Will there eventually be alpine-based docker images for Logstash 6.x?

(Jim Hurne) #1

I was looking at the available Logstash docker images and it looks like there are alpine-based versions available for the 5.x version tree, but not for the 6.x version tree. Are there plans to make Alpine versions available for the 6.x version tree?

Note that image size isn't my only concern. Using a slimmed-down OS on the image also significantly reduces the security vulnerability surface area, thus significantly reducing the chances of a vulnerability slipping in. For this reason, security-sensitive environments/users often prefer to use Alpine (or similar) base images.

(Mark Walkom) #2

We switched to CentOS from 5.4; check this blog post for more: https://www.elastic.co/blog/docker-base-centos7

(Jim Hurne) #3

Interesting. Some questions after reading the blog post:

  1. Were the heavy dependencies (other than Java) and the compatibility issues with musl libc only an issue with Elasticsearch, or did you run into similar issues with Logstash?

  2. How does CentOS's library footprint (not size in bytes, but number of libraries/dependencies) compare to Alpine Linux?

The first question is to help understand how hard it would be to build and maintain our own Alpine-based image.

Since security is our primary concern (we don't care that much about image size), if the CentOS-based images have a bare minimum of libraries/dependencies, then the difference is really unimportant. But if it brings along with it lots of stuff that Logstash doesn't leverage, then that could be a problem for the environment I work in.

(Jim Hurne) #4

It looks like there is a third-party open source project that provides an Alpine-based Logstash image (see https://hub.docker.com/r/blacktop/logstash and https://github.com/blacktop/docker-logstash-alpine).

Does anyone have any experience using that image? Is it trustworthy and reliable? From the commit history, it is an active project (there are regular updates to it).

(xeraa) #5

So the Logstash images were initially based on Ubuntu images — see https://github.com/elastic/logstash-docker/blob/5.0/build/logstash/Dockerfile#L1. It was the same for Kibana and Beats; only Elasticsearch was ever on Alpine (of our images). If I remember correctly, neither Node.js nor JRuby was officially supported by Alpine back then and that's why they went to Ubuntu.

Looking at https://github.com/jruby/jruby/wiki/JRuby-on-Alpine-Linux the situation seems to have improved, but there are still some things to keep in mind (especially around native extensions).

Currently, all our images share the same base layer — both to keep our sanity and to share layers between the different products. That's a default CentOS 7: https://github.com/elastic/logstash-docker/blob/6.5/templates/Dockerfile.j2#L17

I haven't seen the Alpine-based images before, so I don't think we can comment much on them. The only thing I was missing from a quick look were tests. We are putting quite a lot of effort into that (https://github.com/elastic/logstash-docker/tree/6.5/tests) to make sure they are production-ready. That's also the reason why our entire build process for the Docker images is different to most others.

If you have specific security requirements, my assumption would be that you'll have to build and verify your own images in any case.