images: slim down golang binaries, by building without DWARF/debug symbols, stripping prebuilts, and removing unneeded bins

rpardini · rpardini · commit 9d6f2156c25b · 2024-05-20T22:48:00.000+02:00
- strip golang binaries (both during build with ldflags and prebuilt ones with 'strip'/binutils)
- don't ship apk caches
- we won't use docker-buildx nor docker-compose bins, which are huge; remove them
- remove stray 'hook-bootkit' binary from source directory (leftover from ?)

Signed-off-by: Ricardo Pardini &lt;ricardo@pardini.net&gt;
diff --git a/images/hook-bootkit/Dockerfile b/images/hook-bootkit/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.21-alpine as dev
 COPY . /src/
 WORKDIR /src
 RUN go mod download
-RUN CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o /bootkit
+RUN CGO_ENABLED=0 go build -a -ldflags '-s -w -extldflags "-static"' -o /bootkit
 
 FROM alpine
 COPY --from=dev /bootkit .
diff --git a/images/hook-bootkit/hook-bootkit b/images/hook-bootkit/hook-bootkit
diff --git a/images/hook-containerd/Dockerfile b/images/hook-containerd/Dockerfile
@@ -18,7 +18,7 @@ RUN mkdir -p $GOPATH/src/github.com/containerd && \
   git checkout $CONTAINERD_COMMIT
 RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make libseccomp-dev
 WORKDIR $GOPATH/src/github.com/containerd/containerd
-RUN make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
+RUN make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-w -s -extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
 
 # install nerdctl
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then ARCHITECTURE=amd64; elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then ARCHITECTURE=arm64; else ARCHITECTURE=amd64; fi \
diff --git a/images/hook-docker/Dockerfile b/images/hook-docker/Dockerfile
@@ -1,10 +1,16 @@
 FROM golang:1.20-alpine as dev
 COPY . /src/
 WORKDIR /src
-RUN CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o /hook-docker
+RUN CGO_ENABLED=0 go build -a -ldflags '-s -w -extldflags "-static"' -o /hook-docker
 
 FROM docker:26.1.0-dind
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
-RUN apk update; apk add kexec-tools
+RUN apk update && apk add kexec-tools binutils && rm -rf /var/cache/apk/*
+# Won't use docker-buildx nor docker-compose
+RUN rm -rf /usr/local/libexec/docker/cli-plugins
+# Strip some large binaries
+RUN strip /usr/local/bin/docker /usr/local/bin/dockerd /usr/local/bin/docker-proxy /usr/local/bin/runc
+# Purge binutils package after stripping
+RUN apk del binutils
 COPY --from=dev /hook-docker .
 ENTRYPOINT ["/hook-docker"]
diff --git a/images/hook-mdev/Dockerfile b/images/hook-mdev/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine
 
 USER root:root
 
-RUN apk add --no-cache mdev-conf
+RUN apk add --no-cache mdev-conf && rm -rf /var/cache/apk/*
 
 CMD ["mdev", "-v", "-df"]
 
diff --git a/images/hook-runc/Dockerfile b/images/hook-runc/Dockerfile
@@ -19,7 +19,7 @@ RUN mkdir -p $GOPATH/src/github.com/opencontainers && \
   git clone https://github.com/opencontainers/runc.git
 WORKDIR $GOPATH/src/github.com/opencontainers/runc
 RUN git checkout $RUNC_COMMIT
-RUN make static BUILDTAGS="seccomp" EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS="-extldflags \\\"-fno-PIC -static\\\""
+RUN make static BUILDTAGS="seccomp" EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS="-s -w -extldflags \\\"-fno-PIC -static\\\""
 RUN cp runc /usr/bin/
 
 RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/010-onboot
