@siggy siggy commented Sep 5, 2019

The Dockerfile was built on `linkerd.io/base`, which included debug
tools that increased its size.

Build the Docker image directly on debian, only installing iptables.
Also remove the dependency on `linkerd.io/go-deps`, and instead build
directly off of golang, using Go Modules for dependencies.

Similar to linkerd/linkerd2#3384

Signed-off-by: Andrew Seigner <siggy@buoyant.io>
@siggy siggy requested a review from alpeb September 5, 2019 20:32
@siggy siggy self-assigned this Sep 5, 2019

@alpeb alpeb left a comment

Thanks @siggy that worked great 👍

I built the image locally, consumed it from linkerd2, and it worked fine 👍

$ docker images |grep init
gcr.io/linkerd-io/proxy-init              latest                  2e776083bd91        16 minutes ago      61.4MB
gcr.io/linkerd-io/proxy-init              v1.1.0                  d953961f6d9b        3 weeks ago         145MB

Unit tests:

$ go test ./...
?       github.com/linkerd/linkerd2-proxy-init  [no test files]
ok      github.com/linkerd/linkerd2-proxy-init/cmd      (cached)
ok      github.com/linkerd/linkerd2-proxy-init/integration_test/iptables        0.002s
?       github.com/linkerd/linkerd2-proxy-init/integration_test/iptables/test_service   [no test files]
?       github.com/linkerd/linkerd2-proxy-init/iptables [no test files]

Integration tests:

$ ./run_tests.sh

Deleting any existing objects from previous test runs...
pod "pod-with-no-rules" deleted
service "svc-pod-with-no-rules" deleted
pod "pod-redirects-all-ports" deleted
service "svc-pod-redirects-all-ports" deleted
pod "pod-redirects-whitelisted" deleted
pod "pod-doesnt-redirect-blacklisted" deleted
Error from server (NotFound): jobs.batch "iptables-tester" not found

Building the image used in tests...
Sending build context to Docker daemon  23.04kB
Step 1/3 : FROM golang:1.11.5
 ---> 1454e2b3d01f
Step 2/3 : ADD iptables/ /go
 ---> Using cache
 ---> da8ea10e6b11
Step 3/3 : ENTRYPOINT cd /go && (go test -v -integration-tests; echo "status:$?")
 ---> Using cache
 ---> 706f14fea1a5
Successfully built 706f14fea1a5
Successfully tagged buoyantio/iptables-tester:v1

Creating the test lab...
pod/pod-with-no-rules created
service/svc-pod-with-no-rules created
pod/pod-redirects-all-ports created
service/svc-pod-redirects-all-ports created
pod/pod-redirects-whitelisted created
pod/pod-doesnt-redirect-blacklisted created
POD_WITH_NO_RULES_IP=10.1.3.74
POD_REDIRECTS_ALL_PORTS_IP=10.1.3.75
POD_REDIRECTS_WHITELISTED_IP=10.1.3.76
POD_DOEST_REDIRECT_BLACKLISTED_IP=10.1.3.77

Running tester...
job.batch/iptables-tester created
.............................................................True

