Use almalinux as the Docker base image (#80524)

Closes #76681. Our approach to using `scratch` for building Docker
images has caused problems at Docker Hub. Fix this situation by
removing the whole process of using scratch and instead bases the
default distribution on `almalinux:8.4-minimal`. Alma Linux is
binary-compatible with RHEL, and therefore very similar to UBI.

Author: pugnascotia

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java

@@ -12,7 +12,7 @@
  * This class models the different Docker base images that are used to build Docker distributions of Elasticsearch.
  */
 public enum DockerBase {
-    CENTOS("centos:8", ""),
+    DEFAULT("almalinux:8.4-minimal", ""),
 
     // "latest" here is intentional, since the image name specifies "8"
     UBI("docker.elastic.co/ubi8/ubi-minimal:latest", "-ubi8"),
@@ -21,7 +21,7 @@ public enum DockerBase {
     IRON_BANK("${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}", "-ironbank"),
 
     // Base image with extras for Cloud
-    CLOUD("centos:8", "-cloud"),
+    CLOUD("almalinux:8.4-minimal", "-cloud"),
 
     // Based on CLOUD above, with more extras. We don't set a base image because
     // we programmatically extend from the Cloud image.

distribution/docker/build.gradle

@@ -96,7 +96,7 @@ ext.expansions = { Architecture architecture, DockerBase base ->
     'config_dir'         : base == DockerBase.IRON_BANK ? 'scripts' : 'config',
     'git_revision'       : BuildParams.gitRevision,
     'license'            : base == DockerBase.IRON_BANK ? 'Elastic License 2.0' : 'Elastic-License-2.0',
-    'package_manager'    : base == DockerBase.UBI ? 'microdnf' : 'yum',
+    'package_manager'    : base == DockerBase.IRON_BANK ? 'yum' : 'microdnf',
     'docker_base'        : base.name().toLowerCase(),
     'version'            : VersionProperties.elasticsearch,
     'major_minor_version': "${major}.${minor}",
@@ -121,7 +121,7 @@ private static String toCamel(String input) {
 private static String taskName(String prefix, Architecture architecture, DockerBase base, String suffix) {
   return prefix +
     (architecture == Architecture.AARCH64 ? 'Aarch64' : '') +
-    (base == DockerBase.CENTOS ? "" : toCamel(base.name())) +
+    (base == DockerBase.DEFAULT ? "" : toCamel(base.name())) +
     suffix
 }
 
@@ -361,7 +361,7 @@ void addBuildDockerImageTask(Architecture architecture, DockerBase base) {
 
         baseImages = [baseImage]
         buildArgs = buildArgsMap
-      } else if (base == DockerBase.CENTOS || base == DockerBase.CLOUD) {
+      } else if (base == DockerBase.DEFAULT || base == DockerBase.CLOUD) {
         baseImages = ['alpine:3.13', base.image]
       } else {
         baseImages = [base.image]
@@ -443,7 +443,7 @@ subprojects { Project subProject ->
     apply plugin: 'distribution'
 
     final Architecture architecture = subProject.name.contains('aarch64-') ? Architecture.AARCH64 : Architecture.X64
-    DockerBase base = DockerBase.CENTOS
+    DockerBase base = DockerBase.DEFAULT
     if (subProject.name.contains('ubi-')) {
       base = DockerBase.UBI
     } else if (subProject.name.contains('ironbank-')) {

distribution/docker/src/docker/Dockerfile

@@ -19,7 +19,7 @@
   add as many newlines here as necessary to improve legibility.
 */ %>
 
-<% if (docker_base == "ubi") { %>
+<% if (docker_base == 'default' || docker_base == "ubi") { %>
 ################################################################################
 # Build stage 0 `builder`:
 # Extract Elasticsearch artifact
@@ -66,158 +66,6 @@ FROM ${base_image} AS builder
 COPY tini /bin/tini
 RUN chmod 0555 /bin/tini
 
