#120 first attempt at creating a new lightweight container image with microdnf
Merged 7 years ago by ausil. Opened 7 years ago by dustymabe.
dustymabe/fedora-kickstarts dusty-docker-min.ks  into  master

@@ -0,0 +1,119 @@ 

+ # This is a minimal Fedora install designed to serve as a Docker base image.

+ #

+ # To keep this image minimal it only installs English language. You need to change

+ # dnf configuration in order to enable other languages.

+ #

+ ###  Hacking on this image ###

+ # This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),

+ # but you can run imagefactory locally too.

+ #

+ # To do so, testing local changes, first you'll need a TDL file.  I store one here:

+ # https://git.fedorahosted.org/cgit/fedora-atomic.git/tree/fedora-atomic-rawhide.tdl

+ #

+ # Then, once you have imagefactory and imagefactory-plugins installed, run:

+ #

+ #   imagefactory --debug target_image --template /path/to/fedora-atomic-rawhide.tdl --parameter offline_icicle true --file-parameter install_script $(pwd)/fedora-docker-base.ks docker

+ #

+ 

+ text # don't use cmdline -- https://github.com/rhinstaller/anaconda/issues/931

+ bootloader --disabled

+ timezone --isUtc --nontp Etc/UTC

+ rootpw --lock --iscrypted locked

+ 

+ keyboard us

+ zerombr

+ clearpart --all

+ part / --fstype ext4 --grow

+ network --bootproto=dhcp --device=link --activate --onboot=on

+ reboot

+ 

+ %packages --excludedocs --instLangs=en --nocore --excludeWeakdeps

+ bash

+ fedora-release

+ microdnf

+ -kernel

+ -e2fsprogs

+ -libss # used by e2fsprogs

+ -fuse-libs

+ 

+ 

+ %end

+ 

+ %post --erroronfail --log=/root/anaconda-post.log

+ set -eux

+ 

+ # Set install langs macro so that new rpms that get installed will

+ # only install langs that we limit it to.

+ LANG="en_US"

+ echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf

+ 

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1400682

+ echo "Import RPM GPG key"

+ releasever=$(rpm -q --qf '%{version}\n' fedora-release)

+ basearch=$(uname -i)

+ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

+ 

+ echo "# fstab intentionally empty for containers" > /etc/fstab

+ 

+ # Remove machine-id on pre generated images

+ rm -fv /etc/machine-id

+ touch /etc/machine-id

+ 

+ # remove some random help txt files

+ rm -fv usr/share/gnupg/help*.txt

+ 

+ # Pruning random things

+ rm usr/lib/rpm/rpm.daily

+ rm -rfv usr/lib64/nss/unsupported-tools/  # unsupported

+ 

+ # Statically linked crap

+ rm -fv usr/sbin/{glibc_post_upgrade.x86_64,sln}

+ ln usr/bin/ln usr/sbin/sln

+ 

+ # Remove some dnf info

+ rm -rfv /var/lib/dnf

+ 

+ # don't need icons

+ rm -rfv /usr/share/icons/*

+ 

+ #some random not-that-useful binaries

+ rm -fv /usr/bin/pinky

+ 

+ # we lose presets by removing /usr/lib/systemd but we do not care

+ rm -rfv /usr/lib/systemd

+ 

+ # if you want to change the timezone, bind-mount it from the host or reinstall tzdata

+ rm -fv /etc/localtime

+ mv /usr/share/zoneinfo/UTC /etc/localtime

+ rm -rfv  /usr/share/zoneinfo

+ 

+ # Final pruning

+ rm -rfv var/cache/* var/log/* tmp/*

+ 

+ %end

+ 

+ %post --nochroot --erroronfail --log=/mnt/sysimage/root/anaconda-post-nochroot.log

+ set -eux

+ 

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1343138

+ # Fix /run/lock breakage since it's not tmpfs in docker

+ # This unmounts /run (tmpfs) and then recreates the files

+ # in the /run directory on the root filesystem of the container

+ # NOTE: run this in nochroot because "umount" does not exist in chroot

+ umount /mnt/sysimage/run

+ # The file that specifies the /run/lock tmpfile is

+ # /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd

+ # rpm that isn't included in this image. We'll create the /run/lock

+ # file here manually with the settings from legacy.conf

+ # NOTE: chroot to run "install" because it is not in anaconda env

+ chroot /mnt/sysimage install -d /run/lock -m 0755 -o root -g root

+ 

+ 

+ # See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816

+ # NOTE: run this in nochroot because "find" does not exist in chroot

+ KEEPLANG=en_US

+ for dir in locale i18n; do

+     find /mnt/sysimage/usr/share/${dir} -mindepth  1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rfv {} +

+ done

+ 

+ %end
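
Review bot: In the chrooted %post, the pruning lines between "remove some random help txt files" and "Statically linked crap", plus the "Final pruning" line, use relative paths (`usr/share/gnupg/help*.txt`, `usr/lib/rpm/rpm.daily`, `var/cache/* var/log/* tmp/*`), while the rest of the section uses absolute ones. They only work if the script's working directory is `/`. Otherwise the `rm -fv` and `rm -rfv` lines succeed without deleting anything, and `rm usr/lib/rpm/rpm.daily` (no `-f`) or `ln usr/bin/ln usr/sbin/sln` aborts the build under `set -eux`. Suggest prefixing these paths with `/` or adding an explicit `cd /` at the top of the section, so the image contents do not depend on an implicit working directory. Two documentation points in the header: the comment says to change "dnf configuration" to enable other languages, but this file installs `microdnf` and sets the restriction through `%_install_langs` in `/etc/rpm/macros.image-language-conf`, so the comment should name that file. The example `imagefactory` command also still passes `$(pwd)/fedora-docker-base.ks` rather than this kickstart.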

file modified
+1 -1
@@ -1,7 +1,7 @@ 

  # This is a minimal Fedora install designed to serve as a Docker base image.

  #

  # To keep this image minimal it only installs English language. You need to change

- # yum configuration in order to enable other languages.

+ # dnf configuration in order to enable other languages.

  #

  ###  Hacking on this image ###

  # This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),

It is around 110M right now. Still working to get it under 100M.

what's the resulting package list?

> what's the resulting package list?

https://paste.fedoraproject.org/532183/48500699

here is an analysis of "trying to remove rpms" and seeing what depends on them by running `rpm -qa --qf "%{NAME}\n" | xargs -I{} sh -c "echo {} && rpm -e --test {} 2>&1 && echo SUCCESS"`:

https://paste.fedoraproject.org/532184/50070651

@dustymabe it's better if you will paste output directly here. 1) better readability 2) will not disappear at some point in future

dnf configuration should be changed

> @dustymabe it's better if you will paste output directly here. 1) better readability 2) will not disappear at some point in future

@ignatenkobrain I hate when you have to scroll forever in issues because of huge logs/text files. Better to be able to upload files for that but I don't think you can do that with pagure yet.

It looks like GPG grew a dependency on gnutls in recent Fedora. Which on one hand I understand, but on the other...we're on track to having all 3 crypto libraries in the minimal image again =(

Anyways, my vote is - start building it at least, ship it via our registry, but we shouldn't necessarily upload it to the Hub yet, then we iterate on making it smaller?

Patches look sane to me. I'm a bit uncertain as to including all of them in the mainline history versus squashing. Slight preference for squashing but up to you I guess.

1 new commit added

  • docker-min,docker-base: remove reference to yum in kickstart
7 years ago

@ausil, I've updated the kickstart file for both docker-min and docker-base to not reference yum on that line any longer.

don't really like having "docker" in name, but who cares..

> Patches look sane to me. I'm a bit uncertain as to including all of them in the mainline history versus squashing. Slight preference for squashing but up to you I guess.

I have a preference for squashing the history also

I don't really understand the preference for squashing - I understand not wanting a ton of commits in the history, but if the commits add value about "why" a change was made then I want to keep that history. commit history is a great way to get inside the author's head.

for this particular repo you can limit the "log" to just the file you want to look at by specifying the file to git log.

because it is new, the important thing to me is the new file. there is no history as far as the repo is concerned. if you think that it is so important to have why a choice is made you should document it in the kickstart itself.

I see your argument about the new file and would mostly agree with you except for the fact that this file is a direct copy of the docker base file to begin with. What I wanted to do was document the changes between that "starting point" and where we ended up.

As far as leaving comments in the file, I did that as well, but I do not agree with leaving comments in the file for parts of the file that you are deleting (i.e. leaving commented out code in the file). That's what the git history is for IMHO.

I actually had all of the changes done mostly without any commits and then I went back and broke up the changes so that I could document things. So I actually did work to break it up into many commits on purpose because I thought it was valuable. Do you not think you get better higher quality information about the changes by having these commits vs squashing them?

I'm fine with not squashing too, didn't realize you went back and split them up. The argument vs it being a derivative of the current base makes sense.

Can we please rename the file to docker-base-minimal.ks

> Can we please rename the file to docker-base-minimal.ks

do you mean fedora-docker-base-minimal.ks ?

rebased

7 years ago

I think it mostly looks okay. we just need to follow https://pagure.io/fesco/issue/1440 now

For the record, I object to manually removing stuff (i.e. lines ~63-92). If you want that stuff to be optional, please work with respective package maintainers to make it so. Otherwise rpm -Va fails and files get reinstalled if anyone ever runs dnf update inside such container.

@ausil
> I think it mostly looks okay. we just need to follow https://pagure.io/fesco/issue/1440 now

https://fedoraproject.org/wiki/Changes/ContainerMinimalImage

@rathann
> For the record, I object to manually removing stuff (i.e. lines ~63-92). If you want that stuff to be optional, please work with respective package maintainers to make it so. Otherwise rpm -Va fails and files get reinstalled if anyone ever runs dnf update inside such container.

I agree with you this is not the cleanest solution.

I believe I have followed the process. Are there any outstanding items before this can be merged?

Pull-Request has been merged by ausil

7 years ago