teamhephy / router

MIT License

Make the hephy-router image smaller #27

Closed Cryptophobia closed 3 years ago

Cryptophobia commented 6 years ago

The Docker image runs at 674MB because of Modsecurity and Tcell dynamic modules. We should look at lowering the size of the container by maybe using multi-stage Docker builds or flattening the layers of the Docker image as the last resort.

kingdonb commented 6 years ago

The technique used in BaseImage (Ubuntu/Phusion) to make the image smaller is to take everything and put it into a script. This way you can have a readable Dockerfile without a ton of

RUN apt-get install -y --no-install-recommends huge-list of-packages \
  some-more-packages \
  way-too-many-lines-of-code \
  in-a-single-run-directive \
  && do-the-build-things \
  && apt-get remove --purge all-of-those-things

https://github.com/phusion/baseimage-docker/blob/master/image/Dockerfile

Instead you get something like:

RUN /bd_build/prepare.sh && \
    /bd_build/system_services.sh && \
    /bd_build/utilities.sh && \
    /bd_build/cleanup.sh

It looks like you're already running everything and cleaning up in a single step though, so while this might make the build easier to follow, it's not going to save any space... :-\

Not sure if flattening layers will either.

Cryptophobia commented 6 years ago

Yes, we are already appending all RUN instructions to each other in the image so that they will create one layer. ;)

I think if we do a docker-squash now and merge some of the unnecessary layers like the chown and add files layers, we should be able to save around 10-40% space but I think the image is still maintainable in the current state. I would begin to get more worried if we keep adding features to the router. Modsecurity (libmodsecurity-v3 which takes 10 mins to compile) was what really increased the size of this image.

I usually use the docker-squash Python package to do the squashing of the layers. I can test it out with this image and see the improvement.

Cryptophobia commented 6 years ago

So I ran into this issue https://github.com/goldmann/docker-squash/issues/158

But it also looks like squashing the top 8 layers did not save as much as I thought it would:

hephy/router   squashed      406a7b9251f8   About a minute ago   632MB
hephy/router   git-84c49ab   ffac94f44e6f   3 days ago           674MB

I suspect this has to do with the way we are loading the libmodsecurity after it is compiled. Maybe if we compile in the actual image, we can save space. The reason why I chose to load libmodsecurity after compiling it is to save time for building the image, but this probably makes the image layers fat in that they cannot be squashed into each other...
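
Added example, not part of the thread or the project's code: a toy model of image layers showing why squashing reclaims only bytes that a later layer shadows or deletes, so content stored once (such as a large compiled library) is unaffected. All paths and sizes are constructed for illustration.

```python
"""Toy model of image layers: squashing reclaims only shadowed or deleted bytes."""

# A layer maps path -> size in MB of the copy stored in that layer.
# None marks a whiteout (the file was deleted in that layer).
# Paths and sizes are constructed; they are not measurements of hephy/router.
LAYERS = [
    {"/usr/lib/base.so": 120},                   # base image
    {"/opt/router/nginx": 40},                   # RUN: build and clean up in one step
    {"/usr/local/lib/libmodsecurity.so": 300,    # ADD precompiled artifacts
     "/opt/router/conf": 20,
     "/tmp/modsec-src.tar": 25},
    {"/opt/router/conf": 20},                    # RUN chown: full copy-up into a new layer
    {"/tmp/modsec-src.tar": None},               # RUN rm: whiteout, bytes stay in layer 2
]

def image_size(layers):
    """Total MB stored: every layer keeps its own copy, even if shadowed later."""
    return sum(size for layer in layers for size in layer.values() if size)

def squash(layers, keep_bottom):
    """Merge every layer above the first keep_bottom layers into a single layer."""
    merged = {}
    for layer in layers[keep_bottom:]:
        merged.update(layer)                     # last writer wins
    lower = set().union(*layers[:keep_bottom])   # paths present in retained layers
    # A whiteout is only needed if the file exists in a retained lower layer.
    merged = {p: s for p, s in merged.items() if s is not None or p in lower}
    return layers[:keep_bottom] + [merged]

def wasted(layers):
    """MB per path that is stored in some layer but not visible in the final image."""
    stored, final = {}, {}
    for layer in layers:
        for path, size in layer.items():
            stored[path] = stored.get(path, 0) + (size or 0)
            final[path] = size or 0
    return {p: stored[p] - final[p] for p in stored if stored[p] > final[p]}

if __name__ == "__main__":
    before = image_size(LAYERS)
    after = image_size(squash(LAYERS, keep_bottom=2))
    print(f"before={before}MB after squashing top 3 layers={after}MB")
    print("reclaimable:", wasted(LAYERS))
```

In this model the 300MB library is stored exactly once, so no amount of squashing touches it; only the chown copy and the deleted tarball are recovered.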

Cryptophobia commented 3 years ago

This has improved a lot since moving to multi-stage build thanks to work by @felixbuenemann! Compressed size is about 100MB on Docker Hub. I think it's okay to close this issue for now.

docker images
REPOSITORY     TAG           IMAGE ID       CREATED          SIZE
hephy/router   canary        e08db7bc9b04   30 minutes ago   247MB
hephy/router   git-2c6f6f6   e08db7bc9b04   30 minutes ago   247MB