Add initial version #1
Conversation
|
@patrick-stephens the initial offering for discussion. |
stevehipwell
force-pushed
the
initial-version
branch
from
20a7faa to
77c3a9b
Compare
There was a problem hiding this comment.
Looks decent to me although a few things need adding:
- Linting using Hadolint, Shellcheck, ActionLint, MarkdownLint
- Some more documentation
- Dependabot for actions and dockerfile
Unless you're planning on adding images other than Alpine I would simplify the CI and push all files up to the repo root.
Can you raise an issue if you don't want to do a big bang PR for these?
- Trivy + Dockle scans
- Testing - we need some level of sanity check
- Once supports fluentd, I think we should use the new config linter we have here: https://github.com/calyptia/fluent-linter-action
|
@patrick-stephens I need to review how the workflow for this is designed, what I've got here doesn't actually make sense. As you alluded to in a comment above I don't have a good solution for the versioning, I am against the Fluentd Docker versioning strategy ( I'm now thinking that maybe this repo tracks the latest Fluentd minor release and bumps the major version when this changes (e.g. v1.14 -> v1 and v1.15 -> v2) which will allow Fluentd or plugin updates/additions to be represented by minor or patch versions. It would then be possible to patch old versions if ever required by taking a branch from a release tag and working from that to tag a new version.
Do you have an example?
Isn't this setup at the repo level in the UI?
Do you have an example? |
|
@patrick-stephens we probably want a Ruby expert to take a look at this as I suspect we might get better security scanning if we added the plugins via a different method. What would really make this easier would be if the fluentd-docker-image CI was updated for multi-arch builds then the quantity of code in the repo would drop significantly. |
|
I'm happy if you want to land this just to get things moving and we tackle the rest as issues. We can make sure it's not GA or a major release until then. |
stevehipwell
force-pushed
the
initial-version
branch
from
77c3a9b to
0ec5022
Compare
|
@patrick-stephens sorry I've been crazy busy but could you take a quick look at this again? It's now architected as a single rolling release with AMD64 and ARM64 builds for Alpine and Debian. I'll take a look at your previous comments but the idea would be to land it and release |
|
Sounds good, I'll try to have a look tomorrow if possible |
|
Do you want to mark as ready for review? |
| @@ -0,0 +1,3 @@ | |||
| * text=auto eol=lf | |||
| *.{cmd,[cC][mM][dD]} text eol=crlf | |||
| *.{bat,[bB][aA][tT]} text eol=crlf | |||
There was a problem hiding this comment.
Probably want to add Linux shell scripts as well as they don't like the wrong line ending either
There was a problem hiding this comment.
Line 1 says everything will use lf unless explicitly overridden, so only file types needing crlf need specifying.
stevehipwell
force-pushed
the
initial-version
branch
4 times, most recently
from
41a48b0 to
52f1b26
Compare
stevehipwell
force-pushed
the
initial-version
branch
2 times, most recently
from
4a6fc5d to
5014a5f
Compare
|
@patrick-stephens this is ready for review now and should be a lot more fully featured than the previous attempt; it's based on the latest version of my Fluentd Aggregator which I'm currently in the process of testing. If there is a Ruby expert working on the Fluentd project who could provide the correct configuration to use Bundler from the Dockerfile instead of the inline script we could have Dependabot watch for updates of the Ruby Gems. The failing Grype code scanning results need addressing; I'd suggest setting the repo failure level in the UI and then either ignore blocking issues in the UI or mitigate them (probably upstream of this repo). I suspect that any attempt to be more secure than the Fluentd Docker image is likely to be painful. |
|
@cosmo0920 might be a good person to ask about the Fluentd bundling, I'm afraid I try to avoid Ruby :) |
There was a problem hiding this comment.
Looks fine to me, only a few queries really.
One thing I would check is whether it is easier to combine those workflows to simplify future updates. There appears to be some duplication across commit, pull request and tags which means any update must be done to all three so I've had issues in the past with missing one out. I don't think this should block though.
alpine.dockerfile
Outdated
| @@ -0,0 +1,60 @@ | |||
| FROM alpine:3.16 | |||
| LABEL maintainer "Fluentd developers <[email protected]>" | |||
| LABEL description="Fluentd aggregator OCI image based on Fluentd v1.15.2" version="0.0.1" | |||
There was a problem hiding this comment.
Do you want the base version of Fluentd to be configurable via a build arg?
Note that the various actions can overwrite labels, and indeed set a load of the default OCI ones so it may be worth checking them.
There was a problem hiding this comment.
I'm already using an action to do this, I'd just forgotten to remove the labels from the Dockerfiles. I've pushed up the change to do this now.
There was a problem hiding this comment.
Do you want the base version of Fluentd to be configurable via a build arg?
