
Optimize Docker image #271

Open: wants to merge 1 commit into base: master

Conversation

marcofranssen (Contributor) commented Jan 20, 2025

This PR optimizes the Docker image in the following ways:

  • Reduces image layers (improves build speed, reduces the layers to be downloaded)
  • Reorders image layers (moves the least frequently changing ones to the top, which reduces the number of layers that have to be pushed, downloaded and rebuilt)
  • Uses the buildx cache to increase the build speed for cross-platform images
  • Switches to distroless/base (containing solely the binaries, to reduce the vulnerabilities)

If necessary I can break up the PR into smaller chunks, but I wanted to start with the full picture to show where I'm heading.

It also seems like the Makefile and compilation can be improved and made much more efficient; I would love to contribute that part as well in a follow-up PR.
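The layering, cache-mount and distroless strategy described above, as an added illustrative Dockerfile that is not the PR's own file. It assumes a Go module at the build-context root with its main package there, a binary named ksops, and the public golang, tonistiigi/xx and gcr.io/distroless images (the image tags are assumptions).

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the PR's Dockerfile); image tags and the binary name
# "ksops" are assumptions.

# xx ships the xx-go wrapper that sets GOOS/GOARCH/CC from TARGETPLATFORM,
# and xx-verify, which checks the produced binary matches the target.
FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx

FROM --platform=$BUILDPLATFORM golang:1.23-bookworm AS builder
COPY --from=xx / /
ARG TARGETPLATFORM
WORKDIR /src

# Least-frequently-changing inputs first: go.mod/go.sum rarely change,
# so this layer and the module download are reused on most rebuilds.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    go mod download

# Source changes invalidate only the layers from here on. The two cache
# mounts persist the module cache and compiler cache across builds and
# across the per-platform builds of a multi-arch buildx run, without
# baking either cache into an image layer.
COPY . .
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    xx-go --wrap && \
    CGO_ENABLED=0 go build -trimpath -o /out/ksops . && \
    xx-verify /out/ksops

# Runtime stage: distroless/base carries glibc, ca-certificates and tzdata
# but no shell or package manager, so a scanner has far fewer OS packages
# to flag and an attacker who reaches the container has no shell to use.
FROM gcr.io/distroless/base-debian12:nonroot
COPY --from=builder /out/ksops /usr/local/bin/ksops
USER nonroot:nonroot
ENTRYPOINT ["/usr/local/bin/ksops"]
```

The PR's real image also ships a kustomize binary (visible in the trivy output further down), which this example omits; build it with `docker buildx build --platform linux/amd64,linux/arm64 .` to exercise the cross-compilation path.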

dosubot (bot) added the labels size:M (This PR changes 30-99 lines, ignoring generated files.) and kind:enhancement (New feature or request) on Jan 20, 2025
RUN make install
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
xx-go --wrap && \
marcofranssen (Contributor, author) commented on these lines:

takes care of the plumbing like on line https://github.com/viaduct-ai/kustomize-sops/pull/271/files#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557L21-L23

also has a verify command to verify the outcome of the binary.

devstein (Collaborator) commented:

Hey @marcofranssen awesome work. Are you able to show a before/after for image size?

This change optimizes the layers, build speed, and foremost reduces vulnerabilities by switching to distroless/base image
marcofranssen (Contributor, author) commented Jan 28, 2025

Hey @marcofranssen awesome work. Are you able to show a before/after for image size?

$ docker images
REPOSITORY          TAG         IMAGE ID       CREATED              SIZE
ksops               latest      83865ac306be   About a minute ago   165MB
viaductoss/ksops    latest      fa92f7c8ba3f   4 hours ago          288MB

Furthermore, the CVEs in the current image:

$ trivy image viaductoss/ksops
………
viaductoss/ksops (debian 11.11)

Total: 156 (UNKNOWN: 0, LOW: 119, MEDIUM: 27, HIGH: 7, CRITICAL: 3)

………………
usr/local/bin/kustomize (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

vs new image:

$ trivy image ttl.sh/ksops-1234567890:1h
…………
ttl.sh/ksops-1234567890:1h (debian 12.9)

Total: 9 (UNKNOWN: 0, LOW: 7, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
……………
…………

usr/local/bin/kustomize (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

So you can see it has massively fewer dependencies and therefore also fewer vulnerabilities.
