Dockerfile and Base Path changes

CHANGELOG.md

@@ -9,6 +9,20 @@
 ## Other changes
 - None
 
+# 2.x.x
+## Breaking changes
+- Dockerfile Base image changed from `python/alpine` to `python/slim-buster` to take advantage of pre-build python wheels and accelerate build times.
+- System packages removed from the Dockerfile: All dev packages, cargo, libmagic, jq, curl. Image size reduced to 244Mb.
+- Default base path changed to `/opt/elastalert` in the Dockerfile and in Helm charts.
+
+## New features
+- None
+
+## Other changes
+- Dockerfile now creates and runs as a non-root user "elastalert".
+- tmp files and dev packages removed from the final container image.
+- Documentation updates in support of the modified container base path.
+
 # 2.0.4
 
 ## Breaking changes

Dockerfile

@@ -1,36 +1,37 @@
-FROM python:alpine as builder
+FROM python:slim-buster as builder
 
 LABEL description="Elastalert 2 Official Image"
 LABEL maintainer="Jason Ertel (jertel at codesim.com)"
 
-RUN apk --update upgrade && \
-    rm -rf /var/cache/apk/* && \
-    mkdir -p /tmp/elastalert
-
 COPY . /tmp/elastalert
 
 RUN mkdir -p /opt/elastalert && \
     cd /tmp/elastalert && \
     pip install setuptools wheel && \
     python setup.py sdist bdist_wheel
 
-FROM python:alpine
+FROM python:slim-buster
 
 COPY --from=builder /tmp/elastalert/dist/*.tar.gz /tmp/
 
-RUN apk --update upgrade && \
-    apk add gcc libffi-dev musl-dev python3-dev openssl-dev tzdata libmagic cargo jq curl && \
-	pip install /tmp/*.tar.gz && \
-    apk del gcc libffi-dev musl-dev python3-dev openssl-dev cargo && \
-    rm -rf /var/cache/apk/*
-
-RUN mkdir -p /opt/elastalert && \
-	echo "#!/bin/sh" >> /opt/elastalert/run.sh && \
-    echo "set -e" >> /opt/elastalert/run.sh && \
-    echo "elastalert-create-index --config /opt/config/elastalert_config.yaml" >> /opt/elastalert/run.sh && \
-    echo "elastalert --config /opt/config/elastalert_config.yaml \"\$@\"" >> /opt/elastalert/run.sh && \
-    chmod +x /opt/elastalert/run.sh
-
+RUN apt-get update && apt-get -y upgrade &&\
+    #apt-get install -y tzdata cargo libmagic1 jq curl &&\
+    apt-get -y autoremove &&\
+    rm -rf /var/lib/apt/lists/* &&\
+    pip install /tmp/*.tar.gz &&\
+    rm -rf /tmp/* &&\
+    mkdir -p /opt/elastalert &&\
+    echo "#!/bin/sh" >> /opt/elastalert/run.sh &&\
+    echo "set -e" >> /opt/elastalert/run.sh &&\
+    echo "elastalert-create-index --config /opt/elastalert/config.yaml" \
+        >> /opt/elastalert/run.sh &&\
+    echo "elastalert --config /opt/elastalert/config.yaml \"\$@\"" \
+        >> /opt/elastalert/run.sh &&\
+    chmod +x /opt/elastalert/run.sh &&\
+    useradd -u 1000 -M -b /opt/elastalert -s /sbin/nologin \
+        -c "ElastAlert User" elastalert
+
+USER elastalert
 ENV TZ "UTC"
 
 WORKDIR /opt/elastalert

Dockerfile-alpine

@@ -0,0 +1,37 @@
+FROM python:alpine as builder
+
+LABEL description="Elastalert 2 Official Image"
+LABEL maintainer="Jason Ertel (jertel at codesim.com)"
+
+RUN apk --update upgrade && \
+    rm -rf /var/cache/apk/* && \
+    mkdir -p /tmp/elastalert
+
+COPY . /tmp/elastalert
+
+RUN mkdir -p /opt/elastalert && \
+    cd /tmp/elastalert && \
+    pip install setuptools wheel && \
+    python setup.py sdist bdist_wheel
+
+FROM python:alpine
+
+COPY --from=builder /tmp/elastalert/dist/*.tar.gz /tmp/
+
+RUN apk --update upgrade && \
+    apk add gcc libffi-dev musl-dev python3-dev openssl-dev tzdata libmagic cargo jq curl && \
+	pip install /tmp/*.tar.gz && \
+    apk del gcc libffi-dev musl-dev python3-dev openssl-dev cargo && \
+    rm -rf /var/cache/apk/*
+
+RUN mkdir -p /opt/elastalert && \
+	echo "#!/bin/sh" >> /opt/elastalert/run.sh && \
+    echo "set -e" >> /opt/elastalert/run.sh && \
+    echo "elastalert-create-index --config /opt/config/elastalert_config.yaml" >> /opt/elastalert/run.sh && \
+    echo "elastalert --config /opt/config/elastalert_config.yaml \"\$@\"" >> /opt/elastalert/run.sh && \
+    chmod +x /opt/elastalert/run.sh
+
+ENV TZ "UTC"
+
+WORKDIR /opt/elastalert
+ENTRYPOINT ["/opt/elastalert/run.sh"]

