Closed xlf12 closed 1 year ago
i am getting push backs from customer regarding image size limits... my customer wants a 150M image max while my runtime, which is wildfly, formal image, starts at 350M any idea what I can do still or are my hands tied? (i am not an expert in this) thanks
For information, we have successfully switched our keycloak, using wildfly, to a distroless/java-debian10:nonroot
image.
We just have to define the entrypoint of our image to the java command executed in your context to launch wildfly (can be dumped from the standalone.sh
by adding the set -x
flag in the script before launching…).
@davinkevin what is the impact on the image size? thanks
One problem is security, there are potentially many things in this image that are not needed and could have security vulnerabilities. Customers just scan images and decide what is in it, no matter what is used in the specific case. That forces updates or hard discussions and merci.
Well, when you are dealing with "many" µServices and many different versions of the same service, handling all these images is even more painful when they are large. We install offline on site and have to feed many image registries to archive, deploy and ship these images. On the customer side it is less painful because they only have to deal with limited versions, but the first security point more or less turns out to be a showstopper.
For the same binary inside the image.
Some extra layers may exist in the centos
version due to the update of packages increasing the size of the image (because the centos image is not patched very often by redhat sadly…).
But at the end, our focus is, like @xlf12 described, we would like to reduce at most our list of images used in our micro services applications. We are mainly in a java world, so distroless
do the job and thank to it, we have an official java (gcc) distribution with the minimum viable packages and maintained by Google. What else ?
This is somehow more important now that red hat is dropping support for centos, any plans to move away from this distro?
For information, we have successfully switched our keycloak, using wildfly, to a
distroless/java-debian10:nonroot
image.We just have to define the entrypoint of our image to the java command executed in your context to launch wildfly (can be dumped from the
standalone.sh
by adding theset -x
flag in the script before launching…).
I am struggling with a similar challenge. Do you have any how to write up available that I may use to build and run a distroless image?
I will try to see if we can publish it as an open source project.
In which part are you struggling with ?
I will try to see if we can publish it as an open source project.
In which part are you struggling with ?
I am struggling with launching keycloak. Would you be able to share the dockerfile? It's fine if there are hardcoding and you may mask some values if you don't wish to reveal.
We are launching keycloak inside kubernetes, so there is nothing relative to this inside our Dockerfile
.
To deal with the launch process without using the standalone.sh
, I've started a standard Keycloak with a simple modification in the standalone.sh
to reveal the final java
command executed. You can do that by adding set -x
inside the standalone.sh
.
Then, I copied the java
command and use it from my Deployement
file in kubernetes, but you can do the same for any other orchestrator.
BTW, I will write an article about that very soon, so I will post the link here as soon as possible.
@debashish1976 https://dev.to/stack-labs/keycloak-on-distroless-12ng
I think it would be helpful for you 😇
I'm closing this as it has been superseded by https://github.com/jboss-dockerfiles/wildfly/pull/161
The Size of the Docker Wildfly Image is very large and far from what is expected / recommended for a Docker image.
Modern Java programs should IMHO skip the Linux distro layer because they are in general not used by native java apps. For distroless images see distroless. This would reduce the image size by 300MB.
The 400 MB left over might also be worth an investigation. Why does a modern app server already need this without having placed an application on it?