appscode-images
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎elasticsearch/Dockerfile
Lines changed: 190 additions & 62 deletions b/‎elasticsearch/Dockerfile
Lines changed: 190 additions & 62 deletions
@@ -78,4 +78,4 @@ and includes the full set of [free
 features](https://www.elastic.co/subscriptions).
 
 View the detailed release notes
-[here](https://www.elastic.co/guide/en/elasticsearch/reference/7.14/es-release-notes.html).
+[here](https://www.elastic.co/guide/en/elasticsearch/reference/8.0/es-release-notes.html).
@@ -5,36 +5,167 @@
 ################################################################################
 
 ################################################################################
-# Build stage 0 `builder`:
-# Extract Elasticsearch artifact
+# Stage 1. Build curl statically. Installing it from RPM on CentOS pulls in too
+# many dependencies.
 ################################################################################
+FROM alpine:3.13 AS curl
 
-FROM centos:8 AS builder
+ENV VERSION 7.71.0
+ENV TARBALL_URL https://curl.haxx.se/download/curl-${VERSION}.tar.xz
+ENV TARBALL_PATH curl-${VERSION}.tar.xz
+
+# Install dependencies
+RUN for iter in {1..10}; do \
+      apk add gnupg gcc make musl-dev openssl-dev openssl-libs-static file && \
+      exit_code=0 && break || \
+        exit_code=$? && echo "apk error: retry $iter in 10s" && sleep 10; \
+    done; \
+    exit $exit_code
+
+RUN mkdir /work
+WORKDIR /work
+
+# Fetch curl sources and files for validation. Note that alpine's `wget` doesn't have retry options.
+RUN function retry_wget() { \
+      local URL="$1" ; \
+      local DEST="$2" ; \
+      for iter in {1..10}; do \
+        wget "$URL" -O "$DEST" && \
+        exit_code=0 && break || \
+          exit_code=$? && echo "wget error: retry $iter in 10s" && sleep 10; \
+      done; \
+      return $exit_code ; \
+    } ; \
+    retry_wget "https://daniel.haxx.se/mykey.asc" "curl-gpg.pub" && \
+    retry_wget "${TARBALL_URL}.asc" "${TARBALL_PATH}.asc" && \
+    retry_wget "${TARBALL_URL}" "${TARBALL_PATH}"
+
+# Validate source
+RUN gpg --import --always-trust "curl-gpg.pub" && \
+    gpg --verify "${TARBALL_PATH}.asc" "${TARBALL_PATH}"
+
+# Unpack and build
+RUN set -e ; \
+    tar xfJ "${TARBALL_PATH}" ; \
+    cd "curl-${VERSION}" ; \
+    if ! ./configure --disable-shared --with-ca-fallback --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt ; then \
+        [[ -e config.log ]] && cat config.log ; \
+        exit 1 ; \
+    fi ; \
+    make curl_LDFLAGS="-all-static" ; \
+    cp src/curl /work/curl ; \
+    strip /work/curl
+
+################################################################################
+# Step 2. Create a minimal root filesystem directory. This will form the basis
+# for our image.
+################################################################################
+FROM centos:8 AS rootfs
+
+ENV TINI_VERSION 0.19.0
+
+# Start off with an up-to-date system
+RUN yum update --setopt=tsflags=nodocs -y
+
+# Create a directory into which we will install files
+RUN mkdir /rootfs
+
+# Create required devices
+RUN mkdir -m 755 /rootfs/dev && \
+    mknod -m 600 /rootfs/dev/console c 5 1 && \
+    mknod -m 600 /rootfs/dev/initctl p && \
+    mknod -m 666 /rootfs/dev/full c 1 7 && \
+    mknod -m 666 /rootfs/dev/null c 1 3 && \
+    mknod -m 666 /rootfs/dev/ptmx c 5 2 && \
+    mknod -m 666 /rootfs/dev/random c 1 8 && \
+    mknod -m 666 /rootfs/dev/tty c 5 0 && \
+    mknod -m 666 /rootfs/dev/tty0 c 4 0 && \
+    mknod -m 666 /rootfs/dev/urandom c 1 9 && \
+    mknod -m 666 /rootfs/dev/zero c 1 5
+
+# Install a minimal set of dependencies, and some for Elasticsearch
+RUN yum --installroot=/rootfs --releasever=/ --setopt=tsflags=nodocs \
+      --setopt=group_package_types=mandatory -y  \
+      --skip-broken \
+      install basesystem bash zip zlib
 
