Prune system libraries from distroless image (close #260)
istreeter committed Nov 7, 2022
1 parent 9227a07 commit 05b83d5
Showing 2 changed files with 60 additions and 6 deletions.
10 changes: 5 additions & 5 deletions .github/workflows/deploy.yml
Expand Up @@ -109,10 +109,10 @@ jobs:
latest=false
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v2

- name: Login to DockerHub
uses: docker/login-action@v1
Expand All @@ -121,7 +121,7 @@ jobs:
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Push image
uses: docker/build-push-action@v2
uses: docker/build-push-action@v3
with:
context: ${{ matrix.platform }}/target/docker/stage
file: ${{ matrix.platform }}/target/docker/stage/Dockerfile
Expand All @@ -130,10 +130,10 @@ jobs:
push: true

- name: Push distroless image
uses: docker/build-push-action@v2
uses: docker/build-push-action@v3
with:
context: distroless/${{ matrix.platform }}/target/docker/stage
file: distroless/${{ matrix.platform }}/target/docker/stage/Dockerfile
platforms: linux/amd64,linux/arm64/v8
platforms: linux/amd64
tags: ${{ steps.distroless-meta.outputs.tags }}
push: true
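Review bot: The `platforms:` line for the distroless image drops `linux/arm64/v8` without a comment saying why, while the regular image's platforms (outside this hunk) are left alone; the reason appears to be that the prune step added to build.sbt in this commit hard-codes `x86_64-linux-gnu` paths, so a comment such as `# amd64 only: the distroless prune step in build.sbt hard-codes x86_64-linux-gnu library paths` would stop a later maintainer from re-adding arm64 and getting a broken image. Also, `docker/login-action@v1` is the only action in this job not bumped alongside the others (`setup-qemu-action`, `setup-buildx-action`, `build-push-action`), which looks like an oversight rather than a deliberate choice. Since these are mutable major-version tags, pinning each `uses:` to a full commit SHA with the version as a trailing comment would make the workflow's supply chain reproducible; the SHAs are not on this page, so that is left to the author.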
56 changes: 55 additions & 1 deletion build.sbt
Expand Up @@ -85,7 +85,61 @@ lazy val dockerSettingsDistroless = Seq(
"-jar",
s"/opt/snowplow/lib/${(packageJavaLauncherJar / artifactPath).value.getName}"
),
dockerPermissionStrategy := DockerPermissionStrategy.CopyChown
dockerPermissionStrategy := DockerPermissionStrategy.CopyChown,

Docker / dockerCommands := {
Seq(
Cmd("FROM", "debian:bullseye-slim", "AS", "bullseye"),
Cmd("FROM", dockerBaseImage.value),
Cmd("USER", "0"),
Cmd("RUN",
// Temporarily mount the executables needed to remove files from the image
"--mount=type=bind,from=bullseye,source=/usr/bin/,target=/usr/bin",
"--mount=type=bind,from=bullseye,source=/bin/,target=/bin",
"--mount=type=bind,from=bullseye,source=/lib/x86_64-linux-gnu/libselinux.so.1,target=/lib/x86_64-linux-gnu/libselinux.so.1",
// ...and remove all system libraries that are not needed by the JVM process
"/bin/rm", "-r",
"/usr/lib/x86_64-linux-gnu/audit/sotruss-lib.so*",
"/usr/lib/x86_64-linux-gnu/engines-1.1/afalg.so*",
"/usr/lib/x86_64-linux-gnu/engines-1.1/padlock.so*",
"/usr/lib/x86_64-linux-gnu/glib-2.0/",
"/usr/lib/x86_64-linux-gnu/libbrotlicommon.so*",
"/usr/lib/x86_64-linux-gnu/libbrotlidec.so*",
"/usr/lib/x86_64-linux-gnu/libbrotlienc.so*",
"/usr/lib/x86_64-linux-gnu/libcrypto.so*",
"/usr/lib/x86_64-linux-gnu/libexpatw.so*",
"/usr/lib/x86_64-linux-gnu/libfontconfig.so*",
"/usr/lib/x86_64-linux-gnu/libfreetype.so*",
"/usr/lib/x86_64-linux-gnu/libgio-*.so*",
"/usr/lib/x86_64-linux-gnu/libglib-*.so*",
"/usr/lib/x86_64-linux-gnu/libgmodule-*.so*",
"/usr/lib/x86_64-linux-gnu/libgobject-*.so*",
"/usr/lib/x86_64-linux-gnu/libgomp.so*",
"/usr/lib/x86_64-linux-gnu/libgraphite2.so*",
"/usr/lib/x86_64-linux-gnu/libgthread-*.so*",
"/usr/lib/x86_64-linux-gnu/libharfbuzz.so*",
"/usr/lib/x86_64-linux-gnu/libjpeg.so*",
"/usr/lib/x86_64-linux-gnu/liblcms2.so*",
"/usr/lib/x86_64-linux-gnu/libpcreposix.so*",
"/usr/lib/x86_64-linux-gnu/libpng16.so*",
"/usr/lib/x86_64-linux-gnu/libssl.so*",
"/usr/lib/x86_64-linux-gnu/libuuid.so*",
"/lib/x86_64-linux-gnu/libBrokenLocale-*.so*",
"/lib/x86_64-linux-gnu/libSegFault.so*",
"/lib/x86_64-linux-gnu/libanl-*.so*",
"/lib/x86_64-linux-gnu/libcrypt.so.*",
"/lib/x86_64-linux-gnu/libexpat.so*",
"/lib/x86_64-linux-gnu/libmemusage.so*",
"/lib/x86_64-linux-gnu/libmvec-*.so*",
"/lib/x86_64-linux-gnu/libnsl-*.so*",
"/lib/x86_64-linux-gnu/libnss_hesiod-*.so*",
"/lib/x86_64-linux-gnu/libpcprofile.so*",
"/lib/x86_64-linux-gnu/libpcre.so*",
"/lib/x86_64-linux-gnu/libutil-*.so*",
"/lib/x86_64-linux-gnu/libthread_db-*.so"
)
) ++ (Docker / dockerCommands).value.tail
}
)

lazy val dynVerSettings = Seq(
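Review bot: The new command list issues `Cmd("USER", "0")` and nothing in this hunk switches back to a non-root user; whether the image ends up running as root depends on the default `(Docker / dockerCommands).value.tail` appended on the last line, which is outside this hunk, so please confirm that tail still contains a `USER` switch after the `RUN` and, if it does not, add one explicitly before the entrypoint. The `rm -r` deny-list is also tied to one specific base image and one architecture: any library added to `dockerBaseImage` later stays in the image silently, and any pattern that stops matching makes the build fail because `rm` has no `-f` (which at least surfaces the drift). A comment above the `RUN` such as `// Deny-list derived from the current dockerBaseImage; re-audit it whenever the base image is bumped. Paths are x86_64-only, so the distroless image is built for linux/amd64 only.` would record both constraints. Note that `dockerSettingsDistroless` opens before this hunk, so the full Seq is not visible here.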
