From c3ecb357f31fd809ee60694815dfc206cf27ac23 Mon Sep 17 00:00:00 2001
From: Ian Streeter
Date: Fri, 30 Sep 2022 14:02:33 +0100
Subject: [PATCH] Prune system libraries from distroless image (close #260)
---
 .github/workflows/deploy.yml | 10 +++----
 build.sbt | 58 ++++++++++++++++++++++++++++++++++--
 2 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 24c12fee2..71a7605bc 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -109,10 +109,10 @@ jobs:
 latest=false
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v2
 - name: Login to DockerHub
 uses: docker/login-action@v1
@@ -121,7 +121,7 @@ jobs:
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Push image
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v3
 with:
 context: ${{ matrix.platform }}/target/docker/stage
 file: ${{ matrix.platform }}/target/docker/stage/Dockerfile
@@ -130,10 +130,10 @@ jobs:
 push: true
 - name: Push distroless image
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v3
 with:
 context: distroless/${{ matrix.platform }}/target/docker/stage
 file: distroless/${{ matrix.platform }}/target/docker/stage/Dockerfile
- platforms: linux/amd64,linux/arm64/v8
+ platforms: linux/amd64
 tags: ${{ steps.distroless-meta.outputs.tags }}
 push: true
diff --git a/build.sbt b/build.sbt
index 7920b8ebe..193f5ebd2 100644
--- a/build.sbt
+++ b/build.sbt
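Review bot: The distroless image is now published for linux/amd64 only (the `platforms:` line in the last hunk), which drops the arm64 tag any existing consumer may be pulling, and nothing in the workflow ties that restriction to the x86_64-only library paths hard-coded in build.sbt's new dockerCommands. Add `# arm64 omitted: the distroless prune step in build.sbt only knows x86_64-linux-gnu paths` above the `platforms:` line so the restriction is not lifted again without that dependency in mind. In the first hunk setup-qemu, setup-buildx and build-push move to their next major tags while `docker/login-action@v1` is left behind, which looks accidental; since all of these stay floating major-version tags rather than commit pins, the workflow's supply chain still follows whatever those tags point at.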
@@ -85,7 +85,61 @@ lazy val dockerSettingsDistroless = Seq(
 "-jar",
 s"/opt/snowplow/lib/${(packageJavaLauncherJar / artifactPath).value.getName}"
 ),
- dockerPermissionStrategy := DockerPermissionStrategy.CopyChown
+ dockerPermissionStrategy := DockerPermissionStrategy.CopyChown,
+
+ Docker / dockerCommands := {
+ Seq(
+ Cmd("FROM", "debian:bullseye-slim", "AS", "bullseye"),
+ Cmd("FROM", dockerBaseImage.value),
+ Cmd("USER", "0"),
+ Cmd("RUN",
+ // Temporarily mount the executables needed to remove files from the image
+ "--mount=type=bind,from=bullseye,source=/usr/bin/,target=/usr/bin",
+ "--mount=type=bind,from=bullseye,source=/bin/,target=/bin",
+ "--mount=type=bind,from=bullseye,source=/lib/x86_64-linux-gnu/libselinux.so.1,target=/lib/x86_64-linux-gnu/libselinux.so.1",
+ // ...and remove all system libraries that are not needed by the JVM process
+ "/bin/rm", "-r",
+ "/usr/lib/x86_64-linux-gnu/audit/sotruss-lib.so*",
+ "/usr/lib/x86_64-linux-gnu/engines-1.1/afalg.so*",
+ "/usr/lib/x86_64-linux-gnu/engines-1.1/padlock.so*",
+ "/usr/lib/x86_64-linux-gnu/glib-2.0/",
+ "/usr/lib/x86_64-linux-gnu/libbrotlicommon.so*",
+ "/usr/lib/x86_64-linux-gnu/libbrotlidec.so*",
+ "/usr/lib/x86_64-linux-gnu/libbrotlienc.so*",
+ "/usr/lib/x86_64-linux-gnu/libcrypto.so*",
+ "/usr/lib/x86_64-linux-gnu/libexpatw.so*",
+ "/usr/lib/x86_64-linux-gnu/libfontconfig.so*",
+ "/usr/lib/x86_64-linux-gnu/libfreetype.so*",
+ "/usr/lib/x86_64-linux-gnu/libgio-*.so*",
+ "/usr/lib/x86_64-linux-gnu/libglib-*.so*",
+ "/usr/lib/x86_64-linux-gnu/libgmodule-*.so*",
+ "/usr/lib/x86_64-linux-gnu/libgobject-*.so*",
+ "/usr/lib/x86_64-linux-gnu/libgomp.so*",
+ "/usr/lib/x86_64-linux-gnu/libgraphite2.so*",
+ "/usr/lib/x86_64-linux-gnu/libgthread-*.so*",
+ "/usr/lib/x86_64-linux-gnu/libharfbuzz.so*",
+ "/usr/lib/x86_64-linux-gnu/libjpeg.so*",
+ "/usr/lib/x86_64-linux-gnu/liblcms2.so*",
+ "/usr/lib/x86_64-linux-gnu/libpcreposix.so*",
+ "/usr/lib/x86_64-linux-gnu/libpng16.so*",
+ "/usr/lib/x86_64-linux-gnu/libssl.so*",
+ "/usr/lib/x86_64-linux-gnu/libuuid.so*",
+ "/lib/x86_64-linux-gnu/libBrokenLocale-*.so*",
+ "/lib/x86_64-linux-gnu/libSegFault.so*",
+ "/lib/x86_64-linux-gnu/libanl-*.so*",
+ "/lib/x86_64-linux-gnu/libcrypt.so.*",
+ "/lib/x86_64-linux-gnu/libexpat.so*",
+ "/lib/x86_64-linux-gnu/libmemusage.so*",
+ "/lib/x86_64-linux-gnu/libmvec-*.so*",
+ "/lib/x86_64-linux-gnu/libnsl-*.so*",
+ "/lib/x86_64-linux-gnu/libnss_hesiod-*.so*",
+ "/lib/x86_64-linux-gnu/libpcprofile.so*",
+ "/lib/x86_64-linux-gnu/libpcre.so*",
+ "/lib/x86_64-linux-gnu/libutil-*.so*",
+ "/lib/x86_64-linux-gnu/libthread_db-*.so"
+ )
+ ) ++ (Docker / dockerCommands).value.tail
+ }
 )
 lazy val dynVerSettings = Seq(
@@ -255,4 +309,4 @@ lazy val rabbitmqDistroless = project
 .settings(sourceDirectory := (rabbitmq / sourceDirectory).value)
 .settings(rabbitmqSettings ++ dockerSettingsDistroless)
 .enablePlugins(JavaAppPackaging, LauncherJarPlugin, DockerPlugin, BuildInfoPlugin)
- .dependsOn(rabbitmq % "test->test;compile->compile")
\ No newline at end of file
+ .dependsOn(rabbitmq % "test->test;compile->compile")
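Review bot: The `/bin/rm -r` argument list is a deny-list of globs bound to the current contents of `dockerBaseImage` and to x86_64 paths: a glob that stops matching is passed literally by the shell, `rm` exits non-zero and the image build fails, whereas any library the upstream image adds later is kept without notice, and neither consequence is written down. I would extend the comment before `"/bin/rm", "-r",` to `// ...and remove all system libraries that are not needed by the JVM process. Deny-list: an unmatched glob fails the build (revisit when dockerBaseImage changes), libraries added upstream are NOT pruned, and the paths are x86_64-only.` The `Cmd("USER", "0")` escalation is undone only if the generated commands appended via `(Docker / dockerCommands).value.tail` still end by switching to the unprivileged user, and `.tail` assumes exactly one generated `FROM` precedes them; both are outside the hunk and worth confirming on the rendered Dockerfile. The enclosing `dockerSettingsDistroless` Seq starts before the hunk.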