Add official image for OpenSearch Dashboards #13194
Conversation
Signed-off-by: Rishabh Singh <[email protected]>
Diff for f788144:diff --git a/_bashbrew-cat b/_bashbrew-cat
index bdfae4a..01bfe6c 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1 +1,7 @@
-Maintainers: New Image! :D (@docker-library-bot)
+Maintainers: OpenSearch Project Team <[email protected]> (@opensearch-project), Rishabh Singh <[email protected]> (@rishabh6788), Peter Zhu <[email protected]> (@peterzhuamazon), Prudhvi Godithi <[email protected]> (@prudhvigodithi)
+GitRepo: https://github.com/opensearch-project/dashboards-docker-images.git
+
+Tags: 2.3.0, 2.3, 2, latest
+Architectures: amd64, arm64v8
+GitCommit: c8f80771985daceb6dcbe9498790b2d848159786
+Directory: 2.x
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..1abb8bf 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,4 @@
+opensearch-dashboards:2
+opensearch-dashboards:2.3
+opensearch-dashboards:2.3.0
+opensearch-dashboards:latest
diff --git a/opensearch-dashboards_latest/Dockerfile b/opensearch-dashboards_latest/Dockerfile
new file mode 100644
index 0000000..1a207c8
--- /dev/null
+++ b/opensearch-dashboards_latest/Dockerfile
@@ -0,0 +1,96 @@
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+
+# This dockerfile generates an AmazonLinux-based image containing an OpenSearch-Dashboards installation.
+# It assumes that the working directory contains four files: an OpenSearch-Dashboards tarball (opensearch-dashboards.tgz), opensearch_dashboards.yml, opensearch-dashboards-docker-entrypoint.sh, and example certs.
+# Build arguments:
+# VERSION: Required. Used to label the image.
+# UID: Optional. Specify the opensearch-dashboards userid. Defaults to 1000.
+# GID: Optional. Specify the opensearch-dashboards groupid. Defaults to 1000.
+# OPENSEARCH_DASHBOARDS_HOME: Optional. Specify the opensearch-dashboards root directory. Defaults to /usr/share/opensearch-dashboards.
+
+########################### Stage 0 ########################
+FROM amazonlinux:2 AS linux_stage_0
+
+ARG UID=1000
+ARG GID=1000
+ARG OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+ARG TEMP_DIR=/tmp/opensearch-dashboards
+ARG OSD_VERSION=2.3.0
+
+# Update packages
+# Install the tools we need: tar and gzip to unpack the OpenSearch tarball, and shadow-utils to give us `groupadd` and `useradd`.
+# Install which to allow running of securityadmin.sh
+RUN yum update -y && yum install -y tar gzip shadow-utils which && yum clean all
+
+# Create an opensearch-dashboards user, group, and directory
+RUN groupadd -g $GID opensearch-dashboards && \
+ adduser -u $UID -g $GID -d $OPENSEARCH_DASHBOARDS_HOME opensearch-dashboards && \
+ mkdir $TEMP_DIR
+
+RUN set -eux ; \
+ cur_arch="" ; \
+ case "$(arch)" in \
+ aarch64) cur_arch='arm64' ;; \
+ x86_64) cur_arch='x64' ;; \
+ *) echo >&2 ; echo >&2 "Unsupported architecture $(arch)" ; echo >&2 ; exit 1 ;; \
+ esac ; \
+ curl --retry 10 -S -L --output $TEMP_DIR/opensearch-dashboards.tar.gz https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$OSD_VERSION/opensearch-dashboards-$OSD_VERSION-linux-$cur_arch.tar.gz; \
+ curl --output $TEMP_DIR/opensearch-dashboards.pgp https://artifacts.opensearch.org/publickeys/opensearch.pgp; \
+ gpg --import $TEMP_DIR/opensearch-dashboards.pgp; \
+ curl --output $TEMP_DIR/opensearch-dashboards.tar.gz.sig https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$OSD_VERSION/opensearch-dashboards-$OSD_VERSION-linux-$cur_arch.tar.gz.sig; \
+ gpg --verify $TEMP_DIR/opensearch-dashboards.tar.gz.sig $TEMP_DIR/opensearch-dashboards.tar.gz; \
+ tar --warning=no-timestamp -zxf $TEMP_DIR/opensearch-dashboards.tar.gz -C $OPENSEARCH_DASHBOARDS_HOME --strip-components=1;
+
+COPY config/* $OPENSEARCH_DASHBOARDS_HOME/config/
+COPY bin/* $OPENSEARCH_DASHBOARDS_HOME/
+
+########################### Stage 1 ########################
+# Copy working directory to the actual release docker images
+FROM amazonlinux:2
+
+ARG UID=1000
+ARG GID=1000
+ARG OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+ARG OSD_VERSION=2.3.0
+
+# Update packages
+# Install the tools we need: tar and gzip to unpack the OpenSearch tarball, and shadow-utils to give us `groupadd` and `useradd`.
