mumble-voip / mumble-docker

The official Mumble Docker image
BSD 3-Clause "New" or "Revised" License

feat: Reduce image size with distroless image #38

Open maweil opened 10 months ago

maweil commented 10 months ago

As mentioned in #25, I have worked on a smaller mumble image for personal use. The PR is not yet ready for merging as there are still some TODOs to address. I initially built this a longer time ago so I still need to check whether no functionality is lost by this PR.

Also please note that I'm still learning Rust and do not claim this is the most elegant way to replace entrypoint.sh. I did this mainly as a learning opportunity.

Main Differences

Open TODOs

Krzmbrzl commented 10 months ago

How much size reduction does the switch to rust actually give us? I wouldn't expect the shell binary to be that large tbh 🤔

maweil commented 10 months ago

> How much size reduction does the switch to rust actually give us? I wouldn't expect the shell binary to be that large tbh 🤔

The switch to using a Rust binary does not reduce the size at all. The entrypoint replacement binary is around 1.6 MB itself. Given the difference of the distroless images with and without a shell, the Rust binary actually increases the size by about 200 KB (which is negligible though).

| Container | Size |
| --- | --- |
| gcr.io/distroless/cc-debian12:latest (no shell) | 24.8 MB |
| gcr.io/distroless/cc-debian12:debug (with shell) | 26.2 MB |

In general, the distroless images have no shell though by default (see also their README). That's the reason why I replaced the shell script with a single binary instead. I picked Rust just because I wanted to use it more.

Krzmbrzl commented 10 months ago

Not sure I feel good about using Rust here. While it is a language that I wanted to learn at some point, I am not yet familiar with it. This will make maintaining this somewhat difficult.

Plus, I don't know how well versed potential contributors are in Rust. Would be a shame to lose potential contributors because of this 👀

maweil commented 10 months ago

That's of course understandable. I also can't share any experience of how much effort maintaining the mumble-docker-entrypoint would be. I included two libraries/crates that will need updates from time to time in case e.g. security vulnerabilities are reported. Not sure how often that would be the case though.

To avoid replacing entrypoint.sh with a Rust binary, but still keep the reduced image size, we could switch from a distroless image to something like busybox in the glibc variant (it seems to use the same GLIBC version that Debian bookworm (12) uses as well). Then we don't need to pull in the other binaries (e.g. ls or cat which is used by entrypoint.sh).

One (major) drawback though: I couldn't find a version of the busybox image corresponding to Debian 11 yet with a quick search. On Debian 12, the current v1.4.287 release of Mumble won't build because of the OpenSSL version jump from 1.x to 3.x.

What are your thoughts on this?