feat: Add Alpine-based image

This is mostly to get rid of the vulnerabilities that the Debian-based image carries with it.
SumoLogic · Aug 19, 2021 · c9379e5 · c9379e5
1 parent 9a54d29
commit c9379e5
Show file tree

Hide file tree

Showing 9 changed files with 218 additions and 11 deletions.
diff --git a/.github/workflows/dev_builds.yml b/.github/workflows/dev_builds.yml
@@ -27,14 +27,20 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLIC_ECR_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLIC_ECR_SECRET_ACCESS_KEY }}
 
-      - name: Build and push image
+      - name: Build and push Debian image
         run: make build-push-multiplatform
 
+      - name: Build and push Alpine image
+        run: make build-push-multiplatform-alpine
+
       - name: Login to Open Source ECR
         run: make login-opensource
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.OPENSOURCE_ECR_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.OPENSOURCE_ECR_SECRET_ACCESS_KEY }}
 
-      - name: Build and push image to Open Source ECR
+      - name: Build and push Debian image to Open Source ECR
         run: make build-push-multiplatform-opensource
+
+      - name: Build and push Alpine image to Open Source ECR
+        run: make build-push-multiplatform-alpine-opensource
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
@@ -90,11 +90,20 @@ jobs:
       - name: Test fluent-plugin-protobuf
         run: make test-fluent-plugin-protobuf
 
-  image-test:
+  image-test-debian:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
-      - name: Build kubernetes-fluentd
+      - name: Build Debian image
         run: make build
-      - name: Test kubernetes-fluentd image
+      - name: Test Debian image
         run: make image-test
+
+  image-test-alpine:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/[email protected]
+      - name: Build Alpine image
+        run: make build-alpine
+      - name: Test Alpine image
+        run: make image-test-alpine
diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
@@ -39,14 +39,20 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLIC_ECR_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLIC_ECR_SECRET_ACCESS_KEY }}
 
-      - name: Build and push image
+      - name: Build and push Debian image
         run: make build-push-multiplatform BUILD_TAG=${{ steps.extract_tag.outputs.tag }}
 
+      - name: Build and push Alpine image
+        run: make build-push-multiplatform-alpine BUILD_TAG=${{ steps.extract_tag.outputs.tag }}
+
       - name: Login to Open Source ECR
         run: make login-opensource
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.OPENSOURCE_ECR_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.OPENSOURCE_ECR_SECRET_ACCESS_KEY }}
 
-      - name: Build and push image to Open Source ECR
+      - name: Build and push Debian image to Open Source ECR
         run: make build-push-multiplatform-opensource BUILD_TAG=${{ steps.extract_tag.outputs.tag }}
+
+      - name: Build and push Alpine image to Open Source ECR
+        run: make build-push-multiplatform-alpine-opensource BUILD_TAG=${{ steps.extract_tag.outputs.tag }}
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@ RUN apt-get update \
 RUN gem install \
         fluentd:1.12.2 \
         concurrent-ruby:1.1.8 \
-        google-protobuf:3.9.2 \
+        google-protobuf:3.17.3 \
         lru_redux:1.1.0 \
         net-http-persistent:4.0.1 \
         snappy:0.0.17 \

diff --git a/Makefile b/Makefile
@@ -1,4 +1,5 @@
 BUILD_TAG ?= latest
+BUILD_TAG_ALPINE ?= latest-alpine
 BUILD_CACHE_TAG = latest-builder-cache
 IMAGE_NAME = kubernetes-fluentd
 ECR_URL = public.ecr.aws/u5z5f8z6
@@ -22,6 +23,13 @@ build:
 		--tag $(IMAGE_NAME):$(BUILD_TAG) \
 		.
 
+build-alpine:
+	docker build \
+		--build-arg BUILD_TAG=$(BUILD_TAG_ALPINE) \
+		--tag $(IMAGE_NAME):$(BUILD_TAG_ALPINE) \
+		--file alpine.Dockerfile \
+		.
+
 push:
 	docker tag $(IMAGE_NAME):$(BUILD_CACHE_TAG) $(REPO_URL):$(BUILD_CACHE_TAG)
 	docker push $(REPO_URL):$(BUILD_CACHE_TAG)
@@ -35,17 +43,40 @@ login:
 build-push-multiplatform:
 	REPO_URL=$(REPO_URL) BUILD_TAG=$(BUILD_TAG) ./ci/build-push-multiplatform.sh
 