Test output:
=== RUN   TestPodWithNoRules
=== PAUSE TestPodWithNoRules
=== RUN   TestPodRedirectsAllPorts
=== PAUSE TestPodRedirectsAllPorts
=== RUN   TestPodWithSomePortsRedirected
=== PAUSE TestPodWithSomePortsRedirected
=== RUN   TestPodWithSomePortsIgnored
=== PAUSE TestPodWithSomePortsIgnored
=== RUN   TestPodMakesOutboundConnection
=== PAUSE TestPodMakesOutboundConnection
=== CONT  TestPodWithNoRules
=== RUN   TestPodWithNoRules/succeeds_connecting_to_pod_directly_through_container's_exposed_port
Expecting successful GET to http://10.1.3.74:8080/
=== CONT  TestPodWithSomePortsIgnored
=== RUN   TestPodWithSomePortsIgnored/succeeds_connecting_to_pod_directly_through_container's_exposed_port
Expecting successful GET to http://10.1.3.77:8080/
=== CONT  TestPodWithSomePortsRedirected
=== RUN   TestPodWithSomePortsRedirected/succeeds_connecting_to_pod_directly_through_container's_exposed_port
Expecting successful GET to http://10.1.3.76:8080/
=== CONT  TestPodRedirectsAllPorts
=== RUN   TestPodRedirectsAllPorts/succeeds_connecting_to_pod_directly_through_container's_exposed_port
Expecting successful GET to http://10.1.3.75:8080/
=== CONT  TestPodMakesOutboundConnection
=== RUN   TestPodMakesOutboundConnection/connecting_to_another_pod_from_non-proxy_container_gets_redirected_to_proxy
Expecting successful GET to http://10.1.3.77:7070/call?url=http%3A%2F%2F10.1.3.74%3A7070
Response from http://10.1.3.75:8080/: proxy
=== RUN   TestPodRedirectsAllPorts/succeeds_connecting_to_pod_directly_through_any_port_that_isn't_the_container's_exposed_port
Response from http://10.1.3.77:8080/: proxy
=== RUN   TestPodWithSomePortsIgnored/succeeds_connecting_to_pod_directly_through_ports_configured_to_redirect
Expecting successful GET to http://10.1.3.77:9090/
Response from http://10.1.3.74:8080/: pod-with-no-rules:8080
=== RUN   TestPodWithNoRules/fails_to_connect_to_pod_directly_through_any_port_that_isn't_the_container's_exposed_port
Expecting failed GET to http://10.1.3.74:8088/
Response from http://10.1.3.76:8080/: proxy
=== RUN   TestPodWithSomePortsRedirected/succeeds_connecting_to_pod_directly_through_ports_configured_to_redirect
Expecting successful GET to http://10.1.3.76:9090/
Response from http://10.1.3.77:7070/call?url=http%3A%2F%2F10.1.3.74%3A7070: me:[pod-doesnt-redirect-blacklisted:7070]downstream:[proxy]
=== RUN   TestPodMakesOutboundConnection/connecting_to_another_pod_from_proxy_container_does_not_get_redirected_to_proxy
Expecting successful GET to http://10.1.3.77:8080/call?url=http%3A%2F%2F10.1.3.74%3A9090
Expecting successful GET to http://10.1.3.75:8088/
Expecting failed GET to http://10.1.3.74:8888/
Expecting failed GET to http://10.1.3.74:8988/
=== RUN   TestPodWithNoRules/succeeds_connecting_to_pod_via_a_service_through_container's_exposed_port
Expecting successful GET to http://svc-pod-with-no-rules:8080/
Response from http://10.1.3.77:9090/: proxy
Expecting successful GET to http://10.1.3.77:9099/
Response from http://10.1.3.77:8080/call?url=http%3A%2F%2F10.1.3.74%3A9090: me:[proxy]downstream:[pod-with-no-rules:9090]
Response from http://10.1.3.77:9099/: proxy
=== RUN   TestPodMakesOutboundConnection/connecting_to_loopback_from_non-proxy_container_does_not_get_redirected_to_proxy
Expecting successful GET to http://10.1.3.77:7070/call?url=http%3A%2F%2F127.0.0.1%3A9090
=== RUN   TestPodWithSomePortsIgnored/doesnt_redirect_when_through_port_that_is_ignored
Expecting successful GET to http://10.1.3.77:7070/
Response from http://10.1.3.76:9090/: proxy
Expecting successful GET to http://10.1.3.76:9099/
Response from http://10.1.3.75:8088/: proxy
Expecting successful GET to http://10.1.3.75:8888/
Response from http://10.1.3.77:7070/call?url=http%3A%2F%2F127.0.0.1%3A9090: me:[pod-doesnt-redirect-blacklisted:7070]downstream:[pod-doesnt-redirect-blacklisted:9090]
