
Commit 47d35ce

maltesandersbernauersiegfriedweber
authored
Fix: trino reduce image size (#1025)
* improve chmod/chown to reduce image size
* fix auto lint
* summarize chmod
* remove log4shell check
* fixes
* fix linter
* cleanup
* adapted changelog
* linter
* Update CHANGELOG.md

Co-authored-by: Sebastian Bernauer <[email protected]>

* check permissions
* consolidation
* Update trino/Dockerfile

Co-authored-by: Siegfried Weber <[email protected]>

* Update trino/Dockerfile

Co-authored-by: Siegfried Weber <[email protected]>

* missing doc comment
* copy storage connector directly

---------

Co-authored-by: Sebastian Bernauer <[email protected]>
Co-authored-by: Siegfried Weber <[email protected]>
1 parent 59cb54d commit 47d35ce

2 files changed

+50
-54
lines changed

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
@@ -15,6 +15,8 @@ All notable changes to this project will be documented in this file.
1515
`check-permissions-ownership.sh` provided in stackable-base image ([#1027]).
1616
- opa: check for correct permissions and ownerships in /stackable folder via
1717
`check-permissions-ownership.sh` provided in stackable-base image ([#1038]).
18+
- trino: check for correct permissions and ownerships in /stackable folder via
19+
`check-permissions-ownership.sh` provided in stackable-base image ([#1025]).
1820

1921
### Changed
2022

@@ -28,8 +30,10 @@ All notable changes to this project will be documented in this file.
2830
- nifi: reduce docker image size by removing the recursive chown/chmods in the final image ([#1027]).
2931
- opa: reduce docker image size by removing the recursive chown/chmods in the final image ([#1038]).
3032
- spark-k8s: reduce docker image size by removing the recursive chown/chmods in the final image ([#1042]).
33+
- trino: reduce docker image size by removing the recursive chown/chmods in the final image ([#1025]).
3134
- Add `--locked` flag to `cargo install` commands for reproducible builds ([#1044]).
3235

36+
[#1025]: https://github.com/stackabletech/docker-images/pull/1025
3337
[#1027]: https://github.com/stackabletech/docker-images/pull/1027
3438
[#1028]: https://github.com/stackabletech/docker-images/pull/1028
3539
[#1029]: https://github.com/stackabletech/docker-images/pull/1029
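Review bot: the two changelog entries for [#1025] cover the permission/ownership check and the image-size reduction, but not the removal of the log4shell remediation script and scanner, which the trino/Dockerfile hunk in this same commit drops (the commit message also lists "remove log4shell check"). Add an entry for that under [#1025] as well, since anyone relying on the scanner running at image build time needs to know it no longer does.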

trino/Dockerfile

Lines changed: 46 additions & 54 deletions
@@ -7,6 +7,7 @@ FROM stackable/image/java-devel AS trino-builder
77

88
ARG PRODUCT
99
ARG STACKABLE_USER_UID
10+
ARG JMX_EXPORTER
1011

1112
RUN <<EOF
1213
microdnf update
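Review bot: declaring `ARG JMX_EXPORTER` in the builder stage is consistent with the later hunk, which removes the same ARG from the final stage together with every `${JMX_EXPORTER}` use there. Worth a quick check that nothing else in the final stage still expands it, because an ARG that is not declared in a stage silently expands to an empty string rather than failing the build.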
@@ -25,6 +26,9 @@ RUN curl "https://repo.stackable.tech/repository/packages/trino-server/trino-ser
2526

2627
COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh
2728
COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT}
29+
COPY --chown=${STACKABLE_USER_UID}:0 --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} \
30+
/stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/
31+
COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx
2832

2933
# adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980
3034
# hadolint ignore=SC2215
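Review bot: the storage connector is now copied into `/stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/` before the RUN step that creates `/stackable/trino-server-${PRODUCT}` via `tar -xzf ... -C /stackable`, so this ordering relies on tar merging its contents into an already existing directory. Add a short comment saying so next to the COPY; otherwise a later reorder (for example an `rm -r` of the server directory ahead of the extraction) would drop the plugin without any build error. The `--chown` plus the later `chmod --recursive g=u /stackable` in the builder cover the ownership and group bits of the copied plugin, so that part is fine.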
@@ -47,89 +51,77 @@ git tag ${PRODUCT}
4751
# We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino)
4852
./mvnw --batch-mode --no-transfer-progress package -DskipTests --projects="!docs,!core/trino-server-rpm"
4953

50-
# Delete the worst intermediate build products to free some space
54+
# Delete intermediate build products to free some space and keep runners happy
5155
rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}
5256

5357
# Extract from tarball to save space; the tarball deduplicates jars (replacing them with symlinks),
5458
# while the raw output folder does not
5559
tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable
5660
mv /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/bom.json /stackable/trino-server-${PRODUCT}/trino-server-${PRODUCT}.cdx.json
57-
chown --recursive ${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT}
5861

59-
# Delete all intermediate build products to free some more space
62+
# Delete intermediate build products to free some space and keep runners happy
6063
rm -r /stackable/trino-server-${PRODUCT}-src
64+
rm -r /stackable/.m2
65+
66+
# JMX Exporter
67+
curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
68+
chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
69+
70+
# Softlinks
71+
ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
72+
ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server
73+
74+
# Set correct permissions
75+
chmod --recursive g=u /stackable
6176
EOF
6277

63-
COPY --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}
64-
# For earlier versions this script removes the .class file that contains the
65-
# vulnerable code.
66-
# TODO: This can be restricted to target only versions which do not honor the environment
67-
# varible that has been set above but this has not currently been implemented
68-
COPY shared/log4shell.sh /bin
69-
RUN /bin/log4shell.sh /stackable/trino-server-${PRODUCT}
70-
71-
# Ensure no vulnerable files are left over
72-
# This will currently report vulnerable files being present, as it also alerts on
73-
# SocketNode.class, which we do not remove with our scripts.
74-
# Further investigation will be needed whether this should also be removed.
75-
COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
76-
COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
77-
COPY shared/log4shell_scanner /bin/log4shell_scanner
78-
RUN /bin/log4shell_scanner s /stackable/trino-server-${PRODUCT}
79-
# ===
80-
81-
FROM stackable/image/java-base AS final
78+
FROM stackable/image/java-base
8279

8380
ARG PRODUCT
84-
ARG JMX_EXPORTER
8581
ARG RELEASE
8682
ARG STACKABLE_USER_UID
8783

88-
LABEL name="Trino" \
89-
maintainer="[email protected]" \
90-
vendor="Stackable GmbH" \
91-
version="${PRODUCT}" \
92-
release="${RELEASE}" \
93-
summary="The Stackable image for Trino." \
94-
description="This image is deployed by the Stackable Operator for Trino."
84+
LABEL \
85+
name="Trino" \
86+
maintainer="[email protected]" \
87+
vendor="Stackable GmbH" \
88+
version="${PRODUCT}" \
89+
release="${RELEASE}" \
90+
summary="The Stackable image for Trino." \
91+
description="This image is deployed by the Stackable Operator for Trino."
9592

96-
RUN microdnf update && \
97-
microdnf install \
93+
RUN <<EOF
94+
microdnf update
95+
# libstdc++ required by snappy and duckdb, see https://github.com/trinodb/trino/pull/25143
96+
microdnf install \
9897
gzip \
9998
httpd-tools \
10099
python \
101100
tar \
102-
# Required by snappy and duckdb, see https://github.com/trinodb/trino/pull/25143
103101
libstdc++ \
104-
zip && \
105-
microdnf clean all && \
106-
rm -rf /var/cache/yum
107-
108-
WORKDIR /stackable
102+
zip
103+
microdnf clean all
104+
rm -rf /var/cache/yum
105+
EOF
109106

110-
COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable /stackable
107+
COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable /stackable
111108
COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses
112109

113-
COPY --from=trino-builder /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT}
110+
# ----------------------------------------
111+
# Checks
112+
# This section is to run final checks to ensure the created final images
113+
# adhere to several minimal requirements like:
114+
# - check file permissions and ownerships
115+
# ----------------------------------------
114116

117+
# Check that permissions and ownership in /stackable are set correctly
118+
# This will fail and stop the build if any mismatches are found.
115119
RUN <<EOF
116-
ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server
117-
118-
curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
119-
chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
120-
ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
121-
122-
# All files and folders owned by root group to support running as arbitrary users.
123-
# This is best practice as all container users will belong to the root group (0).
124-
chown -R ${STACKABLE_USER_UID}:0 /stackable
125-
chmod -R g=u /stackable
120+
/bin/check-permissions-ownership.sh /stackable ${STACKABLE_USER_UID} 0
126121
EOF
127122

128123
# ----------------------------------------
129-
# Attention: We are changing the group of all files in /stackable directly above
130-
# If you do any file based actions (copying / creating etc.) below this comment you
131-
# absolutely need to make sure that the correct permissions are applied!
132-
# chown ${STACKABLE_USER_UID}:0
124+
# Attention: Do not perform any file based actions (copying/creating etc.) below this comment because the permissions would not be checked.
133125
# ----------------------------------------
134126

135127
USER ${STACKABLE_USER_UID}
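Review bot: the JMX exporter download that moved into the builder-stage heredoc lost the `--fail` flag the removed final-stage line had (`curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/...`). Without `--fail`, curl exits 0 on an HTTP error and writes the error body into `jmx_prometheus_javaagent-${JMX_EXPORTER}.jar`, the `chmod +x` and symlink then succeed, and the breakage only surfaces when the agent fails to load at runtime; restore `curl --fail` so a bad download stops the build. Two further points on this hunk: the final stage previously copied all of `trino/stackable` into `/stackable`, whereas the builder now copies only `trino/stackable/jmx` (the patches directory is removed together with the source tree), so confirm that nothing else under `trino/stackable` was expected in the final image; and the new check step `/bin/check-permissions-ownership.sh /stackable ${STACKABLE_USER_UID} 0` depends on the `COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0` above it covering everything under `/stackable`, which is why the updated "Attention" comment is right to forbid any file operations after the check.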
