Security: Remove alpine image from Mimir

grafana · Jan 17, 2025 · aecf707 · aecf707
1 parent bd6e14b
commit aecf707
Show file tree

Hide file tree

Showing 5 changed files with 2 additions and 143 deletions.
diff --git a/.github/workflows/scripts/build-images.sh b/.github/workflows/scripts/build-images.sh
@@ -19,7 +19,6 @@ do
   make \
     BUILD_IN_CONTAINER=false \
     PUSH_MULTIARCH_TARGET="type=oci,dest=$OUTPUT/$NAME.oci" \
-    PUSH_MULTIARCH_TARGET_ALPINE="type=oci,dest=$OUTPUT/$NAME\-alpine.oci" \
     PUSH_MULTIARCH_TARGET_CONTINUOUS_TEST="type=oci,dest=$OUTPUT/$NAME\-continuous\-test.oci" \
     push-multiarch-$target
 done
diff --git a/.github/workflows/test-build-deploy.yml b/.github/workflows/test-build-deploy.yml
@@ -281,24 +281,15 @@ jobs:
           path: ./images.tar
       - name: Build Mimir with race-detector
         run: |
-          # When building uptodate_race target, we create two images since
-          # a Dockerfile.alpine exists. The alpine image is built with
-          # the `-alpine` suffix.
-          # We build both until we have finished migrating to distroless.
-          # We test the distroless race image in every integration test.
-          # We test the (legacy) alpine race image when deploying (aka pushing).
           make BUILD_IN_CONTAINER=false cmd/mimir/.uptodate_race
           export IMAGE_TAG_RACE=$(make image-tag-race)
           export MIMIR_DISTROLESS_IMAGE="grafana/mimir:$IMAGE_TAG_RACE"
-          export MIMIR_ALPINE_IMAGE="grafana/mimir-alpine:$IMAGE_TAG_RACE"
           docker save $MIMIR_DISTROLESS_IMAGE -o ./mimir_race_image_distroless
-          docker save $MIMIR_ALPINE_IMAGE -o ./mimir_race_image_alpine
       - name: Upload archive with race-enabled Mimir
         uses: actions/upload-artifact@v4
         with:
           name: Race-enabled Mimir
           path: |
-            ./mimir_race_image_alpine
             ./mimir_race_image_distroless
 
   integration:
@@ -375,83 +366,8 @@ jobs:
           echo "Running integration tests (group ${{ matrix.test_group_id }} of ${{ matrix.test_group_total }}) with Go version: $(go version)"
           ./.github/workflows/scripts/run-integration-tests-group.sh --index ${{ matrix.test_group_id }} --total ${{ matrix.test_group_total }}
 