--- PASS: TestPodMakesOutboundConnection (0.01s)
    --- PASS: TestPodMakesOutboundConnection/connecting_to_another_pod_from_non-proxy_container_gets_redirected_to_proxy (0.00s)
    --- PASS: TestPodMakesOutboundConnection/connecting_to_another_pod_from_proxy_container_does_not_get_redirected_to_proxy (0.00s)
    --- PASS: TestPodMakesOutboundConnection/connecting_to_loopback_from_non-proxy_container_does_not_get_redirected_to_proxy (0.00s)
Response from http://10.1.3.75:8888/: proxy
Expecting successful GET to http://10.1.3.75:8988/
Response from http://10.1.3.76:9099/: proxy
=== RUN   TestPodWithSomePortsRedirected/fails_to_connect_to_pod_via_through_any_port_that_isn't_configured_to_redirect
Expecting failed GET to http://10.1.3.76:8088/
Expecting failed GET to http://10.1.3.76:8888/
Expecting failed GET to http://10.1.3.76:8988/
Response from http://10.1.3.75:8988/: proxy
=== RUN   TestPodRedirectsAllPorts/succeeds_connecting_to_pod_via_a_service_through_container's_exposed_port
Expecting successful GET to http://svc-pod-redirects-all-ports:8080/
--- PASS: TestPodWithSomePortsRedirected (0.01s)
    --- PASS: TestPodWithSomePortsRedirected/succeeds_connecting_to_pod_directly_through_container's_exposed_port (0.00s)
    --- PASS: TestPodWithSomePortsRedirected/succeeds_connecting_to_pod_directly_through_ports_configured_to_redirect (0.01s)
    --- PASS: TestPodWithSomePortsRedirected/fails_to_connect_to_pod_via_through_any_port_that_isn't_configured_to_redirect (0.00s)
Response from http://10.1.3.77:7070/: pod-doesnt-redirect-blacklisted:7070
--- PASS: TestPodWithSomePortsIgnored (0.01s)
    --- PASS: TestPodWithSomePortsIgnored/succeeds_connecting_to_pod_directly_through_container's_exposed_port (0.00s)
    --- PASS: TestPodWithSomePortsIgnored/succeeds_connecting_to_pod_directly_through_ports_configured_to_redirect (0.00s)
    --- PASS: TestPodWithSomePortsIgnored/doesnt_redirect_when_through_port_that_is_ignored (0.00s)
Response from http://svc-pod-with-no-rules:8080/: pod-with-no-rules:8080
=== RUN   TestPodWithNoRules/fails_to_connect_to_pod_via_a_service_through_any_port_that_isn't_the_container's_exposed_port
Expecting failed GET to http://svc-pod-with-no-rules:8088/
Response from http://svc-pod-redirects-all-ports:8080/: proxy
=== RUN   TestPodRedirectsAllPorts/fails_to_connect_to_pod_via_a_service_through_any_port_that_isn't_the_container's_exposed_port
Expecting failed GET to http://svc-pod-redirects-all-ports:8088/
Expecting failed GET to http://svc-pod-with-no-rules:8888/
Expecting failed GET to http://svc-pod-redirects-all-ports:8888/
Expecting failed GET to http://svc-pod-redirects-all-ports:8988/
Expecting failed GET to http://svc-pod-with-no-rules:8988/
--- PASS: TestPodWithNoRules (61.08s)
    --- PASS: TestPodWithNoRules/succeeds_connecting_to_pod_directly_through_container's_exposed_port (0.00s)
    --- PASS: TestPodWithNoRules/fails_to_connect_to_pod_directly_through_any_port_that_isn't_the_container's_exposed_port (0.00s)
    --- PASS: TestPodWithNoRules/succeeds_connecting_to_pod_via_a_service_through_container's_exposed_port (0.01s)
    --- PASS: TestPodWithNoRules/fails_to_connect_to_pod_via_a_service_through_any_port_that_isn't_the_container's_exposed_port (61.07s)
--- PASS: TestPodRedirectsAllPorts (61.09s)
    --- PASS: TestPodRedirectsAllPorts/succeeds_connecting_to_pod_directly_through_container's_exposed_port (0.00s)
    --- PASS: TestPodRedirectsAllPorts/succeeds_connecting_to_pod_directly_through_any_port_that_isn't_the_container's_exposed_port (0.01s)
    --- PASS: TestPodRedirectsAllPorts/succeeds_connecting_to_pod_via_a_service_through_container's_exposed_port (0.00s)
    --- PASS: TestPodRedirectsAllPorts/fails_to_connect_to_pod_via_a_service_through_any_port_that_isn't_the_container's_exposed_port (61.08s)
PASS
ok      _/go    61.097s
status:0

