": [
- {
- "url": "/kibana-{{version}}-linux-x86_64.tar.gz",
- "filename": "kibana-{{version}}-linux-x86_64.tar.gz"
- },
- {
- "url": "https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64",
- "filename": "dumb-init",
- "validation": {
- "type": "sha256",
- "value": "37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9"
- }
- }
- ]
-}
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/hardening_manifest.yml b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/hardening_manifest.yml
new file mode 100644
index 0000000000000..8de5ac2973358
--- /dev/null
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/hardening_manifest.yml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: 'elastic/kibana/kibana'
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+ - '{{version}}'
+ - 'latest'
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: 'redhat/ubi/ubi8'
+ BASE_TAG: '8.3'
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: 'kibana'
+ org.opencontainers.image.description: 'Your window into the Elastic Stack.'
+ org.opencontainers.image.licenses: 'Elastic License'
+ org.opencontainers.image.url: 'https://www.elastic.co/products/kibana'
+ org.opencontainers.image.vendor: 'Elastic'
+ org.opencontainers.image.version: '{{version}}'
+ # mil.dso.ironbank.image.keywords: ""
+ # mil.dso.ironbank.image.type: "commercial"
+ mil.dso.ironbank.product.name: 'Kibana'
+
+# List of resources to make available to the offline build context
+resources:
+ - filename: kibana-{{version}}-linux-x86_64.tar.gz
+ url: /kibana-{{version}}-linux-x86_64.tar.gz
+ validation:
+ type: sha512
+ value: aa68f850cc09cf5dcb7c0b48bb8df788ca58eaad38d96141b8e59917fd38b42c728c0968f7cb2c8132c5aaeb595525cdde0859554346c496f53c569e03abe412
+ - filename: tini
+ url: https://github.com/krallin/tini/releases/download/v0.19.0/tini-amd64
+ validation:
+ type: sha512
+ value: 8053cc21a3a9bdd6042a495349d1856ae8d3b3e7664c9654198de0087af031f5d41139ec85a2f5d7d2febd22ec3f280767ff23b9d5f63d490584e2b7ad3c218c
+ - filename: NotoSansCJK-Regular.ttc
+ url: https://github.com/googlefonts/noto-cjk/raw/NotoSansV2.001/NotoSansCJK-Regular.ttc
+ validation:
+ type: sha512
+ value: 0ce56bde1853fed3e53282505bac65707385275a27816c29712ab04c187aa249797c82c58759b2b36c210d4e2683eda92359d739a8045cb8385c2c34d37cc9e1
+
+# List of project maintainers
+maintainers:
+ - email: 'tyler.smalley@elastic.co'
+ name: 'Tyler Smalley'
+ username: 'tylersmalley'
+ cht_member: false
+ - email: 
'klepal_alexander@bah.com'
+ name: 'Alexander Klepal'
+ username: 'alexander.klepal'
+ cht_member: true
From 86512448490f97a1866e1c948c67d1190509ae3d Mon Sep 17 00:00:00 2001
From: Jonathan Budzenski
Date: Tue, 2 Feb 2021 09:25:32 -0600
Subject: [PATCH 3/4] update dockerfile
---
 .../templates/ironbank/Dockerfile | 26 ++++++++++---------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile
index 264c81dc7e24b..6893883bf16a4 100644
--- a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile
@@ -16,6 +16,7 @@ RUN mkdir /usr/share/kibana
 WORKDIR /usr/share/kibana
 COPY --chown=1000:0 {{artifactTarball}} .
 RUN tar --strip-components=1 -zxf {{artifactTarball}}
+
 # Ensure that group permissions are the same as user permissions.
 # This will help when relying on GID-0 to run Kibana, rather than UID-1000.
 # OpenShift does this, for example.
@@ -31,15 +32,19 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 EXPOSE 5601
 
 RUN yum update --setopt=tsflags=nodocs -y && \
- yum install -y fontconfig freetype shadow-utils libnss3.so && \
+ yum install -y fontconfig freetype shadow-utils nss && \
 yum clean all
 
 COPY LICENSE /licenses/elastic-kibana
 
 # Add a dumb init process
-WORKDIR /usr/local/bin
-COPY dumb-init /usr/local/bin/dumb-init
-RUN chmod +x /usr/local/bin/dumb-init
+COPY tini /bin/tini
+RUN chmod +x /bin/tini
+
+# Noto Fonts
+RUN mkdir /usr/share/fonts/local
+COPY NotoSansCJK-Regular.ttc /usr/share/fonts/local/NotoSansCJK-Regular.ttc
+RUN fc-cache -v
 
 # Bring in Kibana from the initial stage.
 COPY --from=prep_files --chown=1000:0 /usr/share/kibana /usr/share/kibana
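Review bot: The `validation.value` under `- filename: kibana-{{version}}-linux-x86_64.tar.gz` is a fixed sha512 literal while the filename and `url` are rendered from `{{version}}`, so any build after the one that produced this digest will fail Ironbank's checksum validation, or silently carry a stale digest if validation is not enforced. This file is rendered through `Mustache.render(file.toString(), scope)` in bundle_dockerfiles.ts, so the digest should be computed from the built tarball and supplied through the same scope as `{{version}}` rather than committed as a constant. The leading-slash `url: /kibana-{{version}}-linux-x86_64.tar.gz` is not a fetchable URL; if the artifact is staged into the offline build context out of band, a comment next to the entry saying so would help whoever reviews the manifest. The `tini` and `NotoSansCJK-Regular.ttc` entries are pinned to a release URL plus sha512 and look correct.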
@@ -56,19 +61,16 @@ COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml
 # variables and translate them to Kibana CLI options.
 COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/
 
-# Ensure gid 0 write permissions for OpenShift.
-RUN chmod g+ws /usr/share/kibana && find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \;
-
 # Remove the suid bit everywhere to mitigate "Stack Clash"
 RUN find / -xdev -perm -4000 -exec chmod u-s {} +
 
 # Provide a non-root user to run the process.
-RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana
-USER kibana
-
-LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="{{version}}" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License"
+RUN groupadd --gid 1000 kibana && \
+ useradd --uid 1000 --gid 1000 -G 0 \
+ --home-dir /usr/share/kibana --no-create-home \
+ kibana
 
-ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
+ENTRYPOINT ["/bin/tini", "--"]
 
 CMD ["/usr/local/bin/kibana-docker"]
 
From e09b150c40824b466ac4396f0d1337a3bd823f09 Mon Sep 17 00:00:00 2001
From: Jonathan Budzenski
Date: Tue, 2 Feb 2021 09:28:37 -0600
Subject: [PATCH 4/4] rm jenkinsfile
---
 .../tasks/os_packages/docker_generator/bundle_dockerfiles.ts | 3 +--
 .../docker_generator/templates/ironbank/Jenkinsfile | 2 --
 2 files changed, 1 insertion(+), 4 deletions(-)
 delete mode 100644 src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile
diff --git a/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts b/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts
index 7260adb3ebc18..034933a653d47 100644
--- a/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts
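Review bot: The new side drops `USER kibana` without replacing it: the removed lines include both the old single-line `RUN groupadd ... useradd ... kibana` and `USER kibana`, while the rewritten multi-line `RUN groupadd --gid 1000 kibana && \` … `kibana` instruction only creates the account, so `ENTRYPOINT ["/bin/tini", "--"]` and `CMD ["/usr/local/bin/kibana-docker"]` now start as root, contradicting the retained `# Provide a non-root user to run the process.` comment. Add `USER 1000` directly after that `RUN` instruction; the numeric form lets runtime admission policies that require a non-root UID verify it without resolving /etc/passwd. Also worth a comment near `-G 0`: the removed `RUN chmod g+ws /usr/share/kibana && find ... chmod g+w` is replaced by supplementary group-0 membership, which presumably relies on the stage-0 `chmod -R g=u`, and the setgid bit on the directory is gone, so files created at runtime will apparently no longer inherit gid 0 as the stage-0 OpenShift comments describe.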
+++ b/src/dev/build/tasks/os_packages/docker_generator/bundle_dockerfiles.ts
@@ -42,8 +42,7 @@ export async function bundleDockerFiles(config: Config, log: ToolingLog, scope:
 await copyAll(resolve(scope.dockerBuildDir), resolve(dockerFilesBuildDir), {
 select: ['LICENSE'],
 });
- // 'Jenkinsfile', download.json
- const templates = ['download.json', 'Jenkinsfile', 'README.md'];
+ const templates = ['hardening_manifest.yml', 'README.md'];
 for (const template of templates) {
 const file = readFileSync(resolve(__dirname, 'templates/ironbank', template));
 const output = Mustache.render(file.toString(), scope);
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile b/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile
deleted file mode 100644
index df075e723608b..0000000000000
--- a/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Jenkinsfile
+++ /dev/null
@@ -1,2 +0,0 @@
-@Library('DCCSCR@master') _
-dccscrPipeline(version: '{{version}}')
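Review bot: `Mustache.render(file.toString(), scope)` HTML-escapes every `{{…}}` substitution by default, and the files in the new `const templates = ['hardening_manifest.yml', 'README.md'];` are YAML and Markdown rather than HTML, so a scope value containing `/`, `&`, `'` or `"` would be rewritten into HTML entities in the generated manifest. The `{{version}}` and `{{branch}}` values used today likely never contain those characters, but either switching the templates to triple-mustache `{{{…}}}` tags or setting `Mustache.escape` to an identity function for this call removes the reliance on that assumption and deserves a one-line comment above the loop. bundleDockerFiles begins and ends outside the hunk.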