From 02d042a6b9ef354e741b11a243d7dc6fa04ee22b Mon Sep 17 00:00:00 2001 From: Mitsuru Kariya Date: Fri, 21 Jun 2024 01:31:12 +0900 Subject: [PATCH] Reduce image size Do following actions to reduce the size of the generated images. - Change `COPY` command + `chown`/`chmod` command to `COPY` command + `--chown`/`--chmod` option. To prevent both files before/after `chown`/`chmod` commands from being recorded on different layers. - Put all `tdnf` commands in a single `RUN` command and move `tdnf clean all` command to the end. To prevent the `tdnf` cache from being recorded on a layer, and the `tdnf` database from being recorded on multiple layers. - Add `--link` option to `COPY` command. This does not contribute to image size reduction, but makes image building more efficient. - Move `chown /etc/pki/tls/certs` to the `Dockerfile.base`. This does not contribute to image size reduction, but is used in conjunction with `COPY --link` to make image building more efficient. The target images and their sizes are as follows. (The sizes are the value when built locally) - harbor-core : 185MB -> 118MB - harbor-db : 285MB -> 263MB - harbor-exporter : 108MB -> 79.1MB - harbor-jobservice : 159MB -> 105MB - harbor-registryctl : 160MB -> 104MB - redis-photon : 179MB -> 170 MB - standalone-db-migrator : 328MB -> 284MB Note that harbor-log, harbor-portal, and nginx-photon have almost no effect, and prepare is not directly executed by the user, so they are not included. Also, registry-photon and trivy-adapter-photon are not included, since PR#20622 and PR#20623 include equivalent action for these two, respectively. 
Signed-off-by: Mitsuru Kariya --- make/photon/core/Dockerfile | 20 +++++++------------ make/photon/core/Dockerfile.base | 2 +- make/photon/db/Dockerfile | 12 +++++------ make/photon/db/Dockerfile.base | 11 ++++------ make/photon/exporter/Dockerfile | 19 +++++------------- make/photon/exporter/Dockerfile.base | 2 +- make/photon/jobservice/Dockerfile | 12 +++-------- make/photon/jobservice/Dockerfile.base | 3 ++- make/photon/redis/Dockerfile | 6 ++---- make/photon/redis/Dockerfile.base | 4 ++-- make/photon/registryctl/Dockerfile | 14 ++++--------- make/photon/registryctl/Dockerfile.base | 3 ++- make/photon/standalone-db-migrator/Dockerfile | 10 +++------- 13 files changed, 41 insertions(+), 77 deletions(-) diff --git a/make/photon/core/Dockerfile b/make/photon/core/Dockerfile index da561a875..498c975e0 100644 --- a/make/photon/core/Dockerfile +++ b/make/photon/core/Dockerfile 
@@ -3,20 +3,14 @@ ARG harbor_base_namespace FROM ${harbor_base_namespace}/harbor-core-base:${harbor_base_image_version} HEALTHCHECK CMD curl --fail -s http://localhost:8080/api/v2.0/ping || curl -k --fail -s https://localhost:8443/api/v2.0/ping || exit 1 -COPY ./make/photon/common/install_cert.sh /harbor/ -COPY ./make/photon/core/entrypoint.sh /harbor/ -COPY ./make/photon/core/harbor_core /harbor/ -COPY ./src/core/views /harbor/views -COPY ./make/migrations /harbor/migrations -COPY ./icons /harbor/icons - -RUN chown -R harbor:harbor /etc/pki/tls/certs \ - && chown -R harbor:harbor /harbor/ \ - && chmod u+x /harbor/entrypoint.sh \ - && chmod u+x /harbor/install_cert.sh \ - && chmod u+x /harbor/harbor_core +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /harbor/ +COPY --link --chown=10000:10000 --chmod=744 ./make/photon/core/entrypoint.sh /harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/core/harbor_core /harbor/ +COPY --link --chown=10000:10000 ./src/core/views /harbor/views +COPY --link --chown=10000:10000 ./make/migrations /harbor/migrations +COPY --link --chown=10000:10000 ./icons /harbor/icons WORKDIR /harbor/ USER harbor ENTRYPOINT ["/harbor/entrypoint.sh"] -COPY make/photon/prepare/versions /harbor/ +COPY --link make/photon/prepare/versions /harbor/ diff --git a/make/photon/core/Dockerfile.base b/make/photon/core/Dockerfile.base index a6c7f097c..772d6bbf0 100644 --- a/make/photon/core/Dockerfile.base +++ b/make/photon/core/Dockerfile.base @@ -3,4 +3,4 @@ FROM photon:5.0 RUN tdnf install -y tzdata shadow >> /dev/null \ && tdnf clean all \ && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \ - && mkdir /harbor/ + && chown -R harbor:harbor /etc/pki/tls/certs diff --git a/make/photon/db/Dockerfile b/make/photon/db/Dockerfile index c9e3313c4..6979886d5 100644 --- a/make/photon/db/Dockerfile +++ b/make/photon/db/Dockerfile 
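Review bot: The last line of the core/Dockerfile hunk, `COPY --link make/photon/prepare/versions /harbor/`, is the only copy into `/harbor/` without `--chown`, and with `--link` its layer may bring its own root-owned `/harbor` directory entry. The removed `chown -R harbor:harbor /harbor/` covered the directory as well as its contents, and Dockerfile.base no longer runs `mkdir /harbor/`, so the directory's ownership now depends on these COPY layers alone. Running `stat -c '%u:%g %a' /harbor` in the built image would settle it. If the service or install_cert.sh writes there, `COPY --link --chown=10000:10000 make/photon/prepare/versions /harbor/` keeps the previous behaviour.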
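Review bot: The added `&& chown -R harbor:harbor /etc/pki/tls/certs` in core/Dockerfile.base moves write access to the system CA certificate directory into the base image, with no comment saying why the service account needs it. With UID 10000 owning the trust store, the running service can add or replace trusted certificates; presumably install_cert.sh relies on this, but that script is not visible here. A comment above the RUN such as `# harbor (UID 10000) owns /etc/pki/tls/certs so install_cert.sh can add custom CAs at start-up (confirm)` would record the intent and make the trade-off reviewable. The identical line is added in the exporter, jobservice and registryctl Dockerfile.base hunks.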
@@ -4,13 +4,11 @@ FROM ${harbor_base_namespace}/harbor-db-base:${harbor_base_image_version} VOLUME /var/lib/postgresql/data -COPY ./make/photon/db/docker-entrypoint.sh /docker-entrypoint.sh -COPY ./make/photon/db/initdb.sh /initdb.sh -COPY ./make/photon/db/upgrade.sh /upgrade.sh -COPY ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh -COPY ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/ -RUN chown -R postgres:postgres /docker-entrypoint.sh /docker-healthcheck.sh /docker-entrypoint-initdb.d \ - && chmod u+x /docker-entrypoint.sh /docker-healthcheck.sh +COPY --link --chown=999:999 --chmod=744 ./make/photon/db/docker-entrypoint.sh /docker-entrypoint.sh +COPY --link ./make/photon/db/initdb.sh /initdb.sh +COPY --link ./make/photon/db/upgrade.sh /upgrade.sh +COPY --link --chown=999:999 --chmod=744 ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh +COPY --link --chown=999:999 ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/ ENTRYPOINT ["/docker-entrypoint.sh", "14", "15"] HEALTHCHECK CMD ["/docker-healthcheck.sh"] diff --git a/make/photon/db/Dockerfile.base b/make/photon/db/Dockerfile.base index 6c816cc81..c723230e2 100644 --- a/make/photon/db/Dockerfile.base +++ b/make/photon/db/Dockerfile.base 
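Review bot: The numeric `--chown=999:999` on these COPY lines replaces the `postgres:postgres` names used by the removed `chown`, so this Dockerfile now depends silently on the `--uid=999`/`--gid=999` values set in make/photon/db/Dockerfile.base. If the base image's IDs ever change, docker-entrypoint.sh, docker-healthcheck.sh and /docker-entrypoint-initdb.d would end up owned by an ID that no longer belongs to the postgres account, and nothing in the build would fail. A comment above the first COPY, `# 999:999 = postgres user/group created in make/photon/db/Dockerfile.base; keep in sync`, would make the coupling visible. The same applies to `10000:10000` in the core, exporter, jobservice and registryctl Dockerfiles and to `999:999` in redis and standalone-db-migrator.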
@@ -4,17 +4,14 @@ ENV PGDATA /var/lib/postgresql/data RUN tdnf install -y shadow >> /dev/null \ && groupadd -r postgres --gid=999 \ - && useradd -m -r -g postgres --uid=999 postgres - -RUN tdnf install -y postgresql14-server >> /dev/null -RUN tdnf install -y gzip postgresql15-server findutils bc >> /dev/null \ - && mkdir -p /docker-entrypoint-initdb.d \ + && useradd -m -r -g postgres --uid=999 postgres \ + && tdnf install -y postgresql14-server >> /dev/null \ + && tdnf install -y gzip postgresql15-server findutils bc >> /dev/null \ && mkdir -p /run/postgresql \ && chown -R postgres:postgres /run/postgresql \ && chmod 2777 /run/postgresql \ && mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" \ && sed -i "s|#listen_addresses = 'localhost'.*|listen_addresses = '*'|g" /usr/pgsql/15/share/postgresql/postgresql.conf.sample \ && sed -i "s|#unix_socket_directories = '/tmp'.*|unix_socket_directories = '/run/postgresql'|g" /usr/pgsql/15/share/postgresql/postgresql.conf.sample \ + && tdnf erase -y toybox && tdnf install -y util-linux net-tools \ && tdnf clean all - -RUN tdnf erase -y toybox && tdnf install -y util-linux net-tools diff --git a/make/photon/exporter/Dockerfile b/make/photon/exporter/Dockerfile index 42f94481a..8b881532b 100644 --- a/make/photon/exporter/Dockerfile +++ b/make/photon/exporter/Dockerfile 
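Review bot: The line `&& tdnf erase -y toybox && tdnf install -y util-linux net-tools \` is folded into the main RUN without a comment, although it both removes a package and adds network utilities to the runtime database image. The hunk does not show which script needs them, which makes it hard to drop them later to reduce what ships in the image. A comment above the RUN, for example `# toybox is swapped for util-linux and net-tools because SCRIPT_NAME needs TOOL_NAME`, would document the dependency; SCRIPT_NAME and TOOL_NAME are placeholders for the actual consumer. The RUN instruction begins above the first changed line, so this applies to the whole chain rather than only the added lines.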
@@ -4,24 +4,15 @@ ARG harbor_base_namespace FROM ${build_image} AS build -ENV CGO_ENABLED=0 -ENV GOOS=linux -ENV GOARCH=amd64 - -COPY src /harbor/src +COPY --link src /harbor/src WORKDIR /harbor/src/cmd/exporter -RUN go build -o /out/harbor_exporter +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /out/harbor_exporter FROM ${harbor_base_namespace}/harbor-exporter-base:${harbor_base_image_version} -COPY --from=build /out/harbor_exporter /harbor/harbor_exporter -COPY ./make/photon/exporter/entrypoint.sh ./make/photon/common/install_cert.sh /harbor/ - -RUN chown -R harbor:harbor /etc/pki/tls/certs \ - && chown -R harbor:harbor /harbor/ \ - && chmod u+x /harbor/entrypoint.sh \ - && chmod u+x /harbor/install_cert.sh \ - && chmod u+x /harbor/harbor_exporter +COPY --link --from=build --chown=10000:10000 --chmod=755 /out/harbor_exporter /harbor/harbor_exporter +COPY --link --chown=10000:10000 --chmod=744 ./make/photon/exporter/entrypoint.sh /harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /harbor/ WORKDIR /harbor USER harbor diff --git a/make/photon/exporter/Dockerfile.base b/make/photon/exporter/Dockerfile.base index a6c7f097c..772d6bbf0 100644 --- a/make/photon/exporter/Dockerfile.base +++ b/make/photon/exporter/Dockerfile.base @@ -3,4 +3,4 @@ FROM photon:5.0 RUN tdnf install -y tzdata shadow >> /dev/null \ && tdnf clean all \ && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \ - && mkdir /harbor/ + && chown -R harbor:harbor /etc/pki/tls/certs diff --git a/make/photon/jobservice/Dockerfile b/make/photon/jobservice/Dockerfile index accd7519d..db05f7462 100644 --- a/make/photon/jobservice/Dockerfile +++ b/make/photon/jobservice/Dockerfile 
@@ -2,17 +2,11 @@ ARG harbor_base_image_version ARG harbor_base_namespace FROM ${harbor_base_namespace}/harbor-jobservice-base:${harbor_base_image_version} -COPY ./make/photon/common/install_cert.sh /harbor/ -COPY ./make/photon/jobservice/entrypoint.sh /harbor/ -COPY ./make/photon/jobservice/harbor_jobservice /harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /harbor/ +COPY --link --chown=10000:10000 --chmod=744 ./make/photon/jobservice/entrypoint.sh /harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/jobservice/harbor_jobservice /harbor/ -RUN chown -R harbor:harbor /etc/pki/tls/certs \ - && chown -R harbor:harbor /harbor/ \ - && chmod u+x /harbor/entrypoint.sh \ - && chmod u+x /harbor/install_cert.sh \ - && chmod u+x /harbor/harbor_jobservice - WORKDIR /harbor/ USER harbor diff --git a/make/photon/jobservice/Dockerfile.base b/make/photon/jobservice/Dockerfile.base index 7157c6c59..772d6bbf0 100644 --- a/make/photon/jobservice/Dockerfile.base +++ b/make/photon/jobservice/Dockerfile.base @@ -2,4 +2,5 @@ FROM photon:5.0 RUN tdnf install -y tzdata shadow >> /dev/null \ && tdnf clean all \ - && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor + && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \ + && chown -R harbor:harbor /etc/pki/tls/certs diff --git a/make/photon/redis/Dockerfile b/make/photon/redis/Dockerfile index a2a782f77..193e126f8 100644 --- a/make/photon/redis/Dockerfile +++ b/make/photon/redis/Dockerfile 
@@ -4,10 +4,8 @@ FROM ${harbor_base_namespace}/harbor-redis-base:${harbor_base_image_version} VOLUME /var/lib/redis WORKDIR /var/lib/redis -COPY ./make/photon/redis/docker-healthcheck /usr/bin/ -COPY ./make/photon/redis/redis.conf /etc/redis.conf -RUN chmod +x /usr/bin/docker-healthcheck \ - && chown redis:redis /etc/redis.conf +COPY --link --chmod=755 ./make/photon/redis/docker-healthcheck /usr/bin/ +COPY --link --chown=999:999 ./make/photon/redis/redis.conf /etc/redis.conf HEALTHCHECK CMD ["docker-healthcheck"] USER redis diff --git a/make/photon/redis/Dockerfile.base b/make/photon/redis/Dockerfile.base index 331306bd8..1e4438119 100644 --- a/make/photon/redis/Dockerfile.base +++ b/make/photon/redis/Dockerfile.base @@ -2,5 +2,5 @@ FROM photon:5.0 RUN tdnf install -y shadow >> /dev/null \ && groupadd -g 999 redis \ - && useradd -u 999 -g 999 -c "Redis Database Server" -d /var/lib/redis -s /sbin/nologin -m redis -RUN tdnf install -y redis && tdnf clean all + && useradd -u 999 -g 999 -c "Redis Database Server" -d /var/lib/redis -s /sbin/nologin -m redis \ + && tdnf install -y redis && tdnf clean all diff --git a/make/photon/registryctl/Dockerfile b/make/photon/registryctl/Dockerfile index b4733df90..983ca8337 100644 --- a/make/photon/registryctl/Dockerfile +++ b/make/photon/registryctl/Dockerfile 
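Review bot: `COPY --link --chown=999:999 ./make/photon/redis/redis.conf /etc/redis.conf` keeps the configuration file owned by the redis account the container runs as (`USER redis`), so the server process can still write to it. If nothing needs to rewrite the file at runtime, dropping the option leaves it root-owned: `COPY --link ./make/photon/redis/redis.conf /etc/redis.conf`. It would stay readable by redis provided the source file is world-readable. Whether Redis is started with this path and relies on rewriting it is not visible in the hunk, so that should be confirmed before tightening.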
@@ -2,16 +2,10 @@ ARG harbor_base_image_version ARG harbor_base_namespace FROM ${harbor_base_namespace}/harbor-registryctl-base:${harbor_base_image_version} -COPY ./make/photon/common/install_cert.sh /home/harbor -COPY ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC -COPY ./make/photon/registryctl/start.sh /home/harbor -COPY ./make/photon/registryctl/harbor_registryctl /home/harbor - -RUN chown -R harbor:harbor /etc/pki/tls/certs \ - && chown harbor:harbor /home/harbor/harbor_registryctl && chmod u+x /home/harbor/harbor_registryctl \ - && chown harbor:harbor /usr/bin/registry_DO_NOT_USE_GC && chmod u+x /usr/bin/registry_DO_NOT_USE_GC \ - && chown harbor:harbor /home/harbor/start.sh && chmod u+x /home/harbor/start.sh \ - && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /home/harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC +COPY --link --chown=10000:10000 --chmod=744 ./make/photon/registryctl/start.sh /home/harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registryctl/harbor_registryctl /home/harbor/ HEALTHCHECK CMD curl --fail -s http://localhost:8080/api/health || curl -sk --fail --key /etc/harbor/ssl/registryctl.key --cert /etc/harbor/ssl/registryctl.crt https://localhost:8443/api/health || exit 1 diff --git a/make/photon/registryctl/Dockerfile.base b/make/photon/registryctl/Dockerfile.base index 09809d6d4..f3a27e572 100644 --- a/make/photon/registryctl/Dockerfile.base +++ b/make/photon/registryctl/Dockerfile.base @@ -3,4 +3,5 @@ FROM photon:5.0 RUN tdnf install -y shadow >> /dev/null \ && tdnf clean all \ && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \ - && mkdir -p /etc/registry + && mkdir -p /etc/registry \ + && chown -R harbor:harbor /etc/pki/tls/certs 
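Review bot: `COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC` places an owner-writable executable in `/usr/bin` under the unprivileged service account, so a compromised registryctl process could replace a binary it later runs. The removed `chown harbor:harbor` did the same, but with the mode now explicit nothing visible needs that ownership. `COPY --link --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC` would leave it root-owned and still executable by UID 10000. Because `--link` builds the layer independently of the base filesystem, it is also worth confirming that `/usr/bin` itself is still `root:root` in the built image. The same ownership question applies to the executables copied into `/harbor/` in the core, exporter and jobservice Dockerfiles.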
diff --git a/make/photon/standalone-db-migrator/Dockerfile b/make/photon/standalone-db-migrator/Dockerfile index 0fc35c8a6..27da1aa3e 100644 --- a/make/photon/standalone-db-migrator/Dockerfile +++ b/make/photon/standalone-db-migrator/Dockerfile @@ -4,14 +4,10 @@ FROM ${harbor_base_namespace}/harbor-db-base:${harbor_base_image_version} ENV EXTERNAL_DB 0 -RUN mkdir /harbor/ -COPY ./make/migrations /migrations -COPY ./make/photon/standalone-db-migrator/migrate /harbor/ -COPY ./make/photon/standalone-db-migrator/entrypoint.sh /harbor/ +COPY --link --chown=999:999 ./make/migrations /migrations +COPY --link --chown=999:999 --chmod=755 ./make/photon/standalone-db-migrator/migrate /harbor/ +COPY --link --chown=999:999 --chmod=744 ./make/photon/standalone-db-migrator/entrypoint.sh /harbor/ -RUN chown -R postgres:postgres /harbor/ \ - && chown -R postgres:postgres /migrations/ \ - && chmod u+x /harbor/migrate /harbor/entrypoint.sh USER postgres ENTRYPOINT ["/harbor/entrypoint.sh"]