Slim container builds #1676

Merged
merged 13 commits into from
Oct 22, 2023

Collaborator

@TrevorBenson TrevorBenson commented Aug 15, 2023

Description

Simply changes the order of operations to facilitate slimming the container by merging some steps.

The separation of the "final tools" into its own step moves ~60MB to a unique layer. This change allows addition of one or two packages into the final layers and quick rebuilds. The CI does not leverage a build cache, but developers may be able to take advantage of improved observability by reducing feedback loops during development of add-on features/functionality.

Where should the reviewer start?

  1. Lines 23-34 moved installation of locales, apt-utils, and sudo into earlier steps. As these are mostly unique to the container and unlikely to change, they now get their own layer.
  2. Lines 35-38 provide early setup of the user, groups and home directory for scripts.
  3. Lines 39-44 add scripts earlier in the build steps so they are present for chown operations.
  4. Line 46 adds apt-get update again after earlier purge/cleanup.
  5. Lines 60-63 relocate the operations from lines 69-73 so the mv operation does not create an additional 400MB layer.
  6. Line 90 The ADD of guild-deploy.sh to /opt/cardano/cnode/scripts comes after guild-deploy performs the setup. The mkdir -p $CNODE_HOME/priv/files could be moved into an earlier step, allowing the ADD to be in the Lines 40-43 block of ADD steps, and remove line 90 as line 63 now ensures every script added to /opt/cardano/cnode/scripts is marked as executable after ADD/curl operations.

Motivation and context

  • Reduces build warnings (noise) so the log appears more like bare metal environments.
  • Save space (19.25%) per image.
  • Reduce
    • transfer time
    • Startup time

Examining the history of the image there is a 405MB layer towards the end. This is actually a duplication of data from the 1.39GB layer.

$ podman image history ceea4427ca69
ID            CREATED      CREATED BY                                     SIZE        COMMENT
ceea4427ca69  3 weeks ago  ENTRYPOINT ["./entrypoint.sh"]                 0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  HEALTHCHECK &{["CMD-SHELL" "/home/guild/.s...  0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  RUN |2 DEBIAN_FRONTEND=noninteractive G_AC...  405 MB      buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  6.14 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  38.9 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  4.61 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  4.61 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  5.63 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  3.58 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  RUN |2 DEBIAN_FRONTEND=noninteractive G_AC...  7.68 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  WORKDIR /home/guild                            1.02 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  USER guild                                     0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  RUN |2 DEBIAN_FRONTEND=noninteractive G_AC...  1.39 GB     buildkit.dockerfile.v0
<missing>     3 weeks ago  ENV ENV=/etc/profile LC_ALL=en_US.UTF-8 LA...  0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  WORKDIR /                                      0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  USER root                                      0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  ARG G_ACCOUNT                                  0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  ARG DEBIAN_FRONTEND=noninteractive             0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  LABEL desc=Cardano Node by Guild's Operators   0 B         buildkit.dockerfile.v0
<missing>     6 weeks ago  /bin/sh -c #(nop)  CMD ["bash"]                0 B         
<missing>     6 weeks ago  /bin/sh -c #(nop) ADD file:95a4ddc3a846636...  77.8 MB

The current container size is 1.87GB.
Before:

$ podman images docker.io/cardanocommunity/cardano-node:latest 
REPOSITORY                               TAG         IMAGE ID      CREATED      SIZE
docker.io/cardanocommunity/cardano-node  latest      ceea4427ca69  3 weeks ago  1.87 GB

This change results in the container being 1.51GB.
After:

$ podman images docker.io/cardanocommunity/cardano-node:latest 
REPOSITORY                               TAG                          IMAGE ID      CREATED         SIZE
docker.io/cardanocommunity/cardano-node  latest                       07408365d7c3  36 minutes ago  1.51 GB
$ podman image history docker.io/cardanocommunity/cardano-node:latest
ID            CREATED         CREATED BY                                     SIZE        COMMENT
f292a4a2258b  42 minutes ago  /bin/sh -c #(nop) ENTRYPOINT ["./entrypoin...  0 B         FROM 82d873a2286e
<missing>     42 minutes ago  /bin/sh -c #(nop) HEALTHCHECK --start-peri...  0 B         FROM f292a4a2258b
<missing>     42 minutes ago  |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  44.5 kB     FROM 63dca287016e
63dca287016e  42 minutes ago  /bin/sh -c #(nop) ADD 050f1f4bec9c7b91b9e0...  6.14 kB     FROM bc505f41da48
bc505f41da48  42 minutes ago  /bin/sh -c #(nop) ADD 7c2f8e6debb10099d434...  38.9 kB     FROM bebaff148c33
bebaff148c33  42 minutes ago  |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  7.68 kB     FROM de3e95e48f65
bf11d160424e  42 minutes ago  /bin/sh -c #(nop) WORKDIR /home/guild          0 B         FROM 42132aef1117
<missing>     42 minutes ago  /bin/sh -c #(nop) USER guild                   0 B         FROM bf11d160424e
<missing>     42 minutes ago  |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  63.1 MB     FROM aac6f7267e86
aac6f7267e86  43 minutes ago  |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  1.32 GB     FROM f175a77ff2e8
f175a77ff2e8  44 minutes ago  /bin/sh -c #(nop) ADD 513106e53f1902a80794...  4.61 kB     FROM 2d3257126003
2d3257126003  44 minutes ago  /bin/sh -c #(nop) ADD b0cb6ee55e7c17eab6e2...  4.61 kB     FROM 38ade5debab1
38ade5debab1  44 minutes ago  /bin/sh -c #(nop) ADD b4de330e1870a2038a15...  5.63 kB     FROM 6e9b1fc95fb1
6e9b1fc95fb1  44 minutes ago  /bin/sh -c #(nop) ADD 86a7582be59ef72fa677...  3.58 kB     FROM 7fa25f7857f4
7fa25f7857f4  44 minutes ago  |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  350 kB      FROM 5ad9e8c32050
5ad9e8c32050  44 minutes ago  |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  51.4 MB     FROM 878a947144f6
cf13a660e07b  2 hours ago     /bin/sh -c #(nop) ENV     ENV=/etc/profile...  0 B         FROM 77cbb33c06f5
<missing>     2 hours ago     /bin/sh -c #(nop) WORKDIR /                    0 B         FROM 841254fd3a82
<missing>     2 hours ago     /bin/sh -c #(nop) USER root                    0 B         FROM b3f9e10fcda3
<missing>     2 hours ago     /bin/sh -c #(nop) ARG DEBIAN_FRONTEND G_AC...  0 B         FROM 3d311c3108f4
<missing>     2 hours ago     /bin/sh -c #(nop) ARG DEBIAN_FRONTEND          0 B         FROM c34fb2e1c12f
<missing>     2 hours ago     /bin/sh -c #(nop) LABEL desc="Cardano Node...  0 B         FROM a36d8585a4c8
<missing>     2 hours ago     /bin/sh -c #(nop) STOPSIGNAL SIGINT            0 B         FROM docker.io/library/debian:stable-slim
<missing>     4 months ago    /bin/sh -c #(nop)  CMD ["bash"]                0 B         
<missing>     4 months ago    /bin/sh -c #(nop) ADD file:237197090b8f670...  84 MB
  • There were 21 layers, there now are 24 layers.
  • The 1.39 GB layer is reduced to 1.32 GB.
  • The 405 MB layer is removed.
  • Of the 3 ("4") new layers:
    • 2 are in the KB range
    • 1 is 51.4 MB
    • 1 is 63.1 MB

Resulting in a net ~360MB reduction with no changes to packages.

Which issue it fixes?

No issue.

How has this been tested?

Standard container building successful. Leaving this PR in Draft ATM mostly to open discussions on the topic. Guild network pool to be upgraded today for basic functionality test.
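
An added example (not part of the PR or the project's code): a small Python audit of `podman image history` output that totals the layer sizes and flags layers above a share of the image, which is how the duplicated 405 MB layer described above stands out. The sample rows are abridged from the "before" listing in the description; the function names and the 10% threshold are assumptions.

```python
import re

# Abridged copy of the "before" `podman image history` listing from the description.
SAMPLE = """\
ID            CREATED      CREATED BY                                     SIZE        COMMENT
ceea4427ca69  3 weeks ago  ENTRYPOINT ["./entrypoint.sh"]                 0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  RUN |2 DEBIAN_FRONTEND=noninteractive G_AC...  405 MB      buildkit.dockerfile.v0
<missing>     3 weeks ago  ADD https://raw.githubusercontent.com/card...  38.9 kB     buildkit.dockerfile.v0
<missing>     3 weeks ago  USER guild                                     0 B         buildkit.dockerfile.v0
<missing>     3 weeks ago  RUN |2 DEBIAN_FRONTEND=noninteractive G_AC...  1.39 GB     buildkit.dockerfile.v0
<missing>     6 weeks ago  /bin/sh -c #(nop) ADD file:95a4ddc3a846636...  77.8 MB
"""

# The history listing prints decimal units (1 MB = 10**6 bytes).
UNITS = {"B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9}
SIZE_RE = re.compile(r"(?<![\w.])(\d+(?:\.\d+)?)\s?(B|kB|MB|GB)(?=\s|$)")


def parse_history(text):
    """Return [(created_by, size_bytes)] for each layer row, newest first."""
    layers = []
    for line in text.splitlines():
        # ID and CREATED are separated by 2+ spaces; CREATED BY may itself
        # contain runs of spaces, so only split off the first two columns.
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(cols) < 3 or cols[0] == "ID":
            continue
        sizes = list(SIZE_RE.finditer(cols[2]))
        if not sizes:
            continue
        m = sizes[-1]  # SIZE is the last size-like token on the row
        size = round(float(m.group(1)) * UNITS[m.group(2)])
        layers.append((cols[2][:m.start()].strip(), size))
    return layers


def audit(text, threshold=0.10):
    """Return (total_bytes, layers holding at least `threshold` of the image)."""
    layers = parse_history(text)
    total = sum(size for _, size in layers)
    heavy = [(cmd, size) for cmd, size in layers if total and size / total >= threshold]
    return total, heavy


if __name__ == "__main__":
    total, heavy = audit(SAMPLE)
    print(f"total: {total / 10**9:.2f} GB")
    for cmd, size in heavy:
        print(f"{size / 10**6:8.1f} MB  {size / total:5.1%}  {cmd}")
```

Two late `RUN` layers that both clear the threshold are the cue to check whether the later one is rewriting files created by the earlier one.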

@TrevorBenson
Collaborator Author

With commit 6e82261 the container starts and runs all scripts as before, bringing the node service online and has generated a block during its Leadership slot.

I'm going to take a second pass here shortly at reviewing the layers to determine if there is any observable benefit to splitting the steps further. I'm also open to suggestions to recombine steps if we can maintain the net benefits.

@TrevorBenson
Collaborator Author

I don't see any other low-hanging fruit within image size or reducing sync times. I'm moving this out of draft to start review and any discussions.

@TrevorBenson TrevorBenson marked this pull request as ready for review September 2, 2023 20:23
@TrevorBenson
Collaborator Author

TrevorBenson commented Sep 3, 2023

Took one last pass.

  • commit debacf1 adds 111 MB to the earliest step, but removes ~160 MB from the largest layer, making 1.32 GB 1.16 GB
  • commit c7fbd1e splits the os level dependencies that guild-deploy sets up in the container away from the installation of static binaries. This splits the large layer into 2 sublayers:
8702db9c8719  6 minutes ago   |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  411MB       FROM 8efb59ab59db
8efb59ab59db  7 minutes ago   |2 DEBIAN_FRONTEND=noninteractive G_ACCOUN...  754MB       FROM d0732054f3a6

The OS level dependencies are now their own 754 MB layer, and the static binaries are their own 411MB layer.

The end result of a change like this would be:

  • ~22% reduction in overall container size.

However, if cardano binaries have a new release, but the container's OS packages do not change, a single layer of 411 MB is part of the pull, not a 1.39 GB layer, a 70% reduction in the size of the layer to be pulled. Small changes where only CNCLI, or Ogmios, etc. get changed, but cardano binaries do not, also result in only the 411 MB being pulled vs. the 1.39 GB layer. This scenario may not be the most common, but the splitting of other layers also means that small changes in the OS result in a ~50 MB, ~162 MB, or ~750 MB layer being pulled instead of the large single layer.

@TrevorBenson
Collaborator Author

TrevorBenson commented Sep 3, 2023

However, if cardano binaries have a new release, but the container's OS packages do not change, a single layer of 411 MB is part of the pull, not a 1.39 GB layer, a 70% reduction in the size of the layer to be pulled. Small changes where only CNCLI, or Ogmios, etc. get changed, but cardano binaries do not, also result in only the 411 MB being pulled vs. the 1.39 GB layer. This scenario may not be the most common, but the splitting of other layers also means that small changes in the OS result in a ~50 MB, ~162 MB, or ~750 MB layer being pulled instead of the large single layer.

This overlooked the lack of actions cache / buildx usage. So a new image layer would be generated for each layer regardless of changes. It does still provide better parallelization downloading multiple layers, which can reduce transfer times.

If we want to optimize it further I can enable the cache in a separate Pull Request. This would reduce the size of data being pushed to docker hub, and then would actually result in the described behavior reducing the number of layers and size pulled by an SPO using the container.

@rdlrt
Contributor

rdlrt commented Sep 3, 2023

Will test in a couple of days, unless others get to it sooner.

@TrevorBenson
Collaborator Author

If a build cache is desirable I will submit another commit which reorders the operations to reduce steps that cause cache invalidation. Otherwise it is ready for review.

@TrevorBenson TrevorBenson self-assigned this Sep 3, 2023
@TrevorBenson
Collaborator Author

I'm going to double-check that my guildnet pool is running a container build that includes all commits from this branch, which I believe it does. I want to perform some light due diligence before clicking merge since it's been a few weeks.

@TrevorBenson
Collaborator Author

After buildx decision restoring the position of script adds. Tested the rest on guildnet and node produces blocks etc. The total size result is ~1.46GB, reducing from around ~1.87GB.

@TrevorBenson TrevorBenson merged commit 10b08d9 into alpha Oct 22, 2023
1 check passed
@TrevorBenson TrevorBenson deleted the slimming-container branch October 22, 2023 23:04