Skip to content

Introduce Docker images build #36246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
Dec 6, 2018
Merged

Introduce Docker images build #36246

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
39c2372
Introduce Docker images build
jasontedor Dec 5, 2018
a12dc3c
Cleanup
jasontedor Dec 5, 2018
b7d2f08
More cleaup
jasontedor Dec 5, 2018
efad7cb
Rename
jasontedor Dec 5, 2018
a9c9166
Remove unnecessary files
jasontedor Dec 5, 2018
f8364d3
Fix SCM URL
jasontedor Dec 5, 2018
d50a5ce
Add missing newline
jasontedor Dec 5, 2018
8e78667
Simplify copy tasks
jasontedor Dec 5, 2018
684fcb5
Be explicit about requiring Docker
jasontedor Dec 5, 2018
26fe606
More checks
jasontedor Dec 5, 2018
e065cd8
Remove newline
jasontedor Dec 5, 2018
6419019
Add comments
jasontedor Dec 5, 2018
0c2e6ff
Move config to config
jasontedor Dec 5, 2018
b20be22
Add build.docker property
jasontedor Dec 5, 2018
859a87f
Merge branch 'master' into build-docker-images
jasontedor Dec 6, 2018
ed4bf10
Disable instead of only if
jasontedor Dec 6, 2018
507eaec
Simplify process execution
jasontedor Dec 6, 2018
cc31ddd
Simplify
jasontedor Dec 6, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ import org.gradle.api.tasks.compile.JavaCompile
import org.gradle.api.tasks.javadoc.Javadoc
import org.gradle.internal.jvm.Jvm
import org.gradle.process.ExecResult
import org.gradle.process.ExecSpec
import org.gradle.util.GradleVersion

import java.nio.charset.StandardCharsets
Expand Down Expand Up @@ -232,6 +233,95 @@ class BuildPlugin implements Plugin<Project> {
project.ext.java9Home = project.rootProject.ext.java9Home
}

static void requireDocker(final Task task) {
final Project rootProject = task.project.rootProject
if (rootProject.hasProperty('requiresDocker') == false) {
Copy link
Member

@rjernst rjernst Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using an essentially global property like this, can we have a property on the tasks using docker themselves? Then we can use a .all closure on the tasks container looking for the property, and check for docker in the middle of configuration instead of waiting until all projects are configured. There would still be a rootProject property to "remember" docker was already checked, but the tasks won't (directly) modify the root project.

Copy link
Contributor

@alpar-t alpar-t Dec 6, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on marking the task, but I would make it a custom task and use tasks.withType.
The checks could live in the same class as static methods.
We could at some time introduce an interface and have a generic "this task requires something that we need to check up-front" mechanism, we already have others: docker-compose, jdk versions tasks (tests) that require specific inputs to run.

Copy link
Member Author

@jasontedor jasontedor Dec 6, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these are very good suggestions but I’m going to ask one of you to pick this up on a follow-up please?

/*
* This is our first time encountering a task that requires Docker. We will add an extension that will let us track the tasks
* that register as requiring Docker. We will add a delayed execution that when the task graph is ready if any such tasks are
* in the task graph, then we check two things:
* - the Docker binary is available
* - we can execute a Docker command that requires privileges
*
* If either of these fail, we fail the build.
*/
final boolean buildDocker
final String buildDockerProperty = System.getProperty("build.docker")
if (buildDockerProperty == null || buildDockerProperty == "true") {
buildDocker = true
} else if (buildDockerProperty == "false") {
buildDocker = false
} else {
throw new IllegalArgumentException(
"expected build.docker to be unset or one of \"true\" or \"false\" but was [" + buildDockerProperty + "]")
}
rootProject.rootProject.ext.buildDocker = buildDocker
rootProject.rootProject.ext.requiresDocker = []
rootProject.gradle.taskGraph.whenReady { TaskExecutionGraph taskGraph ->
// check if the Docker binary exists and record its path
final List<String> maybeDockerBinaries = ['/usr/bin/docker2', '/usr/local/bin/docker2']
final String dockerBinary = maybeDockerBinaries.find { it -> new File(it).exists() }

