KIP-1028: AK 3.8.0 Docker Official Image Assets #16768
Conversation
| for server in ha.pool.sks-keyservers.net $(shuf -e \ | ||
| hkp://p80.pool.sks-keyservers.net:80 \ | ||
| keyserver.ubuntu.com \ | ||
| hkp://keyserver.ubuntu.com:80 \ | ||
| pgp.mit.edu \ | ||
| hkp://keys.openpgp.org) ; do \ | ||
| gpg --batch --keyserver "$server" --recv-keys "$GPG_KEY" && break || : ; \ | ||
| done && \ |
There was a problem hiding this comment.
See the first example under https://github.com/docker-library/official-images?tab=readme-ov-file#image-build
There was a problem hiding this comment.
Thanks for the review @whalelines !
I went through the example, and made relevant changes to the Dockerfile:
- used GNUPGHOME
- Used only 2 keyservers - hkp://keys.openpgp.org and keyserver.ubuntu.com and removed the rest outdated keyservers
- Hardcoded the GPG_KEY inside the command itself
- Like flink-docker, used the practice of adding
gpgconf --kill allas part of verification commands. - wget uses kafka_url env variable, which downloads from a https source
Please let us know if these changes are okay, and if any more are needed.
Thank you again!
|
This PR is being marked as stale since it has not had any activity in 90 days. If you If you are having difficulty finding a reviewer, please reach out on the [mailing list](https://kafka.apache.org/contact). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed. |
|
This PR is to be kept open as Docker Official Image PR is waiting on review from Dockerhub folks. |
| gpgconf --kill all; \ | ||
| rm -rf "$GNUPGHOME" kafka.tgz.asc; \ | ||
| mkdir opt/kafka; \ | ||
| tar xfz kafka.tgz -C /opt/kafka --strip-components 1; \ |
There was a problem hiding this comment.
It's odd to mix "traditional" flags and Unix/GNU-style flags, and I'd recommend avoiding mixing them (https://manpages.debian.org/bookworm/tar/tar.1.en.html)
| # Generate jsa files using dynamic CDS for kafka server start command and kafka storage format command | ||
| RUN /etc/kafka/docker/jsa_launch | ||
| # Generate jsa files using dynamic CDS for kafka server start command and kafka storage format command | ||
| /etc/kafka/docker/jsa_launch |
There was a problem hiding this comment.
I'm concerned about this script; it appears to start a server in the background, does not track the PID of that started server, waits for a file to exist, and then exits, and hopes that the file existing means the server has shut down successfully and cleanly, so there could absolutely be a race here where the file gets created, gets filled up partway and thus exists, the script exits, and the server is killed before it finishes writing the file.
Is this actually necessary? Does it dramatically improve something like performance, startup time, etc? Is it an artifact that could be shipped with the Kafka releases instead?
(This script seems to be the primary justification for the multi-stage build, and I'm sorry but I'm not seeing it. 🙈)
| org.opencontainers.image.description="Apache Kafka" \ | ||
| org.opencontainers.image.created="${build_date}" \ | ||
| org.opencontainers.image.source="https://github.com/apache/kafka" \ | ||
| maintainer="Apache Kafka" |
There was a problem hiding this comment.
See docker-library/official-images#3540, especially docker-library/official-images#3540 (comment):
We don't actively recommend using labels. If an image maintainer wants to have labels, that is fine, but label names should adhere to the image spec: https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md
(ie, maintainer is an unacceptable label)
| RUN set -eux ; \ | ||
| apk update ; \ | ||
| apk upgrade ; \ | ||
| apk add --no-cache wget gcompat gpg gpg-agent procps bash; \ |
There was a problem hiding this comment.
gcompat is a strange inclusion here -- what in this process needs glibc compatibility?
| ENV build_date 2024-06-11 | ||
| # Get Kafka from https://archive.apache.org/dist/kafka, url passed as env var, for version 3.8.0 | ||
| ENV kafka_url https://archive.apache.org/dist/kafka/3.8.0/kafka_2.13-3.8.0.tgz | ||
| ENV build_date 2024-08-13 |
There was a problem hiding this comment.
This is not going to be accurate -- this image will be rebuilt any time the base image updates, so this and the associated LABEL should be dropped.
| RUN set -eux ; \ | ||
| apk update ; \ | ||
| apk upgrade ; \ | ||
| apk add --no-cache wget gcompat gpg gpg-agent procps bash; \ |
There was a problem hiding this comment.
Again, why gcompat? Also, I'd suggest splitting this up so that you can use --virtual and have an easier and more accurate time uninstalling "download-only" dependencies.
| gpgconf --kill all; \ | ||
| rm -rf "$GNUPGHOME" kafka.tgz.asc; \ | ||
| mkdir opt/kafka; \ | ||
| tar xfz kafka.tgz -C /opt/kafka --strip-components 1; \ |
There was a problem hiding this comment.
Using a single stage would pretty dramatically decrease the amount of duplication here.
| apk del wget gpg gpg-agent; \ | ||
| apk cache clean; | ||
| rm kafka.tgz; \ | ||
| apk del wget gpg gpg-agent; |
There was a problem hiding this comment.
As a non-blocking suggestion, is there some simple command that could be run here to verify the installation? One we often use is some-command --version, but I'm not sure if anything in Kafka has something like that?
|
|
||
| USER appuser | ||
|
|
||
| VOLUME ["/etc/kafka/secrets", "/var/lib/kafka/data", "/mnt/shared/config"] |
There was a problem hiding this comment.
Are all of these paths intended to be user-specified / persistent storage? These are all spearately paths that Kafka will write to at runtime in the default configuration and that users will have a bad time if they don't save in some persistent place/way?
| VOLUME ["/etc/kafka/secrets", "/var/lib/kafka/data", "/mnt/shared/config"] | ||
|
|
||
| CMD ["/etc/kafka/docker/run"] | ||
| CMD ["/etc/kafka/docker/run"] |
There was a problem hiding this comment.
I'm definitely still struggling to understand the necessity of so much Docker-image-custom behavior -- what problem is being solved here that's unique to running Kafka inside a container? I can't think of very many things that would be useful for containers that wouldn't also make the life of users in things like high-constrained systemd units better, such that any logic here should probably live in proper upstream scripts / code instead.
|
This PR is being marked as stale since it has not had any activity in 90 days. If you If you are having difficulty finding a reviewer, please reach out on the [mailing list](https://kafka.apache.org/contact). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed. |
|
This PR has been closed since it has not had any activity in 120 days. If you feel like this |
This PR adds the static assets for AK 3.8.0 Docker Official Images.
Post this PR:
Committer Checklist (excluded from commit message)