From 9f511594ff2b699e0f48a03e553d47b68d8b7073 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 14 Mar 2025 13:49:13 +0100 Subject: [PATCH 01/16] improve chmod/chown to reduce image size --- trino/Dockerfile | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index eb15b1469..3c51694e6 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -54,13 +54,16 @@ rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-se # while the raw output folder does not tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable mv /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/bom.json /stackable/trino-server-${PRODUCT}/trino-server-${PRODUCT}.cdx.json -chown --recursive ${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT} # Delete all intermediate build products to free some more space rm -r /stackable/trino-server-${PRODUCT}-src + +# We need to change group and not in the final image (file changes bloat images) +chmod -R g=u /stackable EOF COPY --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT} +RUN chmod -R g=u /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT} # For earlier versions this script removes the .class file that contains the # vulnerable code. # TODO: This can be restricted to target only versions which do not honor the environment 
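Review bot: The comment added above `chmod -R g=u /stackable` says "change group", but `g=u` changes the group's permission bits, not the group, and the reason for doing it in this stage is only implied; with `chown --recursive ${STACKABLE_USER_UID}:0` removed here, ownership under /stackable is now whatever the build heredoc leaves behind, so every `COPY --from=trino-builder` in the final stage must carry `--chown=${STACKABLE_USER_UID}:0` (this patch adds it in its hunk at line 111). I would state that dependency in the comment: `# Give the root group (gid 0) the owner's permissions here, in the builder stage: a chmod/chown in the final image would copy every file into a new layer. Ownership is assigned by --chown on the COPY --from=trino-builder lines.` The separate `RUN chmod -R g=u …/plugin/trino-storage-${PRODUCT}` after the connector COPY is a metadata-only layer in the builder stage, so it does not reach the final image, but it could be avoided by copying the connector before the heredoc that already runs `chmod -R g=u /stackable`. The heredoc this hunk edits starts outside the hunk.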
@@ -86,12 +89,12 @@ ARG RELEASE ARG STACKABLE_USER_UID LABEL name="Trino" \ - maintainer="info@stackable.tech" \ - vendor="Stackable GmbH" \ - version="${PRODUCT}" \ - release="${RELEASE}" \ - summary="The Stackable image for Trino." \ - description="This image is deployed by the Stackable Operator for Trino." + maintainer="info@stackable.tech" \ + vendor="Stackable GmbH" \ + version="${PRODUCT}" \ + release="${RELEASE}" \ + summary="The Stackable image for Trino." \ + description="This image is deployed by the Stackable Operator for Trino." RUN microdnf update && \ microdnf install \ @@ -108,19 +111,16 @@ WORKDIR /stackable COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable /stackable COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses -COPY --from=trino-builder /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT} +COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT} RUN < Date: Fri, 14 Mar 2025 13:49:55 +0100 Subject: [PATCH 02/16] fix auto lint --- trino/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 3c51694e6..04909d6b3 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -88,7 +88,8 @@ ARG JMX_EXPORTER ARG RELEASE ARG STACKABLE_USER_UID -LABEL name="Trino" \ +LABEL \ + name="Trino" \ maintainer="info@stackable.tech" \ vendor="Stackable GmbH" \ version="${PRODUCT}" \ From 47cacf708052fc2e5c8482ed71737771ef347f17 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 10:03:50 +0100 Subject: [PATCH 03/16] summarize chmod --- trino/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 04909d6b3..3629adf57 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile 
@@ -118,8 +118,7 @@ RUN < Date: Wed, 26 Mar 2025 10:05:05 +0100 Subject: [PATCH 04/16] remove log4shell check --- trino/Dockerfile | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 3629adf57..8b74f940c 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -64,21 +64,6 @@ EOF COPY --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT} RUN chmod -R g=u /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT} -# For earlier versions this script removes the .class file that contains the -# vulnerable code. -# TODO: This can be restricted to target only versions which do not honor the environment -# varible that has been set above but this has not currently been implemented -COPY shared/log4shell.sh /bin -RUN /bin/log4shell.sh /stackable/trino-server-${PRODUCT} - -# Ensure no vulnerable files are left over -# This will currently report vulnerable files being present, as it also alerts on -# SocketNode.class, which we do not remove with our scripts. -# Further investigation will be needed whether this should also be removed. -COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64 -COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64 -COPY shared/log4shell_scanner /bin/log4shell_scanner -RUN /bin/log4shell_scanner s /stackable/trino-server-${PRODUCT} # === FROM stackable/image/java-base @@ -124,7 +109,7 @@ ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx EOF # ---------------------------------------- -# Attention: We are changing the group of all files in /stackable directly above +# Attention: # If you do any file based actions (copying / creating etc.) below this comment you # absolutely need to make sure that the correct permissions are applied! # chown ${STACKABLE_USER_UID}:0 
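Review bot: After this change the warning block opens with a bare `# Attention:` followed by the instruction about file-based actions, so the reason for the warning (group permissions are applied once in the builder stage and anything copied afterwards has to be fixed up on the COPY itself) is no longer stated anywhere in the final stage. I would keep a one-line rationale, e.g. `# Attention: group permissions (g=u) were applied in the trino-builder stage and are NOT re-applied here (that would duplicate every file in a new layer);`. The same commit also drops the log4shell.sh mitigation and the log4shell_scanner run from the builder stage; that is a removed security check rather than a size change, and neither the commit message nor the changelog entry added later in this series (#1025) says why it is no longer needed, so the rationale (presumably the bundled log4j is outside the affected range) should be recorded in the commit message. The comment block may continue past the end of the hunk.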
From 6bf1a21c4d3a58121d14e3fbc3577b63a57e6614 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 11:14:16 +0100 Subject: [PATCH 05/16] fixes --- trino/Dockerfile | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 8b74f940c..8a00f0c0d 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -7,6 +7,7 @@ FROM stackable/image/java-devel AS trino-builder ARG PRODUCT ARG STACKABLE_USER_UID +ARG JMX_EXPORTER RUN < .dockerignore? +COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx +COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses # ---------------------------------------- # Attention: From 463954f910136e8b2431bfca4193464bd26cc124 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 11:20:46 +0100 Subject: [PATCH 06/16] fix linter --- trino/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 8a00f0c0d..3f2eb7d59 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -73,7 +73,6 @@ ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server chmod -R g=u /stackable/trino-server-${PRODUCT} chmod -R g=u /stackable/jmx EOF -# === FROM stackable/image/java-base From da10bdcc1c2247f155f6ea8584759aa1487f3173 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 13:01:14 +0100 Subject: [PATCH 07/16] cleanup --- trino/Dockerfile | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 3f2eb7d59..5a21b4241 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile 
@@ -27,6 +27,8 @@ RUN curl "https://repo.stackable.tech/repository/packages/trino-server/trino-ser COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT} COPY --chown=${STACKABLE_USER_UID}:0 --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /trino-storage-${PRODUCT} +# do not copy patches -> .dockerignore? +COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980 # hadolint ignore=SC2215 @@ -49,7 +51,7 @@ git tag ${PRODUCT} # We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino) ./mvnw --batch-mode --no-transfer-progress package -DskipTests --projects="!docs,!core/trino-server-rpm" -# Delete the worst intermediate build products to free some space +# Delete intermediate build products to free some space and keep runners happy rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT} # Extract from tarball to save space; the tarball deduplicates jars (replacing them with symlinks), 
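Review bot: The new `# do not copy patches -> .dockerignore?` comment is an open question placed directly above a COPY of trino/stackable/jmx, which has nothing to do with patches, so a reader will take it as describing that line. If the intent is to keep the patch directory out of the build context, that belongs in a tracked TODO or in the .dockerignore change itself; otherwise drop the line or reword it, e.g. `# TODO: the patches directory is only needed in this stage; consider excluding it via .dockerignore`. Copying trino/stackable/jmx into the builder stage means it is later carried into the runtime image by the `COPY --from=trino-builder /stackable /stackable` added in this same commit (hunk at line 102), which is fine only as long as that directory holds nothing but the JMX config that should ship.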
@@ -57,11 +59,11 @@ rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-se tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable mv /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/bom.json /stackable/trino-server-${PRODUCT}/trino-server-${PRODUCT}.cdx.json -# Delete all intermediate build products to free some more space +# Delete intermediate build products to free some space and keep runners happy rm -r /stackable/trino-server-${PRODUCT}-src +rm -r /stackable/.m2 # JMX Exporter -mkdir /stackable/jmx curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar # Storage connector @@ -70,8 +72,7 @@ mv /trino-storage-${PRODUCT}/ /stackable/trino-server-${PRODUCT}/plugin/trino-st ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server # We need to change groups here and not in the final image (file changes bloat images) -chmod -R g=u /stackable/trino-server-${PRODUCT} -chmod -R g=u /stackable/jmx +chmod -R g=u /stackable EOF FROM stackable/image/java-base 
@@ -101,10 +102,11 @@ RUN microdnf update && \ WORKDIR /stackable -COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT} -COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/jmx /stackable/jmx -# do not copy patches -> .dockerignore? -COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx +# If /stackable has any build artifacts / leftovers make sure its removed properly +# or only copy what is actually required in the final image like: +# COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/foo /stackable/foo +COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable /stackable + COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses # ---------------------------------------- From 86163aeaacb6e47d893999562ebb17ce90b0712b Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 13:18:43 +0100 Subject: [PATCH 08/16] adapted changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2897fdb86..b77e22dee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Fixed + +- trino: reduce docker image size by removingthe recursive chown/chmods in the final image ([#1025]). + +[#1025]: https://github.com/stackabletech/docker-images/pull/1025 + ## [25.3.0] - 2025-03-21 ### Added From 28dd434090a756eef8a00ec3498a8c205d9e3f88 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 13:21:44 +0100 Subject: [PATCH 09/16] linter --- trino/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index ad179b2c8..046261101 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile 
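Review bot: `COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable /stackable` copies the builder stage's entire /stackable tree into the runtime image, so anything left behind there (source checkouts, patch scripts, the Maven cache, any tooling a future change drops into /stackable) ships to users without anyone noticing, and the new comment only asks the builder to be tidy. The runtime image needs exactly what the two removed lines named plus the two symlinks created in the builder heredoc, so I would keep an explicit allow-list: `COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT}`, the same for `/stackable/jmx`, and either copy the `/stackable/trino-server` symlink path as well or recreate it with a RUN placed above the Attention comment, accepting the small extra layer. That keeps the image's content reviewable from the Dockerfile alone, which matters more for a server image than the handful of lines saved.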
@@ -106,7 +106,7 @@ WORKDIR /stackable # If /stackable has any build artifacts / leftovers make sure its removed properly # or only copy what is actually required in the final image like: -# COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/foo /stackable/foo +# COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/foo /stackable/foo COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable /stackable COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses From 28f0039493e69c5ae3e8084e7a51143058ef430d Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 26 Mar 2025 13:28:45 +0100 Subject: [PATCH 10/16] Update CHANGELOG.md Co-authored-by: Sebastian Bernauer --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b77e22dee..bfa4eaaec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Fixed -- trino: reduce docker image size by removingthe recursive chown/chmods in the final image ([#1025]). +- trino: reduce docker image size by removing the recursive chown/chmods in the final image ([#1025]). [#1025]: https://github.com/stackabletech/docker-images/pull/1025 From 81fc95cfb243909438e77c1a539c708a4ee61373 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Thu, 3 Apr 2025 17:15:15 +0200 Subject: [PATCH 11/16] check permissions --- trino/Dockerfile | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 046261101..c5baa2cb0 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile 
@@ -27,7 +27,6 @@ RUN curl "https://repo.stackable.tech/repository/packages/trino-server/trino-ser COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT} COPY --chown=${STACKABLE_USER_UID}:0 --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /trino-storage-${PRODUCT} -# do not copy patches -> .dockerignore? COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980 @@ -66,13 +65,16 @@ rm -r /stackable/.m2 # JMX Exporter curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar + # Storage connector mv /trino-storage-${PRODUCT}/ /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/ + # Softlinks ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server -# We need to change groups here and not in the final image (file changes bloat images) -chmod -R g=u /stackable + +# Set correct permissions +chmod --recursive g=u /stackable EOF FROM stackable/image/java-base @@ -90,33 +92,41 @@ LABEL \ summary="The Stackable image for Trino." \ description="This image is deployed by the Stackable Operator for Trino." -RUN microdnf update && \ - microdnf install \ +RUN < Date: Thu, 3 Apr 2025 17:34:19 +0200 Subject: [PATCH 12/16] consolidation --- trino/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
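Review bot: Replacing `# We need to change groups here and not in the final image (file changes bloat images)` with `# Set correct permissions` loses the one piece of information that stops the next maintainer from moving the chmod back into the final stage, which is the whole point of this PR. I would keep the why in the comment: `# Set permissions here in the builder stage: doing it in the final image would copy every file under /stackable into a new layer`. `chmod --recursive g=u /stackable` is the same command as before, so behaviour is unchanged. The heredoc this hunk edits begins outside the hunk, and the commit's third hunk (the microdnf block) is cut off in this view.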
diff --git a/trino/Dockerfile b/trino/Dockerfile index c5baa2cb0..38555c422 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -94,12 +94,12 @@ LABEL \ RUN < Date: Mon, 7 Apr 2025 13:37:11 +0200 Subject: [PATCH 13/16] Update trino/Dockerfile Co-authored-by: Siegfried Weber --- trino/Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 38555c422..dbf4c7ffe 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -106,9 +106,6 @@ microdnf clean all rm -rf /var/cache/yum EOF -# If /stackable has any build artifacts / leftovers make sure its removed properly -# or only copy what is actually required in the final image like: -# COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable/foo /stackable/foo COPY --from=trino-builder --chown=${STACKABLE_USER_UID}:0 /stackable /stackable COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses From f7452ef626f8ff42bd3d95a6ebc372b25560cf41 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 7 Apr 2025 13:37:20 +0200 Subject: [PATCH 14/16] Update trino/Dockerfile Co-authored-by: Siegfried Weber --- trino/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index dbf4c7ffe..c42db9e7d 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -63,7 +63,7 @@ rm -r /stackable/trino-server-${PRODUCT}-src rm -r /stackable/.m2 # JMX Exporter -curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar +curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar # Storage connector From 53b53eb418fd6f162c145a0e5038a7bc78795757 Mon Sep 17 00:00:00 2001 
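Review bot: Dropping `--fail` from the JMX exporter `curl` means an HTTP 404 or 5xx from repo.stackable.tech no longer fails the command: curl exits 0 and writes the error page to jmx_prometheus_javaagent-${JMX_EXPORTER}.jar, the following `chmod +x` succeeds, and the build produces an image whose agent jar is an HTML document that only fails when Trino starts. Keep the flag, `curl --fail -sSL https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar`. Since this jar is presumably loaded as a Java agent into the Trino JVM, it would also be worth verifying the download against a checksum kept in the repo (`sha256sum --check`) so a truncated or tampered artifact cannot pass the build. If `--fail` was removed for consistency with the trino-server download earlier in this stage, the fix is to add it there too rather than remove it here. The heredoc this command lives in starts outside the hunk.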
From: Malte Sander Date: Mon, 7 Apr 2025 13:38:17 +0200 Subject: [PATCH 15/16] missing doc comment --- trino/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/trino/Dockerfile b/trino/Dockerfile index c42db9e7d..62d5e451c 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -124,6 +124,7 @@ EOF # ---------------------------------------- # Attention: Do not perform any file based actions (copying/creating etc.) below this comment because the permissions would not be checked. +# ---------------------------------------- USER ${STACKABLE_USER_UID} WORKDIR /stackable/trino-server From 16cdf3a76b240c88da6619b6583d85ae0b51966d Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 7 Apr 2025 14:04:44 +0200 Subject: [PATCH 16/16] copy storage connector directly --- trino/Dockerfile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index 62d5e451c..888070d61 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -26,7 +26,8 @@ RUN curl "https://repo.stackable.tech/repository/packages/trino-server/trino-ser COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT} -COPY --chown=${STACKABLE_USER_UID}:0 --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} /trino-storage-${PRODUCT} +COPY --chown=${STACKABLE_USER_UID}:0 --from=trino-storage-connector-image /stackable/trino-storage-${PRODUCT}-src/target/trino-storage-${PRODUCT} \ + /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/ COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/jmx /stackable/jmx # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980 
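Review bot: The storage connector is now copied straight into `/stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/` before the build heredoc that later creates `/stackable/trino-server-${PRODUCT}` by extracting the server tarball with `tar -xzf … -C /stackable`, so the extraction now merges into a pre-existing tree instead of creating it. That works as long as the tarball contains no entry under the same plugin name, and the `chmod --recursive g=u /stackable` at the end of the heredoc still covers the copied files, but the ordering dependency is easy to miss; I would add a comment on the COPY: `# Copied into the server directory before it exists; the tar -xzf in the build step below merges the upstream server into this tree`. If `--chown` on a cross-stage COPY does not apply to the parent directories it has to create (I have not verified the BuildKit behaviour), the intermediate `plugin/` directories stay root-owned until the chmod runs, which is harmless here only because the final stage re-chowns everything on its own COPY. The hadolint comment that follows belongs to the RUN that starts outside the hunk.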
@@ -66,9 +67,6 @@ rm -r /stackable/.m2 curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar -# Storage connector -mv /trino-storage-${PRODUCT}/ /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${PRODUCT}/ - # Softlinks ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server