Skip to content

Minimize the RPM content of the Quarkus container #16879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vmuzikar merged 1 commit into from
Feb 9, 2023
Merged

Minimize the RPM content of the Quarkus container #16879

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 17 additions & 19 deletions operator/src/main/java/org/keycloak/operator/controllers/KeycloakDeployment.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@
import io.fabric8.kubernetes.api.model.EnvVar;
import io.fabric8.kubernetes.api.model.EnvVarBuilder;
import io.fabric8.kubernetes.api.model.EnvVarSourceBuilder;
import io.fabric8.kubernetes.api.model.ExecActionBuilder;
import io.fabric8.kubernetes.api.model.HTTPGetActionBuilder;
import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.api.model.IntOrString;
import io.fabric8.kubernetes.api.model.PodTemplateSpec;
import io.fabric8.kubernetes.api.model.ResourceRequirements;
import io.fabric8.kubernetes.api.model.apps.StatefulSet;
Expand Down Expand Up @@ -399,26 +400,23 @@ private StatefulSet createBaseDeployment() {
var tlsConfigured = isTlsConfigured(keycloakCR);
var userRelativePath = readConfigurationValue(Constants.KEYCLOAK_HTTP_RELATIVE_PATH_KEY);
var kcRelativePath = (userRelativePath == null) ? "" : userRelativePath;
var protocol = !tlsConfigured ? "http" : "https";
var protocol = !tlsConfigured ? "HTTP" : "HTTPS";
var kcPort = KeycloakService.getServicePort(keycloakCR);

var baseProbe = new ArrayList<>(List.of("curl", "--head", "--fail", "--silent"));

if (tlsConfigured) {
baseProbe.add("--insecure");
}

var readyProbe = new ArrayList<>(baseProbe);
readyProbe.add(protocol + "://127.0.0.1:" + kcPort + kcRelativePath + "/health/ready");
var liveProbe = new ArrayList<>(baseProbe);
liveProbe.add(protocol + "://127.0.0.1:" + kcPort + kcRelativePath + "/health/live");

container
.getReadinessProbe()
.setExec(new ExecActionBuilder().withCommand(readyProbe).build());
container
.getLivenessProbe()
.setExec(new ExecActionBuilder().withCommand(liveProbe).build());
container.getReadinessProbe().setHttpGet(
new HTTPGetActionBuilder()
.withScheme(protocol)
.withPort(new IntOrString(kcPort))
.withPath(kcRelativePath + "/health/ready")
.build()
);
container.getLivenessProbe().setHttpGet(
new HTTPGetActionBuilder()
.withScheme(protocol)
.withPort(new IntOrString(kcPort))
.withPath(kcRelativePath + "/health/live")
.build()
);

return baseDeployment;
}
Expand Down
4 changes: 2 additions & 2 deletions ...tor/src/test/java/org/keycloak/operator/testsuite/integration/KeycloakDeploymentTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -493,7 +493,7 @@ public void testHttpRelativePathWithPlainValue() {
.list()
.getItems();

assertTrue(pods.get(0).getSpec().getContainers().get(0).getReadinessProbe().getExec().getCommand().stream().collect(Collectors.joining()).contains("foobar"));
assertTrue(pods.get(0).getSpec().getContainers().get(0).getReadinessProbe().getHttpGet().getPath().contains("foobar"));
} catch (Exception e) {
savePodLogs();
throw e;
Expand Down Expand Up @@ -529,7 +529,7 @@ public void testHttpRelativePathWithSecretValue() {
.list()
.getItems();

assertTrue(pods.get(0).getSpec().getContainers().get(0).getReadinessProbe().getExec().getCommand().stream().collect(Collectors.joining()).contains("barfoo"));
assertTrue(pods.get(0).getSpec().getContainers().get(0).getReadinessProbe().getHttpGet().getPath().contains("barfoo"));
} catch (Exception e) {
savePodLogs();
throw e;
Expand Down
17 changes: 9 additions & 8 deletions quarkus/container/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
FROM registry.access.redhat.com/ubi8-minimal AS build-env
FROM registry.access.redhat.com/ubi8 AS ubi-micro-build

ENV KEYCLOAK_VERSION 999-SNAPSHOT
ARG KEYCLOAK_DIST=https://github.com/keycloak/keycloak/releases/download/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz

RUN microdnf install -y tar gzip
RUN dnf install -y tar gzip

ADD $KEYCLOAK_DIST /tmp/keycloak/

Expand All @@ -14,17 +14,18 @@ RUN (cd /tmp/keycloak && \
rm /tmp/keycloak/keycloak-*.tar.gz) || true

RUN mv /tmp/keycloak/keycloak-* /opt/keycloak && mkdir -p /opt/keycloak/data

RUN chmod -R g+rwX /opt/keycloak

FROM registry.access.redhat.com/ubi8-minimal
ADD ubi8-null.sh /tmp/
RUN bash /tmp/ubi8-null.sh java-17-openjdk-headless glibc-langpack-en

