gmakstutis/openrag
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
openrag/Dockerfile
phact 6c15d91f7a upgrade os dockerfile
2025-12-03 10:00:27 -05:00

138 lines
7 KiB
Docker
Raw Blame History

########################################
# Stage 1: Upstream OpenSearch with plugins
########################################
FROM opensearchproject/opensearch:3.2.0 AS upstream_opensearch
# Remove plugins
RUN opensearch-plugin remove opensearch-neural-search || true && \
opensearch-plugin remove opensearch-knn || true && \
# removing this one due to Netty CVE-2025-58056, can bring it back in the future
opensearch-plugin remove opensearch-security-analytics || true
# Prepare jvector plugin artifacts
RUN mkdir -p /tmp/opensearch-jvector-plugin && \
curl -L -s https://github.com/opensearch-project/opensearch-jvector/releases/download/3.2.0.0/artifacts.tar.gz \
| tar zxvf - -C /tmp/opensearch-jvector-plugin
# Prepare neural-search plugin
RUN mkdir -p /tmp/opensearch-neural-search && \
curl -L -s https://storage.googleapis.com/opensearch-jvector/opensearch-neural-search-3.2.0.0-20251029200300.zip \
> /tmp/opensearch-neural-search/plugin.zip
# Install additional plugins
RUN opensearch-plugin install --batch file:///tmp/opensearch-jvector-plugin/repository/org/opensearch/plugin/opensearch-jvector-plugin/3.2.0.0/opensearch-jvector-plugin-3.2.0.0.zip && \
opensearch-plugin install --batch file:///tmp/opensearch-neural-search/plugin.zip && \
opensearch-plugin install --batch repository-gcs && \
opensearch-plugin install --batch repository-azure && \
# opensearch-plugin install --batch repository-s3 && \
opensearch-plugin install --batch https://github.com/opensearch-project/opensearch-prometheus-exporter/releases/download/3.2.0.0/prometheus-exporter-3.2.0.0.zip
# Apply Netty patch
COPY patch-netty.sh /tmp/
RUN whoami && bash /tmp/patch-netty.sh
# Set permissions for OpenShift compatibility before copying
RUN chmod -R g=u /usr/share/opensearch
########################################
# Stage 2: UBI9 runtime image
########################################
FROM registry.access.redhat.com/ubi9/ubi:latest
USER root
# Update packages and install required tools
# TODO bring back iostat somehow? sysstat isn't in ubi
# TODO bring back 'perf' package, but what did we need it for?
RUN dnf update -y && \
dnf install -y --allowerasing \
less procps-ng findutils sudo curl tar gzip shadow-utils which && \
dnf clean all
# Create opensearch user and group
ARG UID=1000
ARG GID=1000
ARG OPENSEARCH_HOME=/usr/share/opensearch
WORKDIR $OPENSEARCH_HOME
RUN groupadd -g $GID opensearch && \
adduser -u $UID -g $GID -d $OPENSEARCH_HOME opensearch
# Grant the opensearch user sudo privileges (passwordless sudo)
RUN usermod -aG wheel opensearch && \
echo "opensearch ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
# Copy OpenSearch from the upstream stage
COPY --from=upstream_opensearch --chown=$UID:0 $OPENSEARCH_HOME $OPENSEARCH_HOME
ARG OPENSEARCH_VERSION=3.2.0
########################################
# Async-profiler (multi-arch like your original)
########################################
ARG TARGETARCH
RUN if [ "$TARGETARCH" = "amd64" ]; then \
export ASYNC_PROFILER_URL=https://github.com/async-profiler/async-profiler/releases/download/v4.0/async-profiler-4.0-linux-x64.tar.gz; \
elif [ "$TARGETARCH" = "arm64" ]; then \
export ASYNC_PROFILER_URL=https://github.com/async-profiler/async-profiler/releases/download/v4.0/async-profiler-4.0-linux-arm64.tar.gz; \
else \
echo "Unsupported architecture: $TARGETARCH" && exit 1; \
fi && \
mkdir /opt/async-profiler && \
