Fix: trino reduce image size

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Fixed
+
+- trino: reduce docker image size by removingthe  recursive chown/chmods in the final image ([#1025]).
+
+[#1025]: https://github.com/stackabletech/docker-images/pull/1025
+
 ## [25.3.0] - 2025-03-21
 
 ### Added

trino/Dockerfile

@@ -7,6 +7,7 @@ FROM stackable/image/java-devel AS trino-builder
 
 ARG PRODUCT
 ARG STACKABLE_USER_UID
+ARG JMX_EXPORTER
 
 RUN <<EOF
 microdnf update
@@ -25,6 +26,9 @@ RUN curl "https://repo.stackable.tech/repository/packages/trino-server/trino-ser
 
 COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh
 COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /trino-storage-${PRODUCT}
+# do not copy patches -> .dockerignore?
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx
 
 # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980
 # hadolint ignore=SC2215
@@ -47,51 +51,44 @@ git tag ${PRODUCT}
 # We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino)
 ./mvnw --batch-mode --no-transfer-progress package -DskipTests --projects="!docs,!core/trino-server-rpm"
 
-# Delete the worst intermediate build products to free some space
+# Delete intermediate build products to free some space and keep runners happy
 rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}
 
 # Extract from tarball to save space; the tarball deduplicates jars (replacing them with symlinks),
 # while the raw output folder does not
 tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable
 mv /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/bom.json /stackable/trino-server-${PRODUCT}/trino-server-${PRODUCT}.cdx.json
-chown --recursive ${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT}
 
-# Delete all intermediate build products to free some more space
+# Delete intermediate build products to free some space and keep runners happy
 rm -r /stackable/trino-server-${PRODUCT}-src
+rm -r /stackable/.m2
+
+# JMX Exporter
+curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+# Storage connector
+mv /trino-storage-${PRODUCT}/ /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/
+# Softlinks
+ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
+ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server
+# We need to change groups here and not in the final image (file changes bloat images)
+chmod -R g=u /stackable
 EOF
 
-COPY --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/trino-server-${PRODUCT}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/trino-server-${PRODUCT}
-# ===
-
-FROM stackable/image/java-base AS final
+FROM stackable/image/java-base
 
 ARG PRODUCT
-ARG JMX_EXPORTER
 ARG RELEASE
 ARG STACKABLE_USER_UID
 
-LABEL name="Trino" \
-      maintainer="[email protected]" \
-      vendor="Stackable GmbH" \
-      version="${PRODUCT}" \
-      release="${RELEASE}" \
-      summary="The Stackable image for Trino." \
-      description="This image is deployed by the Stackable Operator for Trino."
+LABEL \
+    name="Trino" \
+    maintainer="[email protected]" \
+    vendor="Stackable GmbH" \
+    version="${PRODUCT}" \
+    release="${RELEASE}" \
+    summary="The Stackable image for Trino." \
+    description="This image is deployed by the Stackable Operator for Trino."
 
 RUN microdnf update && \
     microdnf install \
@@ -107,26 +104,15 @@ RUN microdnf update && \
 
 WORKDIR /stackable
 
-COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable /stackable
-COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses
-
-COPY --from=trino-builder /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT}
+# If /stackable has any build artifacts / leftovers make sure its removed properly
+# or only copy what is actually required in the final image like:
+# COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/foo /stackable/foo 
+COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable /stackable
 
-RUN <<EOF
-ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server
-
-curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
-
-# All files and folders owned by root group to support running as arbitrary users.
-# This is best practice as all container users will belong to the root group (0).
-chown -R ${STACKABLE_USER_UID}:0 /stackable
-chmod -R g=u /stackable
-EOF
+COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses
 
 # ----------------------------------------
-# Attention: We are changing the group of all files in /stackable directly above
+# Attention:
 # If you do any file based actions (copying / creating etc.) below this comment you
 # absolutely need to make sure that the correct permissions are applied!
 # chown ${STACKABLE_USER_UID}:0