Enable Filebeat's Journald input in all docker image variants #7995

Open
wants to merge 4 commits into
base: main
belimawr
Contributor

@belimawr belimawr commented Apr 25, 2025

What does this PR do?

Filebeat's Journald input requires journalctl, so the systemd package is added to all docker image variants.

Why is it important?

Currently it is only possible to use integrations that require the journald input with the complete docker image variant; this PR allows it to be used with any docker image variant. The complete docker image is the largest with more than 3Gb, while the standard Elastic-Agent image is less than 2Gb.

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

## Disruptive User Impact

How to test this PR locally

  1. Package the Elastic-Agent:
    DEV=true SNAPSHOT=true EXTERNAL=true PACKAGES="docker" PLATFORMS=linux/amd64 mage -v package
    
  2. Check the version of journalctl:
    docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-complete-wolfi:9.1.0-SNAPSHOT  --version
    docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-slim-wolfi:9.1.0-SNAPSHOT  --version
    docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-slim:9.1.0-SNAPSHOT  --version
    docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-agent-ubi:9.1.0-SNAPSHOT  --version
    docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-otel-collector-wolfi:9.1.0-SNAPSHOT  --version
    docker run --rm -it --entrypoint journalctl docker.elastic.co/elastic-agent/elastic-otel-collector:9.1.0-SNAPSHOT  --version
    

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...

Filebeat's Journald input requires `journalctl`, so the systemd
package is added to all docker image variants.
Contributor

mergify bot commented Apr 25, 2025

This pull request does not have a backport label. Could you fix it @belimawr? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@belimawr belimawr added Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team backport-active-all Automated backport with mergify to all the active branches labels Apr 25, 2025
Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@elasticmachine
Contributor

💚 Build Succeeded

History

cc @belimawr

@belimawr belimawr marked this pull request as ready for review April 25, 2025 21:28
@belimawr belimawr requested a review from a team as a code owner April 25, 2025 21:28
@belimawr belimawr requested review from ycombinator and pchila April 25, 2025 21:28
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Apr 27, 2025
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@rdner
Member

rdner commented Apr 28, 2025

@belimawr please add the image size comparison to the description.

@@ -73,15 +73,15 @@ ENV BEAT_SETUID_AS={{ .user }}
{{- if contains .from "ubi-minimal" }}
RUN for iter in {1..10}; do \
microdnf update -y && \
microdnf install -y tar gzip findutils shadow-utils ca-certificates gawk libcap xz && \
microdnf install -y tar gzip findutils shadow-utils ca-certificates gawk libcap xz systemd && \
Member

How much bigger does this make the images?

Also, we don't want it in every container, it would be in elastic-agent, elastic-agent-complete but not elastic-agent-slim. This is really dependent on how much the size increase is as we do not want them getting bigger since they are already huge.

Member

The downside of using the elastic-agent-complete image is that people who don't use synthetics but want to read node logs on K8S now have to deploy a bunch of browser dependencies and such.

Perhaps this would be best addressed with an elastic-agent-journald container. We already have a lot of containers though so I'm not sure this clarifies anything with respect to which one someone should use.

Member

@cmacknz cmacknz left a comment

If we keep this (size dependent), it definitely shouldn't be in the slim variant at least.

microdnf clean all && \
exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code)
{{- end }}

{{- if contains .from "wolfi" }}
RUN for iter in {1..10}; do \
apk fix && \
apk add --no-cache ca-certificates curl gawk shadow bash && \
apk add --no-cache ca-certificates curl gawk shadow bash systemd && \
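Review bot: `systemd` is appended unconditionally to both the `microdnf install` line in the `ubi-minimal` branch and the `apk add` line in the `wolfi` branch, so every variant built from this template picks up the whole systemd package when the Journald input only needs the `journalctl` binary. Consider gating the addition on the image variant inside the existing `{{- if contains .from ... }}` blocks so the variants that are meant to stay small or minimal are unaffected, and add a build-time check that `journalctl --version` runs in the variants that are supposed to carry it, so a missing binary fails the image build rather than the input at runtime.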
Member

We shouldn't include systemd in wolfi because it is going to significantly broaden its exposure to CVEs, the point of Wolfi is to minimize the OS level CVEs we are exposed to. Same rationale as Filebeat: https://github.com/elastic/beats/pull/44056/files#r2064612269

@pkoutsovasilis
Contributor

pkoutsovasilis commented Apr 30, 2025

So I went ahead and found my notes from when we did the initial switch from ubuntu-based to ubi-based images, and I remembered the quirks with journalctl and systemd package. To this end, journalctl is only part of the systemd package and it's not something that we can install standalone.

I built all images with this PR and this is the comparison with the images from main, in terms of size:

arm64:

docker.elastic.co/elastic-agent/elastic-agent-complete         with-systemd-PR-9.1.0-SNAPSHOT   693b6e89332b   2 hours ago     3.33GB
docker.elastic.co/elastic-agent/elastic-agent-complete         9.1.0-SNAPSHOT                   002667864129   12 hours ago    3.33GB
docker.elastic.co/beats-ci/elastic-agent-service               with-systemd-PR-9.1.0-SNAPSHOT   bf4763072e2f   2 hours ago     2.3GB
docker.elastic.co/beats-ci/elastic-agent-service               9.1.0-SNAPSHOT                   bf4763072e2f   2 hours ago     2.3GB
docker.elastic.co/beats-ci/elastic-agent-cloud                 with-systemd-PR-9.1.0-SNAPSHOT   134ef9b6eed6   2 hours ago     2.21GB
docker.elastic.co/beats-ci/elastic-agent-cloud                 9.1.0-SNAPSHOT                   134ef9b6eed6   2 hours ago     2.21GB
docker.elastic.co/elastic-agent/elastic-agent-ubi              with-systemd-PR-9.1.0-SNAPSHOT   f6f367b91ffc   2 hours ago     1.67GB   (~ 40MB increase)
docker.elastic.co/elastic-agent/elastic-agent-ubi              9.1.0-SNAPSHOT                   c39e45552f7c   12 hours ago    1.63GB
docker.elastic.co/elastic-agent/elastic-agent                  with-systemd-PR-9.1.0-SNAPSHOT   f6f367b91ffc   2 hours ago     1.67GB   (~ 40MB increase)
docker.elastic.co/elastic-agent/elastic-agent                  9.1.0-SNAPSHOT                   c39e45552f7c   12 hours ago    1.63GB
docker.elastic.co/elastic-agent/elastic-agent-slim             with-systemd-PR-9.1.0-SNAPSHOT   7311176930d6   2 hours ago     1.12GB   (~ 50MB increase)
docker.elastic.co/elastic-agent/elastic-agent-slim             9.1.0-SNAPSHOT                   fc65146d79d6   12 hours ago    1.07GB
docker.elastic.co/elastic-agent/elastic-otel-collector         with-systemd-PR-9.1.0-SNAPSHOT   5eb9b4234489   2 hours ago     1.03GB   (~ 50MB increase)
docker.elastic.co/elastic-agent/elastic-otel-collector         9.1.0-SNAPSHOT                   10f3e676c678   12 hours ago    983MB
docker.elastic.co/elastic-agent/elastic-agent-wolfi            with-systemd-PR-9.1.0-SNAPSHOT   4d3de9efd830   2 hours ago     1.75GB   (~ 170MB increase)
docker.elastic.co/elastic-agent/elastic-agent-wolfi            9.1.0-SNAPSHOT                   c85d302eb13d   12 hours ago    1.58GB
docker.elastic.co/elastic-agent/elastic-agent-slim-wolfi       with-systemd-PR-9.1.0-SNAPSHOT   ac34c798b016   2 hours ago     1.2GB    (~ 180MB increase)
docker.elastic.co/elastic-agent/elastic-agent-slim-wolfi       9.1.0-SNAPSHOT                   d5cd36078fdf   12 hours ago    1.02GB
docker.elastic.co/elastic-agent/elastic-agent-complete-wolfi   with-systemd-PR-9.1.0-SNAPSHOT   1ef4f0086615   2 hours ago     2.97GB   (~ 180MB increase)
docker.elastic.co/elastic-agent/elastic-agent-complete-wolfi   9.1.0-SNAPSHOT                   147828688b56   12 hours ago    2.81GB
docker.elastic.co/elastic-agent/elastic-otel-collector-wolfi   with-systemd-PR-9.1.0-SNAPSHOT   9a7f5b346b99   2 hours ago     1.11GB   (~ 180MB increase)
docker.elastic.co/elastic-agent/elastic-otel-collector-wolfi   9.1.0-SNAPSHOT                   d2a00044c610   12 hours ago    933MB

amd64:

(amd64)
docker.elastic.co/elastic-agent/elastic-agent-complete         with-systemd-PR-9.1.0-SNAPSHOT   6bb84a795044   13 minutes ago  3.37GB   
docker.elastic.co/elastic-agent/elastic-agent-complete         9.1.0-SNAPSHOT                   0000e9ed5f23   12 hours ago    3.37GB   
docker.elastic.co/beats-ci/elastic-agent-service               with-systemd-PR-9.1.0-SNAPSHOT   95e3bfe0941c   13 minutes ago  2.38GB   
docker.elastic.co/beats-ci/elastic-agent-service               9.1.0-SNAPSHOT                   95e3bfe0941c   13 minutes ago  2.38GB   
docker.elastic.co/beats-ci/elastic-agent-cloud                 with-systemd-PR-9.1.0-SNAPSHOT   b889bd89bee4   15 minutes ago  2.31GB   
docker.elastic.co/beats-ci/elastic-agent-cloud                 9.1.0-SNAPSHOT                   b889bd89bee4   15 minutes ago  2.31GB   
docker.elastic.co/elastic-agent/elastic-otel-collector         with-systemd-PR-9.1.0-SNAPSHOT   e77a5648b478   15 minutes ago  1.06GB   (~ 30MB increase)  
docker.elastic.co/elastic-agent/elastic-otel-collector         9.1.0-SNAPSHOT                   46aedf7de7e1   12 hours ago    1.03GB   
docker.elastic.co/elastic-agent/elastic-agent-ubi              with-systemd-PR-9.1.0-SNAPSHOT   fa6b2f661969   15 minutes ago  1.75GB   (~ 30MB increase)  
docker.elastic.co/elastic-agent/elastic-agent-ubi              9.1.0-SNAPSHOT                   b6e665ec531c   12 hours ago    1.72GB   
docker.elastic.co/elastic-agent/elastic-agent                  with-systemd-PR-9.1.0-SNAPSHOT   fa6b2f661969   15 minutes ago  1.75GB   (~ 30MB increase)  
docker.elastic.co/elastic-agent/elastic-agent                  9.1.0-SNAPSHOT                   b6e665ec531c   12 hours ago    1.72GB   
docker.elastic.co/elastic-agent/elastic-agent-slim             with-systemd-PR-9.1.0-SNAPSHOT   58d3dd1d12d1   15 minutes ago  1.16GB   (~ 30MB increase) 
docker.elastic.co/elastic-agent/elastic-agent-slim             9.1.0-SNAPSHOT                   a58865886ade   12 hours ago    1.13GB   
docker.elastic.co/elastic-agent/elastic-agent-wolfi            with-systemd-PR-9.1.0-SNAPSHOT   fdaf4fa8a0ac   15 minutes ago  1.82GB   (~ 160MB increase)
docker.elastic.co/elastic-agent/elastic-agent-wolfi            9.1.0-SNAPSHOT                   b8f9b0d336ad   12 hours ago    1.66GB   
docker.elastic.co/elastic-agent/elastic-agent-slim-wolfi       with-systemd-PR-9.1.0-SNAPSHOT   464367c5c29c   15 minutes ago  1.24GB   (~ 170MB increase)
docker.elastic.co/elastic-agent/elastic-agent-slim-wolfi       9.1.0-SNAPSHOT                   a4007ffd9dea   12 hours ago    1.07GB   
docker.elastic.co/elastic-agent/elastic-agent-complete-wolfi   with-systemd-PR-9.1.0-SNAPSHOT   4824ac942ad1   13 minutes ago  3GB      (~ 140MB increase)
docker.elastic.co/elastic-agent/elastic-agent-complete-wolfi   9.1.0-SNAPSHOT                   1dcefb2b9c7c   12 hours ago    2.86GB   
docker.elastic.co/elastic-agent/elastic-otel-collector-wolfi   with-systemd-PR-9.1.0-SNAPSHOT   366fc969e3df   15 minutes ago  1.14GB   (~ 170MB increase)
docker.elastic.co/elastic-agent/elastic-otel-collector-wolfi   9.1.0-SNAPSHOT                   2b85fbbb4e34   12 hours ago    973MB   

Just from the above comparisons, and the security-based reasons, I would say that wolfi-based images should not feature systemd. Now for the ubi-based ones, if the on average 50MB of an increase is prohibitive, we could try out having an intermediate step that installs systemd package and copies the bare minimum of journalctl dependencies to the final image

$ du -sh /usr/bin/journalctl
132K    /usr/bin/journalctl
$ du -sh /usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-255.so
3.8M    /usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-255.so
$ readelf -d /usr/bin/journalctl | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd-shared-255.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [ld-linux-aarch64.so.1]

I have to test the above out but AFAIK journalctl either connects to the /run/systemd/journal/socket, host path that needs to be mounted, and/or reads persistent journal files on disk /var/log/journal/*

PS: I would also propose introducing a k8s integration test that tests the journald input 🙂
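
The intermediate-step idea in the comment above needs the complete set of files `journalctl` loads, and a shared library listed as NEEDED can have NEEDED entries of its own. The following is an added example, not code from this PR or the Elastic Agent repository: it walks NEEDED entries transitively to produce the list of files to copy into a final image. The function names, the `READELF` override and the library directories passed as arguments are assumptions, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example. READELF is overridable (an assumption of this example) so the
# walk can be exercised without real ELF files.
READELF=${READELF:-"readelf -d"}

# Read `readelf -d` output on stdin, print one NEEDED soname per line.
needed_sonames() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)\].*/\1/p'
}

# resolve_soname SONAME DIR...: print the first DIR/SONAME that exists.
resolve_soname() {
    _so=$1; shift
    for _dir in "$@"; do
        [ -e "$_dir/$_so" ] && { printf '%s\n' "$_dir/$_so"; return 0; }
    done
    return 1
}

# copy_manifest BINARY DIR...: print BINARY and every library it needs,
# directly or indirectly, one path per line. Fails if a soname cannot be
# found, so an incomplete copy breaks the build instead of the runtime.
copy_manifest() {
    bin=$1; shift
    todo=$bin
    seen=
    while [ -n "$todo" ]; do
        cur=${todo%% *}                                   # pop first queued path
        case $todo in *' '*) todo=${todo#* } ;; *) todo= ;; esac
        case " $seen " in *" $cur "*) continue ;; esac    # already listed
        seen="$seen $cur"
        printf '%s\n' "$cur"
        for so in $($READELF "$cur" | needed_sonames); do
            if path=$(resolve_soname "$so" "$@"); then
                todo="${todo:+$todo }$path"
            else
                printf 'unresolved: %s (needed by %s)\n' "$so" "$cur" >&2
                return 1
            fi
        done
    done
    return 0
}
```

Sonames are often symlinks to versioned files, so the copy step that consumes this list has to either dereference them or copy the link targets as well.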

@cmacknz
Member

cmacknz commented May 2, 2025

IMO based on the above we keep systemd out of the slim, service, and wolfi variants.

We would add systemd/journald to the plain elastic-agent (and elastic-agent-ubi) and the elastic-otel-collector since the collector needs journald for the same reason. This removes the need to deploy the complete variant and preserves the main properties of slim (smallest size) and wolfi (minimal dependencies and CVEs) variants.

@cmacknz
Member

cmacknz commented May 2, 2025

(service has no need for journald/systemd it's the agentless container).
