Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RHOAIENG-10350 feat(Dockerfiles): switch from s2i python images to plain ubi/c9s bases #641

Open
wants to merge 15 commits into
base: main
Choose a base branch
from

Conversation

jiridanek
Copy link
Member

@jiridanek jiridanek commented Jul 24, 2024

https://issues.redhat.com/browse/RHOAIENG-10350

Description

The main benefit is size and cve exposure, as the python images come with packages we don't use; python and pip is enough for us.

Every image is made approx 300MB smaller by doing this!

Before:

rstudio-c9s-python-3.9-main_dbeac5b  4c5c83479bb2  7 seconds ago      3.44 GB

After:

rstudio-c9s-python-3.9-jd_ubi_base_adedd4a  040b74e5a618  50 minutes ago     3.08 GB

Additionally, using plain ubi makes things more explicit.

How Has This Been Tested?

I'll test this when making this change is planned into a sprint.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@jiridanek jiridanek added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jul 24, 2024
@openshift-ci openshift-ci bot requested review from atheo89 and dibryant July 24, 2024 15:24
@jiridanek jiridanek changed the title feat(Dockerfiles): switch from s2i python images to plain ubi/cs9 ones feat(Dockerfiles): switch from s2i python images to plain ubi/c9s bases Jul 24, 2024
@@ -1,4 +1,21 @@
FROM registry.access.redhat.com/ubi8/python-38:latest
FROM registry.access.redhat.com/ubi8/ubi:latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use ubi-minimal instead?

Copy link
Member Author

@jiridanek jiridanek Jul 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would either mean living with microdnf, or installing regular dnf first thing, at which point the benefits or the ubi-minimal base are pretty much lost, me thinks.

In any case, I'd want to do such large changes in multiple steps, across multiple PRs.

So far, I don't even have the modest change in this PR groomed. It's necessary to move slowly and cautiously, and to build consensus.

The disk savings are small, 300mb across three base images.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/retest

Copy link
Member

@harshad16 harshad16 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold

@jiridanek can you share there is JIRA or github issue linked for this work.

This PR is great, definitely will be good to have however
This work has significant impact on the overall product, without changing the architecture , this change would disrupt some flow i believe.

the s2i image bring working dir: /opt/app-root/src
i don't think ubi:latest, has that working dir,
this might work only because, the PVC gets mounted at the path,
As mount would create the path.
however we should thoroughly check these changes.

@jiridanek
Copy link
Member Author

This PR is great, definitely will be good to have however

Great! In that case I'll go forward creating a Jira so this can be groomed. https://issues.redhat.com/browse/RHOAIENG-10350

@jiridanek jiridanek changed the title feat(Dockerfiles): switch from s2i python images to plain ubi/c9s bases RHOAIENG-10350 feat(Dockerfiles): switch from s2i python images to plain ubi/c9s bases Jul 25, 2024
@jiridanek
Copy link
Member Author

the s2i image bring working dir: /opt/app-root/src

our images explicitly set this in the WORKDIR instruction, so we're good in that respect

however we should thoroughly check these changes.

sure, that's why I created a jira for doing all the work in organized manner; the disk space savings are not all that significant, but I like how this removes much of the s2i magic, so that's what makes this seem worth doing to me

@jstourac
Copy link
Member

jstourac commented Aug 7, 2024

BTW, I was wondering what are the most important changes, so I prepared some basic script for the image comparison (I have a plan to improve it further and put it into our CI/GHA for our convenience). I tried to compare one of the base images you change here with what we have (note that your build is 2 weeks old, I took the quay image from today):

  1. checkout this branch main...jstourac:notebooks:compareImages
  2. run this:
./ci/compare-images.sh quay.io/opendatahub/workbench-images@sha256:e92bf20e127e545bdf56887903dc72ad227082b8bc23f45ff4f0fc67e6430318 ghcr.io/jiridanek/notebooks/workbench-images:base-ubi9-python-3.9-jd_ubi_base_adedd4a943977ecdcb67bc6eb9eda572d10c3ddc

@atheo89
Copy link
Member

atheo89 commented Sep 16, 2024

+1 for this update, I like this. 🙂 As Harshad mentioned, we should thoroughly test everything to ensure there are no issues with the PVCs. Otherwise, it /lgtm

@jiridanek
Copy link
Member Author

jiridanek commented Sep 16, 2024

we should thoroughly test everything

yeah; was just thinking whether nginx gets properly installed after this change; I did not think of it before

https://issues.redhat.com/browse/RHOAIENG-10350 is opened to properly schedule the work

Copy link
Contributor

openshift-ci bot commented Oct 4, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from harshad16. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link
Contributor

openshift-ci bot commented Oct 4, 2024

@jiridanek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/habana-notebooks-e2e-tests adedd4a link true /test habana-notebooks-e2e-tests
ci/prow/notebooks-ubi8-e2e-tests adedd4a link true /test notebooks-ubi8-e2e-tests
ci/prow/runtime-rocm-tensorflow-ubi9-python-3-11-pr-image-mirror adedd4a link true /test runtime-rocm-tensorflow-ubi9-python-3-11-pr-image-mirror
ci/prow/runtime-rocm-pytorch-ubi9-python-3-11-pr-image-mirror adedd4a link true /test runtime-rocm-pytorch-ubi9-python-3-11-pr-image-mirror
ci/prow/intel-notebooks-e2e-tests adedd4a link true /test intel-notebooks-e2e-tests
ci/prow/rocm-runtimes-ubi9-e2e-tests adedd4a link true /test rocm-runtimes-ubi9-e2e-tests
ci/prow/rocm-notebooks-e2e-tests adedd4a link true /test rocm-notebooks-e2e-tests
ci/prow/runtimes-ubi9-e2e-tests 41741e4 link true /test runtimes-ubi9-e2e-tests
ci/prow/rstudio-notebook-e2e-tests 41741e4 link true /test rstudio-notebook-e2e-tests
ci/prow/codeserver-notebook-e2e-tests 41741e4 link true /test codeserver-notebook-e2e-tests
ci/prow/notebooks-ubi9-e2e-tests 41741e4 link true /test notebooks-ubi9-e2e-tests
ci/prow/images 41741e4 link true /test images
ci/prow/notebook-cuda-jupyter-tf-ubi9-python-3-9-pr-image-mirror 41741e4 link true /test notebook-cuda-jupyter-tf-ubi9-python-3-9-pr-image-mirror
ci/prow/notebook-jupyter-pytorch-ubi9-python-3-9-pr-image-mirror 41741e4 link true /test notebook-jupyter-pytorch-ubi9-python-3-9-pr-image-mirror

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
do-not-merge/hold tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Trivy and Aqua Enterprise vulnerability scan results critical and high
5 participants