Merge pull request #1291 from elezar/switch-to-distroless

cdesiniotis · web-flow · commit 4772e32cbc48 · 2025-07-09T16:06:26.000-07:00
Switch to distroless golang image
diff --git a/.common-ci.yml b/.common-ci.yml
@@ -68,11 +68,6 @@ trigger-pipeline:
       allow_failure: false
     - when: always
 
-# The .dist- dummy steps set the DIST variable for the targeted distribution.
-.dist-ubi9:
-  variables:
-    DIST: "ubi9"
-
 # Define the platform targets
 .platform-amd64:
   variables:
@@ -101,7 +96,7 @@ trigger-pipeline:
 .scan-base:
   stage: scan
   variables:
-    IMAGE: "${CI_REGISTRY_IMAGE}/k8s-device-plugin:${CI_COMMIT_SHORT_SHA}-${DIST}"
+    IMAGE: "${CI_REGISTRY_IMAGE}/k8s-device-plugin:${CI_COMMIT_SHORT_SHA}"
     IMAGE_ARCHIVE: "k8s-device-plugin.tar"
   except:
     variables:
@@ -119,22 +114,20 @@ trigger-pipeline:
     - .scan-base
 
 # Define the scan targets
-scan-ubi9-amd64:
+scan-amd64:
   extends:
     - .scan
-    - .dist-ubi9
     - .platform-amd64
   needs:
-    - image-ubi9
+    - image-pull
 
-scan-ubi9-arm64:
+scan-arm64:
   extends:
     - .scan
-    - .dist-ubi9
     - .platform-arm64
   needs:
-    - image-ubi9
-    - scan-ubi9-amd64
+    - image-pull
+    - scan-amd64
 
 # Download the regctl binary for use in the release steps
 .regctl-setup:
@@ -177,7 +170,7 @@ scan-ubi9-arm64:
 
     # Since OUT_IMAGE_NAME and OUT_IMAGE_VERSION are set, this will push the CI image to the
     # Target
-    - make -f deployments/container/Makefile push-${DIST}
+    - make -f deployments/container/Makefile push-image
 
 # Define a staging release step that pushes an image to an internal "staging" repository
 # This is triggered for all pipelines (i.e. not only tags) to test the pipeline steps
@@ -204,9 +197,8 @@ scan-ubi9-arm64:
       variables:
         OUT_IMAGE_VERSION: "${DEVEL_RELEASE_IMAGE_VERSION}"
 
-release:staging-ubi9:
+release:staging:
   extends:
     - .release:staging
-    - .dist-ubi9
   needs:
-    - image-ubi9
+    - image-pull
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
@@ -60,15 +60,14 @@ variables:
     - !reference [.regctl-setup, before_script]
     - apk add --no-cache make bash
     - >
-      regctl manifest get ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} --list > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} does not exist" && sleep infinity )
+      regctl manifest get ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION} --list > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION} does not exist" && sleep infinity )
   script:
     - regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}"
-    - make -f deployments/container/Makefile IMAGE=${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} OUT_IMAGE=${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST} push-${DIST}
+    - make -f deployments/container/Makefile IMAGE=${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION} OUT_IMAGE=${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA} push-image
 
-image-ubi9:
+image-pull:
   extends:
     - .image-pull
-    - .dist-ubi9
 
 # We skip the integration tests for the internal CI:
 .integration:
@@ -113,10 +112,9 @@ image-ubi9:
 
 # Define the external release targets
 # Release to NGC
-release:ngc-ubi9:
+release:ngc:
   extends:
     - .release:ngc
-    - .dist-ubi9
 
 # Define the external image signing steps for NGC
 # Download the ngc cli binary for use in the sign steps
@@ -144,7 +142,7 @@ release:ngc-ubi9:
   variables:
     NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
     IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
-    IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}"
+    IMAGE_TAG: "${CI_COMMIT_TAG}"
   retry:
     max: 2
   before_script:
@@ -156,17 +154,10 @@ release:ngc-ubi9:
     - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
     - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
 
