add CLEANUPLEVEL arg for image-base #618
Conversation
Makefile
Outdated
| QEMU ?= calico/qemu-user-static | ||
| QEMU_IMAGE ?= $(QEMU):latest | ||
|
|
||
| # Base-image we'll use to build calico/base. | ||
| UBIBASE ?= registry.access.redhat.com/ubi8/ubi-minimal:latest |
There was a problem hiding this comment.
| UBIBASE ?= registry.access.redhat.com/ubi8/ubi-minimal:latest | |
| BASE_BASE_IMAGE ?= registry.access.redhat.com/ubi8/ubi-minimal:latest |
Bit of a stutter, but would align with the args below?
Makefile
Outdated
| # Base-image we'll use to build calico/base. | ||
| UBIBASE ?= registry.access.redhat.com/ubi8/ubi-minimal:latest | ||
| # The level of cleanup we perform on the calico/base image. One-of: stripped, unstripped. | ||
| BASE_CLEANUPLEVEL ?= stripped |
There was a problem hiding this comment.
| BASE_CLEANUPLEVEL ?= stripped | |
| BASE_CLEANUP_LEVEL ?= stripped |
I'd split those words
base/Dockerfile
Outdated
|
|
||
| # Stripped image. | ||
| FROM scratch AS intermediate-stripped |
There was a problem hiding this comment.
Is this intermediate one needed? Seems to duplicate source-stripped (or source-stripped could pull from ubi?
No licenses copied into source-unstripped? Is that because they're already there?
Worth comments explaining these details so next maintainer doesn't need to ask.
There was a problem hiding this comment.
Re: intermediate-stripped..
Prior to my changes, we build up the scratch image, and then the very bottom line says:
FROM scratch
COPY --from=source / /
I don't really understand this line, but it's why I've now got an intermediate-stripped and source-stripped. intermediate-stripped was called source, and source-stripped was the final step that I didn't fully see the point of, but tried to preserve.
I can ditch that last copy to a redundant scratch if you're confident it is redundant!
There was a problem hiding this comment.
The purpose of
FROM scratch
COPY --from=source / /
Is to throw away the docker image layers. It reduces image size if you've done some cleanup to the image in later layers. Otherwise, docker ends up pulling down the "earlier" layers in full and then the delta layers. So if you add a big file in an early layer and then remove it again later, you end up downloading the file anyway (a bit like git history).
|
I once tried the dnf You can pass in a flag to control the base image build steps. Either copy glibc files directly (leaving no rpm meta info) or using dnf to install to |
aaaaaaaalex
force-pushed
the
optionally-skip-base-cleanup
branch
2 times, most recently
from
7e3e9a5 to
541e31d
Compare
| # Unstripped image. | ||
| FROM ${BASE} AS source-unstripped | ||
| COPY --from=ubi / / | ||
| RUN rm -rf /rootfs |
There was a problem hiding this comment.
This step results an extra layer to the source-unstripped image and wasted space if not squashed.
There was a problem hiding this comment.
IMO I think that's fine - we dont intend to ship unstripped images, and anyone who want's to build an unstripped image themselves can opt to squash.
I have cleaned up these lines a bit anyway though, and removed what I believe are redundant layers. Does this help?
There was a problem hiding this comment.
I think we've ended up with qemu in the image too, which we don't want and maybe we now have literally nothing of value in the unstripped image (I thought we needed to add /tmp and the licenses, but if not, perhaps we should derive it from the BASE with no changes?
|
Do we still need this change once projectcalico/calico#9678 is merged? |
|
@hjiawei yep |
I am not following. With your change in projectcalico/calico#9678, is it true that a user can run the following command to switch to a different base. Is this essentially what you are doing here? CALICO_BASE=registry.access.redhat.com/ubi8/ubi-minimal:latest make image
# or
CALICO_BASE=some-custom-image make image |
aaaaaaaalex
force-pushed
the
optionally-skip-base-cleanup
branch
from
e054cee to
0a1c464
Compare
| # Unstripped image. | ||
| FROM ${BASE} AS source-unstripped | ||
| COPY --from=ubi / / | ||
| RUN rm -rf /rootfs |
There was a problem hiding this comment.
I think we've ended up with qemu in the image too, which we don't want and maybe we now have literally nothing of value in the unstripped image (I thought we needed to add /tmp and the licenses, but if not, perhaps we should derive it from the BASE with no changes?
| RUN microdnf upgrade -y | ||
|
|
||
| ARG PKGMAN | ||
| RUN ${PKGMAN} upgrade -y | ||
| # Prepare a rootfs for necessary files from UBI. | ||
| # Symbolic links are preserved. | ||
| RUN mkdir -p /rootfs/lib64 /rootfs/etc |
There was a problem hiding this comment.
I think all this rootfs building (and the qemu bit) should happen in an intermediate image that's not a base for the unstripped one.
make BASE_CLEANUPLEVEL=unstripped image-baseGenerates an image which is scannable,e.g.
trivy image calico/base:latest-amd64.make BASE_CLEANUPLEVEL=stripped image-base, or justmake image-basegenerates the usual image with clean FS.Make/Docker arg
UBIBASEallows injection of a different image to build from.Arg
(BASE_)PKGMANallows adjustment of pkgmanager binary name - useful if say, using DNF rather than MicroDNF. Necessary when using non-minimal UBI.