+build-push-multiplatform-alpine:
+	docker buildx build \
+		--push \
+		--platform linux/amd64,linux/arm/v7,linux/arm64 \
+		--build-arg BUILD_TAG=$(BUILD_TAG)-alpine \
+		--tag $(REPO_URL):$(BUILD_TAG)-alpine \
+		--file alpine.Dockerfile \
+		.
+
 login-opensource:
 	aws ecr-public get-login-password --region us-east-1 \
 	| docker login --username AWS --password-stdin $(OPENSOURCE_ECR_URL)
 
 build-push-multiplatform-opensource:
 	REPO_URL=$(OPENSOURCE_REPO_URL) BUILD_TAG=$(BUILD_TAG) ./ci/build-push-multiplatform.sh
 
+
+build-push-multiplatform-alpine-opensource:
+	docker buildx build \
+		--push \
+		--platform linux/amd64,linux/arm/v7,linux/arm64 \
+		--build-arg BUILD_TAG=$(BUILD_TAG)-alpine \
+		--tag $(OPENSOURCE_REPO_URL):$(BUILD_TAG)-alpine \
+		--file alpine.Dockerfile \
+		.
+
 .PHONY: image-test
 image-test:
 	ruby test/test_docker.rb
 
+.PHONY: image-test-alpine
+image-test-alpine:
+	IMAGE_NAME=$(IMAGE_NAME):$(BUILD_TAG_ALPINE) ruby test/test_docker.rb
+
 .PHONY: test
 test: test-fluent-plugin-datapoint test-fluent-plugin-enhance-k8s-metadata test-fluent-plugin-events test-fluent-plugin-kubernetes-metadata-filter test-fluent-plugin-kubernetes-sumologic test-fluent-plugin-prometheus-format test-fluent-plugin-protobuf
 

diff --git a/alpine.Dockerfile b/alpine.Dockerfile
@@ -0,0 +1,122 @@
+FROM ruby:2.6.8-alpine3.14 AS builder
+
+RUN apk update \
+ && apk add \
+        build-base \
+        git \
+        gnupg \
+        linux-headers \
+        ruby-dev \
+        snappy-dev
+
+RUN echo 'gem: --no-document' >> /etc/gemrc
+
+# Fluentd plugin dependencies
+RUN gem install \
+        fluentd:1.12.2 \
+        concurrent-ruby:1.1.8 \
+        google-protobuf:3.17.3 \
+        lru_redux:1.1.0 \
+        net-http-persistent:4.0.1 \
+        snappy:0.0.17 \
+        specific_install:0.3.5
+
+# Use unreleased Kubeclient version with persistent HTTP connections.
+RUN gem specific_install https://github.com/abonas/kubeclient --ref 3267dc3fd02c49e3b19f1210ff7cb84c3b2a4478
+
+# FluentD plugins to allow customers to forward data if needed to various cloud providers
+RUN gem install \
+        fluent-plugin-s3
+        # TODO: Support additional cloud providers
+        # && gem install fluent-plugin-google-cloud \
+        # && gem install fluent-plugin-azure-storage-append-blob
+
+# FluentD plugins from RubyGems
+RUN gem install \
+        fluent-plugin-concat:2.4.0 \
+        fluent-plugin-prometheus:1.6.1 \
+        fluent-plugin-record-modifier:2.0.1 \
+        fluent-plugin-rewrite-tag-filter:2.2.0 \
+        fluent-plugin-sumologic_output:1.7.1 \
+        fluent-plugin-systemd:1.0.2
+
+WORKDIR /sumologic-kubernetes-fluentd
+
+COPY fluent-plugin-datapoint/ ./fluent-plugin-datapoint
+RUN cd fluent-plugin-datapoint \
+ && gem build fluent-plugin-datapoint.gemspec -o ../fluent-plugin-datapoint.gem \
+ && cd ..
+
+COPY fluent-plugin-enhance-k8s-metadata/ ./fluent-plugin-enhance-k8s-metadata
+RUN cd fluent-plugin-enhance-k8s-metadata \
+ && gem build fluent-plugin-enhance-k8s-metadata.gemspec -o ../fluent-plugin-enhance-k8s-metadata.gem \
+ && cd ..
+
+COPY fluent-plugin-events/ ./fluent-plugin-events
+RUN cd fluent-plugin-events \
+ && gem build fluent-plugin-events.gemspec -o ../fluent-plugin-events.gem \
+ && cd ..
+
+COPY fluent-plugin-kubernetes-metadata-filter ./fluent-plugin-kubernetes-metadata-filter
+RUN cd fluent-plugin-kubernetes-metadata-filter \
+ && gem build fluent-plugin-kubernetes-metadata-filter.gemspec -o ../fluent-plugin-kubernetes-metadata-filter.gem \
+ && cd ..
+
+COPY fluent-plugin-kubernetes-sumologic/ ./fluent-plugin-kubernetes-sumologic
+RUN cd fluent-plugin-kubernetes-sumologic \
+ && gem build fluent-plugin-kubernetes-sumologic.gemspec -o ../fluent-plugin-kubernetes-sumologic.gem \
+ && cd ..
+
+COPY fluent-plugin-prometheus-format ./fluent-plugin-prometheus-format
+RUN cd fluent-plugin-prometheus-format \
+ && gem build fluent-plugin-prometheus-format.gemspec -o ../fluent-plugin-prometheus-format.gem \
+ && cd ..
+
+COPY fluent-plugin-protobuf/ ./fluent-plugin-protobuf
+RUN cd fluent-plugin-protobuf \
+ && gem build fluent-plugin-protobuf.gemspec -o ../fluent-plugin-protobuf.gem \
+ && cd ..
+
+RUN gem install \
+        --local fluent-plugin-datapoint \
+        --local fluent-plugin-enhance-k8s-metadata \
+        --local fluent-plugin-events \
+        --local fluent-plugin-kubernetes-metadata-filter \
+        --local fluent-plugin-kubernetes-sumologic \
+        --local fluent-plugin-prometheus-format \
+        --local fluent-plugin-protobuf
+
+FROM ruby:2.6.8-alpine3.14
+
+RUN apk update \
+ && apk add --no-cache \
+        ca-certificates \
+        snappy-dev \
+        tini
+
+RUN delgroup ping \
+    && addgroup -S -g 999 fluent \
+    && adduser -S -g fluent -u 999 fluent \
+    # for log storage (maybe shared with host)
+    && mkdir -p /fluentd/log \
+    # configuration/plugins path (default: copied from .)
+    && mkdir -p /fluentd/etc /fluentd/plugins \
+    && chown -R fluent /fluentd && chgrp -R fluent /fluentd
+
+COPY fluent.conf /fluentd/etc/
+COPY entrypoint.sh /bin/
+
+ENV FLUENTD_CONF="fluent.conf"
+
+ENV LD_PRELOAD=""
+EXPOSE 24224 5140
+
+COPY --from=builder --chown=fluent:fluent /usr/local/bundle /usr/local/bundle
+
+USER 999:999
+
+ARG BUILD_TAG=latest
+ENV TAG $BUILD_TAG
+
+ENTRYPOINT ["tini",  "--", "/bin/entrypoint.sh"]
+CMD ["fluentd"]
diff --git a/fluent-plugin-protobuf/Gemfile.lock b/fluent-plugin-protobuf/Gemfile.lock
@@ -3,7 +3,7 @@ PATH
   specs:
     fluent-plugin-protobuf (2.0.0)
       fluentd (= 1.12.2)
-      google-protobuf (= 3.9.2)
+      google-protobuf (~> 3.17)
       snappy (> 0)
 
