Recommended Docker Image Architecture

Question

We have a "few" applications we want to run in a docker container. Our initial attempt created an "base image" that served as the basis for the different application images. It contained the base Linux OS, jdk, etc. Now we are looking at adding integration with ELK stack which we will run on separate server cluster. I am looking at using Metric Beat and File Beat to send data to the ELK cluster.

I am considering a couple of approaches and was wondering which is better (or another >>).

• Add File Beat and Metric Beat to the "base image". The application images would use that for the base and add configuration for Beats modules.
• Run File Beat and Metric Beat as separate docker containers on each server and utilize docker compose to orchestrate.
• Utilize the Elastic agent as a separate container?

Thanks

Answer 1

I suggest having 1 application per container and using Kubernetes as a container scheduler.

Some of the benefits:

• Smaller images, each with a single process makes easier to scale each app independently
• Each container can write logs to the standard output, logs are collected by K8s into the local disk. Filebeat can mount the local disk (eg. /var/log/containers) from the k8s node and stream logs to ELK. You would need to run Filebeat in a Daemonset if you have more than a single k8s node, so that you stream all the logs from each container from each k8s node.
• Each app can expose a Prometheus like endpoint at the same port, you can use metricbeat to collect those metrics (again one instance per k8s node) and stream them to ELK

Elastic agent vs filebeat/metricbeat is just a matter of convenience. Elastic agent is easier to manage if you have Fleet server in your stack. You can start/stop elastic agents, add integrations, and change agent policies in a centralized way. It might be overkill for a simple project but it is always my first choice.