Reduce image size

Do following actions to reduce the size of the generated images.

- Change `COPY` command + `chown`/`chmod` command to `COPY` command +
  `--chown`/`--chmod` option.
  To prevent both files before/after `chown`/`chmod` commands from being
  recorded on different layers.
- Put all `tdnf` commands in a single `RUN` command and move `tdnf clean all`
  command to the end.
  To prevent the `tdnf` cache from being recorded on a layer, and the `tdnf`
  database from being recorded on multiple layers.
- Add `--link` option to `COPY` command.
  This does not contribute to image size reduction, but makes image building
  more efficient.
- Move `chown /etc/pki/tls/certs` to the `Dockerfile.base`.
  This does not contribute to image size reduction, but is used in
  conjunction with `COPY --link` to make image building more efficient.

The target images and their sizes are as follows. (The sizes are the value
when built locally)

- harbor-core : 185MB -> 118MB
- harbor-db : 285MB -> 263MB
- harbor-exporter : 108MB -> 79.1MB
- harbor-jobservice : 159MB -> 105MB
- harbor-registryctl : 160MB -> 104MB
- redis-photon : 179MB -> 170 MB
- standalone-db-migrator : 328MB -> 284MB

Note that harbor-log, harbor-portal, and nginx-photon have almost no effect,
and prepare is not directly executed by the user, so they are not included.

Also, registry-photon and trivy-adapter-photon are not included, since
PR#20622 and PR#20623 include equivalent action for these two, respectively.

Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>

make/photon/core/Dockerfile

@@ -3,20 +3,14 @@ ARG harbor_base_namespace
 FROM ${harbor_base_namespace}/harbor-core-base:${harbor_base_image_version}
 
 HEALTHCHECK CMD curl --fail -s http://localhost:8080/api/v2.0/ping || curl -k --fail -s https://localhost:8443/api/v2.0/ping || exit 1
-COPY ./make/photon/common/install_cert.sh /harbor/
-COPY ./make/photon/core/entrypoint.sh /harbor/
-COPY ./make/photon/core/harbor_core /harbor/
-COPY ./src/core/views /harbor/views
-COPY ./make/migrations /harbor/migrations
-COPY ./icons /harbor/icons
-
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
-    && chown -R harbor:harbor /harbor/ \
-    && chmod u+x /harbor/entrypoint.sh \
-    && chmod u+x /harbor/install_cert.sh \
-    && chmod u+x /harbor/harbor_core
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /harbor/
+COPY --link --chown=10000:10000 --chmod=744 ./make/photon/core/entrypoint.sh /harbor/
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/core/harbor_core /harbor/
+COPY --link --chown=10000:10000 ./src/core/views /harbor/views
+COPY --link --chown=10000:10000 ./make/migrations /harbor/migrations
+COPY --link --chown=10000:10000 ./icons /harbor/icons
 
 WORKDIR /harbor/
 USER harbor
 ENTRYPOINT ["/harbor/entrypoint.sh"]
-COPY make/photon/prepare/versions /harbor/
+COPY --link make/photon/prepare/versions /harbor/

make/photon/core/Dockerfile.base

@@ -3,4 +3,4 @@ FROM photon:5.0
 RUN tdnf install -y tzdata shadow >> /dev/null \
     && tdnf clean all \
     && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
-    && mkdir /harbor/
+    && chown -R harbor:harbor /etc/pki/tls/certs

make/photon/db/Dockerfile

@@ -4,13 +4,11 @@ FROM ${harbor_base_namespace}/harbor-db-base:${harbor_base_image_version}
 
 VOLUME /var/lib/postgresql/data
 
-COPY ./make/photon/db/docker-entrypoint.sh /docker-entrypoint.sh
-COPY ./make/photon/db/initdb.sh /initdb.sh
-COPY ./make/photon/db/upgrade.sh /upgrade.sh
-COPY ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh
-COPY ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/
-RUN chown -R postgres:postgres /docker-entrypoint.sh /docker-healthcheck.sh /docker-entrypoint-initdb.d \
-    && chmod u+x /docker-entrypoint.sh /docker-healthcheck.sh
+COPY --link --chown=999:999 --chmod=744 ./make/photon/db/docker-entrypoint.sh /docker-entrypoint.sh
+COPY --link ./make/photon/db/initdb.sh /initdb.sh
+COPY --link ./make/photon/db/upgrade.sh /upgrade.sh
+COPY --link --chown=999:999 --chmod=744 ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh
+COPY --link --chown=999:999 ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/
 