 # `tini` is a tiny but valid init for containers. This is used to cleanly
 # control how ES and any child processes are shut down.
 #
 # The tini GitHub page gives instructions for verifying the binary using
 # gpg, but the keyservers are slow to return the key and this can fail the
 # build. Instead, we check the binary against the published checksum.
-RUN set -eux ; \
-    tini_bin="" ; \
+#
+# Also, we use busybox instead of installing utility RPMs, which pulls in
+# all kinds of stuff we don't want.
+RUN set -e ; \
+    TINI_BIN="" ; \
+    BUSYBOX_COMMIT="" ; \
     case "$(arch)" in \
-        aarch64) tini_bin='tini-arm64' ;; \
-        x86_64)  tini_bin='tini-amd64' ;; \
-        *) echo >&2 ; echo >&2 "Unsupported architecture $(arch)" ; echo >&2 ; exit 1 ;; \
+        aarch64) \
+            BUSYBOX_COMMIT='8a500845daeaeb926b25f73089c0668cac676e97' ; \
+            TINI_BIN='tini-arm64' ; \
+            ;; \
+        x86_64) \
+            BUSYBOX_COMMIT='cc81bf8a3c979f596af2d811a3910aeaa230e8ef' ; \
+            TINI_BIN='tini-amd64' ; \
+            ;; \
+        *) echo >&2 "Unsupported architecture $(arch)" ; exit 1 ;; \
     esac ; \
-    curl --retry 10 -S -L -O https://github.com/krallin/tini/releases/download/v0.19.0/${tini_bin} ; \
-    curl --retry 10 -S -L -O https://github.com/krallin/tini/releases/download/v0.19.0/${tini_bin}.sha256sum ; \
-    sha256sum -c ${tini_bin}.sha256sum ; \
-    rm ${tini_bin}.sha256sum ; \
-    mv ${tini_bin} /bin/tini ; \
-    chmod +x /bin/tini
+    curl --retry 10 -S -L -O "https://github.com/krallin/tini/releases/download/v0.19.0/${TINI_BIN}" ; \
+    curl --retry 10 -S -L -O "https://github.com/krallin/tini/releases/download/v0.19.0/${TINI_BIN}.sha256sum" ; \
+    sha256sum -c "${TINI_BIN}.sha256sum" ; \
+    rm "${TINI_BIN}.sha256sum" ; \
+    mv "${TINI_BIN}" /rootfs/bin/tini ; \
+    chmod 0555 /rootfs/bin/tini ; \
+    curl --retry 10 -L -O \
+      # Here we're fetching the same binaries used for the official busybox docker image from their GtiHub repository
+      "https://github.com/docker-library/busybox/raw/${BUSYBOX_COMMIT}/stable/musl/busybox.tar.xz" ; \
+    tar -xf busybox.tar.xz -C /rootfs/bin --strip=2 ./bin ; \
+    rm busybox.tar.xz ;
+
+# Curl needs files under here. More importantly, we change Elasticsearch's
+# bundled JDK to use /etc/pki/ca-trust/extracted/java/cacerts instead of
+# the bundled cacerts.
+RUN mkdir -p /rootfs/etc && \
+    cp -a /etc/pki /rootfs/etc/
+
+# Cleanup the filesystem
+RUN yum --installroot=/rootfs -y clean all && \
+    cd /rootfs && \
+    rm -rf \
+        etc/{X11,centos-release*,csh*,profile*,skel*,yum*} \
+        sbin/sln \
+        usr/bin/rpm \
+        {usr,var}/games \
+        usr/lib/{dracut,systemd,udev} \
+        usr/lib64/X11 \
+        usr/local \
+        usr/share/{awk,centos-release,cracklib,desktop-directories,gcc-*,i18n,icons,licenses,xsessions,zoneinfo} \
+        usr/share/{man,doc,info,games,gdb,ghostscript,gnome,groff,icons,pixmaps,sounds,backgrounds,themes,X11} \
+        usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive} \
+        var/cache/yum \
+        var/lib/{rpm,yum} \
+        var/log/yum.log
+
+# ldconfig
+RUN rm -rf /rootfs/etc/ld.so.cache /rootfs/var/cache/ldconfig && \
+    mkdir -p --mode=0755 /rootfs/var/cache/ldconfig
+
+COPY --from=curl /work/curl /rootfs/usr/bin/curl
+
+# Ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks.
+RUN find /rootfs -xdev -perm -4000 -exec chmod ug-s {} +
+
+################################################################################
+# Step 3. Fetch the Elasticsearch distribution and configure it for Docker
+################################################################################
+FROM centos:8 AS builder
 