int exitCode
String dockerErrorOutput
if (dockerBinary == null) {
exitCode = -1
dockerErrorOutput = null
} else {
// the Docker binary executes, check that we can execute a privileged command
final ByteArrayOutputStream output = new ByteArrayOutputStream()
final ExecResult result = LoggedExec.exec(rootProject, { ExecSpec it ->
it.commandLine dockerBinary, "images"
it.errorOutput = output
it.ignoreExitValue = true
})
if (result.exitValue == 0) {
return
}
exitCode = result.exitValue
dockerErrorOutput = output.toString()
}
final List<String> tasks =
((List<Task>)rootProject.requiresDocker).findAll { taskGraph.hasTask(it) }.collect { " ${it.path}".toString()}
if (tasks.isEmpty() == false) {
/*
* There are tasks in the task graph that require Docker. Now we are failing because either the Docker binary does not
* exist or because execution of a privileged Docker command failed.
*/
String message
if (dockerBinary == null) {
message = String.format(
Locale.ROOT,
"Docker (checked [%s]) is required to run the following task%s: \n%s",
maybeDockerBinaries.join(","),
tasks.size() > 1 ? "s" : "",
tasks.join('\n'))
} else {
assert exitCode > 0 && dockerErrorOutput != null
message = String.format(
Locale.ROOT,
"a problem occurred running Docker from [%s] yet it is required to run the following task%s: \n%s\n" +
"the problem is that Docker exited with exit code [%d] with standard error output [%s]",
dockerBinary,
tasks.size() > 1 ? "s" : "",
tasks.join('\n'),
exitCode,
dockerErrorOutput.trim())
}
throw new GradleException(
message + "\nyou can address this by attending to the reported issue, "
+ "removing the offending tasks from being executed, "
+ "or by passing -Dbuild.docker=false")
}
}
}
if (rootProject.buildDocker) {
rootProject.requiresDocker.add(task)
} else {
task.enabled = false
}
}

private static String findCompilerJavaHome() {
String compilerJavaHome = System.getenv('JAVA_HOME')
final String compilerJavaProperty = System.getProperty('compiler.java')
Expand Down
106 changes: 106 additions & 0 deletions distribution/docker/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
import org.elasticsearch.gradle.BuildPlugin
import org.elasticsearch.gradle.LoggedExec
import org.elasticsearch.gradle.MavenFilteringHack
import org.elasticsearch.gradle.VersionProperties

apply plugin: 'base'

configurations {
dockerPlugins
dockerSource
ossDockerSource
}

dependencies {
dockerPlugins project(path: ":plugins:ingest-geoip", configuration: 'zip')
dockerPlugins project(path: ":plugins:ingest-user-agent", configuration: 'zip')
dockerSource project(path: ":distribution:archives:tar")
ossDockerSource project(path: ":distribution:archives:oss-tar")
}

ext.expansions = { oss ->
return [
'elasticsearch' : oss ? "elasticsearch-oss-${VersionProperties.elasticsearch}.tar.gz" : "elasticsearch-${VersionProperties.elasticsearch}.tar.gz",
'jdkUrl' : 'https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz',
'jdkVersion' : '11.0.1',
'license': oss ? 'Apache-2.0' : 'Elastic License',
'ingest-geoip' : "ingest-geoip-${VersionProperties.elasticsearch}.zip",
'ingest-user-agent' : "ingest-user-agent-${VersionProperties.elasticsearch}.zip",
'version' : VersionProperties.elasticsearch
]
}

private static String files(final boolean oss) {
return "build/${ oss ? 'oss-' : ''}docker"
}

private static String taskName(final String prefix, final boolean oss, final String suffix) {
return "${prefix}${oss ? 'Oss' : ''}${suffix}"
}

void addCopyDockerContextTask(final boolean oss) {
task(taskName("copy", oss, "DockerContext"), type: Sync) {
into files(oss)

into('bin') {
from 'src/docker/bin'
}

into('config') {
from 'src/docker/config'
}

if (oss) {
from configurations.ossDockerSource
} else {
from configurations.dockerSource
}

from configurations.dockerPlugins
}
}

void addCopyDockerfileTask(final boolean oss) {
task(taskName("copy", oss, "Dockerfile"), type: Copy) {
mustRunAfter(taskName("copy", oss, "DockerContext"))
into files(oss)

from('src/docker/Dockerfile') {
MavenFilteringHack.filter(it, expansions(oss))
}
}
}

void addBuildDockerImage(final boolean oss) {
final Task buildDockerImageTask = task(taskName("build", oss, "DockerImage"), type: LoggedExec) {
dependsOn taskName("copy", oss, "DockerContext")
dependsOn taskName("copy", oss, "Dockerfile")
List<String> tags
if (oss) {
tags = [ "docker.elastic.co/elasticsearch/elasticsearch-oss:${VersionProperties.elasticsearch}" ]
} else {
tags = [
"elasticsearch:${VersionProperties.elasticsearch}",
"docker.elastic.co/elasticsearch/elasticsearch:${VersionProperties.elasticsearch}",
"docker.elastic.co/elasticsearch/elasticsearch-full:${VersionProperties.elasticsearch}"
]
}
executable 'docker'
Copy link
Contributor

@alpar-t alpar-t Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means that we'll need docker installed even for ./gradlew assemble.
Are we ok with any version of docker for that?
It might make sense to add up-front checks like we have for the JDK to make sure it's there and it works.
Permissions are also something we are likely to run into as many tutorials online advertise the use of sudo docker people might not have permissions set up for the user running the build.

Copy link
Member Author

@jasontedor jasontedor Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@atorok I pushed 684fcb5.

Copy link
Member Author

@jasontedor jasontedor Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@atorok I pushed one more change, to check if we can even run Docker: 26fe606

This gives output like:

FAILURE: Build failed with an exception.

* What went wrong:
a problem occurred running Docker yet it is required to run the following tasks: 
  :distribution:docker:buildDockerImage
  :distribution:docker:buildOssDockerImage
the problem is that [docker images] exited with exit code [1] with error output [Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied]

Your input @nik9000 @rjernst would be appreciated here too!

