From 7dc9124ba76522ae13c84a59ae7bdfd65e2d061e Mon Sep 17 00:00:00 2001 From: Zakhar Bessarab Date: Mon, 3 Jun 2024 13:43:28 +0400 Subject: [PATCH] deployment/docker: add scratch-based images (#6386) ### Describe Your Changes Scratch based images will be using a separate tag: "(version)-scratch" and will be built for the same architecture as regular images. This is useful for environments with higher security standards. In this case using alpine as base layer requires updating images more frequently in order to get the latest updates for the base image, even in case the user did not need to update VictoriaMetrics version. Tested that scratch images work for: - vmagent - enterprise with kafka and opensource - cluster - single-node No issues observed so far. cc: @tenmozes ### Checklist The following checks are **mandatory**: - [x] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). --------- Signed-off-by: Zakhar Bessarab Signed-off-by: hagen1778 Co-authored-by: hagen1778 --- deployment/docker/Makefile | 13 +++++++++++++ docs/CHANGELOG.md | 1 + 2 files changed, 14 insertions(+) diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile index f75a24ec3..de92c780a 100644 --- a/deployment/docker/Makefile +++ b/deployment/docker/Makefile @@ -3,6 +3,7 @@ DOCKER_NAMESPACE ?= victoriametrics ROOT_IMAGE ?= alpine:3.20.0 +ROOT_IMAGE_SCRATCH ?= scratch CERTS_IMAGE := alpine:3.20.0 GO_BUILDER_IMAGE := golang:1.22.3-alpine @@ -86,6 +87,18 @@ publish-via-docker: -f app/$(APP_NAME)/multiarch/Dockerfile \ --push \ bin + $(DOCKER) buildx build \ + --platform=linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/386 \ + --build-arg certs_image=$(CERTS_IMAGE) \ + --build-arg root_image=$(ROOT_IMAGE_SCRATCH) \ + --build-arg APP_NAME=$(APP_NAME) \ + --tag $(DOCKER_NAMESPACE)/$(APP_NAME):$(PKG_TAG)$(RACE)-scratch \ + --tag $(DOCKER_NAMESPACE)/$(APP_NAME):$(LATEST_TAG)$(RACE)-scratch \ + -o type=image \ + --provenance=false \ + -f app/$(APP_NAME)/multiarch/Dockerfile \ + --push \ + bin cd bin && rm -rf \ $(APP_NAME)-linux-amd64-prod \ $(APP_NAME)-linux-arm-prod \ diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 50a11d4ac..5e71c9453 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -38,6 +38,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/). * SECURITY: upgrade Go builder from Go1.22.2 to Go1.22.3. See [the list of issues addressed in Go1.22.3](https://github.com/golang/go/issues?q=milestone%3AGo1.22.3+label%3ACherryPickApproved). * SECURITY: upgrade base docker image (Alpine) from 3.19.1 to 3.20.0. See [alpine 3.20.0 release notes](https://www.alpinelinux.org/posts/Alpine-3.20.0-released.html). +* SECURITY: add release images built from scratch image. Such images could be more preferable for using in environments with higher security standards. See this [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6386). * FEATURE: [dashboards/single](https://grafana.com/grafana/dashboards/10229): support selecting of multiple instances on the dashboard. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5869) for details. * FEATURE: [dashboards/single](https://grafana.com/grafana/dashboards/10229): properly display version in the Stats row for the custom builds of VictoriaMetrics.