 RUN mkdir /usr/share/elasticsearch
 WORKDIR /usr/share/elasticsearch
 
-RUN curl --retry 10 -S -L --output /opt/elasticsearch.tar.gz https://artifacts-no-kpi.elastic.co/downloads/elasticsearch/elasticsearch-7.14.0-linux-$(arch).tar.gz
+RUN curl --retry 10 -S -L --output /opt/elasticsearch.tar.gz https://artifacts-no-kpi.elastic.co/downloads/elasticsearch/elasticsearch-8.0.0-alpha1-linux-$(arch).tar.gz
 
 RUN tar -zxf /opt/elasticsearch.tar.gz --strip-components=1
 
@@ -43,57 +174,43 @@ COPY config/elasticsearch.yml config/
 COPY config/log4j2.properties config/log4j2.docker.properties
 
 #  1. Configure the distribution for Docker
-#  2. Ensure directories are created. Most already are, but make sure
-#  3. Apply correct permissions
-#  4. Move the distribution's default logging config aside
-#  5. Generate a docker logging config, to be used by default
-#  6. Apply more correct permissions
-#  7. The JDK's directories' permissions don't allow `java` to be executed under a different
-#     group to the default. Fix this.
-#  8. Remove write permissions from all files under `lib`, `bin`, `jdk` and `modules`
-#  9. Ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks.
-# 10. Ensure all files are world-readable by default. It should be possible to
-#     examine the contents of the image under any UID:GID
+#  2. Create required directory
+#  3. Move the distribution's default logging config aside
+#  4. Move the generated docker logging config so that it is the default
+#  5. Reset permissions on all directories
+#  6. Reset permissions on all files
+#  7. Make CLI tools executable
+#  8. Make some directories writable. `bin` must be writable because
+#     plugins can install their own CLI utilities.
+#  9. Make some files writable
 RUN sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' bin/elasticsearch-env && \
-    mkdir -p config/jvm.options.d data logs plugins && \
-    chmod 0775 config config/jvm.options.d data logs plugins && \
+    mkdir data && \
     mv config/log4j2.properties config/log4j2.file.properties && \
     mv config/log4j2.docker.properties config/log4j2.properties && \
-    chmod 0660 config/elasticsearch.yml config/log4j2*.properties && \
-    find ./jdk -type d -exec chmod 0755 {} + && \
-    chmod -R a-w lib bin jdk modules && \
-    find . -xdev -perm -4000 -exec chmod ug-s {} + && \
-    find . -type f -exec chmod o+r {} +
+    find . -type d -exec chmod 0555 {} + && \
+    find . -type f -exec chmod 0444 {} + && \
+    chmod 0555 bin/* jdk/bin/* jdk/lib/jspawnhelper modules/x-pack-ml/platform/linux-*/bin/* && \
+    chmod 0775 bin config config/jvm.options.d data logs plugins && \
+    find config -type f -exec chmod 0664 {} +
 
 ################################################################################
-# Build stage 1 (the actual Elasticsearch image):
-#
-# Copy elasticsearch from stage 0
-# Add entrypoint
+# Stage 4. Build the final image, using the rootfs above as the basis, and
+# copying in the Elasticsearch distribution
 ################################################################################
+FROM scratch
 