+# Install which to allow running of securityadmin.sh
+RUN yum update -y && yum install -y tar gzip shadow-utils which \
+ libnss3.so xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils \
+ xorg-x11-fonts-cyrillic xorg-x11-fonts-Type1 xorg-x11-fonts-misc fontconfig \
+ freetype && yum clean all
+
+# Create an opensearch-dashboards user, group
+RUN groupadd -g $GID opensearch-dashboards && \
+ adduser -u $UID -g $GID -d $OPENSEARCH_DASHBOARDS_HOME opensearch-dashboards
+
+COPY --from=linux_stage_0 --chown=$UID:$GID $OPENSEARCH_DASHBOARDS_HOME $OPENSEARCH_DASHBOARDS_HOME
+
+# Setup OpenSearch-dashboards
+WORKDIR $OPENSEARCH_DASHBOARDS_HOME
+
+# Set PATH
+ENV PATH=$PATH:$OPENSEARCH_DASHBOARDS_HOME/bin
+
+# Change user
+USER $UID
+
+# Expose port
+EXPOSE 5601
+
+# Label
+LABEL org.label-schema.schema-version="1.0" \
+ org.label-schema.name="opensearch-dashboards" \
+ org.label-schema.version="$OSD_VERSION" \
+ org.label-schema.url="https://opensearch.org" \
+ org.label-schema.vcs-url="https://github.com/opensearch-project/OpenSearch-Dashboards" \
+ org.label-schema.license="Apache-2.0" \
+ org.label-schema.vendor="Amazon"
+
+# CMD to run
+ENTRYPOINT ["./opensearch-dashboards-docker-entrypoint.sh"]
+CMD ["opensearch-dashboards"]
+
diff --git a/opensearch-dashboards_latest/bin/opensearch-dashboards-docker-entrypoint.sh b/opensearch-dashboards_latest/bin/opensearch-dashboards-docker-entrypoint.sh
new file mode 100755
index 0000000..894e48e
--- /dev/null
+++ b/opensearch-dashboards_latest/bin/opensearch-dashboards-docker-entrypoint.sh
@@ -0,0 +1,228 @@
+#!/bin/bash
+
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# Run OpenSearch-Dashboards, using environment variables to
+# set longopts defining OpenSearch-Dashboards's configuration.
+#
+# eg. Setting the environment variable:
+#
+# OPENSEARCH_STARTUPTIMEOUT=60
+#
+# will cause OpenSearch-Dashboards to be invoked with:
+#
+# --opensearch.startupTimeout=60
+
+# Setup Home Directory
+export OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+
+opensearch_dashboards_vars=(
+ console.enabled
+ console.proxyConfig
+ console.proxyFilter
+ ops.cGroupOverrides.cpuPath
+ ops.cGroupOverrides.cpuAcctPath
+ csp.rules
+ csp.strict
+ csp.warnLegacyBrowsers
+ data.search.usageTelemetry.enabled
+ opensearch.customHeaders
+ opensearch.hosts
+ opensearch.logQueries
+ opensearch.memoryCircuitBreaker.enabled
+ opensearch.memoryCircuitBreaker.maxPercentage
+ opensearch.password
+ opensearch.pingTimeout
+ opensearch.requestHeadersWhitelist
+ opensearch.requestTimeout
+ opensearch.shardTimeout
+ opensearch.sniffInterval
+ opensearch.sniffOnConnectionFault
+ opensearch.sniffOnStart
+ opensearch.ssl.alwaysPresentCertificate
+ opensearch.ssl.certificate
+ opensearch.ssl.certificateAuthorities
+ opensearch.ssl.key
+ opensearch.ssl.keyPassphrase
+ opensearch.ssl.keystore.path
+ opensearch.ssl.keystore.password
+ opensearch.ssl.truststore.path
+ opensearch.ssl.truststore.password
+ opensearch.ssl.verificationMode
+ opensearch.username
+ i18n.locale
+ interpreter.enableInVisualize
+ opensearchDashboards.autocompleteTerminateAfter
+ opensearchDashboards.autocompleteTimeout
+ opensearchDashboards.defaultAppId
+ opensearchDashboards.index
+ logging.dest
+ logging.json
+ logging.quiet
+ logging.rotate.enabled
+ logging.rotate.everyBytes
+ logging.rotate.keepFiles
+ logging.rotate.pollingInterval
+ logging.rotate.usePolling
+ logging.silent
+ logging.useUTC
+ logging.verbose
