From a8cefa7a10bd2a9a3b7ea3337ecf2fd4a7fdb69a Mon Sep 17 00:00:00 2001 From: kuisathaverat Date: Mon, 26 Oct 2020 17:15:46 +0100 Subject: [PATCH] update filebeat to 7.9.2 --- .gitignore | 3 + Dockerfile | 115 ++++++++++++++++++++++++-------------- Jenkinsfile | 2 +- LICENSE | 57 +++++++++++++++++++ README.md | 44 ++++++++------- download.json | 18 ++++-- scripts/docker-entrypoint | 25 --------- 7 files changed, 173 insertions(+), 91 deletions(-) create mode 100644 .gitignore delete mode 100644 scripts/docker-entrypoint diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..62e009c --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +# Ignore any locally downloaded or dropped releases +*.tar.gz +dumb-init \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index c1514ea..f843944 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,58 +1,91 @@ -ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082 -ARG BASE_IMAGE=redhat/ubi/ubi8 +################################################################################ +# Build stage 0 +# Extract APM Server and make various file manipulations. +################################################################################ +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.2 +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as prep_files + +ARG ELASTIC_STACK=7.9.2 +ARG ELASTIC_PRODUCT=filebeat +ARG OS_AND_ARCH=linux-x86_64 + +RUN mkdir /usr/share/${ELASTIC_PRODUCT} +WORKDIR /usr/share/${ELASTIC_PRODUCT} +COPY --chown=1000:0 ${ELASTIC_PRODUCT}-${ELASTIC_STACK}-${OS_AND_ARCH}.tar.gz . +RUN tar --strip-components=1 -zxf ${ELASTIC_PRODUCT}-${ELASTIC_STACK}-${OS_AND_ARCH}.tar.gz \ + && rm ${ELASTIC_PRODUCT}-${ELASTIC_STACK}-${OS_AND_ARCH}.tar.gz +#COPY config/filebeat.yml /usr/share/${ELASTIC_PRODUCT} + +# Support arbitrary user ids +# Ensure that group permissions are the same as user permissions. +# This will help when relying on GID-0 to run Kibana, rather than UID-1000. +# OpenShift does this, for example. +# REF: https://docs.okd.io/latest/openshift_images/create-images.html +RUN chmod -R g=u /usr/share/${ELASTIC_PRODUCT} + +# Create auxiliar folders and assing default permissions. +RUN mkdir /usr/share/${ELASTIC_PRODUCT}/data /usr/share/${ELASTIC_PRODUCT}/logs && \ + chown -R root:root /usr/share/${ELASTIC_PRODUCT} && \ + find /usr/share/${ELASTIC_PRODUCT} -type d -exec chmod 0750 {} \; && \ + find /usr/share/${ELASTIC_PRODUCT} -type f -exec chmod 0640 {} \; && \ + chmod 0750 /usr/share/${ELASTIC_PRODUCT}/${ELASTIC_PRODUCT} && \ + chmod 0770 /usr/share/${ELASTIC_PRODUCT}/data /usr/share/${ELASTIC_PRODUCT}/logs + +################################################################################ +# Build stage 1 +# Copy prepared files from the previous stage and complete the image. +################################################################################ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -ARG TARBALL=filebeat-7.8.0-linux-x86_64.tar.gz +ARG ELASTIC_PRODUCT=filebeat -WORKDIR /opt +COPY LICENSE /licenses/elastic-${ELASTIC_PRODUCT} -COPY LICENSE /licenses/elastic-filebeat +# Add a dumb init process +WORKDIR /usr/local/bin +COPY dumb-init /usr/local/bin/dumb-init +RUN chmod +x /usr/local/bin/dumb-init -COPY ${TARBALL} /opt/ +# Bring in product from the initial stage. +COPY --from=prep_files --chown=1000:0 /usr/share/${ELASTIC_PRODUCT} /usr/share/${ELASTIC_PRODUCT} +WORKDIR /usr/share/${ELASTIC_PRODUCT} +RUN ln -s /usr/share/${ELASTIC_PRODUCT} /opt/${ELASTIC_PRODUCT} -RUN tar -zxf ./${TARBALL} && rm -fv ./${TARBALL} && \ - mv filebeat-7.8.0-linux-x86_64 /usr/share/filebeat && \ - rm -rfv /opt/* +ENV ELASTIC_CONTAINER="true" +RUN ln -s /usr/share/${ELASTIC_PRODUCT}/${ELASTIC_PRODUCT} /usr/bin/${ELASTIC_PRODUCT} -ENV ELASTIC_CONTAINER "true" +# Support arbitrary user ids +# Ensure gid 0 write permissions for OpenShift. +RUN chmod -R g+w /usr/share/${ELASTIC_PRODUCT} -ENV PATH=/usr/share/filebeat:$PATH +# config file ("${ELASTIC_PRODUCT}.yml") can only be writable by the root and group root +# it is needed on some configurations where the container needs to run as root +RUN chown root:root /usr/share/${ELASTIC_PRODUCT}/${ELASTIC_PRODUCT}.yml \ + && chmod go-w /usr/share/${ELASTIC_PRODUCT}/${ELASTIC_PRODUCT}.yml -COPY scripts/docker-entrypoint /usr/local/bin/docker-entrypoint +# Remove the suid bit everywhere to mitigate "Stack Clash" +RUN find / -xdev -perm -4000 -exec chmod u-s {} + -RUN chmod 755 /usr/local/bin/docker-entrypoint +# Provide a non-root user to run the process. +RUN groupadd --gid 1000 ${ELASTIC_PRODUCT} && useradd --uid 1000 --gid 1000 --groups 0 --home-dir /usr/share/${ELASTIC_PRODUCT} --no-create-home ${ELASTIC_PRODUCT} -RUN groupadd --gid 1000 filebeat +USER ${ELASTIC_PRODUCT} +ENV ELASTIC_PRODUCT=${ELASTIC_PRODUCT} -RUN mkdir /usr/share/filebeat/data /usr/share/filebeat/logs && \ - chown -R root:filebeat /usr/share/filebeat && \ - find /usr/share/filebeat -type d -exec chmod 0750 {} \; && \ - find /usr/share/filebeat -type f -exec chmod 0640 {} \; && \ - chmod 0750 /usr/share/filebeat/filebeat && \ - chmod 0770 /usr/share/filebeat/modules.d && \ - chmod 0770 /usr/share/filebeat/data /usr/share/filebeat/logs - -RUN useradd -M --uid 1000 --gid 1000 --home /usr/share/filebeat filebeat - -USER filebeat - -WORKDIR /usr/share/filebeat - -LABEL \ - org.label-schema.schema-version="1.0" \ +LABEL org.label-schema.schema-version="1.0" \ org.label-schema.vendor="Elastic" \ - org.label-schema.name="filebeat" \ - org.label-schema.version="7.8.0" \ - org.label-schema.url="https://www.elastic.co/products/beats/filebeat" \ - org.label-schema.vcs-url="github.com/elastic/beats" \ - org.label-schema.vcs-ref="7f4c584b574acdcb5db389df6d38012c881f6fad" \ - license="ASL 2.0" \ - description="Filebeat sends log files to Logstash or directly to Elasticsearch." - -ENTRYPOINT ["/usr/local/bin/docker-entrypoint"] - + org.label-schema.name="${ELASTIC_PRODUCT}" \ + org.label-schema.version="${ELASTIC_STACK}" \ + org.label-schema.url="https://www.elastic.co/products/${ELASTIC_PRODUCT}" \ + org.label-schema.vcs-url="https://github.com/elastic/${ELASTIC_PRODUCT}" \ + org.label-schema.license="Elastic License" license="Elastic License" + +EXPOSE 8200 +ENTRYPOINT ["/usr/local/bin/dumb-init", "--", "/usr/share/filebeat/filebeat", "-E", "http.enabled=true", "-E", "http.host=unix:///usr/share/filebeat/data/filebeat.sock"] CMD ["-environment", "container"] -HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 http://localhost:5066 || exit 1 +# see https://www.elastic.co/guide/en/beats/filebeat/current/http-endpoint.html +HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 --unix-socket '/usr/share/filebeat/data/filebeat.sock' 'http:/stats/?pretty' diff --git a/Jenkinsfile b/Jenkinsfile index eb27f6c..1913f29 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: '7.8.0') +dccscrPipeline(version: '7.9.2') diff --git a/LICENSE b/LICENSE index 7376ffc..9b314c7 100644 --- a/LICENSE +++ b/LICENSE @@ -221,3 +221,60 @@ SOFTWARE 6.11 "Subscription" means the right to receive Support Services and a License to the Commercial Software. + + +GOVERNMENT END USER ADDENDUM TO THE ELASTIC LICENSE AGREEMENT + + This ADDENDUM TO THE ELASTIC LICENSE