-<% } else { %>
-
-<% /* CentOS builds are actaully a custom base image with a minimal set of dependencies */ %>
-
-################################################################################
-# Stage 1. Build curl statically. Installing it from RPM on CentOS pulls in too
-# many dependencies.
-################################################################################
-FROM alpine:3.13 AS curl
-
-ENV VERSION 7.71.0
-ENV TARBALL_URL https://curl.haxx.se/download/curl-\${VERSION}.tar.xz
-ENV TARBALL_PATH curl-\${VERSION}.tar.xz
-
-# Install dependencies
-RUN <%= retry.loop('apk', 'apk add gnupg gcc make musl-dev openssl-dev openssl-libs-static file') %>
-
-RUN mkdir /work
-WORKDIR /work
-
-# Fetch curl sources and files for validation. Note that alpine's `wget` doesn't have retry options.
-RUN function retry_wget() { \\
-      local URL="\$1" ; \\
-      local DEST="\$2" ; \\
-      <%= retry.loop('wget', 'wget "\$URL\" -O "\$DEST"', 6, 'return') %> ; \\
-    } ; \\
-    retry_wget "https://daniel.haxx.se/mykey.asc" "curl-gpg.pub" && \\
-    retry_wget "\${TARBALL_URL}.asc" "\${TARBALL_PATH}.asc" && \\
-    retry_wget "\${TARBALL_URL}" "\${TARBALL_PATH}"
-
-# Validate source
-RUN gpg --import --always-trust "curl-gpg.pub" && \\
-    gpg --verify "\${TARBALL_PATH}.asc" "\${TARBALL_PATH}"
-
-# Unpack and build
-RUN set -e ; \\
-    tar xfJ "\${TARBALL_PATH}" ; \\
-    cd "curl-\${VERSION}" ; \\
-    if ! ./configure --disable-shared --with-ca-fallback --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt ; then \\
-        [[ -e config.log ]] && cat config.log ; \\
-        exit 1 ; \\
-    fi ; \\
-    make curl_LDFLAGS="-all-static" ; \\
-    cp src/curl /work/curl ; \\
-    strip /work/curl
-
-################################################################################
-# Step 2. Create a minimal root filesystem directory. This will form the basis
-# for our image.
-################################################################################
-FROM ${base_image} AS rootfs
-
-ENV TINI_VERSION 0.19.0
-
-# Start off with an up-to-date system
-RUN ${package_manager} update --setopt=tsflags=nodocs -y
-
-# Create a directory into which we will install files
-RUN mkdir /rootfs
-
-# Create required devices
-RUN mkdir -m 755 /rootfs/dev && \\
-    mknod -m 600 /rootfs/dev/console c 5 1 && \\
-    mknod -m 600 /rootfs/dev/initctl p && \\
-    mknod -m 666 /rootfs/dev/full c 1 7 && \\
-    mknod -m 666 /rootfs/dev/null c 1 3 && \\
-    mknod -m 666 /rootfs/dev/ptmx c 5 2 && \\
-    mknod -m 666 /rootfs/dev/random c 1 8 && \\
-    mknod -m 666 /rootfs/dev/tty c 5 0 && \\
-    mknod -m 666 /rootfs/dev/tty0 c 4 0 && \\
-    mknod -m 666 /rootfs/dev/urandom c 1 9 && \\
-    mknod -m 666 /rootfs/dev/zero c 1 5
-
-# Install a minimal set of dependencies, and some for Elasticsearch
-RUN ${package_manager} --installroot=/rootfs --releasever=/ --setopt=tsflags=nodocs \\
-      --setopt=group_package_types=mandatory -y  \\
-      --skip-broken \\
-      install basesystem bash zip zlib
-
-# `tini` is a tiny but valid init for containers. This is used to cleanly
-# control how ES and any child processes are shut down.
-#
-# The tini GitHub page gives instructions for verifying the binary using
-# gpg, but the keyservers are slow to return the key and this can fail the
-# build. Instead, we check the binary against the published checksum.
-#
-# Also, we use busybox instead of installing utility RPMs, which pulls in
-# all kinds of stuff we don't want.
-RUN set -e ; \\
-    TINI_BIN="" ; \\
-    BUSYBOX_COMMIT="" ; \\
-    case "\$(arch)" in \\
-        aarch64) \\
-            BUSYBOX_COMMIT='8a500845daeaeb926b25f73089c0668cac676e97' ; \\
-            TINI_BIN='tini-arm64' ; \\
-            ;; \\
-        x86_64) \\
-            BUSYBOX_COMMIT='cc81bf8a3c979f596af2d811a3910aeaa230e8ef' ; \\
-            TINI_BIN='tini-amd64' ; \\
-            ;; \\
-        *) echo >&2 "Unsupported architecture \$(arch)" ; exit 1 ;; \\
-    esac ; \\
-    curl --retry 10 -S -L -O "https://github.com/krallin/tini/releases/download/v0.19.0/\${TINI_BIN}" ; \\
-    curl --retry 10 -S -L -O "https://github.com/krallin/tini/releases/download/v0.19.0/\${TINI_BIN}.sha256sum" ; \\
-    sha256sum -c "\${TINI_BIN}.sha256sum" ; \\
-    rm "\${TINI_BIN}.sha256sum" ; \\
-    mv "\${TINI_BIN}" /rootfs/bin/tini ; \\
-    chmod 0555 /rootfs/bin/tini ; \\
-    curl --retry 10 -L -O \\
-      # Here we're fetching the same binaries used for the official busybox docker image from their GtiHub repository
-      "https://github.com/docker-library/busybox/raw/\${BUSYBOX_COMMIT}/stable/musl/busybox.tar.xz" ; \\
-    tar -xf busybox.tar.xz -C /rootfs/bin --strip=2 ./bin ; \\
-    rm busybox.tar.xz ;
-
-# Curl needs files under here. More importantly, we change Elasticsearch's
-# bundled JDK to use /etc/pki/ca-trust/extracted/java/cacerts instead of
-# the bundled cacerts.
-RUN mkdir -p /rootfs/etc && \\
-    cp -a /etc/pki /rootfs/etc/
-
-# Cleanup the filesystem
-RUN ${package_manager} --installroot=/rootfs -y clean all && \\
-    cd /rootfs && \\
-    rm -rf \\
-        etc/{X11,centos-release*,csh*,profile*,skel*,yum*} \\
-        sbin/sln \\
-        usr/bin/rpm \\
-        {usr,var}/games \\
-        usr/lib/{dracut,systemd,udev} \\
-        usr/lib64/X11 \\
-        usr/local \\
-        usr/share/{awk,centos-release,cracklib,desktop-directories,gcc-*,i18n,icons,licenses,xsessions,zoneinfo} \\
-        usr/share/{man,doc,info,games,gdb,ghostscript,gnome,groff,icons,pixmaps,sounds,backgrounds,themes,X11} \\
-        usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive} \\
-        var/cache/yum \\
-        var/lib/{rpm,yum} \\
-        var/log/yum.log
-
-# ldconfig
-RUN rm -rf /rootfs/etc/ld.so.cache /rootfs/var/cache/ldconfig && \\
-    mkdir -p --mode=0755 /rootfs/var/cache/ldconfig
-
-COPY --from=curl /work/curl /rootfs/usr/bin/curl
-
-# Ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks.
-RUN find /rootfs -xdev -perm -4000 -exec chmod ug-s {} +
-
-################################################################################
-# Step 3. Fetch the Elasticsearch distribution and configure it for Docker
-################################################################################
-FROM ${base_image} AS builder
-
 <% } %>
 