+ map.includeOpenSearchMapsService
+ map.proxyOpenSearchMapsServiceInMaps
+ map.regionmap
+ map.tilemap.options.attribution
+ map.tilemap.options.maxZoom
+ map.tilemap.options.minZoom
+ map.tilemap.options.subdomains
+ map.tilemap.url
+ monitoring.cluster_alerts.email_notifications.email_address
+ monitoring.enabled
+ monitoring.opensearchDashboards.collection.enabled
+ monitoring.opensearchDashboards.collection.interval
+ monitoring.ui.container.opensearch.enabled
+ monitoring.ui.container.logstash.enabled
+ monitoring.ui.opensearch.password
+ monitoring.ui.opensearch.pingTimeout
+ monitoring.ui.opensearch.hosts
+ monitoring.ui.opensearch.username
+ monitoring.ui.opensearch.logFetchCount
+ monitoring.ui.opensearch.ssl.certificateAuthorities
+ monitoring.ui.opensearch.ssl.verificationMode
+ monitoring.ui.enabled
+ monitoring.ui.max_bucket_size
+ monitoring.ui.min_interval_seconds
+ newsfeed.enabled
+ ops.interval
+ path.data
+ pid.file
+ regionmap
+ security.showInsecureClusterWarning
+ server.basePath
+ server.customResponseHeaders
+ server.compression.enabled
+ server.compression.referrerWhitelist
+ server.cors
+ server.cors.origin
+ server.defaultRoute
+ server.host
+ server.keepAliveTimeout
+ server.maxPayloadBytes
+ server.name
+ server.port
+ server.rewriteBasePath
+ server.socketTimeout
+ server.ssl.cert
+ server.ssl.certificate
+ server.ssl.certificateAuthorities
+ server.ssl.cipherSuites
+ server.ssl.clientAuthentication
+ server.customResponseHeaders
+ server.ssl.enabled
+ server.ssl.key
+ server.ssl.keyPassphrase
+ server.ssl.keystore.path
+ server.ssl.keystore.password
+ server.ssl.truststore.path
+ server.ssl.truststore.password
+ server.ssl.redirectHttpFromPort
+ server.ssl.supportedProtocols
+ server.xsrf.disableProtection
+ server.xsrf.whitelist
+ status.allowAnonymous
+ status.v6ApiFormat
+ tilemap.options.attribution
+ tilemap.options.maxZoom
+ tilemap.options.minZoom
+ tilemap.options.subdomains
+ tilemap.url
+ timeline.enabled
+ vega.enableExternalUrls
+ apm_oss.apmAgentConfigurationIndex
+ apm_oss.indexPattern
+ apm_oss.errorIndices
+ apm_oss.onboardingIndices
+ apm_oss.spanIndices
+ apm_oss.sourcemapIndices
+ apm_oss.transactionIndices
+ apm_oss.metricsIndices
+ telemetry.allowChangingOptInStatus
+ telemetry.enabled
+ telemetry.optIn
+ telemetry.optInStatusUrl
+ telemetry.sendUsageFrom
+)
+
+function setupSecurityDashboardsPlugin {
+ SECURITY_DASHBOARDS_PLUGIN="securityDashboards"
+
+ if [ -d "$OPENSEARCH_DASHBOARDS_HOME/plugins/$SECURITY_DASHBOARDS_PLUGIN" ]; then
+ if [ "$DISABLE_SECURITY_DASHBOARDS_PLUGIN" = "true" ]; then
+ echo "Disabling OpenSearch Security Dashboards Plugin"
+ ./bin/opensearch-dashboards-plugin remove securityDashboards
+
+ # Remove all security related parameters as well as changing HTTPS to HTTP
+ # Temporary fix before security-dashboards plugin implement a parameter to disable the plugin entirely
+ # https://github.com/opensearch-project/security-dashboards-plugin/issues/896
+ UPDATED_CONFIG=`cat $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml | sed "/^opensearch_security/d" | sed "s/https/http/g"`
+ echo "$UPDATED_CONFIG" > $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
+ fi
+ fi
+}
+
+function runOpensearchDashboards {
+ longopts=()
+ for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do
+ # 'opensearch.hosts' -> 'OPENSEARCH_URL'
+ env_var=$(echo ${opensearch_dashboards_var^^} | tr . _)
+
+ # Indirectly lookup env var values via the name of the var.