AGREEMENT (this "Addendum") applies +only to U.S. Federal Government, State Government, and Local Government +entities ("Government End Users") of the Elastic Software. This Addendum is +subject to, and hereby incorporated into, the Elastic License Agreement, +which is being entered into as of even date herewith, by Elastic and You (the +"Agreement"). This Addendum sets forth additional terms and conditions +related to Your use of the Elastic Software. Capitalized terms not defined in +this Addendum have the meaning set forth in the Agreement. + + 1. LIMITED LICENSE TO DISTRIBUTE (DSOP ONLY). Subject to the terms and +conditions of the Agreement (including this Addendum), Elastic grants the +Department of Defense Enterprise DevSecOps Initiative (DSOP) a royalty-free, +non-exclusive, non-transferable, limited license to reproduce and distribute +the Elastic Software solely through a software distribution repository +controlled and managed by DSOP, provided that DSOP: (i) distributes the +Elastic Software complete and unmodified, inclusive of the Agreement +(including this Addendum) and (ii) does not remove or alter any proprietary +legends or notices contained in the Elastic Software. + + 2. CHOICE OF LAW. The choice of law and venue provisions set forth shall +prevail over those set forth in Section 5 of the Agreement. + + "For U.S. Federal Government Entity End Users. This Agreement and any + non-contractual obligation arising out of or in connection with it, is + governed exclusively by U.S. Federal law. To the extent permitted by + federal law, the laws of the State of Delaware (excluding Delaware choice + of law rules) will apply in the absence of applicable federal law. + + For State and Local Government Entity End Users. This Agreement and any + non-contractual obligation arising out of or in connection with it, is + governed exclusively by the laws of the state in which you are located + without reference to conflict of laws. Furthermore, the Parties agree that + the Uniform Computer Information Transactions Act or any version thereof, + adopted by any state in any form ('UCITA'), shall not apply to this + Agreement and, to the extent that UCITA is applicable, the Parties agree to + opt out of the applicability of UCITA pursuant to the opt-out provision(s) + contained therein." + + 3. ELASTIC LICENSE MODIFICATION. Section 5 of the Agreement is hereby +amended to replace + + "This Agreement may be modified by Elastic from time to time, and any + such modifications will be effective upon the "Posted Date" set forth at + the top of the modified Agreement." + + with: + + "This Agreement may be modified by Elastic from time to time; provided, + however, that any such modifications shall apply only to Elastic Software + that is installed after the "Posted Date" set forth at the top of the + modified Agreement." + +V100820.0 \ No newline at end of file diff --git a/README.md b/README.md index 7aa1b45..5a43c94 100644 --- a/README.md +++ b/README.md @@ -1,34 +1,40 @@ -# Welcome to Filebeat 7.8.0 +# filebeat -Filebeat sends log files to Logstash or directly to Elasticsearch. +**filebeat** Lightweight shipper for logs -## Getting Started +Forget using SSH when you have tens, hundreds, or even thousands of servers, virtual machines, and containers generating logs. Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files. -To get started with Filebeat, you need to set up Elasticsearch on -your localhost first. After that, start Filebeat with: +For more information about filebeat, please visit +https://www.elastic.co/products/beats/filebeat. - ./filebeat -c filebeat.yml -e +### Installation instructions -This will start Filebeat and send the data to your Elasticsearch -instance. To load the dashboards for Filebeat into Kibana, run: +Please follow the documentation on [running filebeat on Docker](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - ./filebeat setup -e +### Where to file issues and PRs -For further steps visit the -[Getting started](https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-getting-started.html) guide. +- [Issues](https://github.com/elastic/beats/issues) +- [PRs](https://github.com/elastic/beats/pulls) -## Configuration +### DoD Restrictions -Make sure you enable the http monitoring for the healtcheck to work, either via config or when launching your container. - http.enabled=true +### Where to get help +- [filebeat Discuss Forums](https://discuss.elastic.co/tags/c/elastic-stack/beats/28/filebeat) +- [filebeat Documentation](https://www.elastic.co/guide/en/beats/filebeat/current/index.html) -## Documentation -Visit [Elastic.co Docs](https://www.elastic.co/guide/en/beats/filebeat/7.6/index.html) -for the full Filebeat documentation. +### Still need help? -## Release notes +You can learn more about the Elastic Community and also understand how to get more help +visiting [Elastic Community](https://www.elastic.co/community). -https://www.elastic.co/guide/en/beats/libbeat/7.8/release-notes-7.8.0.html + +This software is governed by the [Elastic +License](https://github.com/elastic/elasticsearch/blob/7.9/licenses/ELASTIC-LICENSE.txt), +and includes the full set of [free +features](https://www.elastic.co/subscriptions). + +View the detailed release notes +[here](https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-7.9.2.html). diff --git a/download.json b/download.json index b8e9919..b71a979 100644 --- a/download.json +++ b/download.json @@ -1,12 +1,20 @@ { "resources": [ { - "url": "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.0-linux-x86_64.tar.gz", - "filename": "filebeat-7.8.0-linux-x86_64.tar.gz", + "url": "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.2-linux-x86_64.tar.gz", + "filename": "filebeat-7.9.2-linux-x86_64.tar.gz", "validation": { - "type": "sha512", - "value": "636fbb5c9951a8caba74a85bc55ac4ef776ddbd063c4b8471c4a1eee079e2bec14804dcd931baf6261cbc3713a41773fd9ea5b1018e07a1761a3bcef59805b8b" - } + "type": "sha512", + "value": "c15b2bf474cec145b3d7f21c4a8024ee9e486622b6a158c2f375be31c6ecf6452e3a24dc438eb928090f34a9054a5d92b905592fff5d2cc6a722fd1ef4ac0f21" + } + }, + { + "url": "https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64", + "filename": "dumb-init", + "validation": { + "type": "sha256", + "value": "37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9" + } } ] } diff --git a/scripts/docker-entrypoint b/scripts/docker-entrypoint deleted file mode 100644 index e501637..0000000 --- a/scripts/docker-entrypoint +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# Check if the the user has invoked the image with flags. -# eg. "filebeat -c filebeat.yml" -if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then - exec filebeat "$@" -else - # They may be looking for a Beat subcommand, like "filebeat setup". - subcommands=$(filebeat help \ - | awk 'BEGIN {RS=""; FS="\n"} /Available Commands:/' \ - | awk '/^\s+/ {print $1}') - - # If we _did_ get a subcommand, pass it to filebeat. - for subcommand in $subcommands; do - if [[ $1 == $subcommand ]]; then - exec filebeat "$@" - fi - done -fi - -# If neither of those worked, then they have specified the binary they want, so -# just do exactly as they say. -exec "$@" -- GitLab