-  integration-alpine:
-    needs: [goversion, build, prepare]
-    runs-on: ubuntu-latest
-    if: needs.prepare.outputs.is_deploy == 'true'
-    strategy:
-      # Do not abort other groups when one fails.
-      fail-fast: false
-      # Split tests into 6 groups.
-      matrix:
-        test_group_id:    [0, 1, 2, 3, 4, 5]
-        test_group_total: [6]
-    steps:
-      - name: Upgrade golang
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ needs.goversion.outputs.version }}
-          cache: false # We manage caching ourselves below to maintain consistency with the other jobs that don't use setup-go.
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Run Git Config
-        run: git config --global --add safe.directory '*'
-      - name: Install Docker Client
-        run: sudo ./.github/workflows/scripts/install-docker.sh
-      - name: Symlink Expected Path to Workspace
-        run: |
-          sudo mkdir -p /go/src/github.com/grafana/mimir
-          sudo ln -s $GITHUB_WORKSPACE/* /go/src/github.com/grafana/mimir
-      - name: Get Go build cache path
-        id: gocache
-        run: |
-          echo "path=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
-      - name: Cache Go build cache
-        uses: actions/cache@v4
-        with:
-          # Cache is shared between test groups.
-          key: integration-go-build-${{ runner.os }}-${{ hashFiles('go.mod', 'go.sum') }}
-          path: ${{ steps.gocache.outputs.path }}
-      - name: Download Archive with Docker Images
-        uses: actions/download-artifact@v4
-        with:
-          name: Docker Images
-      - name: Extract Docker Images from Archive
-        run: tar xvf images.tar -C /
-      - name: Load Mimirtool Image into Docker
-        run: |
-          export IMAGE_TAG=$(make image-tag)
-          # skopeo will by default load system-specific version of the image (linux/amd64).
-          # note that this doesn't use skopeo version from our build-image, because we don't use build-image when running integration tests.
-          # that's why we use docker run to run latest version.
-          docker run -v /tmp/images:/tmp/images -v /var/run/docker.sock:/var/run/docker.sock quay.io/skopeo/stable:v1.15.1 copy oci-archive:/tmp/images/mimirtool.oci "docker-daemon:grafana/mimirtool:$IMAGE_TAG"
-      - name: Download Archive with Docker Images
-        uses: actions/download-artifact@v4
-        with:
-          name: Race-enabled Mimir
-      - name: Load race-enabled mimir into Docker
-        run: |
-          export IMAGE_TAG_RACE=$(make image-tag-race)
-          docker load -i ./mimir_race_image_alpine
-          docker run "grafana/mimir-alpine:$IMAGE_TAG_RACE" --version
-      - name: Preload Images
-        # We download docker images used by integration tests so that all images are available
-        # locally and the download time doesn't account in the test execution time, which is subject
-        # to a timeout
-        run: go run ./tools/pre-pull-images | xargs -n1 -P4 docker pull
-      - name: Integration Tests
-        run: |
-          export IMAGE_TAG_RACE=$(make image-tag-race)
-          export MIMIR_IMAGE="grafana/mimir-alpine:$IMAGE_TAG_RACE"
-          export IMAGE_TAG=$(make image-tag)
-          export MIMIRTOOL_IMAGE="grafana/mimirtool:$IMAGE_TAG"
-          export MIMIR_CHECKOUT_DIR="/go/src/github.com/grafana/mimir"
-          echo "Running integration tests with image: $MIMIR_IMAGE (Mimir), $MIMIRTOOL_IMAGE (Mimirtool)"
-          echo "Running integration tests (group ${{ matrix.test_group_id }} of ${{ matrix.test_group_total }}) with Go version: $(go version)"
-          ./.github/workflows/scripts/run-integration-tests-group.sh --index ${{ matrix.test_group_id }} --total ${{ matrix.test_group_total }}
-
   deploy:
-    needs: [prepare, build, test, lint, integration, integration-alpine]
+    needs: [prepare, build, test, lint, integration]
     # Only deploy images on pushes to the grafana/mimir repo, which either are tag pushes or weekly release branch pushes.
     if: needs.prepare.outputs.is_deploy == 'true'
     runs-on: ubuntu-latest

diff --git a/Makefile b/Makefile
@@ -103,12 +103,6 @@ SED ?= $(shell which gsed 2>/dev/null || which sed)
 			--build-arg=goproxyValue=$(GOPROXY_VALUE) \
 			-t $(IMAGE_PREFIX)$(shell basename $(@D))-continuous-test:$(IMAGE_TAG) $(@D)/; \
 	fi;
-	if [ -f $(@D)/Dockerfile.alpine ]; then \
-		$(SUDO) docker build -f $(@D)/Dockerfile.alpine \
-			--build-arg=revision=$(GIT_REVISION) \
-			--build-arg=goproxyValue=$(GOPROXY_VALUE) \
-			-t $(IMAGE_PREFIX)$(shell basename $(@D))-alpine:$(IMAGE_TAG) $(@D)/; \
-	fi;
 	@echo
 	$(SUDO) docker build --build-arg=revision=$(GIT_REVISION) --build-arg=goproxyValue=$(GOPROXY_VALUE) -t $(IMAGE_PREFIX)$(shell basename $(@D)) -t $(IMAGE_PREFIX)$(shell basename $(@D)):$(IMAGE_TAG) $(@D)/
 	@echo
@@ -117,7 +111,6 @@ SED ?= $(shell which gsed 2>/dev/null || which sed)
 	@echo Image name: $(IMAGE_PREFIX)$(shell basename $(@D))
 	@echo Image name: $(IMAGE_PREFIX)$(shell basename $(@D)):$(IMAGE_TAG)
 	@echo Image name: $(IMAGE_PREFIX)$(shell basename $(@D))-continuous-test:$(IMAGE_TAG)
-	@echo Image name: $(IMAGE_PREFIX)$(shell basename $(@D))-alpine:$(IMAGE_TAG)
 	@echo
 	@echo Please use '"make push-multiarch-build-image"' to build and push build image.
 	@echo Please use '"make push-multiarch-mimir"' to build and push Mimir image.
@@ -126,18 +119,7 @@ SED ?= $(shell which gsed 2>/dev/null || which sed)
 