-sign:ngc-short-tag:
+sign:ngc:
   extends:
     - .sign:ngc
   needs:
-    - release:ngc-ubi9
+    - release:ngc
   variables:
     IMAGE_TAG: "${CI_COMMIT_TAG}"
-
-sign:ngc-ubi9:
-  extends:
-    - .dist-ubi9
-    - .sign:ngc
-  needs:
-    - release:ngc-ubi9
diff --git a/deployments/container/Dockerfile b/deployments/container/Dockerfile
@@ -33,8 +33,8 @@ RUN set -eux; \
     wget -nv -O - https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-${ARCH}.tar.gz \
     | tar -C /usr/local -xz
 
-ENV GOPATH /go
-ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+ENV GOPATH=/go
+ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
 
 WORKDIR /build
 COPY . .
@@ -50,22 +50,11 @@ FROM redhat/ubi9-minimal:latest AS minimal
 RUN rpm -qa --queryformat='^%{NAME}-\[0-9\].*\.%{ARCH}$\n' | sort -u > /tmp/package-names.minimal
 RUN rpm -qa | sort -u > /tmp/package-list.minimal
 
-# We define the following image as a base image and remove unneeded packages.
-FROM nvcr.io/nvidia/cuda:12.9.1-base-ubi9 AS base
+FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev
 
-WORKDIR /cleanup
-
-COPY --from=minimal /tmp/package-names.minimal package-names.minimal
-COPY --from=minimal /tmp/package-list.minimal package-list.minimal
-COPY deployments/container/cleanup/* .
-
-RUN ./cleanup.sh
-
-WORKDIR /
-
-# We use the base images constructed above.
-# TODO: We will move to a shared base image once this implementation has been stabilized.
-FROM base
+USER 0:0
+SHELL ["/busybox/sh", "-c"]
+RUN ln -s /busybox/sh /bin/sh
 
 ENV NVIDIA_DISABLE_REQUIRE="true"
 ENV NVIDIA_VISIBLE_DEVICES=all
@@ -83,7 +72,7 @@ LABEL release="N/A"
 LABEL summary="NVIDIA device plugin for Kubernetes"
 LABEL description="See summary"
 
-RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
+COPY LICENSE /licenses/
 
 COPY --from=build /artifacts/config-manager         /usr/bin/config-manager
 COPY --from=build /artifacts/gpu-feature-discovery  /usr/bin/gpu-feature-discovery
diff --git a/deployments/container/Makefile b/deployments/container/Makefile
@@ -29,16 +29,16 @@ endif
 
 IMAGE_VERSION := $(VERSION)
 
-IMAGE_TAG ?= $(IMAGE_VERSION)-$(DIST)
+IMAGE_TAG ?= $(IMAGE_VERSION)
 IMAGE = $(IMAGE_NAME):$(IMAGE_TAG)
 
 OUT_IMAGE_NAME ?= $(IMAGE_NAME)
 OUT_IMAGE_VERSION ?= $(IMAGE_VERSION)
-OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)-$(DIST)
+OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)
 OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG)
 
 ##### Public rules #####
-DEFAULT_PUSH_TARGET := ubi9
+DEFAULT_PUSH_TARGET := image
 DISTRIBUTIONS = $(DEFAULT_PUSH_TARGET)
 
 IMAGE_TARGETS := $(patsubst %,image-%,$(DISTRIBUTIONS))
@@ -65,11 +65,8 @@ ifeq ($(PUSH_MULTIPLE_TAGS),true)
 push-$(DEFAULT_PUSH_TARGET): push-short
 endif
 
-push-%: DIST = $(*)
-push-short: DIST = $(DEFAULT_PUSH_TARGET)
 
-build-%: DIST = $(*)
-build-%: DOCKERFILE = $(CURDIR)/deployments/container/Dockerfile
+DOCKERFILE = $(CURDIR)/deployments/container/Dockerfile
 
 # Use a generic build target to build the relevant images
 $(IMAGE_TARGETS): image-%:
@@ -90,7 +87,6 @@ $(IMAGE_TARGETS): image-%:
 .PHONY: build
 build: $(DEFAULT_PUSH_TARGET)
 $(DEFAULT_PUSH_TARGET): build-$(DEFAULT_PUSH_TARGET)
-$(DEFAULT_PUSH_TARGET): DIST = $(DEFAULT_PUSH_TARGET)
 
 REGCTL ?= regctl
 $(PUSH_TARGETS): push-%:
diff --git a/deployments/container/cleanup/cleanup.sh b/deployments/container/cleanup/cleanup.sh