+ # REF: http://tldp.org/LDP/abs/html/bashver2.html#EX78
+ value=${!env_var}
+ if [[ -n $value ]]; then
+ longopt="--${opensearch_dashboards_var}=${value}"
+ longopts+=("${longopt}")
+ fi
+ done
+
+ # Files created at run-time should be group-writable, for Openshift's sake.
+ umask 0002
+
+ ##Security Dashboards Plugin
+ setupSecurityDashboardsPlugin
+
+ # TO DO:
+ # Confirm with Mihir if this is necessary
+
+ # The virtual file /proc/self/cgroup should list the current cgroup
+ # membership. For each hierarchy, you can follow the cgroup path from
+ # this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+ # introspect the statistics for the cgroup for the given
+ # hierarchy. Alas, Docker breaks this by mounting the container
+ # statistics at the root while leaving the cgroup paths as the actual
+ # paths. Therefore, OpenSearch-Dashboards provides a mechanism to override
+ # reading the cgroup path from /proc/self/cgroup and instead uses the
+ # cgroup path defined the configuration properties
+ # ops.cGroupOverrides.cpuPath and ops.cGroupOverrides.cpuAcctPath.
+ # Therefore, we set this value here so that cgroup statistics are
+ # available for the container this process will run in.
+
+ exec "$@" \
+ --ops.cGroupOverrides.cpuPath=/ \
+ --ops.cGroupOverrides.cpuAcctPath=/ \
+ "${longopts[@]}"
+}
+
+# Prepend "opensearch-dashboards" command if no argument was provided or if the
+# first argument looks like a flag (i.e. starts with a dash).
+if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
+ set -- opensearch-dashboards "$@"
+fi
+
+if [ "$1" = "opensearch-dashboards" ]; then
+ runOpensearchDashboards "$@"
+else
+ exec "$@"
+fi
+
diff --git a/opensearch-dashboards_latest/config/opensearch.example.org.cert b/opensearch-dashboards_latest/config/opensearch.example.org.cert
new file mode 100644
index 0000000..555bf09
--- /dev/null
+++ b/opensearch-dashboards_latest/config/opensearch.example.org.cert
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIJAKO3AgiyHbReMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
+BAMMHm9wZW5kaXN0cm9mb3JlbGFzdGljc2VhcmNoLm9yZzAeFw0xOTAyMTUwNzI5
+MjNaFw0yOTAyMTIwNzI5MjNaMCkxJzAlBgNVBAMMHm9wZW5kaXN0cm9mb3JlbGFz
+dGljc2VhcmNoLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPO
+w4iMMWj7wODNeAR+t9fFoFkhWmo7NiV9qteUtOTnOLBFG6VWVh2kQev1Ph2dF0uw
+Dg632Pk3Tl1er+eKCoG+YzwkJqVZ0CJlxZdpN5jCpliCYxIaGUHO0I+Kdhzg1IUk
+1Q2+8aeVN7ddiYZC13T/b5Kut8lr13O8OTqeBX2zRxuzX+jUNAZjAsCAdsv2jRrO
+94883OyDzF6UXvETJcW5uF4j7NK9N2nfAplMy6Z7v/0kA89/ecuAb8wmf7MOul1h
+sHyNd4aJwIGhKW/qBLJG+GHB5BiO6OaMJMzr5kzSV9we5r/plas5viAl/jWsYECS
+rvGjUqBEOKOFy6RS2ZECAwEAAaNQME4wHQYDVR0OBBYEFI05BOGEHtUhrZmkIL3W
+6KpJLE71MB8GA1UdIwQYMBaAFI05BOGEHtUhrZmkIL3W6KpJLE71MAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQEFBQADggEBACvAn1fRvkJamVKdmsou+YTmxu5YhDva
+MepBVT6yeqctcgQgUfaneuBrl/+9zmxkjykZ1uimSS2IM1FxIXuB8rX+iAcgFyIs
+XXquOhJlaXs/kN0KBGUSRkTMQSGIaTh26U7GnCQrdaIZDtKp7CRWjNebeDucNOc+
+aXOqiNFbVePNe8+EZIDb0FmV4IiHuLcqCwzZvgesl3EUPuMsnrxeNKIw83ecpjqK
