[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Reducing the footprint of the Fedora docker base image

here are what I install

bash grep tar coreutils findutils rpm sed cpio cyrus-sasl file nc file-libs gawk xz openssh-server vi setup filesystem man passwd sudo iproute procps-ng iputils which net-tools psmisc

sometimes when I over optimize I replace systemd (by a fake runtime rpm that claim to provides systemd and a like) with supervisord

Compress cracklib

gzip -9 $OSROOT/usr/share/cracklib/pw_dict.pwd

Minimize locale-archive

localedef --prefix $OSROOT --list-archive | egrep -v $strip_locales_to_keep_re | xargs localedef --prefix $OSROOT --delete-from-archive
mv $OSROOT/usr/lib/locale/locale-archive $OSROOT/usr/lib/locale/locale-archive.tmpl
chroot $OSROOT /usr/sbin/build-locale-archive

find "$OSROOT/usr/share/i18n/locales/" -type f | egrep -v $strip_locales_to_keep_re | xargs rm -rf
find "$OSROOT/usr/share/zoneinfo/" -type f | egrep -v $strip_tz_to_keep_re | xargs rm -rf

regarding locals I want to keep things like date formats ..etc. but not translation (I don't want french version of ls --help)


regarding a more stripped image image without dnf/yum, this would be useful in case if we have pivot root support in Dockerfile


rpm --root $OSROOT --dbpath ...
yum --nogpgcheck --installroot=$OSROOT --releasever=$release $yumsetopt install

On Thu, Feb 11, 2016 at 2:12 PM, Pavel Odvody <podvody redhat com> wrote:
On Thu, 2016-02-11 at 05:08 -0500, Daniel Riek wrote:
> On Thu, Feb 11, 2016 at 4:52 AM, Fabian Deutsch <fdeutsch redhat com>
> wrote:
> > On Wed, Feb 10, 2016 at 11:13 PM, Josh Berkus <jberkus redhat com>
> > wrote:
> > > On 02/10/2016 11:38 AM, Courtney Pacheco wrote:
> > >>
> > >> If possible, I'd like some feedback on the work I did. Comments
> > and
> > >> criticism are more than welcomed! I realize there may be some
> > >> controversy in terms of what I chose to remove and what I chose
> > to turn
> > >> into weak dependencies, but I would like to hear your thoughts
> > either way.
> > >>
> > >
> > > First, thanks for doing this!  It really shows a lot.  I'd be
> > really curious
> > > as to what's in the remaining 144MB, given that Alpine and
> > BusyBox can get
> > > away with a userspace which is 25% of that size.
> > >
> > > As Dan points out, we can't necessarily dispose of DNF/Yum during
> > the
> > > standard container build (i.e. Dockerfile).  However ... could we
> > remove
> > > them afterwards?
> >
> > Maybe this can be handled by a tooling itself - add yum, install,
> > cleanup afterwards.
> >
> >
> >
> With squashing that is doable, but it's ugly and fragile.

Agreed, until Docker itself supports squashing of layers we should stay
away from that.

> A better way would be to move them into "sidecar" images, that get
> mounted during docker build and can be added at runtime. We can use
> the atomic wrapper or kubernetes or atomic app to automate that. The
> key todos I see here are :
> * Get an out-of-tree dnf that brings it own dependencies and can be
> mounted into a container during build (similar to the secrets patch).

This might be satisfied with the standalone DNF bundles, the other
option would be having a DNF version that can execute from an "empty"
chroot (not nice due to all the corner cases with NSS/glibc and cURL).

> * Figure out how to manage that across multiple versions of base
> images.
> * Enable mounting containers as volumes (unless I am mistaken, right
> now we can only mount host directories as volumes? Might be wrong)

Yes, but there's a nice loophole! If we mount hosts / we can use
/proc/{PID}/root to get to the root of particular container, from my
Fedora 22 host:

$ docker run -tid ubuntu:latest bash
$ docker inspect --format "{{ .State.Pid }}" a19fdc5ab50e3507d99cf16b4367e23a9f6b932655bbf531384e403026399c5c
$ cat /proc/30328/root/etc/lsb-release

This way we could run the service SPC container like:

$ docker run --privileged -v /:/host fedora:23 cat /host/proc/30328/root/etc/lsb-release

TLDR version: I just used Fedora 23 container to inspect an Ubuntu
14.04 container on my Fedora 22 host.

> * Create the tooling and metadata to make it work in practice.
> I think there has been some work along those lines, it would be great
> to drive it forward.

In the above example, if we exchange Ubuntu container for another
Fedora container we could do:

$ docker run --name ServiceContainer --privileged -v /:/host fedora:23
dnf update --installroot /host/proc/XXXX/root/

And it will work even if the target container doesn't have DNF/RPM, the
only problem is that scriptlets would be executed in the context of the
ServiceContainer, so we'd either have to disable them, or have the
bundled/standalone version of DNF that could be bind mounted into the
container and execute it in correct context. Note that most scriptlets
should execute just fine, one problem would be scriptlets that operate
directly with PIDs, but this should be a subject of further research to
decide how much of a problem it really is.

I guess what we're missing right now are concrete user stories.

> Regards,
> Daniel

Pavel Odvody <podvody redhat com>
Software Engineer - EMEA ENG Developer Experience
5EC1 95C1 8E08 5BD9 9BBF 9241 3AFA 3A66 024F F68D
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]