 ENTRYPOINT ["/docker-entrypoint.sh", "14", "15"]
 HEALTHCHECK CMD ["/docker-healthcheck.sh"]

make/photon/db/Dockerfile.base

@@ -4,17 +4,14 @@ ENV PGDATA /var/lib/postgresql/data
 
 RUN tdnf install -y shadow >> /dev/null \
     && groupadd -r postgres --gid=999 \
-    && useradd -m -r -g postgres --uid=999 postgres
-
-RUN tdnf install -y postgresql14-server >> /dev/null
-RUN tdnf install -y gzip postgresql15-server findutils bc >> /dev/null \
-    && mkdir -p /docker-entrypoint-initdb.d \
+    && useradd -m -r -g postgres --uid=999 postgres \
+    && tdnf install -y postgresql14-server >> /dev/null \
+    && tdnf install -y gzip postgresql15-server findutils bc >> /dev/null \
     && mkdir -p /run/postgresql \
     && chown -R postgres:postgres /run/postgresql \
     && chmod 2777 /run/postgresql \
     && mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" \
     && sed -i "s|#listen_addresses = 'localhost'.*|listen_addresses = '*'|g" /usr/pgsql/15/share/postgresql/postgresql.conf.sample \
     && sed -i "s|#unix_socket_directories = '/tmp'.*|unix_socket_directories = '/run/postgresql'|g" /usr/pgsql/15/share/postgresql/postgresql.conf.sample \
+    && tdnf erase -y toybox && tdnf install -y util-linux net-tools \
     && tdnf clean all
-
-RUN tdnf erase -y toybox && tdnf install -y util-linux net-tools

make/photon/exporter/Dockerfile

@@ -4,24 +4,15 @@ ARG harbor_base_namespace
 
 FROM ${build_image} AS build
 
-ENV CGO_ENABLED=0
-ENV GOOS=linux
-ENV GOARCH=amd64
-
-COPY src /harbor/src
+COPY --link src /harbor/src
 WORKDIR /harbor/src/cmd/exporter
-RUN go build -o /out/harbor_exporter
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /out/harbor_exporter
 
 FROM ${harbor_base_namespace}/harbor-exporter-base:${harbor_base_image_version}
 
-COPY --from=build /out/harbor_exporter /harbor/harbor_exporter
-COPY ./make/photon/exporter/entrypoint.sh ./make/photon/common/install_cert.sh /harbor/
-
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
-    && chown -R harbor:harbor /harbor/ \
-    && chmod u+x /harbor/entrypoint.sh \
-    && chmod u+x /harbor/install_cert.sh \
-    && chmod u+x /harbor/harbor_exporter
+COPY --link --from=build --chown=10000:10000 --chmod=755 /out/harbor_exporter /harbor/harbor_exporter
+COPY --link --chown=10000:10000 --chmod=744 ./make/photon/exporter/entrypoint.sh /harbor/
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /harbor/
 
 WORKDIR /harbor
 USER harbor

make/photon/exporter/Dockerfile.base

@@ -3,4 +3,4 @@ FROM photon:5.0
 RUN tdnf install -y tzdata shadow >> /dev/null \
     && tdnf clean all \
     && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
-    && mkdir /harbor/
+    && chown -R harbor:harbor /etc/pki/tls/certs

make/photon/jobservice/Dockerfile

@@ -2,17 +2,11 @@ ARG harbor_base_image_version
 ARG harbor_base_namespace
 FROM ${harbor_base_namespace}/harbor-jobservice-base:${harbor_base_image_version}
 
-COPY ./make/photon/common/install_cert.sh /harbor/
-COPY ./make/photon/jobservice/entrypoint.sh /harbor/
-COPY ./make/photon/jobservice/harbor_jobservice /harbor/
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /harbor/
+COPY --link --chown=10000:10000 --chmod=744 ./make/photon/jobservice/entrypoint.sh /harbor/
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/jobservice/harbor_jobservice /harbor/
 
 
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
-    && chown -R harbor:harbor /harbor/ \
-    && chmod u+x /harbor/entrypoint.sh \
-    && chmod u+x /harbor/install_cert.sh \
-    && chmod u+x /harbor/harbor_jobservice
-
 WORKDIR /harbor/
 
