projectnessie / nessie

Nessie: Transactional Catalog for Data Lakes with Git-like semantics
https://projectnessie.org
Apache License 2.0

Reduce size of Docker images #579

Closed jacques-n closed 1 year ago

jacques-n commented 3 years ago

Should shrink our build size and reduce CVE surface area.

jacques-n commented 3 years ago

Hmm... it looks like the quarkus-specific distroless image isn't updated super regularly:

https://github.com/quarkusio/quarkus-images/tree/master/distroless (last update 10 months ago)

Looking at things, it looks like we need distroless/base + zlib (according to what the quarkus distroless image is built on):

https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md

jacques-n commented 3 years ago

Notes from a little more exploration here:

Adding this argument: `quarkus.native.additional-build-args=-H:+StaticExecutableWithDynamicLibC`

Fails as the builder image doesn't contain sufficient libraries to build the statically bound version of our app. Specifically:

```
/usr/bin/ld: cannot find -lstdc++
/usr/bin/ld: cannot find -lz
```

Ideally would be able to add this: `quarkus.jib.base-native-image=gcr.io/distroless/base`

Then run with (on macOS):

```
mvn install -DskipTests -Pnative -Dquarkus.native.container-build=true -pl servers/quarkus-server/
```

And we'd be good. Need to find the right builder image.

As an aside, also tried by changing build image to newer quarkus image using this setting: `quarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-native-image:20.3.0-java11`

Same result.

jacques-n commented 3 years ago

Useful link for properties: https://quarkus.io/guides/building-native-image#quarkus-native-pkg-native-config_quarkus.native.additional-build-args

rymurr commented 3 years ago

I ran the following:

```
mvn install -DskipTests -Pnative -Dquarkus.native.container-build=true -Dquarkus.jib.base-native-image=gcr.io/distroless/base -pl servers/quarkus-server/
```

And the build succeeded. Unsurprisingly at start-up the docker image failed with:

```
./application: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory
```

The Dockerfile

```dockerfile
FROM debian:stable-slim as build-env

FROM <just-build-quarkus-image>
COPY --from=build-env /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libz.so.1
CMD ["/application"]
```

Then got the image to start properly. So it's really just that libz.so.1 that's preventing us from moving to distroless. This image was 105MB too, compared to 250MB for nessie 0.2.1. Also see here where the distroless folks rejected adding zlib to base.

Some options:

1. perform a multi-stage build https://quarkus.io/guides/building-native-image#using-a-multi-stage-docker-build
2. add a github actions build step of our own to prepare a base image off distroless
3. find a distroless+zlib build (which I haven't yet)
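Whichever option is taken, the thing to know up front is the full list of shared objects the native executable needs that the candidate base image does not ship, rather than finding them one at a time from start-up failures. The script below is an added example, not code from the Nessie project or from anyone in this thread: it reads the `NEEDED` entries from the binary's ELF dynamic section and diffs them against the `.so` files in an exported image filesystem. The `objdump` output and image listing it embeds are constructed samples, and `check_image` assumes `docker` and binutils are installed on the host.

```sh
#!/bin/sh
# Added example, not Nessie project code: compare the shared libraries a native
# executable needs (NEEDED entries in its ELF dynamic section) with the shared
# objects a candidate base image actually ships, so the gap (here libz.so.1) is
# known before the first failed container start.
set -eu

# Print NEEDED sonames from `objdump -p` output read on stdin, one per line.
# objdump inspects the file without executing it and works on stripped binaries.
needed_from_objdump() {
  awk '$1 == "NEEDED" { print $2 }'
}

# Print the basenames of shared objects found in a filesystem listing read on
# stdin, such as `tar -t` over an exported container filesystem.
sonames_from_listing() {
  sed -n 's#.*/\(lib[^/]*\.so[.0-9]*\)$#\1#p' | sort -u
}

# missing_libs NEEDED_FILE AVAILABLE_FILE: sonames listed in NEEDED_FILE that do
# not appear in AVAILABLE_FILE (temp files because comm wants sorted input).
missing_libs() {
  _n=$(mktemp); _a=$(mktemp)
  sort -u "$1" > "$_n"
  sort -u "$2" > "$_a"
  comm -23 "$_n" "$_a"
  rm -f "$_n" "$_a"
}

# check_image BINARY IMAGE: sonames BINARY needs that IMAGE does not contain.
# Distroless images carry no shell, so the filesystem is read with `docker export`
# instead of running `find` inside the container. Assumes docker and binutils.
check_image() {
  _need=$(mktemp); _have=$(mktemp)
  objdump -p "$1" | needed_from_objdump > "$_need"
  # `docker create` only records the command and never runs it, so a path that
  # does not exist in the image is fine even for images that define no CMD.
  _cid=$(docker create "$2" /bin/true)
  docker export "$_cid" | tar -t | sonames_from_listing > "$_have"
  docker rm "$_cid" > /dev/null
  missing_libs "$_need" "$_have"
  rm -f "$_need" "$_have"
}

# Constructed sample data for an offline run (not captured from the Nessie build):
# a plausible dynamic section of a GraalVM native executable and a partial
# listing of a glibc-based minimal image that ships no zlib.
SAMPLE_OBJDUMP='
Dynamic Section:
  NEEDED               libz.so.1
  NEEDED               libpthread.so.0
  NEEDED               libdl.so.2
  NEEDED               libc.so.6
'
SAMPLE_LISTING='
lib/x86_64-linux-gnu/libc.so.6
lib/x86_64-linux-gnu/libpthread.so.0
lib/x86_64-linux-gnu/libdl.so.2
usr/lib/x86_64-linux-gnu/libssl.so.1.1
etc/ssl/certs/ca-certificates.crt
'

# demo_missing: run the comparison over the samples; prints the sonames that a
# COPY --from step would have to bring into the image.
demo_missing() {
  _need=$(mktemp); _have=$(mktemp)
  printf '%s\n' "$SAMPLE_OBJDUMP" | needed_from_objdump > "$_need"
  printf '%s\n' "$SAMPLE_LISTING" | sonames_from_listing > "$_have"
  missing_libs "$_need" "$_have"
  rm -f "$_need" "$_have"
}

demo_missing
```

Against a real build, `check_image servers/quarkus-server/target/<name>-runner gcr.io/distroless/base` performs the same comparison (the `-runner` path is an assumption about where Quarkus leaves the native executable). The output is exactly the set of files the multi-stage `COPY --from` has to bring in, and re-running it after every GraalVM or base-image upgrade catches a new dependency before it reaches a container start.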

rymurr commented 3 years ago

Alternatively gcr.io/distroless/java works as a base image. The nessie image is then 216MB or ~30MB smaller than the redhat image. Apparently the quarkus native image is ~80MB!

snazy commented 1 year ago

Closing for now - think we're good here