Copy link
Member

@nik9000 nik9000 Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That seems right. We talked about making a parameter that let you explicitly skip the tasks which would be a nice thing to have. Something like -Dbuild.docker=false.

Copy link
Member Author

@jasontedor jasontedor Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nik9000 I pushed b20be22. It's okay?

Copy link

@ghost ghost Dec 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would be an ideal time to consider using img or Buildah as the build executor instead of the Docker daemon. I personally consider this to be the "next step" in improving the build, and it just seems like a great time to redefine the dependencies.

Getting away from the Docker daemon not only improves the local build experience for developers, especially if they don't run Linux on their workstations, it also makes a much better story for running builds in container environments, like the work that @mgreau is actively pursuing.

Copy link
Member Author

@jasontedor jasontedor Dec 6, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the suggestion. Alas the Docker daemon will stay around since we are migrating some of our testing away from Vagrant fixtures to Docker Compose fixtures. That’s not to say we won’t take your suggestion up.

final List<String> dockerArgs = ['build', files(oss), '--pull']
for (final String tag : tags) {
dockerArgs.add('--tag')
dockerArgs.add(tag)
}
args dockerArgs.toArray()
}
BuildPlugin.requireDocker(buildDockerImageTask)
}

for (final boolean oss : [false, true]) {
addCopyDockerContextTask(oss)
addCopyDockerfileTask(oss)
addBuildDockerImage(oss)
}

assemble.dependsOn "buildOssDockerImage"
assemble.dependsOn "buildDockerImage"
92 changes: 92 additions & 0 deletions distribution/docker/src/docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
################################################################################
# This Dockerfile was generated from the template at distribution/src/docker/Dockerfile
#
# Beginning of multi stage Dockerfile
################################################################################

################################################################################
# Build stage 0 `builder`:
# Extract elasticsearch artifact
# Install required plugins
# Set gid=0 and make group perms==owner perms
################################################################################

FROM centos:7 AS builder

ENV PATH /usr/share/elasticsearch/bin:$PATH
ENV JAVA_HOME /opt/jdk-${jdkVersion}

RUN curl -s ${jdkUrl} | tar -C /opt -zxf -

# Replace OpenJDK's built-in CA certificate keystore with the one from the OS
# vendor. The latter is superior in several ways.
# REF: https://github.com/elastic/elasticsearch-docker/issues/171
RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /opt/jdk-${jdkVersion}/lib/security/cacerts

RUN yum install -y unzip which

RUN groupadd -g 1000 elasticsearch && \
adduser -u 1000 -g 1000 -d /usr/share/elasticsearch elasticsearch

WORKDIR /usr/share/elasticsearch

COPY ${elasticsearch} ${ingest-geoip} ${ingest-user-agent} /opt/
RUN tar zxf /opt/${elasticsearch} --strip-components=1
RUN elasticsearch-plugin install --batch file:///opt/${ingest-geoip}
RUN elasticsearch-plugin install --batch file:///opt/${ingest-user-agent}
RUN mkdir -p config data logs
RUN chmod 0775 config data logs
COPY config/elasticsearch.yml config/log4j2.properties config/


################################################################################
# Build stage 1 (the actual elasticsearch image):
# Copy elasticsearch from stage 0
# Add entrypoint
################################################################################

FROM centos:7

ENV ELASTIC_CONTAINER true
ENV JAVA_HOME /opt/jdk-${jdkVersion}

COPY --from=builder /opt/jdk-${jdkVersion} /opt/jdk-${jdkVersion}

RUN yum update -y && \
yum install -y nc unzip wget which && \
yum clean all

RUN groupadd -g 1000 elasticsearch && \
adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && \
chmod 0775 /usr/share/elasticsearch && \
chgrp 0 /usr/share/elasticsearch

WORKDIR /usr/share/elasticsearch
COPY --from=builder --chown=1000:0 /usr/share/elasticsearch /usr/share/elasticsearch
ENV PATH /usr/share/elasticsearch/bin:$PATH

COPY --chown=1000:0 bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

# Openshift overrides USER and uses ones with randomly uid>1024 and gid=0
# Allow ENTRYPOINT (and ES) to run even with a different user
RUN chgrp 0 /usr/local/bin/docker-entrypoint.sh && \
chmod g=u /etc/passwd && \
chmod 0775 /usr/local/bin/docker-entrypoint.sh

EXPOSE 9200 9300

LABEL org.label-schema.schema-version="1.0" \
org.label-schema.vendor="Elastic" \
org.label-schema.name="elasticsearch" \
org.label-schema.version="${version}" \
org.label-schema.url="https://www.elastic.co/products/elasticsearch" \
org.label-schema.vcs-url="https://github.com/elastic/elasticsearch" \
license="${license}"

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
# Dummy overridable parameter parsed by entrypoint
CMD ["eswrapper"]

################################################################################
# End of multi-stage Dockerfile
################################################################################
Loading