Make the container image smaller #753
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
stage_binaries.sh
Outdated
| dpkg -s "${package}" > "${staging}/var/lib/dpkg/status.d/${package}" | ||
| } | ||
|
|
||
| # helper because bash sometimes barfs on embedded comments |
There was a problem hiding this comment.
nit: I can't really tell from this comment and the usage context why this is needed. At the call site it's also not obvious what's happening without going back and reading this.
There was a problem hiding this comment.
grep treats "no match" as an error, which trips up pipefail and errexit
$ echo foo | grep bar; echo $?
1
So we want to do:
$ echo foo | { grep bar || true; }; echo $?
0
Adding back the comments in the style of binary_to_libraries():
$ echo foo \
`# comment1` \
| { grep "bar" || true; } \
`# comment2`; echo $?
bash: syntax error near unexpected token ``# comment2`'
Parens fails the same way.
It works without the braces and || true, but returns error status
$ echo foo `# comment1` | grep "bar" `# comment2`; echo $?
1
Once bash parses {} or () it can't handle subsequent #comment blocks. happy() hides that. I could rename it :)
There was a problem hiding this comment.
grep treats "no match" as an error, which trips up pipefail and errexit
instead of swallowing all errors, you can actually detect the no-match case and ignore that
There was a problem hiding this comment.
grep_allow_nomatch() {
# grep exits 0 on match, 1 on no match, 2 on error
grep "$@" || [ $? = 1 ]
}There was a problem hiding this comment.
cute, I guess I should actually read the man page :)
There was a problem hiding this comment.
PTAL. I want to run a scanner against it to be sure it works, when I get a moment
And hopefully less CVEs. |
thockin
force-pushed
the
v4_smaller_image
branch
from
1f52e3b
to
d360a68
Compare
For each package and binary we need, this pulls in all the files and deps (shared libs, mostly). The build is slower but the final image is 85 MB (versus 157 MB before). e2e passes. Hopefully less CVE surface. This is based on scripts used in kubernetes and KinD.
thockin
force-pushed
the
v4_smaller_image
branch
from
d360a68
to
f037087
Compare
k8s-ci-robot
added
the
lgtm
For each package and binary we need, this pulls in all the files and deps (shared libs, mostly). The build is slower but the final image is 85 MB (versus 157 MB before). e2e passes.
This is based on scripts used in kubernetes and KinD.