Skip to content

Switch the base Docker image to Wolfi #3760

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rdner merged 2 commits into from
Jul 29, 2024
Merged

Switch the base Docker image to Wolfi #3760

rdner merged 2 commits into from
Jul 29, 2024

Conversation

@rdner
Copy link
Member

@rdner rdner commented Jul 26, 2024
edited
Loading

What is the problem this PR solves?

It improves overall security of the Fleet Server's Docker image.

How does this PR solve the problem?

It switches the base Docker image from Ubuntu:20.04 to Wolfi and switches the root user to a unprivileged fleet-server user.

How to test this PR locally

  1. Run make build-docker and the command should succeed.
  2. Run the container using the newly built image:
docker run -it --rm \
  -e ELASTICSEARCH_HOSTS="https://elasticsearch:9200" \
  -e ELASTICSEARCH_SERVICE_TOKEN="someservicetoken" \
  -e ELASTICSEARCH_CA_TRUSTED_FINGERPRINT="somefingerprint" \
  docker.elastic.co/fleet-server/fleet-server:8.16.0

and the Fleet Server should successfully start without crashing.

  1. Run the shell inside the container:
docker run -it --entrypoint /bin/ash docker.elastic.co/fleet-server/fleet-server:8.16.0
  1. Verify that you're running the fleet-server user with the whoami command.

The image comparison:

Before:

REPOSITORY                                    TAG       IMAGE ID       CREATED          SIZE
docker.elastic.co/fleet-server/fleet-server   8.16.0    ae499a75167e   11 seconds ago   101MB

IMAGE          CREATED          CREATED BY                                      SIZE      COMMENT
ae499a75167e   28 seconds ago   CMD ["/bin/sh" "-c" "/usr/bin/fleet-server -…   0B        buildkit.dockerfile.v0
<missing>      28 seconds ago   COPY /usr/src/fleet-server/build/binaries/fl…   35.7MB    buildkit.dockerfile.v0
<missing>      47 seconds ago   COPY fleet-server.yml /etc/fleet-server.yml …   967B      buildkit.dockerfile.v0
<missing>      47 seconds ago   ARG TARGETARCH                                  0B        buildkit.dockerfile.v0
<missing>      47 seconds ago   ARG TARGETOS                                    0B        buildkit.dockerfile.v0
<missing>      47 seconds ago   ARG VERSION                                     0B        buildkit.dockerfile.v0
<missing>      7 weeks ago      /bin/sh -c #(nop)  CMD ["/bin/bash"]            0B        
<missing>      7 weeks ago      /bin/sh -c #(nop) ADD file:6d8cc056ee741f09a…   65.7MB    
<missing>      7 weeks ago      /bin/sh -c #(nop)  LABEL org.opencontainers.…   0B        
<missing>      7 weeks ago      /bin/sh -c #(nop)  LABEL org.opencontainers.…   0B        
<missing>      7 weeks ago      /bin/sh -c #(nop)  ARG LAUNCHPAD_BUILD_ARCH     0B        
<missing>      7 weeks ago      /bin/sh -c #(nop)  ARG RELEASE                  0B

After:

REPOSITORY                                    TAG       IMAGE ID       CREATED         SIZE
docker.elastic.co/fleet-server/fleet-server   8.16.0    fd3ffec22e4a   8 seconds ago   61.3MB

IMAGE          CREATED          CREATED BY                                      SIZE      COMMENT
fd3ffec22e4a   27 seconds ago   CMD ["/bin/sh" "-c" "/usr/bin/fleet-server -…   0B        buildkit.dockerfile.v0
<missing>      27 seconds ago   COPY --chown=fleet-server:fleet-server --chm…   35.7MB    buildkit.dockerfile.v0
<missing>      41 seconds ago   COPY --chown=fleet-server:fleet-server --chm…   967B      buildkit.dockerfile.v0
<missing>      41 seconds ago   USER fleet-server                               0B        buildkit.dockerfile.v0
<missing>      41 seconds ago   RUN |3 VERSION=8.16.0 TARGETOS=linux TARGETA…   3.67kB    buildkit.dockerfile.v0
<missing>      42 seconds ago   RUN |3 VERSION=8.16.0 TARGETOS=linux TARGETA…   11.9MB    buildkit.dockerfile.v0
<missing>      42 seconds ago   ARG TARGETARCH                                  0B        buildkit.dockerfile.v0
<missing>      42 seconds ago   ARG TARGETOS                                    0B        buildkit.dockerfile.v0
<missing>      42 seconds ago   ARG VERSION                                     0B        buildkit.dockerfile.v0
<missing>      2 days ago       apko                                            13.8MB    This is an apko single-layer image

Down in size by 101-61.3=39.7MB.

To my knowledge we don't ship this image publicly, therefore I think we don't need a change log entry.

Related issues

Relates to https://github.com/elastic/elastic-agent/pull/5062

@rdner
Switch the base Docker image to Wolfi
ab20220 
It's a security-focused image.
@rdner rdner added enhancement New feature or request backport-skip Skip notification from the automated backport with mergify Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Jul 26, 2024
@rdner rdner self-assigned this Jul 26, 2024
@rdner rdner marked this pull request as ready for review July 26, 2024 14:52
@rdner rdner requested a review from a team as a code owner July 26, 2024 14:52
@rdner rdner requested review from cmacknz, faec and michalpristas and removed request for faec July 26, 2024 14:52
@AndersonQ
Copy link
Member

AndersonQ commented Jul 26, 2024

@rdner, please, only merge it Monday :)

michel-laterman
michel-laterman approved these changes Jul 26, 2024
View reviewed changes
Copy link
Contributor

@michel-laterman michel-laterman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

we only use these images internally at the moment

@elastic-sonarqube
Copy link

elastic-sonarqube bot commented Jul 26, 2024
edited
Loading

Quality Gate passed Quality Gate passed

Issues
1 New issue
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@rdner
Copy link
Member Author

rdner commented Jul 26, 2024
edited
Loading

@michel-laterman to my knowledge this image is used in serverless.

@rdner rdner merged commit 3df3b98 into elastic:main Jul 29, 2024
@rdner rdner deleted the docker-wolfi branch July 29, 2024 07:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michel-laterman michel-laterman michel-laterman approved these changes

@michalpristas michalpristas Awaiting requested review from michalpristas michalpristas is a code owner automatically assigned from elastic/elastic-agent-control-plane

@cmacknz cmacknz Awaiting requested review from cmacknz

Assignees

@rdner rdner

Labels

backport-skip Skip notification from the automated backport with mergify enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rdner @AndersonQ @michel-laterman