Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dockerfile improvements #481

Merged
merged 4 commits into from
Feb 4, 2024
Merged

Dockerfile improvements #481

merged 4 commits into from
Feb 4, 2024

Conversation

cfergeau
Copy link
Contributor

@cfergeau cfergeau commented Jan 16, 2024
edited
Loading

Proposed Changes

This PR does various improvements to the Dockerfile:

  • removes unneeded package, which reduces the image size by about 10%
  • run apt-get upgrade to get the latest security updates
  • improve the way package version are specified in apt-get install so that this line does not have to be updated every time one of these packages is updated

Related Issues

(Github link to related issues or pull requests)

frenck
frenck requested changes Jan 16, 2024
View reviewed changes
@frenck frenck marked this pull request as draft January 16, 2024 16:22
@cfergeau
Remove unused jsvc
fd3e672 
The unifi package does not depend on it, `git grep jsvc` does not return
a match, this is the only binary the jsvc package provides, and jsvc
pulls openjdk-jre-11 while the rest of the code switched to 17

Signed-off-by: Christophe Fergeau <[email protected]>
@cfergeau
Only install openjdk-17-jre-headless
39873b1 
The unifi package has a dependency on openjdk-17-jre-headless, not on
openjdk-17-jdk-headless, no need to install the full jdk

Together with the removal of jsvc, this reduces the image size by about
10% (tested with an x86_64 local build, 816 MB -> 737 MB)

Signed-off-by: Christophe Fergeau <[email protected]>
@cfergeau
Ensure image is up to date
0f20525 
Running apt-get upgrade -y will ensure the latest security updates are
installed in the image.

Signed-off-by: Christophe Fergeau <[email protected]>
@frenck
Copy link
Member

frenck commented Jan 16, 2024

run apt-get upgrade to get the latest security updates

I'm not aware there is one? If so, please let me know what is going on, and let's fix it in the base image.

Upgrading packages on this level is also pretty inefficient.

removes unneeded package, which reduces the image size by about 10%

You've removed jsvc, which is assumingly used internally by UniFi, see also their installer scripts by the community linked to from UniFi: https://get.glennr.nl/unifi/install/unifi-8.0.26.sh

I don't think that is correct? Can you provide the reasoning for this removal and where I can information on this otherwise?

improve the way package version are specified in apt-get install so that this line does not have to be updated every time one of these packages is updated

I was not aware this was a problem in this repo? Could you clarify where and why this is an issue?

@cfergeau
Copy link
Contributor Author

I'm not aware there is one? If so, please let me know what is going on, and let's fix it in the base image.

Running apt-get upgrade in ghcr.io/hassio-addons/ubuntu-base:8.2.0 gives:

apt base-files bsdutils ca-certificates curl fdisk gcc-10-base libapt-pkg6.0 libasn1-8-heimdal libblkid1 libc-bin libc6 libcurl4 libfdisk1 libgcc-s1 libgnutls30 libgssapi-krb5-2 libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libk5crypto3 libkrb5-26-heimdal libkrb5-3 libkrb5support0 libmount1 libncurses6 libncursesw6 libnghttp2-14 libpam-modules libpam-modules-bin libpam-runtime libpam0g libprocps8 libroken18-heimdal libsmartcols1 libsqlite3-0 libssh-4 libssl1.1 libstdc++6 libsystemd0 libtinfo6 libudev1 libuuid1 libwind0-heimdal mount ncurses-base ncurses-bin openssl perl-base procps tar tzdata util-linux

which is a fairly large set of packages. #481 (comment) has more details why I could not find a better base image to use instead. Or maybe official addon builds are using automatically built base image or something like this, and not ghcr.io/hassio-addons/ubuntu-base:8.2.0 as specified in the Dockerfile?

@cfergeau
Copy link
Contributor Author

You've removed jsvc, which is assumingly used internally by UniFi, see also their installer scripts by the community linked to from UniFi: https://get.glennr.nl/unifi/install/unifi-8.0.26.sh

I don't think that is correct? Can you provide the reasoning for this removal and where I can information on this otherwise?

I've added some reasoning in the commit log:

The unifi package does not depend on it, `git grep jsvc` does not return a match, this is the only binary the jsvc package provides, and jsvc pulls openjdk-jre-11 while the rest of the code switched to 17

"does not depend on it" in the sense of "the unifi package does not have a dpkg/apt dependency for it"
I've also checked I can start the image without it (I did not try to go further than the first unifi screen on port 8443)

@cfergeau
Copy link
Contributor Author

I was not aware this was a problem in this repo? Could you clarify where and why this is an issue?

Not a huge issue if there's a bot automatically updating the repo, but for example this PR is not buildable because main is missing

-        binutils=2.34-6ubuntu1.7 \
+        binutils=2.34-6ubuntu1.8 \

@cfergeau
Copy link
Contributor Author

You've removed jsvc, which is assumingly used internally by UniFi, see also their installer scripts by the community linked to from UniFi: https://get.glennr.nl/unifi/install/unifi-8.0.26.sh

I've looked closer at this script, for unifi 8.x it has:

if [[ "${first_digit_unifi}" -gt '8' ]] || [[ "${first_digit_unifi}" == '8' && "${second_digit_unifi}" -ge "1" ]]; then
  ...
  required_java_version="openjdk-17"
  required_java_version_short="17"
fi

and jsvc installation is only done for openjdk-8, not for newer openjdk versions:

  if [[ "${required_java_version}" == "openjdk-8" ]]; then
    echo -e "${WHITE_R}#${RESET} Installing jsvc and libcommons-daemon-java..."
    if DEBIAN_FRONTEND='noninteractive' apt-get -y "${apt_options[@]}" -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install jsvc libcommons-daemon-java &>> "${eus_dir}/logs/apt.log"; then echo -e "${GREEN}#${RESET} Successfully installed jsvc and libcommons-daemon-java! \\n"; else echo -e "${RED}#${RESET} Failed to install jsvc and libcommons-daemon-java in the first run...\\n"; unifi_dependencies=fail; fi
  fi

I also found https://community.ui.com/questions/New-UniFi-Controller-Installation-Issues-Ubuntu-18-04/a4a3b308-0ed4-4a4a-b54d-e0b59f9e4661 which indicates that at some point in the past, the unifi debian package had a requirement the jsvc package: The following packages have unmet dependencies: unifi : Depends: jsvc (>= 1.0.8) but it is not installable. This dependency is not present in the latest version of the package.

frenck
frenck approved these changes Feb 4, 2024
View reviewed changes
Copy link
Member

@frenck frenck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @cfergeau 👍

@frenck frenck marked this pull request as ready for review February 4, 2024 22:18
@frenck frenck added the enhancement Enhancement of the code, not introducing new features. label Feb 4, 2024
@frenck frenck merged commit 4035ba9 into hassio-addons:main Feb 4, 2024
10 of 11 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Feb 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@renewoensdregt renewoensdregt renewoensdregt left review comments

@frenck frenck frenck approved these changes

Assignees
No one assigned
Labels
enhancement Enhancement of the code, not introducing new features.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cfergeau @frenck @renewoensdregt