curl -s -L $ASYNC_PROFILER_URL | tar zxvf - --strip-components=1 -C /opt/async-profiler && \
chown -R opensearch:opensearch /opt/async-profiler
# Create profiling script (as in your original Dockerfile)
RUN echo "#!/bin/bash" > /usr/share/opensearch/profile.sh && \
echo "export PATH=\$PATH:/opt/async-profiler/bin" >> /usr/share/opensearch/profile.sh && \
echo "echo 1 | sudo tee /proc/sys/kernel/perf_event_paranoid >/dev/null" >> /usr/share/opensearch/profile.sh && \
echo "echo 0 | sudo tee /proc/sys/kernel/kptr_restrict >/dev/null" >> /usr/share/opensearch/profile.sh && \
echo "asprof \$@" >> /usr/share/opensearch/profile.sh && \
chmod 777 /usr/share/opensearch/profile.sh
########################################
# Security config (OIDC/DLS) and setup script
########################################
# Copy OIDC and DLS security configuration (as root, like before)
COPY securityconfig/ /usr/share/opensearch/securityconfig/
RUN chown -R opensearch:opensearch /usr/share/opensearch/securityconfig/
# Create a script to apply security configuration after OpenSearch starts
RUN echo '#!/bin/bash' > /usr/share/opensearch/setup-security.sh && \
echo 'echo "Waiting for OpenSearch to start..."' >> /usr/share/opensearch/setup-security.sh && \
echo 'PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-${OPENSEARCH_PASSWORD}}' >> /usr/share/opensearch/setup-security.sh && \
echo 'if [ -z "$PASSWORD" ]; then echo "[ERROR] OPENSEARCH_INITIAL_ADMIN_PASSWORD or OPENSEARCH_PASSWORD must be set"; exit 1; fi' >> /usr/share/opensearch/setup-security.sh && \
echo 'until curl -s -k -u admin:$PASSWORD https://localhost:9200; do sleep 1; done' >> /usr/share/opensearch/setup-security.sh && \
echo 'echo "Generating admin hash from configured password..."' >> /usr/share/opensearch/setup-security.sh && \
echo 'HASH=$(/usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p "$PASSWORD")' >> /usr/share/opensearch/setup-security.sh && \
echo 'if [ -z "$HASH" ]; then echo "[ERROR] Failed to generate admin hash"; exit 1; fi' >> /usr/share/opensearch/setup-security.sh && \
echo 'sed -i "s|^ hash: \".*\"| hash: \"$HASH\"|" /usr/share/opensearch/securityconfig/internal_users.yml' >> /usr/share/opensearch/setup-security.sh && \
echo 'echo "Updated internal_users.yml with runtime-generated admin hash"' >> /usr/share/opensearch/setup-security.sh && \
echo 'echo "Applying OIDC and DLS security configuration..."' >> /usr/share/opensearch/setup-security.sh && \
echo '/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \' >> /usr/share/opensearch/setup-security.sh && \
echo ' -cd /usr/share/opensearch/securityconfig \' >> /usr/share/opensearch/setup-security.sh && \
echo ' -icl -nhnv \' >> /usr/share/opensearch/setup-security.sh && \
echo ' -cacert /usr/share/opensearch/config/root-ca.pem \' >> /usr/share/opensearch/setup-security.sh && \
echo ' -cert /usr/share/opensearch/config/kirk.pem \' >> /usr/share/opensearch/setup-security.sh && \
echo ' -key /usr/share/opensearch/config/kirk-key.pem' >> /usr/share/opensearch/setup-security.sh && \
echo 'echo "Security configuration applied successfully"' >> /usr/share/opensearch/setup-security.sh && \
chmod +x /usr/share/opensearch/setup-security.sh
########################################
# Final runtime settings
########################################
USER opensearch
WORKDIR $OPENSEARCH_HOME
ENV JAVA_HOME=$OPENSEARCH_HOME/jdk
ENV PATH=$PATH:$JAVA_HOME/bin:$OPENSEARCH_HOME/bin
# Expose ports
EXPOSE 9200 9300 9600 9650
ENTRYPOINT ["./opensearch-docker-entrypoint.sh"]
CMD ["opensearch"]
Reference in a new issue View git blame Copy permalink