+YRwWWhvY57asVbOZjn+M57bJSpzO9bO70uib0ItWs19aWqYP1vEOuNHEDbr2EVel
+dejL2fYF06uiw179PSYnvDQohWdiqm8dM0Nx+QtJcbOR6BiBh8aQTjw=
+-----END CERTIFICATE-----
+
diff --git a/opensearch-dashboards_latest/config/opensearch.example.org.key b/opensearch-dashboards_latest/config/opensearch.example.org.key
new file mode 100644
index 0000000..2ecc2b6
--- /dev/null
+++ b/opensearch-dashboards_latest/config/opensearch.example.org.key
@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAs87DiIwxaPvA4M14BH6318WgWSFaajs2JX2q15S05Oc4sEUb
+pVZWHaRB6/U+HZ0XS7AODrfY+TdOXV6v54oKgb5jPCQmpVnQImXFl2k3mMKmWIJj
+EhoZQc7Qj4p2HODUhSTVDb7xp5U3t12JhkLXdP9vkq63yWvXc7w5Op4FfbNHG7Nf
+6NQ0BmMCwIB2y/aNGs73jzzc7IPMXpRe8RMlxbm4XiPs0r03ad8CmUzLpnu//SQD
+z395y4BvzCZ/sw66XWGwfI13honAgaEpb+oEskb4YcHkGI7o5owkzOvmTNJX3B7m
+v+mVqzm+ICX+NaxgQJKu8aNSoEQ4o4XLpFLZkQIDAQABAoIBAEtPKXRyi2tWLlW5
+mTAAxw1Xl65dGtptjGMtfDWo8g8BjSu+9jJMs+rcVkP2xppupkgsJ+cgN39CG89d
+jj1jAr2OuU+CMLGGqXcOuzCMgB26QSPHEKmPRs7aSV4ldwznWfueDqIgPGSdSeXC
+Boy2SDmXluqPxShWw7mUtz+G2fPoQ+TMcH3puL3ooeV2iy25ZciLG3SFFQ7jTiJP
+l6bNvnszVa7fRdapF25znC/XsfaW7XsXZwbV+NeWtO7CEIec/RExSy9N/abbmhWY
+BPidBT9AQG4MoN10YunS7iwbfpXCNW0HKlFf77Mr5FrCZ0RE/Mg5JJrFF3Bt+sNT
+v6/2+wUCgYEA3mEtewQCn40aIWYTTeXqtRCnpbt4y602B2PbY7OI/9N6xafATVnK
++bwcj9rKQRmUBbrvNGCY/GQJPqHRFjIRqK0y2QCavuR/980z96ojUXwsHG4eSmHY
+wX0Rs+JtHVJDDH13hRWj/5Zxa+0ln2olBpHkp+o/VwiyYNXeqmw4Lq8CgYEAzv3p
+kmOqNQpQ2y2jEdKYanIibsB27slb4UxBpCzEYSj3LF3CysaGF17GJRRCASH9Dm3Y
+dZSgJzuBVZSgYl9HNSB1wY1gpHYeLm0F0yaE1D4tSoXGD+8pbLbl6LjwHOUtH4Yx
+NCDwOv+pe6+tyO6v04xcAOSWWkcsHkesrcehi78CgYEAztNA8o3LRst8Rx3hzGyP
+O7HuyoSvF3fUrVDhZjw/qfft0tFvWEGwN08OnXjW7W81rZKsEWHaR7teocLsbSFK
+LUBQ72TRh8OLhVR0Bd9Wk93SROrh/zo719FT2qM36rJsq7wxojR7YCZy/PcGK9sT
+7qVYLhf+qxrqlIe1XXnjUv8CgYBhglm63Xp8HAz1A22zYqrsUjIITGB6op7G5p5x
+kak9QAgYfV7bGWRns/zR0NY7JGDKoFJ9KXO8p5qIz0gyr0GjNFRkxo4FS6NyKWe6
+DYY7WcMKPTSNoxO3o/1wgVaTth5ooFWjgfTJRlD39E2Av3hSxuc8gHKXurl81jTx
+dH6UjwKBgEA5JLPaICkkY4ppcwdnf7zFFi22Rq5e2AJQSJcHOgE0K8/jJqbv+VOy
+ugVjXRpq6VdNjGD3aLToe/SnRLUDmq+ZJqV+BoZSv3DJCsUkc4O9tS/E6Tn4A1di
+loi+vT/GFEVVE3MaB42XGaaC82VEgwdqE3hDqNM/F2i3DfyoKD6V
+-----END RSA PRIVATE KEY-----
+
diff --git a/opensearch-dashboards_latest/config/opensearch_dashboards.yml b/opensearch-dashboards_latest/config/opensearch_dashboards.yml
new file mode 100644
index 0000000..6695163
--- /dev/null
+++ b/opensearch-dashboards_latest/config/opensearch_dashboards.yml
@@ -0,0 +1,188 @@
+---
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# Description:
+# Default configuration for OpenSearch Dashboards
+
+# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
+# server.port: 5601
+
+# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+# server.host: "localhost"
+
+# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+# server.basePath: ""
+
+# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+# server.maxPayloadBytes: 1048576
+
+# The OpenSearch Dashboards server's name. This is used for display purposes.
