diff --git a/.buildkite/pipelines/artifacts.yml b/.buildkite/pipelines/artifacts.yml index 7d3f794fb95109..8f7f37eb673854 100644 --- a/.buildkite/pipelines/artifacts.yml +++ b/.buildkite/pipelines/artifacts.yml @@ -92,6 +92,16 @@ steps: - exit_status: '*' limit: 1 + - command: KIBANA_DOCKER_CONTEXT=chainguard .buildkite/scripts/steps/artifacts/docker_context.sh + label: 'Docker Context Verification' + agents: + queue: n2-2 + timeout_in_minutes: 30 + retry: + automatic: + - exit_status: '*' + limit: 1 + - command: KIBANA_DOCKER_CONTEXT=ironbank .buildkite/scripts/steps/artifacts/docker_context.sh label: 'Docker Context Verification' agents: diff --git a/.buildkite/scripts/build_kibana.sh b/.buildkite/scripts/build_kibana.sh index da709ee6eb08c3..bb86b0abf8d45b 100755 --- a/.buildkite/scripts/build_kibana.sh +++ b/.buildkite/scripts/build_kibana.sh @@ -32,6 +32,7 @@ if is_pr_with_label "ci:build-cloud-image"; then --skip-docker-ubi \ --skip-docker-fips \ --skip-docker-ubuntu \ + --skip-docker-chainguard \ --skip-docker-serverless \ --skip-docker-contexts diff --git a/.buildkite/scripts/pipelines/security_solution_quality_gate/create_periodic_test_docker_image.sh b/.buildkite/scripts/pipelines/security_solution_quality_gate/create_periodic_test_docker_image.sh index 968938a629ae6e..5a47026f7cced4 100644 --- a/.buildkite/scripts/pipelines/security_solution_quality_gate/create_periodic_test_docker_image.sh +++ b/.buildkite/scripts/pipelines/security_solution_quality_gate/create_periodic_test_docker_image.sh @@ -34,6 +34,7 @@ node scripts/build \ --docker-namespace="kibana-ci" \ --docker-tag="$KIBANA_IMAGE_TAG" \ --skip-docker-ubuntu \ + --skip-docker-chainguard \ --skip-docker-ubi \ --skip-docker-cloud \ --skip-docker-contexts \ diff --git a/.buildkite/scripts/steps/artifacts/docker_context.sh b/.buildkite/scripts/steps/artifacts/docker_context.sh index ad09e00124ab13..8ee1c0ba2a4387 100755 --- a/.buildkite/scripts/steps/artifacts/docker_context.sh 
+++ b/.buildkite/scripts/steps/artifacts/docker_context.sh @@ -20,6 +20,9 @@ case $KIBANA_DOCKER_CONTEXT in default) DOCKER_CONTEXT_FILE="kibana-$FULL_VERSION-docker-build-context.tar.gz" ;; + chainguard) + DOCKER_CONTEXT_FILE="kibana-chainguard-$FULL_VERSION-docker-build-context.tar.gz" + ;; cloud) DOCKER_CONTEXT_FILE="kibana-cloud-$FULL_VERSION-docker-build-context.tar.gz" ;; diff --git a/.buildkite/scripts/steps/artifacts/docker_image.sh b/.buildkite/scripts/steps/artifacts/docker_image.sh index 8a482a341867fb..09622bbe0f02d9 100755 --- a/.buildkite/scripts/steps/artifacts/docker_image.sh +++ b/.buildkite/scripts/steps/artifacts/docker_image.sh @@ -32,6 +32,7 @@ node scripts/build \ --docker-namespace="kibana-ci" \ --docker-tag="$KIBANA_IMAGE_TAG" \ --skip-docker-ubuntu \ + --skip-docker-chainguard \ --skip-docker-ubi \ --skip-docker-fips \ --skip-docker-cloud \ diff --git a/.buildkite/scripts/steps/cloud/build_and_deploy.sh b/.buildkite/scripts/steps/cloud/build_and_deploy.sh index 8b269e24389778..267e986f85cd76 100755 --- a/.buildkite/scripts/steps/cloud/build_and_deploy.sh +++ b/.buildkite/scripts/steps/cloud/build_and_deploy.sh @@ -43,6 +43,7 @@ else --skip-docker-ubi \ --skip-docker-fips \ --skip-docker-ubuntu \ + --skip-docker-chainguard \ --skip-docker-serverless \ --skip-docker-contexts fi diff --git a/.buildkite/scripts/steps/fips/build.sh b/.buildkite/scripts/steps/fips/build.sh index e7d359b1cc2ae8..0dfebdf2a6de1b 100755 --- a/.buildkite/scripts/steps/fips/build.sh +++ b/.buildkite/scripts/steps/fips/build.sh @@ -23,6 +23,7 @@ node scripts/build \ --docker-push \ --skip-docker-ubi \ --skip-docker-ubuntu \ + --skip-docker-chainguard \ --skip-docker-cloud \ --skip-docker-serverless \ --skip-docker-contexts diff --git a/src/dev/build/args.test.ts b/src/dev/build/args.test.ts index 1bb50cf3cd9c16..85f799daa8a0d0 100644 --- a/src/dev/build/args.test.ts +++ b/src/dev/build/args.test.ts 
@@ -31,6 +31,7 @@ it('build default and oss dist for current platform, without packages, by defaul "createArchives": true, "createCdnAssets": true, "createDebPackage": false, + "createDockerChainguard": false, "createDockerCloud": false, "createDockerContexts": true, "createDockerFIPS": false, @@ -71,6 +72,7 @@ it('builds packages if --all-platforms is passed', () => { "createArchives": true, "createCdnAssets": true, "createDebPackage": true, + "createDockerChainguard": true, "createDockerCloud": true, "createDockerContexts": true, "createDockerFIPS": true, @@ -111,6 +113,7 @@ it('limits packages if --rpm passed with --all-platforms', () => { "createArchives": true, "createCdnAssets": true, "createDebPackage": false, + "createDockerChainguard": false, "createDockerCloud": false, "createDockerContexts": true, "createDockerFIPS": false, @@ -151,6 +154,7 @@ it('limits packages if --deb passed with --all-platforms', () => { "createArchives": true, "createCdnAssets": true, "createDebPackage": true, + "createDockerChainguard": false, "createDockerCloud": false, "createDockerContexts": true, "createDockerFIPS": false, @@ -192,6 +196,7 @@ it('limits packages if --docker passed with --all-platforms', () => { "createArchives": true, "createCdnAssets": true, "createDebPackage": false, + "createDockerChainguard": true, "createDockerCloud": true, "createDockerContexts": true, "createDockerFIPS": true, @@ -240,6 +245,7 @@ it('limits packages if --docker passed with --skip-docker-ubi and --all-platform "createArchives": true, "createCdnAssets": true, "createDebPackage": false, + "createDockerChainguard": true, "createDockerCloud": true, "createDockerContexts": true, "createDockerFIPS": true, @@ -281,6 +287,7 @@ it('limits packages if --all-platforms passed with --skip-docker-ubuntu', () => "createArchives": true, "createCdnAssets": true, "createDebPackage": true, + "createDockerChainguard": true, "createDockerCloud": true, "createDockerContexts": true, "createDockerFIPS": true, 
@@ -322,6 +329,7 @@ it('limits packages if --all-platforms passed with --skip-docker-fips', () => { "createArchives": true, "createCdnAssets": true, "createDebPackage": true, + "createDockerChainguard": true, "createDockerCloud": true, "createDockerContexts": true, "createDockerFIPS": false, diff --git a/src/dev/build/args.ts b/src/dev/build/args.ts index 0996a8688ef22d..9526d10eb2ae11 100644 --- a/src/dev/build/args.ts +++ b/src/dev/build/args.ts @@ -31,6 +31,7 @@ export function readCliArgs(argv: string[]) { 'skip-docker-contexts', 'skip-docker-ubi', 'skip-docker-ubuntu', + 'skip-docker-chainguard', 'skip-docker-cloud', 'skip-docker-serverless', 'skip-docker-fips', @@ -139,6 +140,8 @@ export function readCliArgs(argv: string[]) { createDebPackage: isOsPackageDesired('deb'), createDockerUbuntu: isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-ubuntu']), + createDockerChainguard: + isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-chainguard']), createDockerCloud: isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-cloud']), createDockerServerless: isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-serverless']), diff --git a/src/dev/build/build_distributables.ts b/src/dev/build/build_distributables.ts index ab9731e4ba112b..cc23b57530a680 100644 --- a/src/dev/build/build_distributables.ts +++ b/src/dev/build/build_distributables.ts @@ -31,6 +31,7 @@ export interface BuildOptions { createDebPackage: boolean; createDockerUBI: boolean; createDockerUbuntu: boolean; + createDockerChainguard: boolean; createDockerCloud: boolean; createDockerServerless: boolean; createDockerContexts: boolean; 
@@ -150,6 +151,10 @@ export async function buildDistributables(log: ToolingLog, options: BuildOptions await run(Tasks.CreateDockerUbuntu); } + if (options.createDockerChainguard) { + // control w/ --docker-images or --skip-docker-chainguard or --skip-os-packages + await run(Tasks.CreateDockerChainguard); + } if (options.createDockerCloud) { // control w/ --docker-images and --skip-docker-cloud if (options.downloadCloudDependencies) { diff --git a/src/dev/build/cli.ts b/src/dev/build/cli.ts index e9acd8245af02c..86160988c0f726 100644 --- a/src/dev/build/cli.ts +++ b/src/dev/build/cli.ts @@ -46,6 +46,7 @@ if (showHelp) { --skip-cdn-assets {dim Don't build CDN assets} --skip-docker-ubi {dim Don't build the docker ubi image} --skip-docker-ubuntu {dim Don't build the docker ubuntu image} + --skip-docker-chainguard {dim Don't build the docker chainguard image} --skip-docker-fips {dim Don't build the docker fips image} --release {dim Produce a release-ready distributable} --version-qualifier {dim Suffix version with a qualifier} diff --git a/src/dev/build/tasks/os_packages/create_os_package_tasks.ts b/src/dev/build/tasks/os_packages/create_os_package_tasks.ts index e623dd86b9d6fc..b71f900986380a 100644 --- a/src/dev/build/tasks/os_packages/create_os_package_tasks.ts +++ b/src/dev/build/tasks/os_packages/create_os_package_tasks.ts @@ -80,6 +80,27 @@ export const CreateDockerUbuntu: Task = { }, }; +export const CreateDockerChainguard: Task = { + description: 'Creating Docker Chainguard image', + + async run(config, log, build) { + await runDockerGenerator(config, log, build, { + architecture: 'x64', + baseImage: 'chainguard', + context: false, + image: true, + dockerBuildDate, + }); + await runDockerGenerator(config, log, build, { + architecture: 'aarch64', + baseImage: 'chainguard', + context: false, + image: true, + dockerBuildDate, + }); + }, +}; + export const CreateDockerServerless: Task = { description: 'Creating Docker Serverless image', 
@@ -161,6 +182,12 @@ export const CreateDockerContexts: Task = { image: false, dockerBuildDate, }); + await runDockerGenerator(config, log, build, { + baseImage: 'chainguard', + context: true, + image: false, + dockerBuildDate, + }); await runDockerGenerator(config, log, build, { baseImage: 'ubi', context: true, diff --git a/src/dev/build/tasks/os_packages/docker_generator/run.ts b/src/dev/build/tasks/os_packages/docker_generator/run.ts index cf2ddd34913b8f..a0aed0a71c1f7e 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/run.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/run.ts @@ -29,7 +29,7 @@ export async function runDockerGenerator( build: Build, flags: { architecture?: string; - baseImage: 'none' | 'ubi' | 'ubuntu'; + baseImage: 'none' | 'chainguard' | 'ubi' | 'ubuntu'; context: boolean; image: boolean; ironbank?: boolean; @@ -42,9 +42,12 @@ export async function runDockerGenerator( let baseImageName = ''; if (flags.baseImage === 'ubuntu') baseImageName = 'ubuntu:20.04'; if (flags.baseImage === 'ubi') baseImageName = 'docker.elastic.co/ubi9/ubi-minimal:latest'; + if (flags.baseImage === 'chainguard') + baseImageName = 'docker.elastic.co/wolfi/chainguard-base:20230214'; let imageFlavor = ''; if (flags.baseImage === 'ubi') imageFlavor += `-ubi`; + if (flags.baseImage === 'chainguard') imageFlavor += `-chainguard`; if (flags.ironbank) imageFlavor += '-ironbank'; if (flags.cloud) imageFlavor += '-cloud'; if (flags.serverless) imageFlavor += '-serverless'; diff --git a/src/dev/build/tasks/os_packages/docker_generator/template_context.ts b/src/dev/build/tasks/os_packages/docker_generator/template_context.ts index 7734c347edfaa9..b6cdd9e5499562 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/template_context.ts +++ b/src/dev/build/tasks/os_packages/docker_generator/template_context.ts 
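Review bot: The chainguard base image in the second run.ts hunk is selected by a mutable tag, `docker.elastic.co/wolfi/chainguard-base:20230214`, so two builds of the same Kibana commit can resolve to different base contents and nothing in the build records which one was used. For an image whose point is a hardened, attestable base, pinning by digest, `docker.elastic.co/wolfi/chainguard-base:20230214@sha256:<digest-placeholder>`, makes the build reproducible and lets provenance and SBOM tooling name the exact base; the ubi line above it has the same weakness with `:latest`, which the commit leaves as is. If the floating tag is deliberate so that rebuilds pick up base-image patches, a comment saying so, e.g. `// tag (not digest) is intentional so rebuilds pick up wolfi fixes`, would save the next reviewer the question.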
@@ -24,7 +24,7 @@ export interface TemplateContext { dockerBuildDate: string; usePublicArtifact?: boolean; publicArtifactSubdomain: string; - baseImage: 'none' | 'ubi' | 'ubuntu'; + baseImage: 'none' | 'ubi' | 'ubuntu' | 'chainguard'; baseImageName: string; cloud?: boolean; serverless?: boolean; diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile index 799d6efabdfd86..9a58281ba55b3b 100644 --- a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile +++ b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile @@ -12,11 +12,14 @@ FROM {{{baseImageName}}} AS builder {{#ubi}} -RUN {{packageManager}} install -y findutils tar gzip +RUN microdnf install -y findutils tar gzip {{/ubi}} {{#ubuntu}} -RUN {{packageManager}} update && DEBIAN_FRONTEND=noninteractive {{packageManager}} install -y curl +RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl {{/ubuntu}} +{{#chainguard}} +RUN apk --no-cache add curl +{{/chainguard}} {{#usePublicArtifact}} RUN cd /tmp && \ @@ -32,8 +35,8 @@ COPY {{artifactTarball}} /tmp/kibana.tar.gz RUN mkdir /usr/share/kibana WORKDIR /usr/share/kibana RUN tar \ -# Exclude serverless.yml disabled assets {{#serverless}} +# Exclude serverless.yml disabled assets --exclude=screenshotting-plugin/chromium \ --exclude=screenshotting-plugin/server/assets \ {{/serverless}} 
@@ -90,10 +93,10 @@ EXPOSE 5601 {{#ubi}} RUN for iter in {1..10}; do \ - {{packageManager}} update --setopt=tsflags=nodocs -y && \ - {{packageManager}} install --setopt=tsflags=nodocs -y \ + microdnf update --setopt=tsflags=nodocs -y && \ + microdnf install --setopt=tsflags=nodocs -y \ fontconfig freetype shadow-utils nss findutils {{#fips}}perl make gcc tar {{/fips}}&& \ - {{packageManager}} clean all && exit_code=0 && break || exit_code=$? && echo "{{packageManager}} error: retry $iter in 10s" && \ + microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && \ sleep 10; \ done; \ (exit $exit_code) @@ -101,16 +104,19 @@ RUN for iter in {1..10}; do \ {{#ubuntu}} RUN for iter in {1..10}; do \ export DEBIAN_FRONTEND=noninteractive && \ - {{packageManager}} update && \ - {{packageManager}} upgrade -y && \ - {{packageManager}} install -y --no-install-recommends \ - fontconfig libnss3 ca-certificates && \ - {{packageManager}} clean && \ - rm -rf /var/lib/apt/lists/* && exit_code=0 && break || exit_code=$? && echo "{{packageManager}} error: retry $iter in 10s" && \ + apt-get update && \ + apt-get upgrade -y && \ + apt-get install -y --no-install-recommends \ + fontconfig libnss3 ca-certificates && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* && exit_code=0 && break || exit_code=$? && echo "apt-get error: retry $iter in 10s" && \ sleep 10; \ done; \ (exit $exit_code) {{/ubuntu}} +{{#chainguard}} +RUN apk --no-cache add bash curl fontconfig libstdc++ freetype nss findutils shadow +{{/chainguard}} # Bring in Kibana from the initial stage. COPY --from=builder --chown=1000:0 /usr/share/kibana /usr/share/kibana diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts index dd35323808d514..b07be8b073747e 100755 --- a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts 
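Review bot: The chainguard runtime stage in the last Dockerfile hunk only adds packages and never upgrades the base layer, whereas the ubuntu branch runs `apt-get upgrade -y` and the ubi branch runs `microdnf update`, so packages already present in the wolfi base stay at whatever version the tag carried when it was built. Consider `RUN apk --no-cache upgrade && apk --no-cache add bash fontconfig libstdc++ freetype nss findutils shadow`. That line also drops `curl`: the ubuntu and ubi runtime stages do not install it (only the builder stage needs it for the artifact download), and leaving a network client out of the final image keeps its surface in line with the other flavors, unless something in the runtime stage not shown here depends on it. The ubuntu branch additionally installs `ca-certificates` explicitly; if the wolfi base does not bundle a CA store, Kibana's TLS connections to Elasticsearch fail only at runtime, so it is worth confirming (the Wolfi package is `ca-certificates-bundle`).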
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts @@ -16,7 +16,7 @@ function generator(options: TemplateContext) { const dir = options.ironbank ? 'ironbank' : 'base'; const template = readFileSync(resolve(__dirname, dir, './Dockerfile')); return Mustache.render(template.toString(), { - packageManager: options.baseImage === 'ubi' ? 'microdnf' : 'apt-get', + chainguard: options.baseImage === 'chainguard', ubi: options.baseImage === 'ubi', ubuntu: options.baseImage === 'ubuntu', opensslLegacyProvider: !(options.cloud || options.serverless || options.fips),
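Review bot: Removing the `packageManager` variable from the render context in this hunk affects every template `generator` renders, but the commit only updates `templates/base/Dockerfile`; `dir` can also be `ironbank`, and if `templates/ironbank/Dockerfile` still contains `{{packageManager}}`, Mustache substitutes an empty string without error and the affected `RUN` lines degrade to `RUN  install ...`, which surfaces only when that image is built. Worth grepping the ironbank template before merging and either keeping `packageManager` in the context or switching that template to the literal tool name as this commit does for `base`. The body of `generator` continues outside the hunk.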