From f91c52c15ca7489f8416c00eb677eaf698b286dc Mon Sep 17 00:00:00 2001 From: Bernd Ahlers Date: Thu, 21 May 2026 19:23:42 +0200 Subject: [PATCH 1/4] Add more build args for Forwarder image --- docker/forwarder/Dockerfile | 66 +++++++++++++++++------- docker/forwarder/forwarder-entrypoint.sh | 2 +- 2 files changed, 47 insertions(+), 21 deletions(-) diff --git a/docker/forwarder/Dockerfile b/docker/forwarder/Dockerfile index 51823983..29213c9f 100644 --- a/docker/forwarder/Dockerfile +++ b/docker/forwarder/Dockerfile @@ -1,24 +1,41 @@ FROM eclipse-temurin:21-jre-noble +ARG LABEL_MAINTAINER="Graylog, Inc. " +ARG LABEL_NAME="Graylog Forwarder Docker Image" +ARG LABEL_DESCRIPTION="Official Graylog Forwarder Docker image" +ARG LABEL_URL="https://www.graylog.org/" +ARG LABEL_VCS_URL="https://github.com/Graylog2/graylog-docker" +ARG LABEL_VENDOR="Graylog, Inc." +ARG SLUG="graylog" + ARG VCS_REF ARG BUILD_DATE ARG GRAYLOG_FORWARDER_VERSION ARG GRAYLOG_FORWARDER_IMAGE_VERSION -ARG GRAYLOG_FORWARDER_ROOT=/usr/share/graylog-forwarder -ARG GRAYLOG_FORWARDER_FILE=/tmp/graylog-forwarder-bin.tar.gz +ARG GRAYLOG_FORWARDER_ROOT=/usr/share/${SLUG}-forwarder +ARG GRAYLOG_FORWARDER_FILE=/tmp/${SLUG}-forwarder-bin.tar.gz ARG DEBIAN_FRONTEND=noninteractive -ENV FORWARDER_CONFIG_FILE=/etc/graylog/forwarder/forwarder.conf -ENV FORWARDER_JVM_OPTIONS_FILE=/etc/graylog/forwarder/jvm.options -ENV FORWARDER_DATA_DIR=/var/lib/graylog-forwarder +# We default to an empty file instead of leaving LOCAL_BUILD_TGZ blank +# because Docker would execute the following COPY command with a blank +# value: +# COPY "" "/tmp/forwarder.tgz" +# That creates a /tmp/forwarder.tgz *directory* in the container with +# all files from the build context. +ARG LOCAL_BUILD_TGZ=.empty + +ENV FORWARDER_CONFIG_FILE=/etc/${SLUG}/forwarder/forwarder.conf +ENV FORWARDER_JVM_OPTIONS_FILE=/etc/${SLUG}/forwarder/jvm.options +ENV FORWARDER_DATA_DIR=/var/lib/${SLUG}-forwarder # We are using an empty forwarder.conf file so we are setting defaults # via environment variables: -ENV GRAYLOG_BIN_DIR=/usr/share/graylog-forwarder/bin -ENV GRAYLOG_PLUGIN_DIR=/usr/share/graylog-forwarder/plugin -ENV GRAYLOG_DATA_DIR=/var/lib/graylog-forwarder/data -ENV GRAYLOG_MESSAGE_JOURNAL_DIR=/var/lib/graylog-forwarder/journal -ENV GRAYLOG_NODE_ID_FILE=/var/lib/graylog-forwarder/node-id +ENV GRAYLOG_BIN_DIR=/usr/share/${SLUG}-forwarder/bin +ENV GRAYLOG_BIN_SCRIPT=${GRAYLOG_BIN_DIR}/${SLUG}-forwarder +ENV GRAYLOG_PLUGIN_DIR=/usr/share/${SLUG}-forwarder/plugin +ENV GRAYLOG_DATA_DIR=/var/lib/${SLUG}-forwarder/data +ENV GRAYLOG_MESSAGE_JOURNAL_DIR=/var/lib/${SLUG}-forwarder/journal +ENV GRAYLOG_NODE_ID_FILE=/var/lib/${SLUG}-forwarder/node-id # hadolint ignore=DL3008 RUN apt-get update && \ @@ -29,13 +46,22 @@ RUN apt-get update && \ SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl \ +COPY "${LOCAL_BUILD_TGZ}" "/tmp/local-forwarder.tgz" + +# An empty /tmp/forwarder.tgz file indicates that we don't use a +# custom LOCAL_BUILD_TGZ file. +RUN if [ -f "/tmp/local-forwarder.tgz" ] && [ -s "/tmp/local-forwarder.tgz" ]; then \ + mv "/tmp/local-forwarder.tgz" "$GRAYLOG_FORWARDER_FILE"; \ + fi + +RUN test "LOCAL_BUILD_TGZ" != ".empty" && curl \ --silent \ --location \ --retry 3 \ --output "$GRAYLOG_FORWARDER_FILE" \ - "https://packages.graylog2.org/releases/cloud/forwarder/${GRAYLOG_FORWARDER_VERSION}/graylog-forwarder-${GRAYLOG_FORWARDER_VERSION}-bin.tar.gz" && \ - install -d -o root -g root -m 0755 "$GRAYLOG_FORWARDER_ROOT" && \ + "https://downloads.graylog.org/releases/cloud/forwarder/${GRAYLOG_FORWARDER_VERSION}/graylog-forwarder-${GRAYLOG_FORWARDER_VERSION}-bin.tar.gz" + +RUN install -d -o root -g root -m 0755 "$GRAYLOG_FORWARDER_ROOT" && \ tar -C "$GRAYLOG_FORWARDER_ROOT" -xzf "$GRAYLOG_FORWARDER_FILE" && \ chown -R root.root "$GRAYLOG_FORWARDER_ROOT" && \ install -d -o root -g root -m 0755 "$FORWARDER_DATA_DIR" && \ @@ -45,17 +71,17 @@ RUN curl \ echo "forwarder_grpc_api_token =" >> "$FORWARDER_CONFIG_FILE" && \ mv "${GRAYLOG_FORWARDER_ROOT}/config/jvm.options" "$FORWARDER_JVM_OPTIONS_FILE" && \ rmdir "${GRAYLOG_FORWARDER_ROOT}/config" && \ - rm -f "$GRAYLOG_FORWARDER_FILE" + rm -f "$GRAYLOG_FORWARDER_FILE" "/tmp/local-forwarder.tgz" COPY docker/forwarder/forwarder-entrypoint.sh / -LABEL maintainer="Graylog, Inc. " \ - org.label-schema.name="Graylog Forwarder Docker Image" \ - org.label-schema.description="Official Graylog Forwarder Docker image" \ - org.label-schema.url="https://www.graylog.org/" \ +LABEL maintainer="${LABEL_MAINTAINER}" \ + org.label-schema.name="${LABEL_NAME}" \ + org.label-schema.description="${LABEL_DESCRIPTION}" \ + org.label-schema.url="${LABEL_URL}" \ org.label-schema.vcs-ref=${VCS_REF} \ - org.label-schema.vcs-url="https://github.com/Graylog2/graylog-docker" \ - org.label-schema.vendor="Graylog, Inc." \ + org.label-schema.vcs-url="${LABEL_VCS_URL}" \ + org.label-schema.vendor="${LABEL_VENDOR}" \ org.label-schema.version=${GRAYLOG_FORWARDER_IMAGE_VERSION} \ org.label-schema.schema-version="1.0" \ org.label-schema.build-date=${BUILD_DATE} diff --git a/docker/forwarder/forwarder-entrypoint.sh b/docker/forwarder/forwarder-entrypoint.sh index 0ff76a9e..bcb663aa 100755 --- a/docker/forwarder/forwarder-entrypoint.sh +++ b/docker/forwarder/forwarder-entrypoint.sh @@ -26,4 +26,4 @@ done /usr/bin/install -d -o root -g root -m 0755 "$GRAYLOG_DATA_DIR" /usr/bin/install -d -o root -g root -m 0755 "$GRAYLOG_MESSAGE_JOURNAL_DIR" -exec "${GRAYLOG_BIN_DIR}/graylog-forwarder" run -f "$FORWARDER_CONFIG_FILE" +exec "${GRAYLOG_BIN_SCRIPT}" run -f "$FORWARDER_CONFIG_FILE" From 972cc4c673cc84d26b20c74f12e69308fe52f853 Mon Sep 17 00:00:00 2001 From: Bernd Ahlers Date: Fri, 22 May 2026 10:46:31 +0200 Subject: [PATCH 2/4] Fix logic for curl condition --- docker/forwarder/Dockerfile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docker/forwarder/Dockerfile b/docker/forwarder/Dockerfile index 29213c9f..f23e98fe 100644 --- a/docker/forwarder/Dockerfile +++ b/docker/forwarder/Dockerfile @@ -54,12 +54,10 @@ RUN if [ -f "/tmp/local-forwarder.tgz" ] && [ -s "/tmp/local-forwarder.tgz" ]; t mv "/tmp/local-forwarder.tgz" "$GRAYLOG_FORWARDER_FILE"; \ fi -RUN test "LOCAL_BUILD_TGZ" != ".empty" && curl \ - --silent \ - --location \ - --retry 3 \ - --output "$GRAYLOG_FORWARDER_FILE" \ - "https://downloads.graylog.org/releases/cloud/forwarder/${GRAYLOG_FORWARDER_VERSION}/graylog-forwarder-${GRAYLOG_FORWARDER_VERSION}-bin.tar.gz" +RUN if [ "${LOCAL_BUILD_TGZ}" = ".empty" ]; then \ + curl -fsSL --retry 3 --output "$GRAYLOG_FORWARDER_FILE" \ + "https://downloads.graylog.org/releases/cloud/forwarder/${GRAYLOG_FORWARDER_VERSION}/graylog-forwarder-${GRAYLOG_FORWARDER_VERSION}-bin.tar.gz"; \ + fi RUN install -d -o root -g root -m 0755 "$GRAYLOG_FORWARDER_ROOT" && \ tar -C "$GRAYLOG_FORWARDER_ROOT" -xzf "$GRAYLOG_FORWARDER_FILE" && \ From 80054698d330abb01daf77b8d961c97b0b4ec854 Mon Sep 17 00:00:00 2001 From: Bernd Ahlers Date: Fri, 22 May 2026 13:39:05 +0200 Subject: [PATCH 3/4] Download and extract artifact in separate stage --- docker/forwarder/Dockerfile | 64 ++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 26 deletions(-) diff --git a/docker/forwarder/Dockerfile b/docker/forwarder/Dockerfile index f23e98fe..29805fe6 100644 --- a/docker/forwarder/Dockerfile +++ b/docker/forwarder/Dockerfile @@ -1,3 +1,37 @@ +############################################################################### +# Build layer - download and extract artifact +############################################################################### +FROM eclipse-temurin:21-jre-noble AS builder + +ARG GRAYLOG_FORWARDER_VERSION +ARG DEBIAN_FRONTEND=noninteractive + +# We default to an empty file instead of leaving LOCAL_BUILD_TGZ blank +# because Docker would execute the following COPY command with a blank +# value: +# COPY "" "/tmp/forwarder.tgz" +# That creates a /tmp/forwarder.tgz *directory* in the container with +# all files from the build context. +ARG LOCAL_BUILD_TGZ=.empty + +COPY "${LOCAL_BUILD_TGZ}" "/tmp/local-forwarder.tgz" + +# An empty /tmp/forwarder.tgz file indicates that we don't use a +# custom LOCAL_BUILD_TGZ file. +RUN if [ -f "/tmp/local-forwarder.tgz" ] && [ -s "/tmp/local-forwarder.tgz" ]; then \ + mv "/tmp/local-forwarder.tgz" "/tmp/forwarder.tgz"; \ + fi; \ + if [ "${LOCAL_BUILD_TGZ}" = ".empty" ]; then \ + curl -fsSL --retry 3 --output "/tmp/forwarder.tgz" \ + "https://downloads.graylog.org/releases/cloud/forwarder/${GRAYLOG_FORWARDER_VERSION}/graylog-forwarder-${GRAYLOG_FORWARDER_VERSION}-bin.tar.gz"; \ + fi && \ + install -d -o root -g root -m 0755 "/tmp/forwarder"; \ + tar -C "/tmp/forwarder" -xvzf "/tmp/forwarder.tgz"; \ + rm -f "/tmp/forwarder.tgz" "/tmp/local-forwarder.tgz" + +############################################################################### +# Final layer +############################################################################### FROM eclipse-temurin:21-jre-noble ARG LABEL_MAINTAINER="Graylog, Inc. " @@ -13,17 +47,8 @@ ARG BUILD_DATE ARG