chore: Update how file permissions in /home/user are handled #116

Merged
merged 2 commits into from
Aug 31, 2023


amisevsk
Contributor

Description

Update the universal developer image Dockerfile to run

    chgrp -R 0 /home/user && chmod -R g=u /home/user

after every RUN step that impacts /home/user significantly. This has the effect of reducing the udi8 image's size from 9.34GB to 6.59GB (on disk) -- a ~30% decrease.

Previously, one of the last steps in the build process was

    RUN mkdir -p /home/user && chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home

Executing chgrp and chmod on /home resulted in a new layer in the image with all of the files in /home copied (due to the overlay filesystem). By setting permissions as we create files (i.e. in the same RUN command that creates them), we avoid this last step exploding image size:

  • Before

    ❯ docker history quay.io/devfile/universal-developer-image:ubi8-latest | head -n 5    
    IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
    a6500150cb06   2 weeks ago   USER 10001                                      0B        buildkit.dockerfile.v0
    <missing>      2 weeks ago   COPY entrypoint.sh / # buildkit                 1.26kB    buildkit.dockerfile.v0
    <missing>      2 weeks ago   RUN /bin/sh -c dnf -y clean all --enablerepo…   2.01MB    buildkit.dockerfile.v0
    <missing>      2 weeks ago   RUN /bin/sh -c mkdir -p /home/user && chgrp …   2.79GB    buildkit.dockerfile.v0  # 2.79 GB layer
    
  • After

    ❯ docker history quay.io/amisevsk/universal-developer-image:dev | head -n 5
    IMAGE          CREATED          CREATED BY                                      SIZE      COMMENT
    8888b8b5ebd0   12 minutes ago   USER 10001                                      0B        buildkit.dockerfile.v0
    <missing>      12 minutes ago   COPY entrypoint.sh / # buildkit                 1.26kB    buildkit.dockerfile.v0
    <missing>      12 minutes ago   RUN /bin/sh -c dnf -y clean all --enablerepo…   2.02MB    buildkit.dockerfile.v0
    <missing>      13 minutes ago   RUN /bin/sh -c mkdir -p /home/user && chgrp …   13MB      buildkit.dockerfile.v0 # Down to 13 MB
    

To enable this, I also had to update the base developer image Dockerfile, as it was previously copying a root-owned .gitconfig to /home/user, which meant that it was not possible to chgrp this file as user 10001. As a result, building the new udi dockerfile directly will not work until the new base developer image is built; for testing you can replace the FROM directive in the udi8 dockerfile with

    FROM quay.io/amisevsk/base-developer-image:dev
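
An added example, not part of this pull request or the project's build scripts: a check that flags any layer whose command is a permission fix-up and whose size exceeds a limit, which is the symptom shown in the "Before" listing. The function names, the 100 MB limit and the tab-separated input are assumptions of this sketch; the sample rows are copied from the two `docker history` listings above, where the commands are already truncated.

```shell
#!/bin/sh
# Input format: "SIZE<TAB>CREATED BY", one layer per line, as printed by
#   docker history --no-trunc --format '{{.Size}}\t{{.CreatedBy}}' IMAGE

# Rows from the "Before" listing on this page.
before_rows() {
  printf '%s\t%s\n' \
    '0B'     'USER 10001' \
    '1.26kB' 'COPY entrypoint.sh / # buildkit' \
    '2.01MB' 'RUN /bin/sh -c dnf -y clean all --enablerepo…' \
    '2.79GB' 'RUN /bin/sh -c mkdir -p /home/user && chgrp …'
}

# Rows from the "After" listing on this page.
after_rows() {
  printf '%s\t%s\n' \
    '0B'     'USER 10001' \
    '1.26kB' 'COPY entrypoint.sh / # buildkit' \
    '2.02MB' 'RUN /bin/sh -c dnf -y clean all --enablerepo…' \
    '13MB'   'RUN /bin/sh -c mkdir -p /home/user && chgrp …'
}

# Print "BYTES<TAB>COMMAND" for each chgrp/chmod/chown layer larger than $1 bytes.
# chown is included because any recursive metadata change copies files the same way.
flag_perm_layers() {
  awk -F '\t' -v limit="$1" '
    function to_bytes(s,   n, unit) {
      n = s + 0                          # numeric prefix, e.g. 2.79
      unit = s; gsub(/[0-9.]/, "", unit) # remaining unit suffix
      if (unit == "kB") return n * 1000  # docker prints decimal units
      if (unit == "MB") return n * 1000000
      if (unit == "GB") return n * 1000000000
      if (unit == "TB") return n * 1000000000000
      return n                           # plain bytes
    }
    $2 ~ /(^|[^a-z])(chgrp|chmod|chown)([^a-z]|$)/ {
      b = to_bytes($1)
      if (b > limit) printf "%.0f\t%s\n", b, $2
    }'
}

# Demo: the "Before" image has one offending layer; the "After" image has none.
before_rows | flag_perm_layers 100000000
after_rows  | flag_perm_layers 100000000
```

In a CI job the same function can read the live `docker history` output and fail the build when it prints anything.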

To avoid a massive layer towards the end of the image build, run

  chgrp -R 0 /home/user && chmod -R g=u /home/user

after each command that impacts the /home/user directory. This avoids
creating a layer in one of the last steps, where updating
ownership/permissions on ~2GB of files in /home/user results in a layer
that duplicates all 2GB of those files.

Signed-off-by: Angel Misevski <[email protected]>

This simplifies the build of the universal developer image as it allows
steps running as user 10001 to modify the file.

Signed-off-by: Angel Misevski <[email protected]>
@amisevsk
Contributor Author

From the PR check:

Run minikube image list --format table
  
|----------------------------------------------------|--------------------|---------------|--------|
|                       Image                        |        Tag         |   Image ID    |  Size  |
|----------------------------------------------------|--------------------|---------------|--------|
| quay.io/jetstack/cert-manager-cainjector           | v1.5.4             | 9cae5e667b2aa | 42.2MB |
| gcr.io/k8s-minikube/storage-provisioner            | v5                 | 6e38f40d628db | 31.5MB |
| quay.io/devfile/universal-developer-image          | 116                | ad2ee69dfe8e5 | 6.59GB |   <--- reduced size
| gcr.io/kubebuilder/kube-rbac-proxy                 | v0.13.1            | eb5a02daef2fe | 55.2MB |
| quay.io/jetstack/cert-manager-controller           | v1.5.4             | 5b19c646aa028 | 63.3MB |
| registry.k8s.io/kube-scheduler                     | v1.27.3            | 41697ceeb70b3 | 58.4MB |
| registry.k8s.io/ingress-nginx/kube-webhook-certgen | <none>             | 7e7451bb70423 | 47.2MB |
| registry.k8s.io/kube-apiserver                     | v1.27.3            | 08a0c939e61b7 | 121MB  |
| registry.k8s.io/kube-proxy                         | v1.27.3            | 5780543258cf0 | 71.1MB |
| docker.io/kindest/kindnetd                         | v20230511-dc714da8 | b0b1fa0f58c6e | 63.6MB |
| registry.k8s.io/pause                              | 3.9                | e6f1816883972 | 744kB  |
| quay.io/jetstack/cert-manager-webhook              | v1.5.4             | a9ba81bdeeb41 | 46.4MB |
| quay.io/devfile/base-developer-image               | ubi8-latest        | bd1675c62d273 | 420MB  |
| registry.k8s.io/ingress-nginx/controller           | <none>             | 825aff16c20cc | 284MB  |
| registry.k8s.io/coredns/coredns                    | v1.10.1            | ead0a4a53df89 | 53.6MB |
| registry.k8s.io/etcd                               | 3.5.7-0            | 86b6af7dd652c | 296MB  |
| quay.io/devfile/devworkspace-controller            | next               | 5e4a431c85375 | 209MB  |
| registry.k8s.io/kube-controller-manager            | v1.27.3            | 7cffc01dba0e1 | 112MB  |
|----------------------------------------------------|--------------------|---------------|--------|

@openshift-ci

openshift-ci bot commented Aug 31, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amisevsk, svor

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amisevsk amisevsk merged commit f4bfea3 into devfile:main Aug 31, 2023
2 checks passed
@amisevsk amisevsk deleted the chmod-chgrp-fixes branch August 31, 2023 14:43