dockerfiles: distroless for multiarch (fluent#4686)

Pat · web-flow · commit 8a9b564a17a9 · 2022-01-26T11:56:27.000+01:00
* dockerfiles: distroless for multiarch

Signed-off-by: Patrick Stephens &lt;pat@calyptia.com&gt;

* dockerfiles: linting fixes

Signed-off-by: Patrick Stephens &lt;pat@calyptia.com&gt;

* dockerfiles: remove unnecessary RUN

Signed-off-by: Patrick Stephens &lt;pat@calyptia.com&gt;

* dockerfiles: linting fixes

Signed-off-by: Patrick Stephens &lt;pat@calyptia.com&gt;

* dockerfiles: add missing dependencies

Signed-off-by: Patrick Stephens &lt;pat@calyptia.com&gt;

* workflows: smoke test PR multiarch

Signed-off-by: Patrick Stephens &lt;pat@calyptia.com&gt;
diff --git a/.github/workflows/pr-image-tests.yaml b/.github/workflows/pr-image-tests.yaml
@@ -51,6 +51,19 @@ jobs:
       secrets:
         token: ${{ secrets.GITHUB_TOKEN }}
 
+    pr-image-tests-smoke-test-multiarch-images:
+      name: PR - multiarch smoke test images
+      needs: [pr-get-latest-tag, pr-image-tests-build-images]
+      uses: fluent/fluent-bit/.github/workflows/call-test-images.yaml@master
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        image: ${{ github.repository }}/pr-${{ github.event.number }}/multiarch
+        image-tag: ${{ needs.pr-get-latest-tag.outputs.latest_tag }}
+        environment: pr
+      secrets:
+        token: ${{ secrets.GITHUB_TOKEN }}
+
     pr-image-tests-classic-docker-build:
       name: PR - Classic docker build test
       needs: pr-get-latest-tag
diff --git a/dockerfiles/Dockerfile.multiarch b/dockerfiles/Dockerfile.multiarch
@@ -81,8 +81,51 @@ COPY conf/fluent-bit.conf \
      conf/plugins.conf \
      /fluent-bit/etc/
 
-# FROM gcr.io/distroless/cc-debian11 as production
-FROM debian:bullseye-slim as production
+# Simple example of how to properly extract packages for reuse in distroless
+# Taken from: https://github.com/GoogleContainerTools/distroless/issues/863
+FROM debian:bullseye-slim as deb-extractor
+COPY --from=qemu-arm32 /usr/bin/qemu-arm-static /usr/bin/
+COPY --from=qemu-arm64 /usr/bin/qemu-aarch64-static /usr/bin/
+
+# We download all debs locally then extract them into a directory we can use as the root for distroless
+WORKDIR /tmp
+RUN apt-get update && \
+    apt-get download \
+        libssl1.1 \
+        libsasl2-2 \
+        pkg-config \
+        libpq5 \
+        libsystemd0 \
+        zlib1g \
+        ca-certificates \
+        libatomic1 \
+        libgcrypt20 \
+        libzstd1 \
+        liblz4-1 \
+        libgssapi-krb5-2 \
+        libldap-2.4-2 \
+        libgpg-error0 \
+        libkrb5-3 \
+        libk5crypto3 \
+        libcom-err2 \
+        libkrb5support0 \
+        libgnutls30 \
+        libkeyutils1 \
+        libp11-kit0 \
+        libidn2-0 \
+        libunistring2 \
+        libtasn1-6 \
+        libnettle8 \
+        libhogweed6 \
+        libgmp10 \
+        libffi7 \
+        liblzma5 && \
+    mkdir -p /dpkg && \
+    for deb in *.deb; do dpkg --extract "$deb" /dpkg || exit 10; done
+
+# We want latest at time of build
+# hadolint ignore=DL3006
+FROM gcr.io/distroless/cc-debian11 as production
 LABEL description="Fluent Bit multi-architecture container image" \
       vendor="Fluent Organization" \
       version="1.9.0" \
@@ -96,34 +139,18 @@ LABEL description="Fluent Bit multi-architecture container image" \
       org.opencontainers.image.documentation="https://docs.fluentbit.io/manual/" \
       org.opencontainers.image.authors="Eduardo Silva <eduardo@calyptia.com>"
 
-COPY --from=qemu-arm32 /usr/bin/qemu-arm-static /usr/bin/
-COPY --from=qemu-arm64 /usr/bin/qemu-aarch64-static /usr/bin/
-
-# hadolint ignore=DL3008
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-      libssl1.1 \
-      libsasl2-2 \
-      pkg-config \
-      libpq5 \
-      libsystemd0 \
-      zlib1g \
-      ca-certificates \
-      libatomic1 \
-      libgcrypt20 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+# Copy the libraries from the extractor stage into root
+COPY --from=deb-extractor /dpkg /
 
 COPY --from=builder /fluent-bit /fluent-bit
-RUN rm -f /usr/bin/qemu-*-static
 
 EXPOSE 2020
 
 # Entry point
 ENTRYPOINT [ "/fluent-bit/bin/fluent-bit" ]
 CMD ["/fluent-bit/bin/fluent-bit", "-c", "/fluent-bit/etc/fluent-bit.conf"]
 
-FROM production as debug
+FROM debian:bullseye-slim as debug
 LABEL description="Fluent Bit multi-architecture container image" \
       vendor="Fluent Organization" \
       version="1.9.0" \
@@ -136,14 +163,23 @@ ENV DEBIAN_FRONTEND noninteractive
 # hadolint ignore=DL3008
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-    bash gdb valgrind build-essential \
+        libssl1.1 \
+        libsasl2-2 \
+        pkg-config \
+        libpq5 \
+        libsystemd0 \
+        zlib1g \
+        ca-certificates \
+        libatomic1 \
+        libgcrypt20 \
+        bash gdb valgrind build-essential \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 RUN rm -f /usr/bin/qemu-*-static
+COPY --from=builder /fluent-bit /fluent-bit
 
 EXPOSE 2020
 
-# Entry point
-ENTRYPOINT [ "/fluent-bit/bin/fluent-bit" ]
+# No entry point so we can just shell in
 CMD ["/fluent-bit/bin/fluent-bit", "-c", "/fluent-bit/etc/fluent-bit.conf"]
