argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Move Docker image away from Debian base image #5047

Closed jannfis closed 3 years ago

jannfis commented 3 years ago

Summary

We currently use debian10:slim as base image for our distribution. We should evaluate other possibilities for our base image.

Motivation

Our current base used for Docker image distribution (debian10:slim aka Debian stable) is fairly outdated and also triggers many of the popular image security scanners with quite a few issues; for example, this is the snyk scanning result of an Argo CD image built from master today:

[image: snyk scan result for the Debian-based image]

While most, if not all, of the issues are negligible for being not applicable to Argo CD, this fact is annoying and results in many uncertainties and support requests from the community. It also makes reacting to "real" vulnerabilities, those that actually will affect users of Argo CD, harder than it should be, just because there are so many false positives.

The same Argo CD image built using CentOS 8 as a base results in this:

[image: snyk scan result for the CentOS 8-based image]

Proposal

We should evaluate different options on how to improve. I am currently building & testing different options, including the use of Ubuntu and CentOS as the base image. If I remember correctly, Alpine was used once but it was found to be incompatible on multiple layers with the requirements of our users (mainly, config management plugins) and our own (toolchain, different libc implementation, etc).

I will collect results of my builds and testing in this issue. Using the Dockerized test toolchain built with the same base image, test results should be as close to real world workloads as possible.

Further, I can imagine that we could provide alternative Argo CD images built from different base images for the community to help us test in real scenarios, i.e. 1.8.0-centos or 1.8.0-ubuntu.

The goal of this issue is to gather all required information and test results, to ultimately help us decide on an option for future delivery of Argo CD images.

iam-veeramalla commented 3 years ago

@jannfis I think you should also consider the UBI image provided by Red Hat. I have seen F5 ingress controllers moving away from Debian to UBI, and it was quite successful in terms of the challenges you addressed.

registry.redhat.io/ubi7/ubi-minimal

jannfis commented 3 years ago

Thanks for the pointer to UBI, @iam-veeramalla. While what I read so far about UBI sounds awesome, I fear that it won't be license-compatible with distributing an Open Source project.

The UBI comes with a separate End User License Agreement, and while I'm not a lawyer, I think it's not compatible with any FOSS License out there.

So I think we should only consider those base images having a 100% FOSS background.

iam-veeramalla commented 3 years ago

> I think it's not compatible with any FOSS License out there.

oh, I didn't know this. Let me read through and get back to you on this.

jannfis commented 3 years ago

Test results, round one

I built the argocd and test-tools-image images using the below base images, ran all unit tests and e2e tests in the dockerized toolchain, and had snyk running its analysis over all of them. The following are the results so far:

| base image | final size | unit tests passed | e2e tests passed | snyk report |
| --- | --- | --- | --- | --- |
| centos:centos8 | 426.1MB | yes | yes | [image] |
| ubuntu:20.04 (LTS) | 448.9MB | yes | yes | [image] |
| ubuntu:20.10 (rolling) | 467.2MB | yes | yes | [image] |
| ubuntu:21.04 (latest) | 615.9MB | yes | yes | [image] |
| debian:10-slim (current base) | 512.16MB | yes | yes | [image] |

sbose78 commented 3 years ago

Hi folks,

Community projects may use the UBI base image. "All of this content is usable and freely redistributable under the terms of the UBI End User License Agreement (EULA) "

https://developers.redhat.com/articles/ubi-faq#

jannfis commented 3 years ago

> Community projects may use the UBI base image. "All of this content is usable and freely redistributable under the terms of the UBI End User License Agreement (EULA) "

Yes, I've read that. But freely redistributable is not enough to satisfy FOSS requirements, IMHO. I think we should be very careful here.

jessesuen commented 3 years ago

> centos:centos8

CentOS won't be a good option anymore because of their change in release model. I think our best option is ubuntu:21.04

jsoref commented 3 years ago

Fwiw, my employer used Debian in house; I migrated us to Ubuntu for new installs because of similar concerns. So, I'm +1 to ubuntu-latest.

(We have some CentOS/RHEL systems which I'm retiring.)

Given how ArgoCD is used, I don't think there's a particularly good argument to be on an LTS OS.

jsoref commented 3 years ago

@jannfis: Any idea why ubuntu:21.04 is so much larger than ubuntu:20.04? (It isn't a huge deal for my use, but it's a bit odd...)

jannfis commented 3 years ago

After a few discussions, I think we should go with the latest stable Ubuntu (so, 20.10) and in the future, move on when Ubuntu releases a new stable version of their distribution (I think it's the rolling release, in their terminology).

> @jannfis: Any idea why ubuntu:21.04 is so much larger than ubuntu:20.04? (It isn't a huge deal for my use, but it's a bit odd...)

It seems that gcc is the delinquent here.

On image built using ubuntu:21.04:

root@f5c9ded16c4b:/home/argocd# du -sm /usr/lib/gcc
517     /usr/lib/gcc

On image built using ubuntu:20.10:

root@7c0ed6ac0f54:/home/argocd# du -sm /usr/lib/gcc
103     /usr/lib/gcc

Now that begs the question why gcc gets pulled into the image, because we certainly don't require it at runtime. Will investigate a little further.

jannfis commented 3 years ago

Updated https://github.com/argoproj/argo-cd/issues/5047#issuecomment-744442270 to also contain ubuntu:20.10 as base image.

jannfis commented 3 years ago

Also, according to apt-cache rdepends, gcc is pulled in by python3-pip (which we use to install awscli in the image).

Maybe this can be changed by some smarter build stages.
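One way the "smarter build stages" idea can look, as an added illustration that is not Argo CD's own Dockerfile: awscli is installed into a virtualenv in a throwaway build stage that carries python3-pip, and only the resulting directory is copied into the runtime stage, which installs the python3 interpreter but never pip, so the gcc that python3-pip drags in never lands in the shipped image. The base tag, the /opt/awscli path and the final self-check are assumptions for the example.

```dockerfile
# Added example, not the project's Dockerfile. Assumed base tag and paths.

# Build stage: the only place python3-pip (and whatever it pulls in,
# including gcc) is ever installed.
FROM ubuntu:20.10 AS awscli-builder
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y --no-install-recommends python3 python3-venv python3-pip && \
    rm -rf /var/lib/apt/lists/*
# Install awscli into a self-contained virtualenv so it can be copied as one unit.
RUN python3 -m venv /opt/awscli && \
    /opt/awscli/bin/pip install --no-cache-dir awscli

# Runtime stage: same base, so the python3 interpreter has the same version
# and path the virtualenv was created against; pip is deliberately absent.
FROM ubuntu:20.10
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y --no-install-recommends python3 && \
    rm -rf /var/lib/apt/lists/*
COPY --from=awscli-builder /opt/awscli /opt/awscli
ENV PATH="/opt/awscli/bin:${PATH}"

# Fail the build if a compiler or pip sneaked into the runtime layer anyway,
# so a later dependency change cannot silently regrow the image.
RUN ! dpkg -s gcc >/dev/null 2>&1 && ! command -v pip3 >/dev/null && \
    aws --version
```

Whether gcc arrives through python3-pip's hard Depends or only through its Recommends differs between releases; running `apt-cache rdepends --installed gcc` inside the built image answers that, and if it is Recommends only, `--no-install-recommends` by itself already removes it. Separating the stages keeps the runtime image free of the build toolchain either way, which is also what the scanners will flag if it is left in.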