Add alpine based grafana image #14913
I pushed it to jsravn/grafana:master-alpine if anyone would like to try it out. Built against
Great work. Would love to have an alpine image as an alternative to get the size down. Unfortunately image generation doesn't work. PhantomJS crashes due to missing libraries. Output from running phantomjs in the container manually:
Ah, phantomjs. Didn't see that. sgerrand/alpine-pkg-glibc#13 makes it sound like this isn't too hopeful.
@jsravn No, unfortunately not. On the other hand, we are hoping to remove PhantomJS in the near future, which would hopefully allow us to provide an alpine-based image.
@xlson I should have something soon. I used https://github.com/AdoptOpenJDK/openjdk-docker/tree/master/8/jdk/alpine as an example. Basically you need to:
It looks like it's working now, I just need to wire up the build container to copy those libs over. I can copy from the build container directly but I'm not sure how up to date the build container is. Alternatively I could use the archlinux compiled libraries like AdoptOpenJDK uses.
Wow, that looks really promising. The build container's libraries are probably not that up to date, as we are going for CentOS 6 compatibility.
This copies the required phantomjs libs from the arch repo, similar to the approach AdoptOpenJDK takes (https://github.com/AdoptOpenJDK/openjdk-docker/tree/master/8/jdk/alpine). There's a fair number of libs unfortunately, as recent versions of freetype depend on harfbuzz (a font shaping lib), which pulls in a lot of transitive dependencies. An advantage is that it is easy to update the libraries as needed.
@xlson I got it working now. I've pushed an image at jsravn/grafana:master-alpine-2 built with the latest commits. I chose to go w/ the archlinux packages, same as AdoptOpenJDK. phantomjs has a lot of dependencies, so it is rather cumbersome. On the plus side, they are explicit and we only add the libraries we need in the alpine image. Let me know what you think about this approach.
Thinking about it some more - I'm wondering if it would be better to just try compiling a static phantomjs in a build container, then copy it over. I may give that a shot.
@xlson Okay, I did that. It's a lot simpler now. I just fire up a debian container and copy the libraries out of it. This avoids having to maintain all the library versions when copying from Arch. I tested it and it all seems to work. Image pushed to jsravn/grafana:master-alpine-3.
This is a lot simpler and easier to maintain. Just update the debian repository and install the latest fontconfig. Then copy the required libraries into the alpine container.
fc0aa86 to b54b7c4
Good work. I tested it locally and it works fine. It seems we've lost some of the size advantage with the addition of glibc, but that is to be expected. The gometalinter issue should be solved by merging master. The approach seems good to me. There is the question of maintainability and whether there are enough users that require an alpine-based docker image to warrant the maintenance burden. I'll leave the PR open for a bit so that we get a chance to discuss.
Having fewer vulnerabilities, and being easier to update to remove the vulnerabilities, is important to everyone, whether they know about it or not!
Alpine support would be great. We are currently seeing the following results with Snyk.io docker scanning of Grafana version 5.4.3: High: 9, Medium: 11, Low: 57
We currently have a multistage build that starts from the official Grafana image and creates an up to date alpine image. It would be great if there was an Alpine image included as an official tag. I was going to see about contributing it, but found this PR. |
@lmprice This sounds very interesting. Is it possible to have a look at it somewhere? Thanks.
I just did a similar thing to what @lmprice said. Dockerfile below.

# Multi-stage build: take the release artefacts out of the official (Debian-based)
# Grafana image and re-home them on Alpine plus glibc-compat.
ARG GRAFANA_VERSION=6.1.6
FROM grafana/grafana:${GRAFANA_VERSION} AS upstream

FROM alpine:3.9
ARG GF_UID="472"
ARG GF_GID="472"
ENV PATH=/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    GF_PATHS_CONFIG="/etc/grafana/grafana.ini" \
    GF_PATHS_DATA="/var/lib/grafana" \
    GF_PATHS_HOME="/usr/share/grafana" \
    GF_PATHS_LOGS="/var/log/grafana" \
    GF_PATHS_PLUGINS="/var/lib/grafana/plugins" \
    GF_PATHS_PROVISIONING="/etc/grafana/provisioning"
WORKDIR $GF_PATHS_HOME

####### Alpine phantomjs compatibility lifted from https://github.com/grafana/grafana/pull/14913/files
RUN apk add --update --no-cache shadow ca-certificates curl bash file openssl fontconfig ttf-dejavu && \
    rm -rf /tmp/*.apk /var/cache/apk/*

# Add glibc - required by grafana-server, grafana-cli, and phantomjs.
# glibc-compat is a third-party build (sgerrand), not an Alpine package: pin the version
# and install its signing key first so that `apk add` verifies the downloaded .apk files.
ARG GLIBC_VER="2.28-r0"
RUN ALPINE_GLIBC_REPO="https://github.com/sgerrand/alpine-pkg-glibc/releases/download" && \
    curl -Ls https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub -o /etc/apk/keys/sgerrand.rsa.pub && \
    curl -Ls ${ALPINE_GLIBC_REPO}/${GLIBC_VER}/glibc-${GLIBC_VER}.apk > /tmp/${GLIBC_VER}.apk && \
    apk add /tmp/${GLIBC_VER}.apk && \
    curl -Ls ${ALPINE_GLIBC_REPO}/${GLIBC_VER}/glibc-bin-${GLIBC_VER}.apk > /tmp/${GLIBC_VER}-bin.apk && \
    apk add /tmp/${GLIBC_VER}-bin.apk && \
    rm -rf /tmp/*.apk /var/cache/apk/*

# Fix glibc ldd command - see https://github.com/sgerrand/alpine-pkg-glibc/issues/103.
RUN sed -i s/lib64/lib/ /usr/glibc-compat/bin/ldd

# Add required phantomjs libs. These are Debian's multiarch builds, copied out of the
# upstream image into the directory the glibc-compat loader searches.
COPY --from=upstream /lib/x86_64-linux-gnu/libz.so.1 /usr/glibc-compat/lib
COPY --from=upstream /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 /usr/glibc-compat/lib
COPY --from=upstream /usr/lib/x86_64-linux-gnu/libfreetype.so.6 /usr/glibc-compat/lib
COPY --from=upstream /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/glibc-compat/lib
COPY --from=upstream /lib/x86_64-linux-gnu/libgcc_s.so.1 /usr/glibc-compat/lib
COPY --from=upstream /lib/x86_64-linux-gnu/libexpat.so.1 /usr/glibc-compat/lib
COPY --from=upstream /usr/lib/x86_64-linux-gnu/libpng16.so.16 /usr/glibc-compat/lib
# Rebuild the glibc-compat loader cache so the copied libraries are found at runtime.
RUN /usr/glibc-compat/sbin/ldconfig
########

# Grafana itself, its default config, data/log/plugin/provisioning dirs and the entrypoint.
COPY --from=upstream $GF_PATHS_CONFIG $GF_PATHS_CONFIG
COPY --from=upstream $GF_PATHS_DATA $GF_PATHS_DATA
COPY --from=upstream $GF_PATHS_HOME $GF_PATHS_HOME
COPY --from=upstream $GF_PATHS_LOGS $GF_PATHS_LOGS
COPY --from=upstream $GF_PATHS_PLUGINS $GF_PATHS_PLUGINS
COPY --from=upstream $GF_PATHS_PROVISIONING $GF_PATHS_PROVISIONING
COPY --from=upstream /run.sh /run.sh

# Same unprivileged UID/GID as the official image, so existing volumes keep their ownership.
RUN addgroup -g $GF_GID grafana && \
    adduser -D -u $GF_UID -G grafana grafana && \
    chown -R grafana:grafana "$GF_PATHS_DATA" "$GF_PATHS_HOME/.aws" "$GF_PATHS_LOGS" "$GF_PATHS_PLUGINS" "$GF_PATHS_PROVISIONING" && \
    chmod -R 700 "$GF_PATHS_DATA" "$GF_PATHS_HOME/.aws" "$GF_PATHS_LOGS" "$GF_PATHS_PLUGINS" "$GF_PATHS_PROVISIONING"
EXPOSE 3000
USER grafana
ENTRYPOINT [ "/run.sh" ]
It isn't exactly groundbreaking, but it served my needs. We're about to contribute a new OS project and our security team was going crazy with the Ubuntu and Debian images. Swapping to an Alpine base using something like this saved me a lot of time and effort.
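Both jsravn's approach (copy the libraries out of a Debian container) and the Dockerfile above depend on knowing exactly which shared objects PhantomJS and the Grafana binaries pull in, and the first image in this thread failed precisely because some were missing and PhantomJS crashed. The script below is an added example, not code from the PR or from Grafana: it reads the DT_NEEDED entries straight out of ELF64 files and walks them transitively, so the COPY list and any gaps are known before the image is built rather than at the first crash. The donor library contents and their dependency edges are constructed in-memory fixtures (the names echo the libraries copied above; the edges are illustrative, with libharfbuzz.so.0 deliberately absent). `lookup_in_dirs` is the hypothetical hook for pointing it at a real donor's /lib/x86_64-linux-gnu and /usr/lib/x86_64-linux-gnu.

```python
"""Transitive DT_NEEDED closure of an ELF64 binary: what to COPY, and what the loader would miss."""
import os
import struct
from typing import Callable, Dict, List, Optional, Set, Tuple

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
Lookup = Callable[[str], Optional[bytes]]  # library name -> file bytes, or None if absent


def needed_libs(elf: bytes) -> List[str]:
    """Return the DT_NEEDED names of a little-endian ELF64 image, in declaration order."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    phoff = struct.unpack_from("<Q", elf, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)
    loads, dynamic = [], None  # PT_LOAD (vaddr, offset, filesz) triples; PT_DYNAMIC (offset, filesz)
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # statically linked: nothing to copy
    offsets, strtab_vaddr = [], None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        d_tag, d_val = struct.unpack_from("<qQ", elf, pos)  # Elf64_Dyn: signed tag, unsigned value
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            offsets.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
    if strtab_vaddr is None:
        return []
    # DT_STRTAB holds a virtual address; map it to a file offset through the PT_LOAD that contains it.
    for seg_vaddr, seg_off, seg_size in loads:
        if seg_vaddr <= strtab_vaddr < seg_vaddr + seg_size:
            base = strtab_vaddr - seg_vaddr + seg_off
            break
    else:
        raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")
    return [elf[base + o:elf.index(b"\0", base + o)].decode() for o in offsets]


def library_closure(root: bytes, lookup: Lookup) -> Tuple[List[str], List[str]]:
    """Walk DT_NEEDED transitively from `root`. Returns (found, missing), both sorted:
    `found` is the exact COPY list, `missing` is what the dynamic loader would fail on."""
    found: Set[str] = set()
    missing: Set[str] = set()
    queue = needed_libs(root)
    while queue:
        name = queue.pop()
        if name in found or name in missing:
            continue
        data = lookup(name)
        if data is None:
            missing.add(name)
        else:
            found.add(name)
            queue.extend(needed_libs(data))
    return sorted(found), sorted(missing)


def lookup_in_dirs(dirs: List[str]) -> Lookup:
    """Real-world lookup (hypothetical helper): search the donor's library directories by file name."""
    def find(name: str) -> Optional[bytes]:
        for d in dirs:
            path = os.path.join(d, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    return fh.read()
        return None
    return find


def build_sample_elf(needed: List[str]) -> bytes:
    """Constructed fixture: a minimal, non-loadable ELF64 whose PT_DYNAMIC lists `needed`."""
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    ehsize, phentsize, phnum = 64, 56, 2
    dyn_off = ehsize + phentsize * phnum
    dyn_size = 16 * (len(needed) + 2)  # DT_NEEDED entries + DT_STRTAB + DT_NULL
    str_off = dyn_off + dyn_size
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack("<qQ", DT_STRTAB, str_off) + struct.pack("<qQ", DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, ehsize, 0, 0, ehsize, phentsize, phnum, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)  # one segment, vaddr == offset
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 8)
    return ehdr + load + dynamic + dyn + strtab


# Constructed donor "image": names echo the Debian libs copied in the Dockerfile above, edges are
# illustrative, and libharfbuzz.so.0 is deliberately absent so the report shows a gap.
SAMPLE_DONOR: Dict[str, bytes] = {
    "libfontconfig.so.1": build_sample_elf(["libfreetype.so.6", "libc.so.6"]),
    "libfreetype.so.6": build_sample_elf(["libpng16.so.16", "libharfbuzz.so.0", "libc.so.6"]),
    "libpng16.so.16": build_sample_elf(["libz.so.1", "libc.so.6"]),
    "libz.so.1": build_sample_elf(["libc.so.6"]),
    "libstdc++.so.6": build_sample_elf(["libc.so.6"]),
    "libc.so.6": build_sample_elf([]),
}


def demo() -> Tuple[List[str], List[str]]:
    """Closure for a constructed 'phantomjs' binary resolved against SAMPLE_DONOR."""
    phantomjs = build_sample_elf(["libfontconfig.so.1", "libstdc++.so.6", "libc.so.6"])
    return library_closure(phantomjs, SAMPLE_DONOR.get)
```

Against a real donor you would extract or mount its library directories and call `library_closure(open("phantomjs", "rb").read(), lookup_in_dirs([...]))`; anything reported as missing is either something the Alpine side already supplies (glibc-compat provides the core glibc libraries such as libc.so.6) or a library that still has to be copied. The check resolves file names only, not SONAME or symbol versions, so a library copied from a different distribution than the one the binary was linked against can still fail at load time.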
@xlson with so many suggestions, why don't we pick one that seems to fit best and get rid of the vulnerabilities?
@sbkg0002 Unfortunately a lot of these solutions don't work with PhantomJS, and since we are in the process (actively) of replacing it we're holding off on introducing an alpine image. In the meantime we will most likely move to ubuntu, as that has 0 high severity vulnerabilities at least.
Thank you for taking the time to contribute to Grafana. I've decided to not merge this as we switched base image from debian to ubuntu in #17066 to get rid of all high severity issues. While we appreciate the effort of your solution, it's not something we want to maintain. We are working on replacing phantomjs and once that's done we should reevaluate switching to alpine as the default container.
For #14182
Reasons:
I tagged the image similar to other projects (like node, nginx), with a suffix -alpine on the version. This works for me when I build grafana-server in the grafana/build-container:1.22.