From ee35f75ecd15bd72e0d04af61fdd8d78a76883f6 Mon Sep 17 00:00:00 2001
From: jack-baines
Date: Mon, 29 Jul 2024 12:55:14 +0100
Subject: [PATCH 1/5] Reduce footprint of UBI images by only keeping relevant packages and rpm DB
Signed-off-by: jack-baines
---
 Dockerfile.ubi | 29 ++++++++++++++++++++++++-----
 ubi-build-files-amd64.txt | 15 +++++++++++++++
 ubi-build-files-arm64.txt | 15 +++++++++++++++
 3 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 ubi-build-files-amd64.txt
 create mode 100644 ubi-build-files-arm64.txt
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 33d134805..d43579c8b 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -3,16 +3,35 @@ ARG BASE_IMAGE
 FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} as SRC
-FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi-minimal:latest}
+FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi:latest} as minimal-ubi
+RUN dnf update -y && dnf install -y binutils
+# prep target rootfs for scratch container
 WORKDIR /
-COPY --from=SRC /manager .
+RUN mkdir /image && \
+ ln -s usr/bin /image/bin && \
+ ln -s usr/sbin /image/sbin && \
+ ln -s usr/lib64 /image/lib64 && \
+ ln -s usr/lib /image/lib && \
+ mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
-# Update image
-RUN microdnf update
+COPY ubi-build-files-${${BUILDPLATFORM#*/}}.txt /tmp
+# Copy all the required files from the base UBI image into the image directory
+# As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
+RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${${BUILDPLATFORM#*/}}.txt && tar xf /tmp/files.tar -C /image/ \
+ && strip --strip-unneeded /image/usr/lib64/*[0-9].so
-USER 65532:65532
+# Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
+RUN rpm --root /image --initdb \
+ && PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${${BUILDPLATFORM#*/}}.txt) | grep -v "is not owned by any package" | sort -u) \
+ && echo dnf install -y 'dnf-command(download)' \
+ && dnf download --destdir / ${PACKAGES} \
+ && rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
+FROM scratch
+COPY --from=minimal-ubi /image/ /
+COPY --from=SRC /manager .
+USER 65532:65532
 # Port for metrics and probes
 EXPOSE 9090
diff --git a/ubi-build-files-amd64.txt b/ubi-build-files-amd64.txt
new file mode 100644
index 000000000..19ed69cf9
--- /dev/null
+++ b/ubi-build-files-amd64.txt
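Review bot: In the last builder-stage `RUN` of the Dockerfile.ubi hunk, `&& echo dnf install -y 'dnf-command(download)' \` only prints the command, so nothing is installed and the following `dnf download --destdir / ${PACKAGES}` works only if the base image already provides the download plugin. Either run it for real, `&& dnf install -y 'dnf-command(download)' \`, or delete the line so the step does not read as if it guaranteed the dependency. The line is carried unchanged as context through patches 2/5 and 4/5, so it is still present at the end of the series.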
@@ -0,0 +1,15 @@
+etc/pki
+root/buildinfo
+etc/ssl/certs
+etc/redhat-release
+usr/share/zoneinfo
+usr/lib64/ld-2.28.so
+usr/lib64/ld-linux-x86-64.so.2
+usr/lib64/libc-2.28.so
+usr/lib64/libc.so.6
+usr/lib64/libdl-2.28.so
+usr/lib64/libdl.so.2
+usr/lib64/libpthread-2.28.so
+usr/lib64/libpthread.so.0
+usr/lib64/libm-2.28.so
+usr/lib64/libm.so.6
diff --git a/ubi-build-files-arm64.txt b/ubi-build-files-arm64.txt
new file mode 100644
index 000000000..32491847f
--- /dev/null
+++ b/ubi-build-files-arm64.txt
@@ -0,0 +1,15 @@
+etc/pki
+root/buildinfo
+etc/ssl/certs
+etc/redhat-release
+usr/share/zoneinfo
+usr/lib64/ld-2.28.so
+usr/lib64/ld-linux-aarch64.so.1
+usr/lib64/libc-2.28.so
+usr/lib64/libc.so.6
+usr/lib64/libdl-2.28.so
+usr/lib64/libdl.so.2
+usr/lib64/libpthread-2.28.so
+usr/lib64/libpthread.so.0
+usr/lib64/libm-2.28.so
+usr/lib64/libm.so.6
From 085309a9b00c64f675ecc22242c91ef238fde04b Mon Sep 17 00:00:00 2001
From: jack-baines
Date: Mon, 29 Jul 2024 13:06:11 +0100
Subject: [PATCH 2/5] Fix bash syntax error
Signed-off-by: jack-baines
---
 Dockerfile.ubi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index d43579c8b..71c94eeea 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
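Review bot: Both new file lists (amd64 and arm64) name glibc files by version, for example `usr/lib64/libc-2.28.so` and `usr/lib64/ld-2.28.so`, so they are valid only for a base image whose glibc is 2.28. Dockerfile.ubi, however, accepts any `BASE_IMAGE`, defaults to the floating `ubi8/ubi:latest` tag, and runs `dnf update -y` before copying. The libraries that land in the scratch image therefore depend on when and from which base the build ran, and a different base would presumably only surface as a failing `tar -T` step. The lists are fed verbatim to `tar -T` and `rpm -qf` and so cannot carry a comment themselves; I would record the coupling next to the `COPY` in Dockerfile.ubi, `# file lists are UBI 8 / glibc 2.28 specific; update them together with BASE_IMAGE`, and pin the default base by digest (`ubi8/ubi@sha256:DIGEST_PLACEHOLDER`) so the image contents are reproducible.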
@@ -15,15 +15,15 @@ RUN mkdir /image && \
 ln -s usr/lib /image/lib && \
 mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
-COPY ubi-build-files-${${BUILDPLATFORM#*/}}.txt /tmp
+COPY ubi-build-files-${BUILDPLATFORM#*/}.txt /tmp
 # Copy all the required files from the base UBI image into the image directory
 # As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
-RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${${BUILDPLATFORM#*/}}.txt && tar xf /tmp/files.tar -C /image/ \
+RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${BUILDPLATFORM#*/}.txt && tar xf /tmp/files.tar -C /image/ \
 && strip --strip-unneeded /image/usr/lib64/*[0-9].so
 # Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
 RUN rpm --root /image --initdb \
- && PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${${BUILDPLATFORM#*/}}.txt) | grep -v "is not owned by any package" | sort -u) \
+ && PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${BUILDPLATFORM#*/}.txt) | grep -v "is not owned by any package" | sort -u) \
 && echo dnf install -y 'dnf-command(download)' \
 && dnf download --destdir / ${PACKAGES} \
 && rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
From c353a98e2c2f7b519c5ab506906b7dde0bc6fd79 Mon Sep 17 00:00:00 2001
From: jack-baines
Date: Mon, 29 Jul 2024 14:15:37 +0100
Subject: [PATCH 3/5] Add missing ARG
Signed-off-by: jack-baines
---
 Dockerfile.ubi | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 71c94eeea..99c5540af 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -4,6 +4,7 @@ ARG BASE_IMAGE
 FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} as SRC
 FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi:latest} as minimal-ubi
+ARG BUILDPLATFORM
 RUN dnf update -y && dnf install -y binutils
 # prep target rootfs for scratch container
From e4f4f5a01e593eb9d22f038cc8bb86142bf48e2f Mon Sep 17 00:00:00 2001
From: jack-baines
Date: Mon, 29 Jul 2024 16:46:44 +0100
Subject: [PATCH 4/5] TARGETARCH set by buildx and avoids splitting another VAR
Signed-off-by: jack-baines
---
 Dockerfile.ubi | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 99c5540af..ac8e63558 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -4,7 +4,8 @@ ARG BASE_IMAGE
 FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} as SRC
 FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi:latest} as minimal-ubi
-ARG BUILDPLATFORM
+ARG TARGETARCH
+
 RUN dnf update -y && dnf install -y binutils
 # prep target rootfs for scratch container
@@ -16,15 +17,15 @@ RUN mkdir /image && \
 ln -s usr/lib /image/lib && \
 mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
-COPY ubi-build-files-${BUILDPLATFORM#*/}.txt /tmp
+COPY ubi-build-files-${TARGETARCH}.txt /tmp
 # Copy all the required files from the base UBI image into the image directory
 # As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
-RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${BUILDPLATFORM#*/}.txt && tar xf /tmp/files.tar -C /image/ \
+RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/ \
 && strip --strip-unneeded /image/usr/lib64/*[0-9].so
 # Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
 RUN rpm --root /image --initdb \
- && PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${BUILDPLATFORM#*/}.txt) | grep -v "is not owned by any package" | sort -u) \
+ && PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${TARGETARCH}.txt) | grep -v "is not owned by any package" | sort -u) \
 && echo dnf install -y 'dnf-command(download)' \
 && dnf download --destdir / ${PACKAGES} \
 && rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
From 5d6b6f4f969d3595862586a59fe605011ef60558 Mon Sep 17 00:00:00 2001
From: Jack Baines
Date: Tue, 27 Aug 2024 09:13:51 +0100
Subject: [PATCH 5/5] Update Dockerfile.ubi Change top level build label to avoid confusion
---
 Dockerfile.ubi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index ac8e63558..13562cf6a 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -3,7 +3,7 @@ ARG BASE_IMAGE
 FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} as SRC
-FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi:latest} as minimal-ubi
+FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi8/ubi:latest} as ubi
 ARG TARGETARCH
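Review bot: The rpm database built by the `RUN rpm --root /image --initdb …` step in the second hunk of patch 4/5 does not describe the files actually shipped: `strip --strip-unneeded /image/usr/lib64/*[0-9].so` rewrites the copied libraries, and `rpm -ivh --justdb --nodeps` registers whole packages although only the listed paths were copied into `/image`. That is fine as a version inventory for scanners, but anyone verifying the image against the database (for example with `rpm -V`) should expect missing and modified files, so the intent needs to be written down. I would extend the existing comment above the step with `# rpm DB is inventory only: files are a stripped subset of each package and will not pass rpm verification`. The same lines first appear in patch 1/5 and are touched again in patch 2/5.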
@@ -31,7 +31,7 @@ RUN rpm --root /image --initdb \
 && rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
 FROM scratch
-COPY --from=minimal-ubi /image/ /
+COPY --from=ubi /image/ /
 COPY --from=SRC /manager .
 USER 65532:65532
 # Port for metrics and probes