README.md

@@ -1,7 +1,7 @@
 # Elastalert 2
 
 Elastalert 2 is the supported fork of [Elastalert][0], which had been maintained by the Yelp team
-but become mostly stale when the Yelp team ceased using Elastalert. 
+but become mostly stale when the Yelp team ceased using Elastalert.
 
 Elastalert 2 is backwards compatible with the original Elastalert rules.
 
@@ -23,14 +23,15 @@ If you're interested in a pre-built Docker image check out the [elastalert2][2]
 
 Be aware that the `latest` tag of the image represents the latest commit into the master branch. If you prefer to upgrade more slowly you will need utilize a versioned tag, such as `2.0.4` instead.
 
-A properly configured elastalert_config.json file must be mounted into the container during startup of the container. Use the [example file][1] provided as a template, and once saved locally to a file such as `/tmp/elastalert.yaml`, run the container as follows:
+A properly configured config.yaml file must be mounted into the container during startup of the container. Use the [example file][1] provided as a template, and once saved locally to a file such as `/tmp/elastalert.yaml`, run the container as follows:
 
 ```bash
-docker run -d -v /tmp/elastalert.yaml:/opt/config/elastalert_config.yaml jertel/elastalert2
+docker run -d -v /tmp/elastalert.yaml:/opt/elastalert/config.yaml jertel/elastalert2
 ```
 
 To build the image locally, install Docker and then run the following command:
-```
+
+```bash
 docker build . -t elastalert
 ```
 
@@ -48,4 +49,3 @@ Elastalert 2 is licensed under the [Apache License, Version 2.0][5].
 [3]: https://elastalert2.readthedocs.io/
 [4]: https://elastalert2.readthedocs.io/en/latest/ruletypes.html#alerts
 [5]: http://www.apache.org/licenses/LICENSE-2
-

chart/elastalert2/templates/config.yaml

@@ -11,7 +11,7 @@ metadata:
 data:
   elastalert_config: |-
     ---
-    rules_folder: /opt/rules
+    rules_folder: /opt/elastalert/rules
     scan_subdirectories: false
     run_every:
       minutes: {{ .Values.runIntervalMins }}

chart/elastalert2/templates/deployment.yaml

@@ -42,9 +42,10 @@ spec:
 {{- end }}
         volumeMounts:
           - name: config
-            mountPath: '/opt/config'
+            mountPath: '/opt/elastalert/config.yaml'
+            subPath: config.yaml
           - name: rules
-            mountPath: '/opt/rules'
+            mountPath: '/opt/elastalert/rules'
 {{- if .Values.elasticsearch.certsVolumeMounts }}
 {{ toYaml .Values.elasticsearch.certsVolumeMounts | indent 10 }}
 {{- end }}
@@ -115,7 +116,7 @@ spec:
 {{- end }}
             items:
             - key: elastalert_config
-              path: elastalert_config.yaml
+              path: config.yaml
 {{- if .Values.elasticsearch.certsVolumes }}
 {{ toYaml .Values.elasticsearch.certsVolumes | indent 8 }}
 {{- end }}

chart/elastalert2/values.yaml

@@ -94,7 +94,7 @@ extraConfigOptions: {}
 #type: Opaque
 #stringData:
 #   elastalert_config: |-
-#     rules_folder: /opt/rules
+#     rules_folder: /opt/elastalert/rules
 #     scan_subdirectories: false
 #     run_every:
 #       minutes: 1
@@ -223,6 +223,6 @@ extraVolumes: []
 
 extraVolumeMounts: []
   # - name: smtp-auth
-  #   mountPath: /opt/config-smtp/smtp_auth.yaml
+  #   mountPath: /opt/elastalert/config-smtp/smtp_auth.yaml
   #   subPath: smtp_auth.yaml
   #   readOnly: true