+# server.name: "your-hostname"
+
+# The URLs of the OpenSearch instances to use for all your queries.
+# opensearch.hosts: ["http://localhost:9200"]
+
+# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
+# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
+# opensearchDashboards.index: ".opensearch_dashboards"
+
+# The default application to load.
+# opensearchDashboards.defaultAppId: "home"
+
+# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
+# This settings should be used for large clusters or for clusters with ingest heavy nodes.
+# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
+#
+# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
+# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
+# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
+# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
+# opensearch.optimizedHealthcheckId: "cluster_id"
+
+# If your OpenSearch is protected with basic authentication, these settings provide
+# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
+# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
+# is proxied through the OpenSearch Dashboards server.
+# opensearch.username: "opensearch_dashboards_system"
+# opensearch.password: "pass"
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
+# server.ssl.enabled: false
+# server.ssl.certificate: /path/to/your/server.crt
+# server.ssl.key: /path/to/your/server.key
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
+# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
+# opensearch.ssl.certificate: /path/to/your/client.crt
+# opensearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your OpenSearch instance.
+# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+# opensearch.ssl.verificationMode: full
+
+# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
+# the opensearch.requestTimeout setting.
+# opensearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
+# must be a positive integer.
+# opensearch.requestTimeout: 30000
+
+# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+# opensearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
+# opensearch.customHeaders: {}
+
+# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
+# opensearch.shardTimeout: 30000
+
+# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
+# opensearch.logQueries: false
+
+# Specifies the path where OpenSearch Dashboards creates the process ID file.
+# pid.file: /var/run/opensearchDashboards.pid
+
+# Enables you to specify a file where OpenSearch Dashboards stores log output.
+# logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+# logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+# logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+# logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+# ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
+# i18n.locale: "en"
+
+# Set the allowlist to check input graphite Url. Allowlist is the default check list.
+# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
+
+# Set the blocklist to check input graphite Url. Blocklist is an IP list.
+# Below is an example for reference
+# vis_type_timeline.graphiteBlockedIPs: [
+# //Loopback
+# '127.0.0.0/8',
+# '::1/128',
+# //Link-local Address for IPv6
+# 'fe80::/10',
+# //Private IP address for IPv4
+# '10.0.0.0/8',
+# '172.16.0.0/12',
+# '192.168.0.0/16',
+# //Unique local address (ULA)
+# 'fc00::/7',
+# //Reserved IP address
+# '0.0.0.0/8',
+# '100.64.0.0/10',
+# '192.0.0.0/24',
+# '192.0.2.0/24',
+# '198.18.0.0/15',
+# '192.88.99.0/24',
+# '198.51.100.0/24',
+# '203.0.113.0/24',
+# '224.0.0.0/4',
+# '240.0.0.0/4',
+# '255.255.255.255/32',
+# '::/128',
+# '2001:db8::/32',
+# 'ff00::/8',
+# ]
+# vis_type_timeline.graphiteBlockedIPs: []
+
+# opensearchDashboards.branding:
+# logo:
+# defaultUrl: ""
+# darkModeUrl: ""
+# mark:
+# defaultUrl: ""
+# darkModeUrl: ""
+# loadingLogo:
+# defaultUrl: ""
+# darkModeUrl: ""
+# faviconUrl: ""
+# applicationTitle: ""
+
+# Set the value of this setting to true to capture region blocked warnings and errors
+# for your map rendering services.
