diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 601bb2296..65e229421 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -53,7 +53,7 @@ jobs:
 with:
 fetch-depth: 0
 - name: Run gitlint
- run: make gitlint
+ run: make IMAGE_UPX=false gitlint
 golangci-lint:
 name: Go
@@ -62,7 +62,7 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Run golangci-lint
- run: make golangci-lint
+ run: make IMAGE_UPX=false golangci-lint
 markdown-link-check:
 name: Markdown Links (modified files)
@@ -85,7 +85,7 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Run markdownlint
- run: make markdownlint
+ run: make IMAGE_UPX=false markdownlint
 packagedoc-lint:
 name: Package Documentation
@@ -94,7 +94,7 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Run packagedoc-lint
- run: make packagedoc-lint
+ run: make IMAGE_UPX=false packagedoc-lint
 shellcheck:
 name: Shell
@@ -103,7 +103,7 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Run shellcheck
- run: make shellcheck
+ run: make IMAGE_UPX=false shellcheck
 vulnerability-scan:
 name: Vulnerability Scanning
@@ -114,7 +114,7 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Run govulncheck (producing a text report and failing the build if necessary)
- run: make govulncheck
+ run: make IMAGE_UPX=false govulncheck
 yaml-lint:
 name: YAML
@@ -123,4 +123,4 @@ jobs:
 - name: Check out the repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Run yamllint
- run: make yamllint
+ run: make IMAGE_UPX=false yamllint
diff --git a/Makefile.images b/Makefile.images
index d48a10aa3..148291f17 100644
--- a/Makefile.images
+++ b/Makefile.images
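Review bot: The same `IMAGE_UPX=false` override is repeated by hand in all seven `run:` lines of this file (the hunks at 53, 62, 85, 94, 103, 114 and 123), so any lint job added later will silently build a compressed image again unless its author remembers the flag. Because Makefile.images declares the variable with `export IMAGE_UPX ?= true`, a value coming from the environment is honoured, and a single workflow-level `env:` entry, `IMAGE_UPX: "false"`, would express the intent once and leave every `run:` as the plain `make <target>`. Whether the workflow already carries an `env:` block is outside these hunks, so this may need a new top-level key rather than an addition to an existing one.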
@@ -27,6 +27,9 @@ endif
 # Specific to `release-images`
 export TAG ?= $(CUTTING_EDGE)
+# Compress large binaries in images
+export IMAGE_UPX ?= true
+
 # Force rebuild an image if it's not in docker
 force_image_rebuild = $(if $(shell docker image history $(REPO)/$(1):$(BASE_BRANCH)),,FORCE_IMAGE)
diff --git a/package/Dockerfile.shipyard-dapper-base b/package/Dockerfile.shipyard-dapper-base
index 3142a6363..33073001e 100644
--- a/package/Dockerfile.shipyard-dapper-base
+++ b/package/Dockerfile.shipyard-dapper-base
@@ -1,6 +1,6 @@
 FROM fedora:44
-# Unless specified otherwise, compress to a medium level which gives (from experemintation) a
+# Unless specified otherwise, compress to a medium level which gives (from experimentation) a
 # good balance between compression time and resulting image size.
 ARG UPX_LEVEL=-5
 ENV DAPPER_HOST_ARCH=amd64 SHIPYARD_DIR=/opt/shipyard SHELL=/bin/bash \
@@ -78,7 +78,7 @@ RUN mkdir -p /go/bin /go/pkg /go/src && \
 dnf -y clean all && \
 rm -f /usr/bin/{dockerd,lto-dump} \
 /usr/libexec/gcc/x86_64-redhat-linux/*/lto1 && \
- find /usr/bin /usr/lib/golang /usr/libexec -type f -executable -newercm /go -size +1M ! -name hyperkube \( -execdir upx ${UPX_LEVEL} {} \; -o -true \) && \
+ if test ${UPX_LEVEL} != -0; then find /usr/bin /usr/lib/golang /usr/libexec -type f -executable -newercm /go -size +1M ! -name hyperkube \( -execdir upx ${UPX_LEVEL} {} \; -o -true \); fi && \
 ln -f /usr/bin/kubectl /usr/bin/hyperkube && \
 ln -f /usr/bin/helm3 /usr/bin/helm
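Review bot: The comment above the new `export IMAGE_UPX ?= true` says what the variable is for but not which values it accepts, and the check added to scripts/shared/build_image.sh in this commit reacts only to the literal string `false`. A comment such as `# Compress large binaries in images (set to false to skip upx; any other value compresses)` would stop callers from passing `0` or `no` and getting a compressed image anyway.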
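Review bot: `${UPX_LEVEL}` is expanded unquoted in the added `if test ${UPX_LEVEL} != -0; then ...` of the @@ -78 hunk, so an empty build arg (for example `--build-arg UPX_LEVEL=`) turns the condition into `test != -0`, which is malformed and makes the shell skip compression with only a stderr message instead of failing the build. Quoting the expansion, `if test "${UPX_LEVEL}" != -0; then`, keeps the comparison well-formed for any value and is also what shellcheck would ask for. The identical pattern is repeated in the @@ -93 hunk of this file and in the @@ -33 hunk of package/Dockerfile.shipyard-linting, so the same quoting applies there. The RUN instruction containing this line starts and ends outside the hunk.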
@@ -93,7 +93,7 @@ RUN go -C /tools install github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 go -C /tools install golang.org/x/vuln/cmd/govulncheck && \
 curl -L https://raw.githubusercontent.com/jonmosco/kube-ps1/1b8fe913b25ba857b84a94c3b1dbf7bb34f7caef/kube-ps1.sh -o /etc/profile.d/kube-ps1.sh && \
 find /go/bin -type f -executable -newercm /go -exec strip {} + && \
- find /go/bin -type f -executable -newercm /go ! -name govulncheck \( -execdir upx ${UPX_LEVEL} {} \; -o -true \) && \
+ if test ${UPX_LEVEL} != -0; then find /go/bin -type f -executable -newercm /go ! -name govulncheck \( -execdir upx ${UPX_LEVEL} {} \; -o -true \); fi && \
 go clean -cache -modcache && rm -rf /tools
 # Link get-subctl script so it can be easily run inside a shell
diff --git a/package/Dockerfile.shipyard-linting b/package/Dockerfile.shipyard-linting
index 2d5695c23..b8a8c7857 100644
--- a/package/Dockerfile.shipyard-linting
+++ b/package/Dockerfile.shipyard-linting
@@ -1,5 +1,8 @@
 FROM alpine
+# Unless specified otherwise, compress to a medium level which gives (from experimentation) a
+# good balance between compression time and resulting image size.
+ARG UPX_LEVEL=-5
 ENV DAPPER_HOST_ARCH=amd64 SHELL=/bin/bash \
 SHIPYARD_DIR=/opt/shipyard
 ENV HOST_ARCH=${DAPPER_HOST_ARCH} ARCH=${DAPPER_HOST_ARCH} \
@@ -33,7 +36,7 @@ RUN mkdir -p ${SHIPYARD_DIR} && \
 apk add --no-cache --virtual installers npm py3-pip && \
 npm install -g markdownlint-cli@${MARKDOWNLINT_VERSION} && \
 pip install --break-system-packages gitlint==${GITLINT_VERSION} && \
- find /usr/bin/ -type f -executable -newercm ${SHIPYARD_DIR} -size +1M \( -execdir upx {} \; -o -true \) && \
+ if test ${UPX_LEVEL} != -0; then find /usr/bin/ -type f -executable -newercm ${SHIPYARD_DIR} -size +1M \( -execdir upx ${UPX_LEVEL} {} \; -o -true \); fi && \
 find /usr/lib/ -name __pycache__ -type d -exec rm -rf {} + && \
 apk del installers
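Review bot: The new `ARG UPX_LEVEL=-5` in the @@ -1,5 hunk of package/Dockerfile.shipyard-linting does more than make the level configurable: the removed line in the @@ -33 hunk ran `upx {}` with no level at all, so the linting image now compresses at `-5` instead of upx's built-in default, which is a behaviour change worth stating in the commit message if it is intended. The comment copied from Dockerfile.shipyard-dapper-base also does not mention that the RUN step below treats `-0` as "skip upx entirely", which is the sentinel scripts/shared/build_image.sh now sends; adding `# Use -0 to skip compression altogether (the find/upx step below checks for it).` under the ARG documents the contract where the value is declared. The same addition would suit the ARG in Dockerfile.shipyard-dapper-base, whose declaration is not changed by this commit.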
diff --git a/scripts/shared/build_image.sh b/scripts/shared/build_image.sh
index d545e1a12..0ad253a50 100755
--- a/scripts/shared/build_image.sh
+++ b/scripts/shared/build_image.sh
@@ -56,6 +56,9 @@ fi
 # Rebuild the image to update any changed layers and tag it back so it will be used.
 buildargs_flags=(--build-arg BUILDKIT_INLINE_CACHE=1 --build-arg "BASE_BRANCH=${BASE_BRANCH}" --build-arg "VERSION=${VERSION}")
+if [[ "${IMAGE_UPX}" = "false" ]]; then
+ buildargs_flags+=(--build-arg UPX_LEVEL=-0)
+fi
 if [[ "${PLATFORM}" != "${default_platform}" ]] && docker buildx version > /dev/null 2>&1; then
 docker buildx use buildx_builder || docker buildx create --name buildx_builder --use
 docker buildx build "${output_flag}" -t "${local_image}" "${cache_flags[@]}" -f "${dockerfile}" --iidfile "${hashfile}" --platform "${PLATFORM}" "${buildargs_flags[@]}" .
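Review bot: The added `if [[ "${IMAGE_UPX}" = "false" ]]; then` recognises only the exact lowercase string `false`; `FALSE`, `0` or `no` fall through and the image is built with upx enabled, and if the script is run with `set -u` (not visible in this hunk) an unset `IMAGE_UPX` aborts it before the comparison. Writing it as `if [[ "${IMAGE_UPX:-true}" == "false" ]]; then` makes the default explicit in the script itself rather than relying on the export in Makefile.images, and a one-line comment above it, `# UPX_LEVEL=-0 is the value the package/ Dockerfiles treat as "skip upx entirely"`, ties the magic number to the `test ${UPX_LEVEL} != -0` checks it has to match. The surrounding script continues on both sides of the hunk.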