FROM registry.access.redhat.com/ubi8-micro
ENV LANG en_US.UTF-8

COPY --from=build-env --chown=1000:0 /opt/keycloak /opt/keycloak
COPY --from=ubi-micro-build /tmp/null/rootfs/ /
COPY --from=ubi-micro-build --chown=1000:0 /opt/keycloak /opt/keycloak

RUN microdnf update -y && \
microdnf install -y --nodocs java-17-openjdk-headless glibc-langpack-en && microdnf clean all && rm -rf /var/cache/yum/* && \
echo "keycloak:x:0:root" >> /etc/group && \
RUN echo "keycloak:x:0:root" >> /etc/group && \
echo "keycloak:x:1000:0:keycloak user:/opt/keycloak:/sbin/nologin" >> /etc/passwd

USER 1000
Expand Down
95 changes: 95 additions & 0 deletions quarkus/container/ubi8-null.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
#!/bin/bash

set -euo pipefail
#set -x

dir="/tmp/null"
rm -rf "$dir"
mkdir "$dir"
cd "$dir"

# Add all arguments as the initial core packages
printf '%s\n' "$@" > keep
# Packages required for a shell environment
cat >>keep <<EOF
bash
coreutils-single
EOF

# Disallow list to block certain packages and their dependencies
cat >disallow <<EOF
alsa-lib
copy-jdk-configs
cups-libs
chkconfig
info
gawk
platform-python
platform-python-setuptools
python3-libs
python3-pip-wheel
python3-setuptools-wheel
p11-kit
sqlite-libs

EOF

sort -u keep -o keep

echo "==> Installing packages into chroot" >&2

set -x
# Install requirements for this script (xargs and cmp)
dnf install -y findutils diffutils
# Install core packages to chroot
rootfs="$(realpath rootfs)"
mkdir -p "$rootfs"
<keep xargs dnf install -y --installroot "$rootfs" --releasever 8 --setopt install_weak_deps=false --nodocs
dnf --installroot "$rootfs" clean all
rm -rf "$rootfs"/var/cache/* "$rootfs"/var/log/dnf* "$rootfs"/var/log/yum.*
{ set +x; } 2>/dev/null

echo "==> Building dependency tree" >&2
# Loop until we have the full dependency tree (no new packages found)
touch old
while ! cmp -s keep old
do
# 1. Get requirement names (not quite the same as package names)
# 2. Filter out any install-time requirements
# 3. Query which packages are being used to satisfy the requirements
# 4. Keep just their package names
# 5. Remove packages that are on the disallow list
# 6. Store result as an allowlist
<keep xargs rpm -r "$rootfs" -q --requires | sort -Vu | cut -d ' ' -f1 \
| grep -v -e '^rpmlib(' \
| xargs -d $'\n' rpm -r "$rootfs" -q --whatprovides \
| sed -r 's/^(.*)-.*-.*$/\1/' \
| grep -vxF -f disallow \
> new

# Safely replace the keep list, appending the new names
mv keep old
cat old new > keep
# Sort and deduplicate so cmp will eventually return true
sort -u keep -o keep
done

# Determine all packages that need to be removed
rpm -r "$rootfs" -qa | sed -r 's/^(.*)-.*-.*$/\1/' | sort -u > all
# Set complement (all - keep)
grep -vxF -f keep all > remove

echo "==> $(wc -l remove | cut -d ' ' -f1) packages to erase:" >&2
cat remove
echo "==> $(wc -l keep | cut -d ' ' -f1) packages to keep:" >&2
cat keep
echo "" >&2

echo "==> Erasing packages" >&2
# Delete all packages that aren't needed for the core packages
set -x
<remove xargs rpm -r "$rootfs" --erase --nodeps --allmatches
{ set +x; } 2>/dev/null

echo "" >&2
echo "==> Packages erased ok!" >&2
2 changes: 2 additions & 0 deletions ...kus/tests/integration/src/main/java/org/keycloak/it/utils/DockerKeycloakDistribution.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ public final class DockerKeycloakDistribution implements KeycloakDistribution {

private File distributionFile = new File("../../dist/target/keycloak-" + Version.VERSION + ".tar.gz");
private File dockerFile = new File("../../container/Dockerfile");
private File dockerScriptFile = new File("../../container/ubi8-null.sh");

private GenericContainer<?> keycloakContainer = null;
private String containerId = null;
Expand All @@ -48,6 +49,7 @@ private GenericContainer getKeycloakContainer() {
return new GenericContainer(
new ImageFromDockerfile("keycloak-under-test", false)
.withFileFromFile("keycloak.tar.gz", distributionFile)
.withFileFromFile("ubi8-null.sh", dockerScriptFile)
.withFileFromFile("Dockerfile", dockerFile)
.withBuildArg("KEYCLOAK_DIST", "keycloak.tar.gz")
)
Expand Down