 %/$(UPTODATE_RACE): GOOS=linux
 %/$(UPTODATE_RACE): %/Dockerfile
-	# Build Dockerfile.alpine if it exists
-	if [ -f $(@D)/Dockerfile.alpine ]; then \
-		$(SUDO) docker build -f $(@D)/Dockerfile.alpine \
-			--build-arg=revision=$(GIT_REVISION) \
-			--build-arg=goproxyValue=$(GOPROXY_VALUE) \
-			--build-arg=USE_BINARY_SUFFIX=true \
-			--build-arg=BINARY_SUFFIX=_race \
-			--build-arg=EXTRA_PACKAGES="gcompat" \
-			-t $(IMAGE_PREFIX)$(shell basename $(@D))-alpine:$(IMAGE_TAG_RACE) $(@D)/; \
-	fi;
-	@echo
-	# We need gcompat -- compatibility layer with glibc, as race-detector currently requires glibc, but Alpine uses musl libc instead.
+	# We need gcompat -- compatibility layer with glibc, as race-detector currently requires glibc.
 	$(SUDO) docker build \
 		--build-arg=revision=$(GIT_REVISION) \
 		--build-arg=goproxyValue=$(GOPROXY_VALUE) \
@@ -149,15 +131,13 @@ SED ?= $(shell which gsed 2>/dev/null || which sed)
 	@echo Go binaries were built using GOOS=$(GOOS) and GOARCH=$(GOARCH)
 	@echo
 	@echo Image name: $(IMAGE_PREFIX)$(shell basename $(@D)):$(IMAGE_TAG_RACE)
-	@echo Image name: $(IMAGE_PREFIX)$(shell basename $(@D))-alpine:$(IMAGE_TAG_RACE)
 	@echo
 	@touch $@
 
 # This variable controls where result of building of multiarch image should be sent. Default is registry.
 # Other options are documented in https://docs.docker.com/engine/reference/commandline/buildx_build/#output.
 # CI workflow uses PUSH_MULTIARCH_TARGET="type=oci,dest=file.oci" to store images locally for next steps in the pipeline.
 PUSH_MULTIARCH_TARGET ?= type=registry
-PUSH_MULTIARCH_TARGET_ALPINE ?= type=registry
 PUSH_MULTIARCH_TARGET_CONTINUOUS_TEST ?= type=registry
 
 # This target compiles mimir for linux/amd64 and linux/arm64 and then builds and pushes a multiarch image to the target repository.
@@ -188,16 +168,6 @@ push-multiarch-%/$(UPTODATE):
 			--build-arg=USE_BINARY_SUFFIX=true \
 			-t $(IMAGE_PREFIX)$(shell basename $(DIR))-continuous-test:$(IMAGE_TAG) $(DIR)/; \
 	fi;
-	# Build Dockerfile.alpine if it exists
-	if [ -f $(DIR)/Dockerfile.alpine ]; then \
-		$(SUDO) docker buildx build -f $(DIR)/Dockerfile.alpine \
-			-o $(PUSH_MULTIARCH_TARGET_ALPINE) \
-			--platform linux/amd64,linux/arm64 \
-			--build-arg=revision=$(GIT_REVISION) \
-			--build-arg=goproxyValue=$(GOPROXY_VALUE) \
-			--build-arg=USE_BINARY_SUFFIX=true \
-			-t $(IMAGE_PREFIX)$(shell basename $(DIR))-alpine:$(IMAGE_TAG) $(DIR)/; \
-	fi;
 
 push-multiarch-mimir: ## Push mimir docker image.
 push-multiarch-mimir: push-multiarch-cmd/mimir/.uptodate

diff --git a/cmd/mimir/Dockerfile.alpine b/cmd/mimir/Dockerfile.alpine
diff --git a/docs/sources/mimir/manage/mimir-runbooks/_index.md b/docs/sources/mimir/manage/mimir-runbooks/_index.md
@@ -1448,10 +1448,6 @@ How to **investigate** and **fix** it:
   - Investigate which tenants use most of the store-gateway disk in the replicas with highest disk utilization. To investigate it you can run the following command for a given store-gateway replica. The command returns the top 10 tenants by disk utilization (in megabytes):
 
     ```
-    # If you're running the alpine image:
-    kubectl --context $CLUSTER --namespace $NAMESPACE exec -ti $POD -- sh -c 'du -sm /data/tsdb/* | sort -n -r | head -10'
-
-    # If you're running the distroless image:
     kubectl --context $CLUSTER --namespace $NAMESPACE debug pod/$POD --image=alpine:latest --target=store-gateway --container=debug -ti -- sh -c 'du -sm /proc/1/root/data/tsdb/* | sort -n -r | head -10'
     ```