Live CD: Trim ISO image size

[yveszoundi]

Background

The current Live CD ISO image is roughly 800 MB. As functionality gets added, the ISO image size will grow.

For the Live CD, there's a correlation between the RAM allocated to the virtual machine and free space

• 75% of the RAM is allocated as free space on the Live CD (grub boot parameters: ramdisk-size, etc.)
• With 1 GB of RAM allocated to a virtual machine, the application still runs pretty well. The intent is to keep RAM requirements as low as possible.

Request

Reduce the ISO image size as much as possible while keeping it functional. Pay attention to aarch64/arm64 support to ensure that the ISO image doesn't hang as noticed in early testing stages.

Overall changes

• Replace podman Debian related packages by podman-static (version upgrade and unneeded files). (changed as part of Live CD: Implement gVisor support #36).
• Replace openssh by dropbear. (changed as part of Live CD: Implement gVisor support #36).
• Use a single boot manager for both UEFI and BIOS (Grub)
• Apply zstd compression for the initramfs generation and the Live CD squashfs data

References

• Update xorriso paramters for 22.04  mvallim/live-custom-ubuntu-from-scratch#47
• https://bugs.launchpad.net/ubuntu-cdimage/+bug/1886148/+index?ss=1
• https://fedoraproject.org/wiki/Changes/FedoraCloudHybridBoot
• https://bugs.launchpad.net/ubuntu/+source/casper/+bug/1895131
• https://forum.openwrt.org/t/openwrt-19-07-7-for-vmware-esxi-arm-fling-rpi4-8gb/94814/6
• Ubuntu hangs on Exiting boot services utmapp/UTM#4499

[yveszoundi]

Thoughts for the future

• Build the CD on top of another distros
  • Alpine Linux, or very heavily customized Gentoo build or similar.
  • The extreme would be my own specialized Linux distribution. I really like the approach of Chimera Linux with a FreeBSD user-land (it's still work in progress).
• Replace systemd by something lighter such as openrc, s6 if the Linux distribution supports it
  • We mostly care about SSH, the Entrusted server and possibly some audit components
  • By default, we don't need NetworkManager or assisted systemd features
    • Internet connectivity is disabled by default anyway via iptables rules
    • If users want to intermittently connect to the internet, we can make sure that there are DHCP and WiFi tools installed (i.e. dhcpcd, wpa_supplicant, etc.)
• Use a different file system than squashfs for the Live CD data, if both the resulting ISO size and read times compromises are worth it. Few candidates include erofs and dwarfs.
• Copy only the parts of Debian live-boot that are nice/useful, if switching to a different distribution (i.e. when not using Alpine with its default "tar.gz overlay" approach)

[yveszoundi]

Results are promising so far with a significant size reduction, we're now standing at roughly 680 MB.

• This is ~100 MB less since the last release (0.3.0)
• This is ~250 MB less since the initial availability of the live CD (0.0.2)

The exact size for amd64 as of January 22nd is 675 MB, this will be roughly the same for aarch64 too.

du -hsm images/entrusted-livecd/entrusted-livecd.iso  
675     images/entrusted-livecd/entrusted-livecd.iso

There are couple of kernel options that are not required for this application and that can likely be disabled (NFS and several other modules). This would require more testing, but I suspect that with aggressive optimizations the ISO image size can get down to 650 MB and even lower.

[yveszoundi]

It is tricky to configure a custom kernel and still guarantee that it will work for most machines while keeping the size small. This is key to significantly reducing the ISO image size to the bare minimum possible without unused drivers or features.

A dedicated issue will be created for providing a custom kernel.