-FROM centos:8
+# Setup the initial filesystem.
+COPY --from=rootfs /rootfs /
 
-RUN for iter in {1..10}; do \
-      yum update --setopt=tsflags=nodocs -y && \
-      yum install --setopt=tsflags=nodocs -y \
-      nc shadow-utils zip unzip  && \
-      yum clean all && \
-      exit_code=0 && break || \
-        exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; \
-    done; \
-    exit $exit_code
-
-RUN groupadd -g 1000 elasticsearch && \
-    adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && \
-    chmod 0775 /usr/share/elasticsearch && \
-    chown -R 1000:0 /usr/share/elasticsearch
+RUN addgroup -g 1000 elasticsearch && \
+    adduser -D -u 1000 -G elasticsearch -g elasticsearch -h /usr/share/elasticsearch elasticsearch && \
+    addgroup elasticsearch root && \
+    chown -R 0:0 /usr/share/elasticsearch
 
 ENV ELASTIC_CONTAINER true
 
 WORKDIR /usr/share/elasticsearch
-COPY --from=builder --chown=1000:0 /usr/share/elasticsearch /usr/share/elasticsearch
-COPY --from=builder --chown=0:0 /bin/tini /bin/tini
+COPY --from=builder --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch
 
 ENV PATH /usr/share/elasticsearch/bin:$PATH
 
@@ -106,34 +223,45 @@ COPY bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 # 4. Replace OpenJDK's built-in CA certificate keystore with the one from the OS
 #    vendor. The latter is superior in several ways.
 #    REF: https://github.com/elastic/elasticsearch-docker/issues/171
+# 5. Tighten up permissions on the ES home dir (the permissions of the contents are handled earlier)
+# 6. You can't install plugins that include configuration when running as `elasticsearch` and the `config`
+#    dir is owned by `root`, because the installed tries to manipulate the permissions on the plugin's
+#    config directory.
 RUN chmod g=u /etc/passwd && \
-    chmod 0775 /usr/local/bin/docker-entrypoint.sh && \
+    chmod 0555 /usr/local/bin/docker-entrypoint.sh && \
     find / -xdev -perm -4000 -exec chmod ug-s {} + && \
-    ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts
+    ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts && \
+    chmod 0775 /usr/share/elasticsearch && \
+    chown elasticsearch bin config config/jvm.options.d data logs plugins
 
 EXPOSE 9200 9300
 
-LABEL org.label-schema.build-date="2021-07-29T20:49:32.864135063Z" \
+LABEL org.label-schema.build-date="2021-08-03T20:46:41.477290628Z" \
   org.label-schema.license="Elastic-License-2.0" \
   org.label-schema.name="Elasticsearch" \
   org.label-schema.schema-version="1.0" \
   org.label-schema.url="https://www.elastic.co/products/elasticsearch" \
   org.label-schema.usage="https://www.elastic.co/guide/en/elasticsearch/reference/index.html" \
-  org.label-schema.vcs-ref="dd5a0a2acaa2045ff9624f3729fc8a6f40835aa1" \
+  org.label-schema.vcs-ref="b11c15b7e0af64f90c3eb9c52c2534b4f143a070" \
   org.label-schema.vcs-url="https://github.com/elastic/elasticsearch" \
   org.label-schema.vendor="Elastic" \
-  org.label-schema.version="7.14.0" \
-  org.opencontainers.image.created="2021-07-29T20:49:32.864135063Z" \
+  org.label-schema.version="8.0.0-alpha1" \
+  org.opencontainers.image.created="2021-08-03T20:46:41.477290628Z" \
   org.opencontainers.image.documentation="https://www.elastic.co/guide/en/elasticsearch/reference/index.html" \
   org.opencontainers.image.licenses="Elastic-License-2.0" \
-  org.opencontainers.image.revision="dd5a0a2acaa2045ff9624f3729fc8a6f40835aa1" \
+  org.opencontainers.image.revision="b11c15b7e0af64f90c3eb9c52c2534b4f143a070" \
   org.opencontainers.image.source="https://github.com/elastic/elasticsearch" \
   org.opencontainers.image.title="Elasticsearch" \
   org.opencontainers.image.url="https://www.elastic.co/products/elasticsearch" \
   org.opencontainers.image.vendor="Elastic" \
-  org.opencontainers.image.version="7.14.0"
+  org.opencontainers.image.version="8.0.0-alpha1"
 
+USER elasticsearch:root
+
+# Our actual entrypoint is `tini`, a minimal but functional init program. It
+# calls the entrypoint we provide, while correctly forwarding signals.
 ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
+
 # Dummy overridable parameter parsed by entrypoint
 CMD ["eswrapper"]