Versions Compared

Old Version 22

changes.mady.by.user Krishna Agarwal

Saved on

compared with

New Version Current

changes.mady.by.user Vedarth Sharma

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added code changes section

Table of Contents

Status

Current state: Accepted

Under Discussion thread: here

Discussion Voting thread: here

JIRA: KAFKA-15445

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

  1. Secrets will be provided to the container using folder mount.
  2. If a property is provided both in the mounted file and as an environment variable, the value from the environment variable will take precedence.

Code changes

  • We are introducing a Docker wrapper into the Kafka codebase. This wrapper will encapsulate the logic required to set up property files, adhering to the rules outlined in the previous section.
  • This Docker wrapper will be supported by bash scripts, which will be situated within the Docker container. These scripts will serve as the entry point for the Docker image, streamlining the process.
  • Previously, we utilized Golang for the setup of the property files. However, once the Docker wrapper changes are integrated, the Golang code will be removed. This change will eliminate the need for maintaining support for an additional language in the codebase, reducing overhead.

NOTE:

  1. Having the logic to configure property files in the kafka codebase, means that there will be a dependency on the kafka binary tarball that is containerised inside the docker image.
  2. Hence, previous versions of kafka which do not contain this Docker wrapper will not be supported for Docker image generation.

Class Data Sharing(CDS)

We did a small POC with class data sharing (CDS) feature that can help reduce the startup time and memory footprints for Java applications.

Code Block
System details: M2 Mac, 32GB memory.

JSA file created for bringing up Kafka (default Kraft configs): ~45MB
Local Kafka startup time (without JSA): 1.592 secs
Local Kafka startup time (with JSA): 1.016 secs
Local Kafka startup memory usage (without JSA): 440MB
Local Kafka startup memory usage (with JSA): 380MB

NOTE: The jsa files were created only by covering the Kafka Startup code path and resulted in ~45MB of size.

We can see a ~30% reduction in the startup time.

Following are the points to consider:

  1. Docker Image Size: Adding the jsa files will increase the size of the Docker image. Classes stored in the CDS are a few times (e.g., 2 – 5x) larger than classes stored in JAR files
  2. Choosing Application Usage for JSA: For our POC, we focused on Kafka startup using default configurations. It's crucial to decide how broadly the application should be used to generate jsa files.
  3. Startup Memory Footprint: While we did observe a reduction in startup memory footprint, we believe this difference may not significantly scale with production load.
  4. CDS Archive Exclusions: The CDS archive doesn't include pre-JDK 6 classes, which are present in our codebase.
  5. Limitations of CDS:
    1. The OpenJDK version used for building the jsa files and during runtime must be the same. If they are not, application wont fail but the expected optimisation won't be achieved.
    2. If a custom JAR is provided by the user, it's currently prepended to the existing classpath. However, CDS requires that the classpath used during jsa file generation should either be the same or a prefix of the classpath used during runtime. Otherwise, it will be disabled, and the expected optimisation won't be achieved.

Given the notable reduction in the startup time, we've made the decision to incorporate the CDS in the Docker image.
The jsa file will be generated dynamically as a docker layer using the following workflow in the kraft mode:

  1. Start Apache Kafka
  2. Create a topic, produce messages, and consume messages
  3. Stop Kafka


Compatibility, Deprecation, and Migration Plan

  • For existing apache kafka users there will be no impact as JVM based docker image will be a new feature.

EOL Policy

We are not changing the EOL policy for the docker image and want to keep it inline with the Apache Kafka EOL Policy.

Test Plan

  • Testing the functionality of the Apache Kafka packaged in the image

    • The image will consist of the official tarball released by Apache Kafka.

    • The above tarball is pre tested as the part of Apache Kafka release.

    • Hence no extra testing is required for the Apache Kafka packaged in the image.

  • Testing the Docker Image - Integration of the Apache Kafka with the Docker

    • Dockerizing Apache Kafka requires additional steps like, passing the configs from the user to the properties file in the container, passing credentials etc.

    • Sanity tests will be added to test the proper functionality of the docker image.

Build, Test and Scanning Pipeline

Build and Test

Prior to release, the Docker images must undergo building, testing, and vulnerability scanning. To streamline this process, we'll be setting up a GitHub Actions workflow. This workflow will generate two reports: one for test results and another for scanning results. These reports will be available for community review before voting.

Scanning Previously Released Images

We intend to setup a nightly cron job using GitHub Actions and leverage an open-source vulnerability scanning tool like trivy (https://github.com/aquasecurity/trivy), to get vulnerability reports on all supported images. This tool offers a straightforward way to integrate vulnerability checks directly into our GitHub Actions workflow. 

Release Process

Following is the plan to release the Docker image:

  1. RM would have generated and pushed Apache Kafka's Release Candidate artifacts to apache sftp server hosted in home.apache.org by release.py script
  2. Run the script automation to build the docker image(using the above Release Candidate tarball URL) and test the image locally.

  3. The docker image needs to be pushed to some Dockerhub repo(eg. Release Manager's) for the evaluation of RC Docker image.

  4. Start the Voting for RC, which will include the Docker image as well as docker sanity tests report.

  5. In case any docker image specific issue is detected, that will be evaluated by the community, if it’s a release blocker or not.

  6. Once the vote passes, the image will be pushed to apache/kafka with the version as tag.

  7. Steps for the Docker image release will be included in the Release Process doc of Apache Kafka

  8. eg. for AK release 3.7.0 and image released will be apache/kafka:3.7.0 (=> image contains AK 3.7.0)

...