Closed jannfis closed 3 years ago
@jannfis I think you should also consider the UBI image provided by Red Hat. I have seen F5 ingress controllers moving away from Debian to UBI, and it was quite successful in terms of the challenges you addressed.
registry.redhat.io/ubi7/ubi-minimal
Thanks for the pointer to UBI, @iam-veeramalla. While what I read so far about UBI sounds awesome, I fear that it won't be license compatible with distributing an Open Source project.
The UBI comes with a separate End User License Agreement, and while I'm not a lawyer, I think it's not compatible with any FOSS license out there.
So I think we should only consider those base images having a 100% FOSS background.
Oh, I didn't know this. Let me read through and get back to you on this.
I built the argocd and test-tools-image images using the below base images, ran all unit tests and e2e tests in the dockerized toolchain, and had snyk running its analysis over all of them. The following are the results so far:

| base image | final size | unit tests passed | e2e tests passed | snyk report |
|---|---|---|---|---|
| centos:centos8 | 426.1MB | yes | yes | |
| ubuntu:20.04 (LTS) | 448.9MB | yes | yes | |
| ubuntu:20.10 (rolling) | 467.2MB | yes | yes | |
| ubuntu:21.04 (latest) | 615.9MB | yes | yes | |
| debian:10-slim (current base) | 512.16MB | yes | yes | |
Hi folks,
Community projects may use the UBI base image. "All of this content is usable and freely redistributable under the terms of the UBI End User License Agreement (EULA) "
> Community projects may use the UBI base image. "All of this content is usable and freely redistributable under the terms of the UBI End User License Agreement (EULA)"
Yes, I've read that. But freely redistributable is not enough to satisfy FOSS requirements, IMHO. I think we should be very careful here.
> centos:centos8
CentOS won't be a good option anymore because of their change in release model. I think our best option is ubuntu:21.04
Fwiw, my employer used Debian in house, I migrated us to Ubuntu for new installs because of similar concerns. So, I'm +1 to ubuntu-latest.
(We have some CentOS/RHEL systems which I'm retiring.)
Given how ArgoCD is used, I don't think there's a particularly good argument to be on an LTS OS.
@jannfis: Any idea why ubuntu:21.04 is so much larger than ubuntu:20.04? (It isn't a huge deal for my use, but it's a bit odd...)
After a few discussions, I think we should go with the latest stable Ubuntu (so, 20.10) and in the future, move on when Ubuntu releases a new stable version of their distribution (I think it's the rolling release, in their terminology).
> @jannfis: Any idea why ubuntu:21.04 is so much larger than ubuntu:20.04? (It isn't a huge deal for my use, but it's a bit odd...)

It seems that gcc is the delinquent here.
On image built using ubuntu:21.04:
root@f5c9ded16c4b:/home/argocd# du -sm /usr/lib/gcc
517 /usr/lib/gcc
On image built using ubuntu:20.10:
root@7c0ed6ac0f54:/home/argocd# du -sm /usr/lib/gcc
103 /usr/lib/gcc
Now that begs the question why gcc gets pulled into the image, because we certainly don't require it at runtime. Will investigate a little further.
Updated https://github.com/argoproj/argo-cd/issues/5047#issuecomment-744442270 to also contain ubuntu:20.10 as base image.
Also, according to apt-cache rdepends, gcc is pulled in by python3-pip (which we use to install awscli in the image).
Maybe this can be changed by some smarter build stages.
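As an added example (not Argo CD's own Dockerfile), this is what such a split into build stages can look like: python3-pip, and whatever apt drags in with it, stays in a builder stage, and only the awscli virtualenv plus the python3 interpreter are copied into the runtime image, whose last step fails the build if gcc or python3-pip reappear there. The stage name and the /opt/awscli path are assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Stage and path names are assumptions.

# Stage 1: builder. python3-pip lives only here, so whatever it pulls in
# (the thread traced gcc to it via apt-cache rdepends) never reaches the runtime image.
# --no-install-recommends additionally keeps pip's recommended toolchain out of this stage.
FROM ubuntu:20.10 AS awscli-builder
RUN apt-get update && \
    apt-get install -y --no-install-recommends python3-venv python3-pip && \
    python3 -m venv /opt/awscli && \
    /opt/awscli/bin/pip install --no-cache-dir awscli

# Stage 2: runtime. Same base as the builder so the venv's interpreter symlink
# (/usr/bin/python3) resolves to a matching Python version.
FROM ubuntu:20.10
RUN apt-get update && \
    apt-get install -y --no-install-recommends python3 && \
    rm -rf /var/lib/apt/lists/*
COPY --from=awscli-builder /opt/awscli /opt/awscli
ENV PATH="/opt/awscli/bin:${PATH}"

# Build-time check: the layer must contain neither a compiler nor the pip package,
# and the copied awscli must still run against the runtime interpreter.
RUN ! command -v gcc >/dev/null 2>&1 && \
    ! dpkg -s python3-pip >/dev/null 2>&1 && \
    aws --version
```

Running du -sm /usr/lib/gcc in the resulting image, as in the comment above, should then report the directory as absent rather than a few hundred megabytes.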
Summary
We currently use debian10:slim as base image for our distribution. We should evaluate other possibilities for our base image.
Motivation
Our current base used for Docker image distribution (debian10:slim aka Debian stable) is fairly outdated and also triggers many of the popular image security scanners with quite a few issues. For example, this is the snyk scanning result of an Argo CD image built from master today:
While most, if not all, of the issues are negligible for not being applicable to Argo CD, this fact is annoying and results in many uncertainties and support requests from the community. It also makes reacting to "real" vulnerabilities, those that actually will affect users of Argo CD, harder than it should be, just because there are so many false positives.
The same Argo CD image built using CentOS 8 as a base results in this:
Proposal
We should evaluate different options on how to improve. I am currently building & testing different options, including the use of Ubuntu and CentOS as the base image. If I remember correctly, Alpine was used once but it was found to be incompatible on multiple layers with the requirements of our users (mainly, config management plugins) and our own (toolchain, different libc implementation, etc).
I will collect results of my builds and testing in this issue. Using the Dockerized test toolchain built with the same base image, test results should be as close to real world workloads as possible.
Further, I can imagine that we could provide alternative Argo CD images built from different base images for the community to help us test in real scenarios, i.e. 1.8.0-centos or 1.8.0-ubuntu.
The goal of this issue is to gather all required information and test results, to ultimately help us decide on an option for future delivery of Argo CD images.