grafana / pyroscope

Continuous Profiling Platform. Debug performance issues down to a single line of code
https://grafana.com/oss/pyroscope/
GNU Affero General Public License v3.0

Missing Shell in newer Docker images #3478

Open tina-junold opened 3 months ago

tina-junold commented 3 months ago

Describe the bug

The newer images (distroless) are missing a shell. This shell is required if a custom entrypoint is defined. In a Docker Compose environment this is mandatory to define -memberlist.advertise-addr dynamically.

To Reproduce

Use grafana/pyroscope:latest

Expected behavior

Add a shell to the distroless containers or add another "alpine"? based container

Environment

.env

PYROSCOPE_CONFIG_FILE=pyroscope.yaml
PYROSCOPE_CONFIG_PATH=/etc/pyroscope
PYROSCOPE_CONFIG_PATH_LOCAL=./config/pyroscope
PYROSCOPE_HOST=pyroscope
PYROSCOPE_PORT=4040
PYROSCOPE_LOG_LEVEL=debug

docker-compose.yml

services:
  pyroscope:
    env_file:
      - './.env'
    image: 'grafana/pyroscope:latest'
    # original behavior
    # entrypoint: '${PYROSCOPE_CONFIG_PATH}/entrypoint.sh'
    command:
      # current workaround, but may work on my machine
      - '-memberlist.advertise-addr=172.17.0.1'
      - '-config.file=${PYROSCOPE_CONFIG_PATH}/${PYROSCOPE_CONFIG_FILE}'
      - '-config.expand-env=true'
    volumes:
      - '${PYROSCOPE_CONFIG_PATH_LOCAL}:${PYROSCOPE_CONFIG_PATH}'
    ports:
      - '${PYROSCOPE_PORT}:${PYROSCOPE_PORT}/tcp'
    extra_hosts:
      - 'host.docker.internal:host-gateway'

pyroscope.yaml

---
server:
  http_listen_port: ${PYROSCOPE_PORT}

entrypoint.sh

#!/usr/bin/env sh

/usr/bin/pyroscope -memberlist.advertise-addr="$(getent hosts host.docker.internal | awk '{ print $1 }')" "$@"

Additional information

The same problem also occurs on Mimir; at least they have an alpine Dockerfile, but it is not published.
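As an added example (not from the issue and not pyroscope's own code): one way to keep the distroless image shell-free and still set the advertise address dynamically is to replace entrypoint.sh with a small static Go wrapper that does what the `getent hosts | awk` pipeline did and then execs pyroscope. It assumes the binary lives at /usr/bin/pyroscope as in the posted script, that host.docker.internal is mapped via extra_hosts, and that this wrapper is copied into the image and used as the entrypoint.

```go
// Hypothetical shell-free replacement for entrypoint.sh (not pyroscope's own code):
// resolve host.docker.internal, then exec pyroscope with -memberlist.advertise-addr.
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

const (
	pyroscopeBin = "/usr/bin/pyroscope"   // path used by the original entrypoint.sh
	gatewayHost  = "host.docker.internal" // mapped via extra_hosts: host-gateway
)

// pickIPv4 mirrors `getent hosts ... | awk '{ print $1 }'`: take the first
// IPv4 address, and fail loudly instead of passing an empty flag value.
func pickIPv4(ips []net.IP) (string, error) {
	for _, ip := range ips {
		if v4 := ip.To4(); v4 != nil {
			return v4.String(), nil
		}
	}
	return "", fmt.Errorf("no IPv4 address among %v", ips)
}

// buildArgv places the advertise-addr flag before the compose `command`
// arguments (argv[0] must be the binary name for syscall.Exec).
func buildArgv(addr string, extra []string) []string {
	argv := []string{pyroscopeBin, "-memberlist.advertise-addr=" + addr}
	return append(argv, extra...)
}

func main() {
	ips, err := net.LookupIP(gatewayHost)
	if err != nil {
		fmt.Fprintf(os.Stderr, "resolve %s: %v\n", gatewayHost, err)
		os.Exit(1)
	}
	addr, err := pickIPv4(ips)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Exec (not fork) so pyroscope stays PID 1 and receives container signals; unix only.
	err = syscall.Exec(pyroscopeBin, buildArgv(addr, os.Args[1:]), os.Environ())
	fmt.Fprintf(os.Stderr, "exec %s: %v\n", pyroscopeBin, err) // only reached on failure
	os.Exit(1)
}
```

Build it with CGO_ENABLED=0 so it runs in the distroless image without libc, and point `entrypoint:` at it instead of the shell script.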

simonswine commented 3 months ago

One of the points of using distroless is to reduce "attack surface" / "CVE noise". Adding a shell back would counteract this.

I get your use case; let's think about what would be the best compromise. We also have an image with a shell and a debugger in it: https://github.com/grafana/pyroscope/blob/main/cmd/pyroscope/debug.Dockerfile, which is not published.

Do you think it would help you if we published those debug images?

tina-junold commented 3 months ago

Since we are using a debug/local telemetry stack (alloy, grafana, loki, mimir, pyroscope, tempo) for testing our applications locally, I think releasing a debug image is suitable enough :-)

Do you know if the Mimir team can do the same?

Best regards, Tina