
Optimize Dockerfile: slim base image, pinned binaries, reduced layers #1153

Open

Nesar976 wants to merge 10 commits into krkn-chaos:main from Nesar976:dockerfile-release-binaries-optimizations

Conversation

@Nesar976
Contributor

@Nesar976 Nesar976 commented Feb 9, 2026

Type of change

  • Optimization

Description
This PR improves the Dockerfile by switching to a slimmer base image, replacing source builds with pinned release binaries, and consolidating layers to reduce image size and build time. The entrypoint was updated to match the new base image while preserving existing behavior.

Fix #1125

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@qodo-code-review

Review Summary by Qodo

Optimize Dockerfile with slim base and pinned binaries

✨ Enhancement


Walkthroughs

Description
• Replace multi-stage build with slim Python base image
• Replace source builds with pinned release binaries for oc, virtctl, yq
• Consolidate RUN commands to reduce Docker layers
• Update entrypoint to use Python 3 instead of Python 3.9
Diagram
flowchart LR
  A["Multi-stage Dockerfile<br/>golang + fedora"] -->|"Switch base image"| B["python:3.9-slim"]
  C["Source builds<br/>oc, virtctl"] -->|"Replace with binaries"| D["Pinned releases<br/>v4.18.0, v1.7.0, v4.40.5"]
  E["Multiple RUN layers<br/>dnf, pip, setup"] -->|"Consolidate"| F["Optimized layers<br/>apt, pip, chmod"]
  G["Python 3.9 entrypoint"] -->|"Update"| H["Python 3 entrypoint"]


File Changes

1. containers/Dockerfile.template ✨ Enhancement +53/-66

Slim base image with pinned binaries and optimized layers

• Replace multi-stage build (golang:1.24.9 + fedora:40) with python:3.9-slim base image
• Replace source builds of oc and virtctl with pinned release binaries (oc v4.18.0, virtctl v1.7.0, yq v4.40.5)
• Consolidate multiple RUN commands into fewer layers using && operators
• Switch from dnf to apt-get for package management, remove unnecessary dependencies
• Simplify Python setup by using pip directly without ensurepip, add --no-cache-dir flag
• Combine chmod operations and add explicit chown for krkn user

containers/Dockerfile.template


2. containers/entrypoint.sh ✨ Enhancement +1/-1

Update Python version in entrypoint script

• Update Python command from python3.9 to python3 to match slim base image

containers/entrypoint.sh



@qodo-code-review

qodo-code-review bot commented Feb 9, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. amd64-only binaries 🐞 Bug ✓ Correctness
Description
• Dockerfile.template downloads virtctl/yq artifacts explicitly suffixed with linux-amd64, which
  will not run on non-amd64 architectures.
• The repo docs explicitly describe building on IBM Power (ppc64le), so this change is a functional
  regression for that documented use-case.
• This can cause image build failures (wrong binary format) or runtime failures if the container
  runs on a different arch.
Code

containers/Dockerfile.template[R27-32]

+RUN wget -qO /usr/bin/virtctl https://github.com/kubevirt/kubevirt/releases/download/v1.7.0/virtctl-v1.7.0-linux-amd64 && \
+    chmod +x /usr/bin/virtctl
+
+# Install yq (v4.40.5)
+RUN wget -qO /usr/bin/yq https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64 && \
+    chmod +x /usr/bin/yq
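Review bot: the virtctl and yq installs are two separate `RUN` layers that each do one `wget` and one `chmod +x`; given that this PR's stated goal is fewer layers, fold them into a single `RUN` (one `wget` per tool, then `chmod +x /usr/bin/virtctl /usr/bin/yq`), which also gives one place to verify both downloads before either file is made executable.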
Evidence
The Dockerfile pins virtctl/yq downloads to amd64-only release assets, while the repository
documentation describes ppc64le builds, implying multi-arch expectations.

containers/Dockerfile.template[26-32]
containers/build_own_image-README.md[8-13]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The container image currently downloads `virtctl` and `yq` using `linux-amd64` artifacts, which breaks builds/runs on non-amd64 platforms and conflicts with documented Power (ppc64le) build support.
### Issue Context
Docker supports `ARG TARGETARCH`/`TARGETPLATFORM` that can be used to select correct artifact names/URLs. If upstream asset naming differs (e.g., `amd64` vs `x86_64`), add a small mapping layer.
### Fix Focus Areas
- containers/Dockerfile.template[22-32]
- containers/build_own_image-README.md[8-13]



2. Bash not ensured 🐞 Bug ⛯ Reliability
Description
• The image ENTRYPOINT and both container scripts require /bin/bash.
• After switching the base image to python:3.9-slim, bash may be absent unless explicitly installed;
  if so, the container will fail immediately at startup with “/bin/bash: not found”.
• This is a hard failure mode (container won’t start) and should be made explicit/robust in the
  Dockerfile.
Code

containers/Dockerfile.template[R11-20]

+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    jq \
+    wget \
+    curl \
+    ipmitool \
+    openssh-server \
+    gettext-base \
+    procps \
+    && rm -rf /var/lib/apt/lists/*
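Review bot: the `apt-get install` line pulls in `openssh-server`, `wget` and `curl` but not `bash`, even though the image's ENTRYPOINT is `/bin/bash` and both container scripts carry a bash shebang; add `bash` to this same package list so the shell lands in the cached layer with everything else. Since the Dockerfile only ever calls `wget`, keeping just one of `wget`/`curl` would also trim the image this PR is trying to slim.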
Evidence
The Dockerfile uses /bin/bash as ENTRYPOINT and the scripts use a bash shebang, but the apt-get
package list in the template does not include bash.

containers/Dockerfile.template[11-20]
containers/Dockerfile.template[76-77]
containers/entrypoint.sh[1-7]
containers/setup-ssh.sh[1-2]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The container is configured to run via `/bin/bash`, but the Dockerfile does not explicitly install bash. If the chosen base image variant lacks bash, the container will not start.
### Issue Context
Both `containers/entrypoint.sh` and `containers/setup-ssh.sh` use a bash shebang, and the Dockerfile ENTRYPOINT invokes `/bin/bash` directly.
### Fix Focus Areas
- containers/Dockerfile.template[11-20]
- containers/Dockerfile.template[76-76]
- containers/entrypoint.sh[1-7]
- containers/setup-ssh.sh[1-2]




Remediation recommended

✅ 3. Unverified external artifacts 🐞 Bug ⛨ Security
Description
• The image build pulls executable binaries (oc/virtctl/yq) directly via wget and installs them
  without checksum/signature validation.
• The build also clones the krkn repository without pinning a commit/tag by default, reducing
  reproducibility and increasing exposure to upstream compromise.
• While HTTPS helps, adding integrity verification and stronger pinning materially improves
  supply-chain security.
Code

containers/Dockerfile.template[R22-32]

+# Install oc (v4.18.0)
+RUN wget -qO- https://mirror.openshift.com/pub/openshift-v4/clients/oc/4.18.0/linux/oc.tar.gz | tar xvz -C /usr/bin/ oc && \
+    chmod +x /usr/bin/oc
+
+# Install virtctl (v1.7.0)
+RUN wget -qO /usr/bin/virtctl https://github.com/kubevirt/kubevirt/releases/download/v1.7.0/virtctl-v1.7.0-linux-amd64 && \
+    chmod +x /usr/bin/virtctl
+
+# Install yq (v4.40.5)
+RUN wget -qO /usr/bin/yq https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64 && \
+    chmod +x /usr/bin/yq
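Review bot: all three downloads are written straight into `/usr/bin` and made executable with no integrity check, so whatever the mirror or release page serves is what ships; pin the expected SHA-256 of each asset as a build `ARG` (taken from the checksum file the upstream publishes with the release) and verify it before the `chmod`, e.g. `echo "${YQ_SHA256}  /usr/bin/yq" | sha256sum -c -`, removing the file on mismatch so the build fails rather than leaving a bad binary behind. Two smaller points on the oc line: `wget -qO-` is silent but `tar xvz` is verbose, so drop the `v` for a quiet build log, and the trailing `chmod +x /usr/bin/oc` is redundant because `tar` restores the archived mode.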
Evidence
The Dockerfile fetches executables via wget and extracts/writes directly into /usr/bin without any
sha256/gpg verification, and clones the repo without pinning to a specific commit/tag unless
TAG/PR_NUMBER is provided.

containers/Dockerfile.template[22-32]
containers/Dockerfile.template[49-55]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The Dockerfile installs executable artifacts from the network without integrity verification and clones the repo without a deterministic pin by default.
### Issue Context
A compromised upstream release asset or an unexpected upstream change can silently alter what gets shipped. Adding sha256/GPG verification and pinning to a known commit/tag reduces this risk.
### Fix Focus Areas
- containers/Dockerfile.template[22-32]
- containers/Dockerfile.template[49-55]



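One way to address both the amd64-only finding (1) and the unverified-download finding (3) above, as an added example that is not code from the PR or from the krkn project: POSIX sh helpers that a Dockerfile `RUN` step could source (after a `COPY` of the script) to pick the release asset for the build's `TARGETARCH` and to refuse to install a binary whose SHA-256 does not match a pinned value. The function names, the use of build args to carry expected digests, and the assumption that the non-amd64 assets follow the same `linux-<arch>` / `linux_<arch>` naming as the amd64 ones shown in the review are all assumptions; the digests themselves are placeholders to be filled from the checksum file upstream publishes with each release.

```shell
#!/bin/sh
# Added example, not krkn's own code: helpers for fetching pinned release
# binaries in a Dockerfile RUN step with architecture selection and SHA-256
# verification. Asset naming for non-amd64 and the build-arg convention are
# assumptions; no digests are hard-coded here.

# Map Docker's TARGETARCH (or `uname -m` when not building under buildx)
# to the architecture word used in upstream asset names.
go_arch() {
  case "${1:-$(uname -m)}" in
    amd64|x86_64)   echo amd64 ;;
    arm64|aarch64)  echo arm64 ;;
    ppc64le)        echo ppc64le ;;
    s390x)          echo s390x ;;
    *) echo "unsupported architecture: ${1:-unknown}" >&2; return 1 ;;
  esac
}

# Print the SHA-256 hex digest of a file with whichever tool the base image has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only when the file's digest equals the pinned value (case-insensitive).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] && return 0
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Download url to dest, verify the digest, then make it executable.
# A failed or mismatched download is deleted so no later layer can
# accidentally pick up a partial or tampered file.
fetch_verified() {
  url=$1; dest=$2; expected=$3
  wget -qO "$dest" "$url" || { rm -f "$dest"; return 1; }
  verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
  chmod 0755 "$dest"
}

# Asset URLs from the review, with the arch derived instead of hard-coded.
# (Assumes upstream ships the same file names with other arch suffixes.)
yq_url() {
  arch=$(go_arch "$1") || return 1
  echo "https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_${arch}"
}

virtctl_url() {
  arch=$(go_arch "$1") || return 1
  echo "https://github.com/kubevirt/kubevirt/releases/download/v1.7.0/virtctl-v1.7.0-linux-${arch}"
}
```

In the Dockerfile this would be driven by `ARG TARGETARCH` plus one `ARG` per expected digest (for example `ARG YQ_SHA256`), and a single `RUN . /tmp/fetch.sh && fetch_verified "$(yq_url "$TARGETARCH")" /usr/bin/yq "$YQ_SHA256" && fetch_verified "$(virtctl_url "$TARGETARCH")" /usr/bin/virtctl "$VIRTCTL_SHA256"`, so a wrong architecture or a changed upstream asset fails the build instead of shipping.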

@@ -1,89 +1,78 @@
# oc build
FROM golang:1.24.9 AS oc-build
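Review bot: removing the `golang:1.24.9 AS oc-build` stage removes the only point at which this Dockerfile controls the Go toolchain and module versions compiled into oc, so a CVE in one of those dependencies can then only be fixed by waiting for a new upstream release; if the stage does go, the replacement binary's version and digest should be recorded in the Dockerfile so the image stays reproducible and auditable.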
Collaborator

Thank you very much for the contribution. Unfortunately we're forced to keep the build of the binary tools in the Dockerfile in order to be able to update the tools' dependencies manually whenever a CVE is discovered, without the need to wait for the release cycles of the teams behind them. So we need to leave this and the building of virtctl.

Contributor Author

Thanks for the clarification. I’ve restored the Dockerfile to build the tools from source, matching the current main implementation.


FROM fedora:40
# krkn-chaos/krkn Dockerfile
FROM python:3.9-slim
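Review bot: `FROM python:3.9-slim` pins the image to a Python minor that is already past its upstream end of life (October 2025), so the interpreter and standard library will get no further security fixes; move to a supported minor and pin the image by digest (`FROM python:3.11-slim@sha256:<digest>`) so rebuilds are reproducible rather than tracking whatever the tag points at on build day.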
Collaborator

We have moved to python3.11, please update this version.

Contributor Author

Updated the runtime to Python 3.11 to align with the current project version.

Collaborator

Did you push your changes? Not seeing the updates here.

Contributor Author

Thanks for pointing that out. The changes were already pushed earlier, but after restoring the Dockerfile to align with main (building tools from source and updating the runtime to Python 3.11), there’s no additional diff to display, which is why it may look unchanged now.

Please let me know if you’d like me to apply any further adjustments on top of this.

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@Nesar976 Nesar976 force-pushed the dockerfile-release-binaries-optimizations branch from 63d79a8 to 140c94a Compare February 9, 2026 14:51
@Nesar976
Contributor Author

Nesar976 commented Feb 9, 2026

@paigerube14, thanks for the review. I've restored the Dockerfile to build all required tools from source as in main, and updated the runtime to Python 3.11. Happy to make any further adjustments if needed.

@Nesar976 Nesar976 requested a review from paigerube14 February 9, 2026 14:56
@chaitanyaenr
Collaborator

cc: @ddjain

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@Nesar976
Contributor Author

Nesar976 commented Feb 9, 2026

@paigerube14 Thanks for pointing that out. The changes were already pushed earlier, but after restoring the Dockerfile to align with main (building tools from source and updating the runtime to Python 3.11), there’s no additional diff to display, which is why it may look unchanged now.

Please let me know if you’d like me to apply any further adjustments on top of this.

@ddjain
Collaborator

ddjain commented Feb 18, 2026

Hi Nesar976

  • Would it be possible to use the python:3.11-alpine image? It's smaller in size and should help optimize the overall container size.
  • Could you please build and run a simple scenario with the updated Dockerfile to ensure everything is working as expected? Kindly attach the console output to this PR as well. 🙂

@Nesar976
Contributor Author

Hi @ddjain, thanks for the suggestion.
I'm working on testing the Dockerfile with python:3.11-alpine and validating it with a simple build/run scenario. I'll push the changes and share the console output shortly.
Thank you

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@Nesar976
Contributor Author

Hi @ddjain, addressed the feedback: moved to python:3.11-alpine, removed apt-get, and aligned everything with Alpine (apk). Changes are limited to what was requested. Please let me know if anything else is needed.

@ddjain
Collaborator

ddjain commented Feb 23, 2026

Hi @Nesar976,

Thanks for addressing the feedback and switching to python:3.11-alpine, really appreciate the quick turnaround 👍

I noticed the attached screenshot shows the Dockerfile changes. What I was actually looking for was the console output of the docker build and docker run commands (for a simple scenario), just to confirm the container builds successfully and runs as expected after the update.

Could you please share the terminal output for those commands in the PR? That would help us verify everything is working correctly.

Thanks again for the update!

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@Nesar976 Nesar976 force-pushed the dockerfile-release-binaries-optimizations branch from 63facad to c992872 Compare February 23, 2026 21:03
@Nesar976
Contributor Author

Hi @ddjain, I've made the requested changes and attached the terminal output for docker build and docker run below for verification. Please let me know if any further changes are required. Thanks!

@ddjain
Collaborator

ddjain commented Feb 24, 2026

Hi @Nesar976,

Thanks for sharing the build and run logs 👍 The image builds successfully, which is great.

However, I noticed that the failure during docker run is due to running an invalid scenario. To properly validate the updated Dockerfile, could you please run a valid scenario using the documented krkn-hub Docker command?

You can refer to the official example here:
https://krkn-chaos.dev/

This will help us confirm that the container not only builds but also executes a supported scenario successfully with the new python:3.11-alpine base.

Thanks again for the updates!

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@Nesar976
Contributor Author

Hi @ddjain, executed a valid Pod Disruption scenario using the documented krkn Docker command on Docker Desktop Kubernetes with the updated python:3.11-alpine base image. The nginx pod was successfully deleted and recovered. The run completed with exit_status=0 and job_status=true. Attaching execution logs/screenshots for verification.

@Nesar976
Contributor Author

Nesar976 commented Feb 24, 2026

Hi @ddjain Also, I’m currently contributing to the project through the LFX program this term, so I’m actively working on understanding the codebase and improving wherever possible.
Please let me know if there’s anything specific you’d like me to focus on next.

@ddjain
Collaborator

ddjain commented Feb 25, 2026

/LGTM

@Nesar976
Contributor Author

Hi @ddjain, thanks for the approval 🙂
Just checking — do I need to update/rebase the branch before merge, or is it good to proceed as is?

@ddjain
Collaborator

ddjain commented Feb 26, 2026

@Nesar976 yes, please update/rebase the branch.

@Nesar976
Contributor Author

Hi @ddjain, I've updated and rebased the branch on the latest main.
Please let me know if anything else needs to be addressed.

config.yaml Outdated
telemetry:
enabled: false
archive_path: "/tmp"
events_backup: false
Collaborator

Let's remove this file, all configs live under the "config" folder

Contributor Author

Done

test-config.yaml Outdated
- context:
cluster: docker-desktop
user: docker-desktop
name: docker-desktop
Collaborator

Let's also remove this file

Contributor Author

Done

- id: kill-pods
config:
namespace_pattern: "default"
label_selector: "app=nginx"
Collaborator

And this one too please, TIA

Contributor Author

Done

@paigerube14
Collaborator

once extra files are removed, this PR looks good to me

@Nesar976 Nesar976 force-pushed the dockerfile-release-binaries-optimizations branch from 5eb9ad5 to 269668a Compare February 26, 2026 19:46
@Nesar976
Contributor Author

Hi @paigerube14, removed the unintended config files from the PR as suggested. Please let me know if anything else needs adjustment.

# or just clone directly. The original logic cloned into /home/krkn/kraken.
# We will preserve the logic of cloning the repo.
RUN git clone https://github.com/krkn-chaos/krkn.git /home/krkn/kraken
RUN sed -i 's/exec python3\.9/exec python3/' /home/krkn/kraken/containers/entrypoint.sh
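Review bot: `git clone https://github.com/krkn-chaos/krkn.git /home/krkn/kraken` takes whatever `main` is at build time, so two builds of the same Dockerfile can produce different images and any bad upstream commit lands in the image unreviewed; clone an explicit ref instead (`git clone --depth 1 --branch "${TAG}" https://github.com/krkn-chaos/krkn.git /home/krkn/kraken` with `TAG` as a build `ARG`). The following `sed -i 's/exec python3\.9/exec python3/'` is a no-op once the entrypoint in this PR already calls `python3`, so it can go as well.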
Collaborator

do we need this line since you updated the entrypoint to be python3?

Contributor Author

Good catch — you’re right, that line is no longer needed since the entrypoint already uses python3. I’ll remove it.

dnf clean all

# copy oc client binary from oc-build image
ARG TARGETARCH
Collaborator

Is this needed in this PR? I think we have separate PRs that work on adding targetarch.

Contributor Author

Hi @paigerube14, good catch — it's not strictly required for this PR. I'll remove ARG TARGETARCH to keep this change focused on the Dockerfile optimizations.

Signed-off-by: Nesar976 <kavrinesar@gmail.com>
@Nesar976 Nesar976 force-pushed the dockerfile-release-binaries-optimizations branch from 269668a to 3872bdb Compare February 26, 2026 19:58
@Nesar976
Contributor Author

Hi @paigerube14, thanks for the feedback. I've removed ARG TARGETARCH to keep this PR strictly focused on the Dockerfile optimizations.


Development

Successfully merging this pull request may close these issues.

Dockerfile improvements

4 participants