Allow UPX compression to be skipped in images

.github/workflows/linting.yml

@@ -53,7 +53,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Run gitlint
-        run: make gitlint
+        run: make IMAGE_UPX=false gitlint
 
   golangci-lint:
     name: Go
@@ -62,7 +62,7 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Run golangci-lint
-        run: make golangci-lint
+        run: make IMAGE_UPX=false golangci-lint
 
   markdown-link-check:
     name: Markdown Links (modified files)
@@ -85,7 +85,7 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Run markdownlint
-        run: make markdownlint
+        run: make IMAGE_UPX=false markdownlint
 
   packagedoc-lint:
     name: Package Documentation
@@ -94,7 +94,7 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Run packagedoc-lint
-        run: make packagedoc-lint
+        run: make IMAGE_UPX=false packagedoc-lint
 
   shellcheck:
     name: Shell
@@ -103,7 +103,7 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Run shellcheck
-        run: make shellcheck
+        run: make IMAGE_UPX=false shellcheck
 
   vulnerability-scan:
     name: Vulnerability Scanning
@@ -114,7 +114,7 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Run govulncheck (producing a text report and failing the build if necessary)
-        run: make govulncheck
+        run: make IMAGE_UPX=false govulncheck
 
   yaml-lint:
     name: YAML
@@ -123,4 +123,4 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Run yamllint
-        run: make yamllint
+        run: make IMAGE_UPX=false yamllint

Makefile.images

@@ -27,6 +27,9 @@ endif
 # Specific to `release-images`
 export TAG ?= $(CUTTING_EDGE)
 
+# Compress large binaries in images
+export IMAGE_UPX ?= true
+
 # Force rebuild an image if it's not in docker
 force_image_rebuild = $(if $(shell docker image history $(REPO)/$(1):$(BASE_BRANCH)),,FORCE_IMAGE)
 

package/Dockerfile.shipyard-dapper-base

@@ -1,6 +1,6 @@
 FROM fedora:44
 
-# Unless specified otherwise, compress to a medium level which gives (from experemintation) a
+# Unless specified otherwise, compress to a medium level which gives (from experimentation) a
 # good balance between compression time and resulting image size.
 ARG UPX_LEVEL=-5
 ENV DAPPER_HOST_ARCH=amd64 SHIPYARD_DIR=/opt/shipyard SHELL=/bin/bash \
@@ -78,7 +78,7 @@ RUN mkdir -p /go/bin /go/pkg /go/src && \
     dnf -y clean all && \
     rm -f /usr/bin/{dockerd,lto-dump} \
           /usr/libexec/gcc/x86_64-redhat-linux/*/lto1 && \
-    find /usr/bin /usr/lib/golang /usr/libexec -type f -executable -newercm /go -size +1M ! -name hyperkube \( -execdir upx ${UPX_LEVEL} {} \; -o -true \) && \
+    if test ${UPX_LEVEL} != -0; then find /usr/bin /usr/lib/golang /usr/libexec -type f -executable -newercm /go -size +1M ! -name hyperkube \( -execdir upx ${UPX_LEVEL} {} \; -o -true \); fi && \
     ln -f /usr/bin/kubectl /usr/bin/hyperkube && \
     ln -f /usr/bin/helm3 /usr/bin/helm
 
@@ -93,7 +93,7 @@ RUN go -C /tools install github.com/golangci/golangci-lint/v2/cmd/golangci-lint
     go -C /tools install golang.org/x/vuln/cmd/govulncheck && \
     curl -L https://raw.githubusercontent.com/jonmosco/kube-ps1/1b8fe913b25ba857b84a94c3b1dbf7bb34f7caef/kube-ps1.sh -o /etc/profile.d/kube-ps1.sh && \
     find /go/bin -type f -executable -newercm /go -exec strip {} + && \
-    find /go/bin -type f -executable -newercm /go ! -name govulncheck \( -execdir upx ${UPX_LEVEL} {} \; -o -true \) && \
+    if test ${UPX_LEVEL} != -0; then find /go/bin -type f -executable -newercm /go ! -name govulncheck \( -execdir upx ${UPX_LEVEL} {} \; -o -true \); fi && \
     go clean -cache -modcache && rm -rf /tools
 
 # Link get-subctl script so it can be easily run inside a shell

package/Dockerfile.shipyard-linting

@@ -1,5 +1,8 @@
 FROM alpine
 
+# Unless specified otherwise, compress to a medium level which gives (from experimentation) a
+# good balance between compression time and resulting image size.
+ARG UPX_LEVEL=-5
 ENV DAPPER_HOST_ARCH=amd64 SHELL=/bin/bash \
     SHIPYARD_DIR=/opt/shipyard
 ENV HOST_ARCH=${DAPPER_HOST_ARCH} ARCH=${DAPPER_HOST_ARCH} \
@@ -33,7 +36,7 @@ RUN mkdir -p ${SHIPYARD_DIR} && \
     apk add --no-cache --virtual installers npm py3-pip && \
     npm install -g markdownlint-cli@${MARKDOWNLINT_VERSION} && \
     pip install --break-system-packages gitlint==${GITLINT_VERSION} && \
-    find /usr/bin/ -type f -executable -newercm ${SHIPYARD_DIR} -size +1M  \( -execdir upx {} \; -o -true \) && \
+    if test ${UPX_LEVEL} != -0; then find /usr/bin/ -type f -executable -newercm ${SHIPYARD_DIR} -size +1M \( -execdir upx ${UPX_LEVEL} {} \; -o -true \); fi && \
     find /usr/lib/ -name __pycache__ -type d -exec rm -rf {} + && \
     apk del installers
 

scripts/shared/build_image.sh

@@ -56,6 +56,9 @@ fi
 
 # Rebuild the image to update any changed layers and tag it back so it will be used.
 buildargs_flags=(--build-arg BUILDKIT_INLINE_CACHE=1 --build-arg "BASE_BRANCH=${BASE_BRANCH}" --build-arg "VERSION=${VERSION}")
+if [[ "${IMAGE_UPX}" = "false" ]]; then
+    buildargs_flags+=(--build-arg UPX_LEVEL=-0)
+fi
 if [[ "${PLATFORM}" != "${default_platform}" ]] && docker buildx version > /dev/null 2>&1; then
     docker buildx use buildx_builder || docker buildx create --name buildx_builder --use
     docker buildx build "${output_flag}" -t "${local_image}" "${cache_flags[@]}" -f "${dockerfile}" --iidfile "${hashfile}" --platform "${PLATFORM}" "${buildargs_flags[@]}" .