aws / aws-network-policy-agent

Apache License 2.0

Docker image very big containing a lot of unnecessary stuff #232

Closed runningman84 closed 4 months ago

runningman84 commented 4 months ago

What happened:

The image 602401143452.dkr.ecr.eu-central-1.amazonaws.com/amazon/aws-network-policy-agent:v1.0.8-eksbuild.1 is very big and takes more than 20 seconds to download.

Looking into the image it contains things like old kernel sources:

bash-4.2# ls -la /usr/src/kernels/
total 4
drwxr-xr-x.  1 root root   44 Feb  5 20:48 .
drwxr-xr-x.  1 root root   21 Jan 23 17:37 ..
drwxr-xr-x. 23 root root 4096 Feb  5 20:48 4.14.336-255.557.amzn2.aarch64

Furthermore it contains a lot of other stuff

bash-4.2# cd /     
bash-4.2# du -s -h .
du: cannot access './proc/78/task/78/fd/4': No such file or directory
du: cannot access './proc/78/task/78/fdinfo/4': No such file or directory
du: cannot access './proc/78/fd/3': No such file or directory
du: cannot access './proc/78/fdinfo/3': No such file or directory
975M    .
bash-4.2# du --max-depth=1 -h .
0   ./boot
0   ./dev
2.1M    ./etc
0   ./home
0   ./local
0   ./media
0   ./mnt
0   ./opt
du: cannot access './proc/79/task/79/fd/4': No such file or directory
du: cannot access './proc/79/task/79/fdinfo/4': No such file or directory
du: cannot access './proc/79/fd/3': No such file or directory
du: cannot access './proc/79/fdinfo/3': No such file or directory
0   ./proc
4.0K    ./root
20K ./run
0   ./srv
0   ./sys
0   ./tmp
764M    ./usr
19M ./var
104M    ./host
975M    .
bash-4.2# du --max-depth=1 -h /usr/
74M /usr/bin
0   /usr/etc
0   /usr/games
20M /usr/include
44M /usr/lib
351M    /usr/lib64
56M /usr/libexec
4.0K    /usr/local
5.7M    /usr/sbin
123M    /usr/share
92M /usr/src
764M    /usr/
bash-4.2# du --max-depth=1 -h /usr/share/
0   /usr/share/X11
8.0K    /usr/share/aclocal
32K /usr/share/applications
0   /usr/share/augeas
84K /usr/share/awk
0   /usr/share/backgrounds
72K /usr/share/bash-completion
0   /usr/share/desktop-directories
0   /usr/share/dict
19M /usr/share/doc
0   /usr/share/empty
0   /usr/share/file
0   /usr/share/games
216K    /usr/share/gcc-7
8.0K    /usr/share/gdb
0   /usr/share/ghostscript
0   /usr/share/glib-2.0
0   /usr/share/gnome
312K    /usr/share/gnupg
0   /usr/share/i18n
0   /usr/share/icons
0   /usr/share/idl
4.4M    /usr/share/info
1.1M    /usr/share/licenses
54M /usr/share/locale
0   /usr/share/lua
8.1M    /usr/share/man
5.4M    /usr/share/mime
0   /usr/share/mime-info
2.8M    /usr/share/misc
0   /usr/share/omf
4.0K    /usr/share/p11-kit
0   /usr/share/pixmaps
4.0K    /usr/share/pkgconfig
1.1M    /usr/share/pki
0   /usr/share/sounds
4.0K    /usr/share/systemtap
16K /usr/share/tabset
476K    /usr/share/terminfo
0   /usr/share/themes
12K /usr/share/vim
0   /usr/share/xsessions
908K    /usr/share/yum-cli
0   /usr/share/yum-plugins
4.5M    /usr/share/zoneinfo
16K /usr/share/zsh
1.9M    /usr/share/groff
48K /usr/share/opt-viewer
20M /usr/share/perl5
123M    /usr/share/

Attach logs

Successfully pulled image "602401143452.dkr.ecr.eu-central-1.amazonaws.com/amazon/aws-network-policy-agent:v1.0.8-eksbuild.1" in 20.619s (20.619s including waiting)   

What you expected to happen: I would like to see a minimal image without any unnecessary stuff.

How to reproduce it (as minimally and precisely as possible): Install latest aws cni.

Anything else we need to know?: Especially security-related stuff like this agent should be using a very thin, auditable image.

Environment:
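As an added example (not code from this issue or from the aws-network-policy-agent project): a POSIX shell audit that walks an exported image root filesystem for the kind of build-time-only content found above (kernel sources, headers, docs, man pages, package-manager state), so a release image can be checked mechanically rather than by hand with du. The bloat path list and the constructed sample rootfs are assumptions, not a description of the project's build.

```shell
#!/bin/sh
# Added example, not code from the aws-network-policy-agent project.
# Audits an exported container root filesystem for build-time-only content
# that a runtime image of a security agent should not carry: kernel sources,
# headers, docs, man/info pages, locale data, package-manager caches.
# Assumed use:  docker export <ctr> | tar -x -C ./rootfs ; bloat_report ./rootfs

# Relative paths that are dead weight in a runtime image (assumption: RPM/yum-based base).
BLOAT_PATHS="usr/src/kernels usr/include usr/share/doc usr/share/man usr/share/info \
usr/share/locale usr/share/perl5 var/cache/yum var/lib/yum"

# bloat_report ROOT: one "<KB><TAB><path>" line per bloat path that exists under ROOT.
bloat_report() {
    for p in $BLOAT_PATHS; do
        if [ -e "$1/$p" ]; then
            kb=$(du -sk "$1/$p" 2>/dev/null | cut -f1)
            printf '%s\t%s\n' "${kb:-0}" "$p"
        fi
    done
}

# bloat_count ROOT: prints how many bloat paths are present (0 for a clean rootfs).
bloat_count() {
    bloat_report "$1" | wc -l | tr -d ' '
}

# bloat_kb ROOT: prints the total KB occupied by bloat paths.
bloat_kb() {
    total=0
    for kb in $(bloat_report "$1" | cut -f1); do
        total=$((total + kb))
    done
    echo "$total"
}

# make_sample_rootfs DIR: constructed stand-in for an extracted image, mirroring
# the issue's finding (kernel sources under /usr/src/kernels, docs in /usr/share/doc).
make_sample_rootfs() {
    mkdir -p "$1/usr/src/kernels/4.14.336-255.557.amzn2.aarch64/include" \
             "$1/usr/share/doc/sample" "$1/usr/bin"
    head -c 65536 /dev/urandom > "$1/usr/src/kernels/4.14.336-255.557.amzn2.aarch64/include/linux.h"
    head -c 4096 /dev/urandom > "$1/usr/share/doc/sample/README"
    : > "$1/usr/bin/agent"   # the only thing the runtime image actually needs
}

# Demo: build the constructed rootfs, print the report, clean up.
demo_dir=$(mktemp -d)
make_sample_rootfs "$demo_dir"
bloat_report "$demo_dir"
echo "bloat paths: $(bloat_count "$demo_dir"), total KB: $(bloat_kb "$demo_dir")"
rm -rf "$demo_dir"
```

A non-zero count from `bloat_count` is a reasonable CI gate for an agent image; the same walk over a minimal build should report nothing.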

jaydeokar commented 4 months ago

Possibly fixed by https://github.com/aws/aws-network-policy-agent/pull/212. This change should be out soon.

jaydeokar commented 4 months ago

New version v1.1.0 is out which uses the minimal build. It reduces the image size to ~40 MB.

sjastis commented 4 months ago

Addressed via the new node agent release.