GRAYLOG_FORWARDER_VERSION ARG GRAYLOG_FORWARDER_IMAGE_VERSION ARG GRAYLOG_FORWARDER_ROOT=/usr/share/${SLUG}-forwarder -ARG GRAYLOG_FORWARDER_FILE=/tmp/${SLUG}-forwarder-bin.tar.gz ARG DEBIAN_FRONTEND=noninteractive -# We default to an empty file instead of leaving LOCAL_BUILD_TGZ blank -# because Docker would execute the following COPY command with a blank -# value: -# COPY "" "/tmp/forwarder.tgz" -# That creates a /tmp/forwarder.tgz *directory* in the container with -# all files from the build context. -ARG LOCAL_BUILD_TGZ=.empty - ENV FORWARDER_CONFIG_FILE=/etc/${SLUG}/forwarder/forwarder.conf ENV FORWARDER_JVM_OPTIONS_FILE=/etc/${SLUG}/forwarder/jvm.options ENV FORWARDER_DATA_DIR=/var/lib/${SLUG}-forwarder @@ -46,30 +71,17 @@ RUN apt-get update && \ SHELL ["/bin/bash", "-o", "pipefail", "-c"] -COPY "${LOCAL_BUILD_TGZ}" "/tmp/local-forwarder.tgz" - -# An empty /tmp/forwarder.tgz file indicates that we don't use a -# custom LOCAL_BUILD_TGZ file. -RUN if [ -f "/tmp/local-forwarder.tgz" ] && [ -s "/tmp/local-forwarder.tgz" ]; then \ - mv "/tmp/local-forwarder.tgz" "$GRAYLOG_FORWARDER_FILE"; \ - fi +RUN install -d -o root -g root -m 0755 "$GRAYLOG_FORWARDER_ROOT" -RUN if [ "${LOCAL_BUILD_TGZ}" = ".empty" ]; then \ - curl -fsSL --retry 3 --output "$GRAYLOG_FORWARDER_FILE" \ - "https://downloads.graylog.org/releases/cloud/forwarder/${GRAYLOG_FORWARDER_VERSION}/graylog-forwarder-${GRAYLOG_FORWARDER_VERSION}-bin.tar.gz"; \ - fi +COPY --from=builder --chown=root:root /tmp/forwarder "${GRAYLOG_FORWARDER_ROOT}/" -RUN install -d -o root -g root -m 0755 "$GRAYLOG_FORWARDER_ROOT" && \ - tar -C "$GRAYLOG_FORWARDER_ROOT" -xzf "$GRAYLOG_FORWARDER_FILE" && \ - chown -R root.root "$GRAYLOG_FORWARDER_ROOT" && \ - install -d -o root -g root -m 0755 "$FORWARDER_DATA_DIR" && \ +RUN install -d -o root -g root -m 0755 "$FORWARDER_DATA_DIR" && \ install -d -o root -g root -m 0755 "$(dirname $FORWARDER_CONFIG_FILE)" && \ touch "$FORWARDER_CONFIG_FILE" && \ echo "forwarder_server_hostname =" >> "$FORWARDER_CONFIG_FILE" && \ echo "forwarder_grpc_api_token =" >> "$FORWARDER_CONFIG_FILE" && \ mv "${GRAYLOG_FORWARDER_ROOT}/config/jvm.options" "$FORWARDER_JVM_OPTIONS_FILE" && \ - rmdir "${GRAYLOG_FORWARDER_ROOT}/config" && \ - rm -f "$GRAYLOG_FORWARDER_FILE" "/tmp/local-forwarder.tgz" + rmdir "${GRAYLOG_FORWARDER_ROOT}/config" COPY docker/forwarder/forwarder-entrypoint.sh / From fceeab946817892c834201162ca4d169973d312a Mon Sep 17 00:00:00 2001 From: Bernd Ahlers Date: Fri, 22 May 2026 13:44:09 +0200 Subject: [PATCH 4/4] Remove unused build arg in final layer --- docker/forwarder/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/forwarder/Dockerfile b/docker/forwarder/Dockerfile index 29805fe6..b603ffda 100644 --- a/docker/forwarder/Dockerfile +++ b/docker/forwarder/Dockerfile @@ -44,7 +44,6 @@ ARG SLUG="graylog" ARG VCS_REF ARG BUILD_DATE -ARG GRAYLOG_FORWARDER_VERSION ARG GRAYLOG_FORWARDER_IMAGE_VERSION ARG GRAYLOG_FORWARDER_ROOT=/usr/share/${SLUG}-forwarder ARG DEBIAN_FRONTEND=noninteractive