 GEM
@@ -23,7 +23,7 @@ GEM
       tzinfo-data (~> 1.0)
       webrick (>= 1.4.2, < 1.8.0)
       yajl-ruby (~> 1.0)
-    google-protobuf (3.9.2)
+    google-protobuf (3.17.3)
     http_parser.rb (0.6.0)
     msgpack (1.4.2)
     power_assert (2.0.0)

diff --git a/fluent-plugin-protobuf/fluent-plugin-protobuf.gemspec b/fluent-plugin-protobuf/fluent-plugin-protobuf.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "test-unit", "~> 3.0"
-  spec.add_runtime_dependency "google-protobuf", "= 3.9.2"
+  spec.add_runtime_dependency "google-protobuf", "~> 3.17"
   spec.add_runtime_dependency "snappy", "> 0"
   spec.add_runtime_dependency "fluentd", "= 1.12.2"
 end
diff --git a/fluent.conf b/fluent.conf
@@ -0,0 +1,33 @@
+<source>
+  @type  forward
+  @id    input1
+  @label @mainstream
+  port  24224
+</source>
+
+<filter **>
+  @type stdout
+</filter>
+
+<label @mainstream>
+  <match docker.**>
+    @type file
+    @id   output_docker1
+    path         /fluentd/log/docker.*.log
+    symlink_path /fluentd/log/docker.log
+    append       true
+    time_slice_format %Y%m%d
+    time_slice_wait   1m
+    time_format       %Y%m%dT%H%M%S%z
+  </match>
+  <match **>
+    @type file
+    @id   output1
+    path         /fluentd/log/data.*.log
+    symlink_path /fluentd/log/data.log
+    append       true
+    time_slice_format %Y%m%d
+    time_slice_wait   10m
+    time_format       %Y%m%dT%H%M%S%z
+  </match>
+</label>