@siggy siggy merged commit c90474b into master Sep 5, 2019
@siggy siggy deleted the siggy/lil-init branch September 5, 2019 23:20
stevej pushed a commit that referenced this pull request Dec 2, 2022
Signed-off-by: Steve Jenson <stevej@buoyant.io>
stevej pushed a commit that referenced this pull request Dec 29, 2022
* modifying import paths and making a temporary copy of testutil/annotations.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* removed testutil, dockerized cni installer tests now pass

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving internal to pkg/linkerd-, removing Dockerfile until fixed, changing imports, removing linkerd2 k8s client with client-go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* gofmt install-cni_test.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go mod updates

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding pkg to Docker image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* updating dev from v32 to v35 for go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving back to old dev image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* use dev:v32-go for go lint workflow

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #1

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #2

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #3

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #4

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #5

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #6

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* Replace pkg/ with internal/ (#148)

* Replace pkg/ with internal/

There's no need for a public library export. We can share code within
this repo via the `internal` directory.

* simplify package names

Signed-off-by: Oliver Gould <ver@buoyant.io>

* adding internal back. whoopsie

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* bumping dev go version

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* replace deprecated ioutil functions with io functions.

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* increasing timeout to help with linter issues, adding verbose

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* replace TODO with literals, wait for the linter to complain so we can give it the magic incantation to sleep now

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* more linter

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* gofmt

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* swap position of comment and argument as the linter has an opinion here, too

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* simplify lint call

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* removed unneeded abstraction

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* linter for cni-plugin and all go code

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* giving flags to go linter

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* run the test on the moved internal package

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding keys back for annotation lookup

Signed-off-by: Steve Jenson <stevej@buoyant.io>

Signed-off-by: Steve Jenson <stevej@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
stevej pushed a commit that referenced this pull request Jan 18, 2023
* modifying import paths and making a temporary copy of testutil/annotations.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* removed testutil, dockerized cni installer tests now pass

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving internal to pkg/linkerd-, removing Dockerfile until fixed, changing imports, removing linkerd2 k8s client with client-go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* gofmt install-cni_test.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go mod updates

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding pkg to Docker image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* updating dev from v32 to v35 for go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving back to old dev image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* use dev:v32-go for go lint workflow

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #1

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #2

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #3

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #4

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #5

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #6

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding in Dockerfile, just rules for building, and a workflow for testing the cni-plugin installer script

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remember to setup docker

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remember to setup docker-qemu

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* where is docker?

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* back to a named ubuntu version, removing devcontainer

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* we need just

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* WIP import of CNI plugin integration test environment. does not run due to image pull errors.

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* rewriting just rules to match new rules

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* bumping dev version, renaming smoke test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* WIP for running smoke tests

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go workflow fix

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* also rid ourselves of ioutil in this branch

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding a second, passing test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* let's run the test in CI

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* name the test properly for CI to run it

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* made the installer integration tests more in-line with the other integration tests

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* cni-plugin integration test workflow

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* breaking up steps, renaming test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* just

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* bringing changes from linkerd2 over

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* tests running within cni-plugin context

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* create service account and don't delete so we can inspect

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fix namespaces, use matei's k3d/k3s mountPaths in the hopes that CNI will run in our pod.

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* WIP for debugging why CNI won't run in my own pods despite everything looking normal

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding whitespace, fixing comment, removing unneeded variable

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing some small things

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* improving Dockerfile, going back to edge for linkerd-cni

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* cleaned up Dockerfile

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* using --link for 50% size improvement

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* cleanup unused functions, run network-validator before test suite

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remove qemu setup, add comment about log level

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* add wiring to see cni-net-dir and check for kubeconfig

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* checking that linkerd-cni is the last plugin in the conflist

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* renaming smoke_test to flannel

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* rename files, update justfile

* name a test file _test so the test runner will run my test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* renaming to flannel

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remove hardcoded filename

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* clarified comment

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixed merge conflict error

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fix log levels

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fix a log level

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* run test on all files in ./cni-plugin

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* comment explaining why there's no ENTRYPOINT

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* use a map instead of an array for simplicity

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* abstract which integration test subdirectory gets used, add internal to ensure those packages are tested

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go.yml is already running these tests are there no integration tests in there to run

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* breaking up a line

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* renaming SUBDIRECTORY to SCENARIO and renaming a run just target to flannel to signify that this is the rule to crib for other scenarios

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* better error handling of the cleanup() function, print more diagnostic information if linkerd-cni rollout fails

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* add error handling for describe ds and logs

Signed-off-by: Steve Jenson <stevej@buoyant.io>

Signed-off-by: Steve Jenson <stevej@buoyant.io>