I don't think we can do this as all of the other package versions need changing in coordination with this (it's also no longer in the description anyway).
stevehipwell
force-pushed
the
initial-version
branch
from
5014a5f to
f787f30
Compare
As YAML isn't a programming language I'd choose duplication over the complexity of supporting the different workflows in a single file. For DRYing these out I'd recommend breaking the common patterns out into composite actions rather than trying to use a single workflow. |
Or a reusable workflow but yeah. Whatever works for you I think: as I say doesn't really block anything here - my concern would be that you know it but anyone submitting a PR doesn't so it has to be covered in review. |
That'd be the next logical progression if other repos were using the same automation, and something which I'm likely to do but wouldn't be exclusively for this use case. It's a shame GitHub doesn't allow more granular controls for GH actions sources. RE the review I'd suggest a CODEOWNERS file so any changes to the workflows next extra approval, IMHO this should be the case even if the actions were super simple. |
|
Yeah that's a good shout @stevehipwell , I don't want to block the review though on it unless you want to quickly add one. |
stevehipwell
force-pushed
the
initial-version
branch
from
f787f30 to
88b52b3
Compare
|
@patrick-stephens I've added an empty CODEOWNERS file but I don't think we want to dry the automation out until we've got it working and have used it a few times. |
fluent.conf
Outdated
| @@ -0,0 +1,18 @@ | |||
| <source> | |||
| @type forward | |||
| @label @default | |||
There was a problem hiding this comment.
We should use uppercase for label name:
- @label @default
+ @label @DEFAULT
fluent.yaml
Outdated
| config: | ||
| - source: | ||
| $type: forward | ||
| $label: '@default' |
There was a problem hiding this comment.
Ditto.
- $label: '@default'
+ $label: '@DEFAULT'
@cosmo0920 would you be able to help with this? |
@cosmo0920 there are a couple of reasons why I think we need specific versions. Firstly by pinning specific versions and using Dependabot we get notified about potential upstream changes, can choose to take them or not, and can then decide when a release is required. Secondly having the explicit versions makes the documentation clearer and tracking down issues much easier. Thirdly, and most importantly, CNCF security best practices (amongst others) say that dependencies should be immutable and captured in a SBOM. This is why I'd like to use Bundler to integrate with other tooling. |
|
Thanks for your reply. Hmm, it's reasonable to introduce bundler to manage Fluentd and its plugins' dependencies. 👍 |
stevehipwell
force-pushed
the
initial-version
branch
from
88b52b3 to
aff08e1
Compare
|
For bundler migration: First, we have to create Gemfile to manage minimal plugin dependencies by hands: Second, generate complete dependency information by alpine or other lightweight but including ruby binary containers like as: $ docker run --rm -it --mount type=bind,source="$(pwd)"/Gemfile,target=/Gemfile,readonly \
ruby:alpine sh -c "apk add --no-cache --quiet git && bundle lock --print --remove-platform x86_64-linux-musl --add-platform ruby" > Gemfile.lockFinally, use # other stuffs
if ! echo $@ | grep -e ' \-p' -e ' \-\-gemfile' ; then
set -- "$@" --gemfile /path/to/Gemfile
firef: https://docs.fluentd.org/deployment/plugin-management#gemfile-option |
|
For further plugin management, maybe we have to create Makefile or similar approach to provide short-circuit to update Fluentd and its plugin dependencies. |
|
Thanks @cosmo0920, would it be possible to apply the locked Gemfile during the Docker build rather than at runtime? I assume so but could you give me the correct command to do this? Once I've got my questions answered I'll give the Gemfile a try on my stevehipwell/fluentd-aggregator image which is the basis for this one. |
|
Ah, I forgot to mention to use the following step: COPY Gemfile* /fluentd/ |
|
@cosmo0920 I think it'd be best to apply the Gemfile (with lock) during the Docker build so what would be the correct bundler command to do that? |
|
Our official image should use these command: |
stevehipwell
force-pushed
the
initial-version
branch
from
aff08e1 to
fbff4d5
Compare
|
@cosmo0920 I've tested Bundler in my other repo and have added it to this PR. I do have a couple of questions which you might be able to help me with?
|
Just for historical reason. I think that we don't need to handle them on Gemfile.
This is because
No, we don't. Due to Ruby 2.7 support is needed for now.
From apt repository installation, sometimes it will install a bit of older versions. We need to install the specific version that we need to include the container. |
In my understanding, refs:
Probably |
|
In other words, we confirm fluentd well with |
|
@ashie @cosmo0920 I've added some further questions. Just for context we're only talking about Ruby 3 here and a single up to date Debian or Alpine version at any one time.
That makes sense, so are we OK to update the versions within the constraints set out in the fluentd.gemspec? For example What about for
I don't think this is the case for |
Yes.
We don't support async 2.0 yet even if on Ruby 3, it doesn't work well.
Should use latest one, jemalloc v5 is recommended. |
stevehipwell
force-pushed
the
initial-version
branch
2 times, most recently
from
73e2021 to
46c7bff
Compare
|
@ashie @cosmo0920 I've updated the Debian Dockerfile to use the apt version of |
stevehipwell
force-pushed
the
initial-version
branch
2 times, most recently
from
adbb4ae to
6765a65
Compare
Signed-off-by: Steve Hipwell <[email protected]>
stevehipwell
force-pushed
the
initial-version
branch
from
6765a65 to
7f04324
Compare
|
@patrick-stephens what do you want to do about the Grype issues? Some of them might be valid but a lot of them are false positives. I think this is related to anchore/grype#603. |
|
@stevehipwell I've not used Grype and for an initial drop I think it is fine - we should probably make sure we track them and resolve (either fix or ignore as appropriate). |
|
@patrick-stephens if you're happy I'll merge? |
|
@stevehipwell please do, all fine by me. |
This PR adds the initial version of the Fluentd Aggregator based on stevehipwell/fluentd-aggregator.
Before this can be merged the following needs to be completed.
After this has been merged the following actions need to be completed.