+# map.showRegionBlockedWarning: false%
+
+opensearch.hosts: [https://localhost:9200]
+opensearch.ssl.verificationMode: none
+opensearch.username: kibanaserver
+opensearch.password: kibanaserver
+opensearch.requestHeadersWhitelist: [authorization, securitytenant]
+
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.readonly_mode.roles: [kibana_read_only]
+# Use this setting if you are running opensearch-dashboards without https
+opensearch_security.cookie.secure: false
+server.host: '0.0.0.0'
+ |
1 similar comment
|
Hello! ✨ Thanks for your interest in contributing to the official images program. 💭 As you may have noticed, we've usually got a pretty decently sized queue of new images (not to mention image updates and maintenance of images under @docker-library which are maintained by the core official images team). As such, it may be some time before we get to reviewing this image (image updates get priority both because users expect them and because reviewing new images is a more involved process than reviewing updates), so we apologize in advance! Please be patient with us -- rest assured, we've seen your PR and it's in the queue. ❤️ We do try to proactively add and update the "new image checklist" on each PR, so if you haven't looked at it yet, that's a good use of time while you wait. ☔ Thanks! 💖 💙 💚 ❤️ |
|
Thank you for your patience 🙇 I'd like to start with a bit of high-level feedback about Dashboards specifically, then I'll get into some more technical bits. From what I've understood, Dashboards is very closely tied to OpenSearch, right? (even to the point of being pretty fairly version-locked?) The reason I'm asking is that we do strive for each official image to be reasonably "generally useful", so I'm wondering if this should perhaps be tags of +FROM amazonlinux:2 AS linux_stage_0The use of multi-stage here is a little bit dubious (https://github.com/docker-library/faq#multi-stage-builds), but I don't think that's necessarily a blocker. If you want to keep it multi-stage, can you please include +ARG OSD_VERSION=2.3.0Every time this changes (in both instances of it 🤔), it's going to cause a cache bust, so it should be moved down just before the layer/instruction which uses/requires/changes based on it (technically also true for the other + case "$(arch)" in \
+ aarch64) cur_arch='arm64' ;; \
+ x86_64) cur_arch='x64' ;; \
+ *) echo >&2 ; echo >&2 "Unsupported architecture $(arch)" ; echo >&2 ; exit 1 ;; \
+ esac ; \This is using kernel-based architecture detection, which won't work if you ever end up supporting 32bit architectures (so for those you'll want/need to do something more "clever" to do userspace detection -- for RPM-based distributions, https://github.com/docker-library/openjdk/blob/c54013c65130eb1c41268ab45a7a04e41b47c612/21/jdk/oraclelinux8/Dockerfile#L37 is the best I've currently come up with 😭). I doubt you're going to do that any time soon (if ever), but wanted to make sure you're aware. + curl --retry 10 -S -L --output $TEMP_DIR/opensearch-dashboards.tar.gz https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/$OSD_VERSION/opensearch-dashboards-$OSD_VERSION-linux-$cur_arch.tar.gz; \
+ curl --output $TEMP_DIR/opensearch-dashboards.pgp https://artifacts.opensearch.org/publickeys/opensearch.pgp; \
+ gpg --import $TEMP_DIR/opensearch-dashboards.pgp; \As described a bit in https://github.com/docker-library/official-images#image-build, this PGP key's full fingerprint should be embedded/verified in the Irrespective of which direction you choose to go, any and all invocations of It would also be ideal if you included a strong checksum (SHA256, etc) and verified that, since one verifies the artifact was published by the appropriate party and the other verifies that the artifact hasn't changed / was transferred successfully and correctly (but not strictly a blocker). Additionally, every invocation of +# Update packages
...
+RUN yum update -y && ...For official images, we generally recommend against updating libraries that are included in the respective base image. Since the item cannot be deleted from an earlier layer, the update can add extra size to the resulting image. In order to have the most up-to-date packages, official images instead rely on periodic base image updates. We then rebuild all dependent images.