 USER harbor

make/photon/jobservice/Dockerfile.base

@@ -2,4 +2,5 @@ FROM photon:5.0
 
 RUN tdnf install -y tzdata shadow >> /dev/null \
     && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
+    && chown -R harbor:harbor /etc/pki/tls/certs

make/photon/redis/Dockerfile

@@ -4,10 +4,8 @@ FROM ${harbor_base_namespace}/harbor-redis-base:${harbor_base_image_version}
 
 VOLUME /var/lib/redis
 WORKDIR /var/lib/redis
-COPY ./make/photon/redis/docker-healthcheck /usr/bin/
-COPY ./make/photon/redis/redis.conf /etc/redis.conf
-RUN chmod +x /usr/bin/docker-healthcheck \
-    && chown redis:redis /etc/redis.conf
+COPY --link --chmod=755 ./make/photon/redis/docker-healthcheck /usr/bin/
+COPY --link --chown=999:999 ./make/photon/redis/redis.conf /etc/redis.conf
 
 HEALTHCHECK CMD ["docker-healthcheck"]
 USER redis

make/photon/redis/Dockerfile.base

@@ -2,5 +2,5 @@ FROM photon:5.0
 
 RUN tdnf install -y shadow >> /dev/null \
     && groupadd -g 999 redis \
-    && useradd -u 999 -g 999 -c "Redis Database Server" -d /var/lib/redis -s /sbin/nologin -m redis
-RUN tdnf install -y redis && tdnf clean all
+    && useradd -u 999 -g 999 -c "Redis Database Server" -d /var/lib/redis -s /sbin/nologin -m redis \
+    && tdnf install -y redis && tdnf clean all

make/photon/registryctl/Dockerfile

@@ -2,16 +2,10 @@ ARG harbor_base_image_version
 ARG harbor_base_namespace
 FROM ${harbor_base_namespace}/harbor-registryctl-base:${harbor_base_image_version}
 
-COPY ./make/photon/common/install_cert.sh /home/harbor
-COPY ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC
-COPY ./make/photon/registryctl/start.sh /home/harbor
-COPY ./make/photon/registryctl/harbor_registryctl /home/harbor
-
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
-    && chown harbor:harbor /home/harbor/harbor_registryctl && chmod u+x /home/harbor/harbor_registryctl \
-    && chown harbor:harbor /usr/bin/registry_DO_NOT_USE_GC && chmod u+x /usr/bin/registry_DO_NOT_USE_GC \
-    && chown harbor:harbor /home/harbor/start.sh && chmod u+x /home/harbor/start.sh \
-    && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /home/harbor/
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC
+COPY --link --chown=10000:10000 --chmod=744 ./make/photon/registryctl/start.sh /home/harbor/
+COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registryctl/harbor_registryctl /home/harbor/
 
 
 HEALTHCHECK CMD curl --fail -s http://localhost:8080/api/health || curl -sk --fail --key /etc/harbor/ssl/registryctl.key --cert /etc/harbor/ssl/registryctl.crt https://localhost:8443/api/health || exit 1

make/photon/registryctl/Dockerfile.base

@@ -3,4 +3,5 @@ FROM photon:5.0
 RUN tdnf install -y shadow >> /dev/null \
     && tdnf clean all \
     && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \
-    && mkdir -p /etc/registry
+    && mkdir -p /etc/registry \
+    && chown -R harbor:harbor /etc/pki/tls/certs

make/photon/standalone-db-migrator/Dockerfile

@@ -4,14 +4,10 @@ FROM ${harbor_base_namespace}/harbor-db-base:${harbor_base_image_version}
 
 ENV EXTERNAL_DB 0
 
-RUN mkdir /harbor/
-COPY ./make/migrations /migrations
-COPY ./make/photon/standalone-db-migrator/migrate /harbor/
-COPY ./make/photon/standalone-db-migrator/entrypoint.sh /harbor/
+COPY --link --chown=999:999 ./make/migrations /migrations
+COPY --link --chown=999:999 --chmod=755 ./make/photon/standalone-db-migrator/migrate /harbor/
+COPY --link --chown=999:999 --chmod=744 ./make/photon/standalone-db-migrator/entrypoint.sh /harbor/
 
-RUN chown -R postgres:postgres /harbor/ \
-    && chown -R postgres:postgres /migrations/ \
-    && chmod u+x /harbor/migrate /harbor/entrypoint.sh
 USER postgres
 
 ENTRYPOINT ["/harbor/entrypoint.sh"]