You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@beam.apache.org by lo...@apache.org on 2024/02/13 21:23:34 UTC
(beam) branch master updated: Add instructions for Go custom container builds, link from 2.55.0 release notes. (#30290)
This is an automated email from the ASF dual-hosted git repository.
lostluck pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/master by this push:
new 9a4e1144532 Add instructions for Go custom container builds, link from 2.55.0 release notes. (#30290)
9a4e1144532 is described below
commit 9a4e1144532291244cfe6fde7f99655de1e9c88d
Author: Robert Burke <lo...@users.noreply.github.com>
AuthorDate: Tue Feb 13 13:23:26 2024 -0800
Add instructions for Go custom container builds, link from 2.55.0 release notes. (#30290)
* Stopgap message in release notes.
* Recommend 2.54.0 not 2.53.0.
* Add from scratch instructions.
* remove specific go version
* ws
* redundant line
* rm more ws
---------
Co-authored-by: lostluck <13...@users.noreply.github.com>
---
CHANGES.md | 3 ++
.../en/documentation/runtime/environments.md | 40 +++++++++++++++++++++-
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index bda5937a93d..607f1a1185f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -72,6 +72,9 @@
* X behavior was changed ([#X](https://github.com/apache/beam/issues/X)).
* Arrow version was bumped to 15.0.0 from 5.0.0 ([#30181](https://github.com/apache/beam/pull/30181)).
+* Go SDK users who build custom worker containers may run into issues with the move to distroless containers as a base (see Security Fixes).
+ * The issue stems from distroless containers lacking additional tools, which current custom container processes may rely on.
+ * See https://beam.apache.org/documentation/runtime/environments/#from-scratch-go for instructions on building and using a custom container.
## Deprecations
diff --git a/website/www/site/content/en/documentation/runtime/environments.md b/website/www/site/content/en/documentation/runtime/environments.md
index c860816e300..d9a42db29e2 100644
--- a/website/www/site/content/en/documentation/runtime/environments.md
+++ b/website/www/site/content/en/documentation/runtime/environments.md
@@ -29,7 +29,7 @@ You may want to customize container images for many reasons, including:
* Launching third-party software in the worker environment
* Further customizing the execution environment
- This guide describes how to create and use customized containers for the Beam SDK.
+ This guide describes how to create and use customized containers for the Beam SDKs.
### Prerequisites
@@ -218,6 +218,44 @@ Beam offers a way to provide your own custom container image. The easiest way to
docker push "${IMAGE_NAME}:${TAG}"
```
+#### Building a compatible container image from scratch (Go) {#from-scratch-go}
+
+From the 2.55.0 release, the Beam Go SDK has moved to using [distroless images](https://github.com/GoogleContainerTools/distroless) as a base.
+These images have a reduced security attack surface by not including common tools and utilities.
+This may cause difficulties customizing the image with using one of the above approaches.
+As a fallback, it's possible to build a custom image from scratch, by building a matching boot loader, and setting
+that as the container's entry point.
+
+For example, if it's preferable to use alpine as the container OS your multi-stage docker file might
+look like the following:
+
+```
+FROM golang:latest-alpine AS build_base
+
+# Set the Current Working Directory inside the container
+WORKDIR /tmp/beam
+
+# Build the Beam Go bootloader, to the local directory, matching your Beam version.
+# Similar go targets exist for other SDK languages.
+RUN GOBIN=`pwd` go install github.com/apache/beam/sdks/v2/go/container@v2.53.0
+
+# Set the real base image.
+FROM alpine:3.9
+RUN apk add ca-certificates
+
+# The following are required for the container to operate correctly.
+# Copy the boot loader `container` to the image.
+COPY --from=build_base /tmp/beam/container /opt/apache/beam/boot
+
+# Set the container to use the newly built boot loader.
+ENTRYPOINT ["/opt/apache/beam/boot"]
+```
+
+Build and push the new image as when [modifying an existing base image](#modify-existing-base-image) above.
+
+>**NOTE**: Java and Python require additional dependencies, such as their runtimes, and SDK packages for
+> a valid container image. The bootloader isn't sufficient for creating a custom container for these SDKs.
+
## Running pipelines with custom container images {#running-pipelines}
The common method for providing a container image requires using the