+# Label
+LABEL org.label-schema.schema-version="1.0" \
+ org.label-schema.name="opensearch-dashboards" \
+ org.label-schema.version="$OSD_VERSION" \
+ org.label-schema.url="https://opensearch.org" \
+ org.label-schema.vcs-url="https://github.com/opensearch-project/OpenSearch-Dashboards" \
+ org.label-schema.license="Apache-2.0" \
+ org.label-schema.vendor="Amazon"See #3540 (comment), especially:
and:
+ENTRYPOINT ["./opensearch-dashboards-docker-entrypoint.sh"]Using a relative path for this value is dangerous, as users changing
+#!/bin/bash
+Not strictly required, but I would recommend including at least I would also suggest +export OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboardsThis matches the value of the +opensearch_dashboards_vars=(This is a very long list to maintain by hand. 😅 How often does it change? Once you inevitably are maintaining more than one version at a time, will the lists diverge and increase your maintenance burden even further? (Raising for visibility / as food for thought in case there are ways you can think of to help mitigate the maintenance cost on yourselves associated with this way of implementing this behavior.) +function setupSecurityDashboardsPlugin {
+ SECURITY_DASHBOARDS_PLUGIN="securityDashboards"
+
+ if [ -d "$OPENSEARCH_DASHBOARDS_HOME/plugins/$SECURITY_DASHBOARDS_PLUGIN" ]; then
+ if [ "$DISABLE_SECURITY_DASHBOARDS_PLUGIN" = "true" ]; then
+ echo "Disabling OpenSearch Security Dashboards Plugin"
+ ./bin/opensearch-dashboards-plugin remove securityDashboards
+
+ # Remove all security related parameters as well as changing HTTPS to HTTP
+ # Temporary fix before security-dashboards plugin implement a parameter to disable the plugin entirely
+ # https://github.com/opensearch-project/security-dashboards-plugin/issues/896
+ UPDATED_CONFIG=`cat $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml | sed "/^opensearch_security/d" | sed "s/https/http/g"`
+ echo "$UPDATED_CONFIG" > $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
+ fi
+ fi
+}This is ... interesting (especially as the linked issue that describes why this was temporary is closed with a comment that sounds to me like it's a "wontfix"). I have a few thoughts on the specifics of the implementation here, but I'll keep them to myself for now because on a more general level I'm wondering whether you really want to have this logic at all? 😬 + for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do
+ # 'opensearch.hosts' -> 'OPENSEARCH_URL'
+ env_var=$(echo ${opensearch_dashboards_var^^} | tr . _)Minor shell code improvements (if you have a proper Bash array, using for opensearch_dashboards_var in "${opensearch_dashboards_vars[@]}"; do
# 'opensearch.hosts' -> 'OPENSEARCH_URL'
env_var=${opensearch_dashboards_var^^}
env_var=${env_var//./_}+ # TO DO:
+ # Confirm with Mihir if this is necessary😂 maybe Mihir could chime in here? 😇 +++ b/opensearch-dashboards_latest/config/opensearch.example.org.cert
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
...
+++ b/opensearch-dashboards_latest/config/opensearch.example.org.key
@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----It's a little bit weird to embed a certificate directly like this -- is this just an example? Is it necessary for opensearch to run? Used in the default (example?) configuration? What's the rotation story for this credential? How do we help make sure users don't end up running with this certificate as-is in production? 😬 (Some example alternatives to this: explain to users how to create one easily in the error message when they're missing, generate fresh ones on startup with a warning, etc.) +++ b/opensearch-dashboards_latest/config/opensearch_dashboards.ymlDoes the official distribution of Dashboards (like if I downloaded a raw release straight off the website) not contain an example/default configuration? If it does, how does that one differ from this one? (Back to the maintainability discussion, do you really want to maintain/update over time a whole new copy of that upstream configuration/example?) |
|
I'm updating the status of this PR to "draft" for now. When it's ready for re-review, please remove the draft status and leave a comment (GitHub unfortunately does not notify maintainers for draft state changes). |
Signed-off-by: Rishabh Singh [email protected]
OpenSearch Dashboards is the default visualization tool for data in OpenSearch. It also serves as a user interface for many of the OpenSearch plugins, including security, alerting, Index State Management, SQL, and more.
To know more about OpenSearch Dashboards please read our documentation
Checklist for Review
NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)
foobarneeds Node.js, hasFROM node:...instead of grabbingnodevia other means been considered?)ifFROM scratch, tarballs only exist in a single commit within the associated history?