 RUN mkdir /usr/share/elasticsearch
@@ -285,8 +133,6 @@ RUN mkdir -p /opt/plugins/archive
 RUN chmod -R 0555 /opt/plugins
 <% } %>
 
-<% if (docker_base == "ubi" || docker_base == "iron_bank") { %>
-
 ################################################################################
 # Build stage 1 (the actual Elasticsearch image):
 #
@@ -296,7 +142,17 @@ RUN chmod -R 0555 /opt/plugins
 
 FROM ${base_image}
 
-<% if (docker_base == "ubi") { %>
+<% if (docker_base == "iron_bank") { %>
+<%
+/* Reviews of the Iron Bank Dockerfile said that they preferred simpler */
+/* scripting so this version doesn't have the retry loop featured below. */
+%>
+RUN ${package_manager} update --setopt=tsflags=nodocs -y && \\
+    ${package_manager} install --setopt=tsflags=nodocs -y \\
+      nc shadow-utils zip findutils unzip procps-ng && \\
+    ${package_manager} clean all
+
+<% } else { %>
 
 RUN <%= retry.loop(
     package_manager,
@@ -306,49 +162,18 @@ RUN <%= retry.loop(
       "      ${package_manager} clean all"
     ) %>
 
-<% } else { %>
-
-<%
-/* Reviews of the Iron Bank Dockerfile said that they preferred simpler */
-/* scripting so this version doesn't have the retry loop featured above. */
-%>
-RUN ${package_manager} update --setopt=tsflags=nodocs -y && \\
-    ${package_manager} install --setopt=tsflags=nodocs -y \\
-      nc shadow-utils zip findutils unzip procps-ng && \\
-    ${package_manager} clean all
-
 <% } %>
 
 RUN groupadd -g 1000 elasticsearch && \\
     adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && \\
     chown -R 0:0 /usr/share/elasticsearch
 
-<% } else { %>
-
-################################################################################
-# Stage 4. Build the final image, using the rootfs above as the basis, and
-# copying in the Elasticsearch distribution
-################################################################################
-FROM scratch
-
-# Setup the initial filesystem.
-COPY --from=rootfs /rootfs /
-
-RUN addgroup -g 1000 elasticsearch && \\
-    adduser -D -u 1000 -G elasticsearch -g elasticsearch -h /usr/share/elasticsearch elasticsearch && \\
-    addgroup elasticsearch root && \\
-    chown -R 0:0 /usr/share/elasticsearch
-
-<% } %>
-
 ENV ELASTIC_CONTAINER true
 
 WORKDIR /usr/share/elasticsearch
 COPY --from=builder --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch
 
-<% if (docker_base == "ubi" || docker_base == "iron_bank") { %>
 COPY --from=builder --chown=0:0 /bin/tini /bin/tini
-<% } %>
 
 <% if (docker_base == 'cloud') { %>
 COPY --from=builder --chown=0:0 /opt /opt

docs/changelog/80524.yaml

@@ -0,0 +1,6 @@
+pr: 80524
+summary: Use almalinux as the Docker base image
+area: Packaging
+type: enhancement
+issues:
+ - 76681