reduce image size by merging layers (#4346)
Signed-off-by: zhangzujian <[email protected]>
zhangzujian committed Jul 30, 2024
1 parent b3b775e commit fa42912
Showing 2 changed files with 37 additions and 31 deletions.
22 changes: 11 additions & 11 deletions dist/images/Dockerfile
@@ -1,21 +1,11 @@
# syntax = docker/dockerfile:experimental
ARG VERSION
ARG BASE_TAG=$VERSION
FROM kubeovn/kube-ovn-base:$BASE_TAG
FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap

COPY *.sh /kube-ovn/
COPY kubectl-ko /kube-ovn/kubectl-ko
COPY 01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
COPY --chmod=0644 logrotate/* /etc/logrotate.d/
COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller

WORKDIR /kube-ovn

RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
RUN rm -f /usr/bin/nc &&\
rm -f /usr/bin/netcat &&\
rm -f /usr/lib/apt/methods/mirror
RUN deluser sync

COPY kube-ovn /kube-ovn/kube-ovn
COPY kube-ovn-cmd /kube-ovn/kube-ovn-cmd
Expand All @@ -31,3 +21,13 @@ RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \
setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-pinger && \
setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon

FROM kubeovn/kube-ovn-base:$BASE_TAG

COPY --chmod=0644 logrotate/* /etc/logrotate.d/
COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller

COPY --from=setcap /kube-ovn /kube-ovn
RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check

WORKDIR /kube-ovn
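Review bot: Nothing in the final stage checks that `COPY --from=setcap /kube-ovn /kube-ovn` carried over the `security.capability` xattrs written by the `setcap` calls in the first stage. BuildKit is expected to preserve xattrs on a cross-stage copy, but not every builder does. If they were dropped, kube-ovn-cmd, kube-ovn-pinger and kube-ovn-daemon would ship without their file capabilities and the failure would only show at runtime. A cheap guard right after the COPY would be `RUN getcap /kube-ovn/kube-ovn-daemon | grep -q cap_net_admin`, assuming getcap is installed in the base image alongside setcap. The RUN that applies the capabilities begins above the second hunk, so only its tail is visible here.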
46 changes: 26 additions & 20 deletions dist/images/Dockerfile.base
Expand Up @@ -92,8 +92,24 @@ RUN apt update && apt upgrade -y && apt install ca-certificates python3 hostname
tcpdump ipvsadm ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 conntrack traceroute iputils-tracepath \
logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins libmnl0 \
libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins -y --no-install-recommends && \
setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \
setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which ipset)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-legacy-multi)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-nft-multi)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ip)) && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /etc/localtime
rm -rf /etc/localtime && \
rm -f /usr/bin/nc && \
rm -f /usr/bin/netcat && \
rm -f /usr/lib/apt/methods/mirror && \
deluser sync

RUN mkdir -p /var/run/openvswitch && \
mkdir -p /var/run/ovn && \
Expand All @@ -116,37 +132,27 @@ RUN curl -L https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-${ARCH}.ta
ARG BFDD_VERSION="v0.5.4"
RUN curl -sSf -L --retry 3 -o /usr/local/bin/bfdd-control https://github.com/bobz965/bfd-binary-for-kube-ovn-cni/releases/download/${BFDD_VERSION}/bfdd-control && \
curl -sSf -L --retry 3 -o /usr/local/bin/bfdd-beacon https://github.com/bobz965/bfd-binary-for-kube-ovn-cni/releases/download/${BFDD_VERSION}/bfdd-beacon && \
chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon
chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon && \
setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which bfdd-beacon))

ARG DEBUG=false

RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \
dpkg -i /packages/openvswitch-*.deb /packages/python3-openvswitch*.deb && \
dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/ovn-*.deb && \
rm -rf /var/lib/openvswitch/pki/ && \
chown -R nobody: /var/lib/logrotate && \
setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \
setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which ipset)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-legacy-multi)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-nft-multi)) && \
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ip)) && \
setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which bfdd-beacon)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl))
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl)) && \
if [ "${DEBUG}" != "true" ]; then \
setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \
setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \
fi

ARG DEBUG=false
RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \
if [ "${DEBUG}" = "true" ]; then \
apt update && apt install -y --no-install-recommends gdb valgrind && \
rm -rf /var/lib/apt/lists/* && \
dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/*.ddeb; \
else \
setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \
setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \
fi

ENTRYPOINT ["/usr/bin/dumb-init", "--"]
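Review bot: `bfdd-beacon` now receives `CAP_NET_BIND_SERVICE` in the same RUN that downloads it, yet neither it nor `bfdd-control` is checked against a known digest; `curl -sSf -L` only fails on transport or HTTP errors. A release asset behind the `${BFDD_VERSION}` tag can be replaced upstream, so whatever is served at build time lands in the base image with a file capability attached. Pin the expected hashes and verify before `chmod`/`setcap`, e.g. `ARG BFDD_BEACON_SHA256=<expected-sha256>` followed by `echo "${BFDD_BEACON_SHA256}  /usr/local/bin/bfdd-beacon" | sha256sum -c - && \`, and the same for bfdd-control. The RUN in the first hunk of this file (apt install plus the moved setcap calls) begins outside the visible lines.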
