From fa429125cbc87df486a8face28e63eab49152b25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Tue, 30 Jul 2024 17:30:35 +0800
Subject: [PATCH] reduce image size by merging layers (#4346)

Signed-off-by: zhangzujian
---
 dist/images/Dockerfile | 22 +++++++++---------
 dist/images/Dockerfile.base | 46 +++++++++++++++++++++----------------
 2 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/dist/images/Dockerfile b/dist/images/Dockerfile
index 4e5477d1cca..d3ca490cfcf 100644
--- a/dist/images/Dockerfile
+++ b/dist/images/Dockerfile
@@ -1,21 +1,11 @@
 # syntax = docker/dockerfile:experimental
 ARG VERSION
 ARG BASE_TAG=$VERSION
-FROM kubeovn/kube-ovn-base:$BASE_TAG
+FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap
 
 COPY *.sh /kube-ovn/
 COPY kubectl-ko /kube-ovn/kubectl-ko
 COPY 01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
-COPY --chmod=0644 logrotate/* /etc/logrotate.d/
-COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
-
-WORKDIR /kube-ovn
-
-RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
-RUN rm -f /usr/bin/nc &&\
- rm -f /usr/bin/netcat &&\
- rm -f /usr/lib/apt/methods/mirror
-RUN deluser sync
 
 COPY kube-ovn /kube-ovn/kube-ovn
 COPY kube-ovn-cmd /kube-ovn/kube-ovn-cmd
@@ -31,3 +21,13 @@ RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
 setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \
 setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-pinger && \
 setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
+
+FROM kubeovn/kube-ovn-base:$BASE_TAG
+
+COPY --chmod=0644 logrotate/* /etc/logrotate.d/
+COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
+
+COPY --from=setcap /kube-ovn /kube-ovn
+RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
+
+WORKDIR /kube-ovn
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index 051beaffdc4..4aa83de9e6d 100644
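Review bot: The hardening this hunk removes (`RUN deluser sync` and the deletion of `/usr/bin/nc`, `/usr/bin/netcat` and `/usr/lib/apt/methods/mirror`) is no longer performed by this Dockerfile at all; it is only present if the `kubeovn/kube-ovn-base:$BASE_TAG` being pulled was built from the matching Dockerfile.base. Nothing in this file enforces that coupling, so a build against an older `BASE_TAG` (or a stale locally cached base) silently ships an image without those steps. A one-line guard in the final stage turns the mismatch into a build failure instead: `RUN ! command -v nc && ! command -v netcat && ! getent passwd sync`.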
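Review bot: `COPY --from=setcap /kube-ovn /kube-ovn` depends on the builder carrying the `security.capability` xattr written by the `setcap` calls in the first stage across the copy; whether file capabilities survive `COPY --from` depends on the BuildKit frontend in use, and this file still pins `# syntax = docker/dockerfile:experimental`. If they are lost, the capability grant on `kube-ovn-daemon` shows up only as a runtime failure, well after the image has been published. A build-time assertion right after the copy closes that gap: `RUN getcap /kube-ovn/kube-ovn-daemon | grep -q cap_sys_admin` (`getcap` comes from the same Debian-family package as the `setcap` already used here). Moving the syntax directive to a released `docker/dockerfile:1` frontend would also pin which copy semantics the build gets.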
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
@@ -92,8 +92,24 @@ RUN apt update && apt upgrade -y && apt install ca-certificates python3 hostname
 tcpdump ipvsadm ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 conntrack traceroute iputils-tracepath \
 logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins libmnl0 \
 libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins -y --no-install-recommends && \
+ setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
+ setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \
+ setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \
+ setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \
+ setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
+ setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \
+ setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \
+ setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
+ setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which ipset)) && \
+ setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-legacy-multi)) && \
+ setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-nft-multi)) && \
+ setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ip)) && \
 rm -rf /var/lib/apt/lists/* && \
- rm -rf /etc/localtime
+ rm -rf /etc/localtime && \
+ rm -f /usr/bin/nc && \
+ rm -f /usr/bin/netcat && \
+ rm -f /usr/lib/apt/methods/mirror && \
+ deluser sync
 
 RUN mkdir -p /var/run/openvswitch && \
 mkdir -p /var/run/ovn && \
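Review bot: The twelve `setcap … +eip` lines now sit in the middle of the package-install RUN with nothing explaining what they are for, and this layer is where anyone auditing the image's privilege surface will land (`ip` and `nsenter` receive `CAP_SYS_ADMIN`; `ipset`, `xtables-*-multi` and `modprobe` receive `CAP_SYS_MODULE`). A short comment on its own line before the `RUN` would make the intent and the maintenance rule explicit, e.g. `# file capabilities for tools invoked by the kube-ovn components — presumably so they work without root; review this list whenever a binary is added or a capability is widened`. Note that the `RUN` itself begins before this hunk, so the comment has to go ahead of the line the hunk header shows.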
@@ -116,37 +132,27 @@ RUN curl -L https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-${ARCH}.ta
 ARG BFDD_VERSION="v0.5.4"
 RUN curl -sSf -L --retry 3 -o /usr/local/bin/bfdd-control https://github.com/bobz965/bfd-binary-for-kube-ovn-cni/releases/download/${BFDD_VERSION}/bfdd-control && \
 curl -sSf -L --retry 3 -o /usr/local/bin/bfdd-beacon https://github.com/bobz965/bfd-binary-for-kube-ovn-cni/releases/download/${BFDD_VERSION}/bfdd-beacon && \
- chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon
+ chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon && \
+ setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which bfdd-beacon))
+
+ARG DEBUG=false
 
 RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \
 dpkg -i /packages/openvswitch-*.deb /packages/python3-openvswitch*.deb && \
 dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/ovn-*.deb && \
 rm -rf /var/lib/openvswitch/pki/ && \
 chown -R nobody: /var/lib/logrotate && \
- setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
- setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \
- setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \
- setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \
- setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
- setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \
- setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \
- setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
- setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which ipset)) && \
- setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-legacy-multi)) && \
- setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-nft-multi)) && \
- setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ip)) && \
- setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which bfdd-beacon)) && \
- setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl))
+ setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl)) && \
+ if [ "${DEBUG}" != "true" ]; then \
+ setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \
+ setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \
+ fi
 
-ARG DEBUG=false
 RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \
 if [ "${DEBUG}" = "true" ]; then \
 apt update && apt install -y --no-install-recommends gdb valgrind && \
 rm -rf /var/lib/apt/lists/* && \
 dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/*.ddeb; \
- else \
- setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \
- setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \
 fi
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
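Review bot: The moved `setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which bfdd-beacon))` now lives in the same RUN as the `curl -sSf -L` fetch of `bfdd-beacon` from a third-party GitHub release, and that fetch still has no integrity check, so whatever the release URL serves is installed and granted a file capability in one step. Pin the expected digests and verify them before the `chmod`/`setcap`, e.g. `echo "<sha256-of-bfdd-beacon (placeholder)>  /usr/local/bin/bfdd-beacon" | sha256sum -c -`, and the same for `bfdd-control`. Separately, `ARG DEBUG=false` now precedes the OVS `dpkg -i` layer and that layer reads `${DEBUG}`, so toggling `--build-arg DEBUG` invalidates it and reinstalls the packages; that is the cost of the merged `if [ "${DEBUG}" != "true" ]` branch and deserves a one-line comment. The `RUN` that fetches the kubernetes client begins before this hunk.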