[images] Decrease images size

+ update K8s patch version to v1.28.5 + update percona-toolkit patch version to v3.5.5 + switch to secure https postgres repository A bunch of redundant third-party packages are installed inside the images, many with security vulnerabilities. Implementing best practices should solve both problems. Change-Id: I2105fe0b6058b64ae49d2977da5f1e8bad976991
2023-12-21 13:23:17 +02:00 · 2023-12-21 13:23:17 +02:00 · 3824cae821
commit 3824cae821
parent 5506b6d4bf
10 changed files with 160 additions and 167 deletions
--- a/images/calicoctl-utility/Dockerfile.ubuntu_focal
+++ b/images/calicoctl-utility/Dockerfile.ubuntu_focal
@ -30,8 +30,8 @@ RUN set -xe \
         socat \
         python3.8 \
         python3-pip \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         oslo.rootwrap==6.3.1 \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*
--- a/images/ceph-utility/Dockerfile.ubuntu_bionic
+++ b/images/ceph-utility/Dockerfile.ubuntu_bionic
--- a/images/ceph-utility/Dockerfile.ubuntu_focal
+++ b/images/ceph-utility/Dockerfile.ubuntu_focal
@ -8,10 +8,10 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
      org.opencontainers.image.vendor='The Airship Authors' \
      org.opencontainers.image.licenses='Apache-2.0'
-# Quincy 12.2.5
+# Quincy 17.2.6
 ARG CEPH_RELEASE=quincy
 ARG CEPH_RELEASE_TAG=17.2.6-1focal
-ARG KUBE_VERSION=1.28.4
+ARG KUBE_VERSION=1.28.5
 ARG CEPH_REPO=https://mirror.mirantis.com/acicd/ceph-quincy/
 ARG CEPH_KEY=https://mirror.mirantis.com/acicd/ceph-quincy/release.asc
@ -22,12 +22,12 @@ RUN set -xe \
    && sed -i '/nobody/d' /etc/passwd \
    && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
    && apt-get update && apt-get upgrade -y \
-    && apt-get install -y wget curl apt-transport-https ca-certificates gnupg \
+    && apt-get install -y --no-install-recommends curl apt-transport-https ca-certificates gnupg \
    && apt-key add /etc/apt/ceph-${CEPH_RELEASE}.key \
    && rm -f /etc/apt/ceph-${CEPH_RELEASE}.key \
    && echo "deb ${CEPH_REPO} focal main" | tee /etc/apt/sources.list.d/ceph.list \
    && apt-get update \
-    && apt-get install -y \
+    && apt-get install -y --no-install-recommends \
         bash \
         moreutils \
         vim \
@ -46,14 +46,13 @@ RUN set -xe \
         iperf \
         python3.8 \
         python3-pip \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         oslo.rootwrap==6.3.1 \
    && apt-get remove --purge -y wget apt-transport-https \
    && apt-get autoremove -y \
    && apt-get clean \
    && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
       | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
    && apt-get purge --autoremove -y apt-transport-https \
    && apt-get clean \
    && rm -rf \
         /var/lib/apt/lists/*
--- a/images/compute-utility/Dockerfile.ubuntu_bionic
+++ b/images/compute-utility/Dockerfile.ubuntu_bionic
--- a/images/compute-utility/Dockerfile.ubuntu_focal
+++ b/images/compute-utility/Dockerfile.ubuntu_focal
@ -8,7 +8,7 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
      org.opencontainers.image.vendor='The Airship Authors' \
      org.opencontainers.image.licenses='Apache-2.0'
-ARG KUBE_VERSION=1.28.4
+ARG KUBE_VERSION=1.28.5
 ARG DEBIAN_FRONTEND=noninteractive
@ -16,7 +16,7 @@ RUN set -xe \
    && sed -i '/nobody/d' /etc/passwd \
    && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
    && apt-get update && apt-get upgrade -y \
-    && apt-get install -y apt-transport-https \
+    && apt-get install -y --no-install-recommends \
         bash \
         ca-certificates \
         openvswitch-switch \
@ -32,20 +32,16 @@ RUN set -xe \
         s3cmd \
         rsync \
         sudo \
       wget \
         xz-utils \
         python3.8 \
         python3-pip \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         oslo.rootwrap==6.3.1 \
    && apt-get remove --purge -y wget apt-transport-https \
    && apt-get autoremove -y \
    && apt-get clean \
    && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
       | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
-    && rm -rf \
+    && apt-get clean \
-       /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/*
 RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \
    && sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
--- a/images/etcdctl-utility/Dockerfile.ubuntu_focal
+++ b/images/etcdctl-utility/Dockerfile.ubuntu_focal
@ -9,7 +9,7 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
      org.opencontainers.image.licenses='Apache-2.0'
 ARG ETCDCTL_VERSION=v3.5.11
-ARG KUBE_VERSION=1.28.4
+ARG KUBE_VERSION=1.28.5
 ENV GOOGLE_URL=https://storage.googleapis.com/etcd
 ENV GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
@ -20,10 +20,9 @@ RUN set -xe \
    && sed -i '/nobody/d' /etc/passwd \
    && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
    && apt-get update && apt-get upgrade -y \
-    && apt-get install -y \
+    && apt-get install -y --no-install-recommends \
-       wget curl \
+         curl \
         locales \
       apt-transport-https \
         ca-certificates \
         gnupg \
         bash \
@ -33,8 +32,8 @@ RUN set -xe \
         python3.8 \
         python3-pip \
         jq \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         munch \
         oslo.rootwrap==6.3.1 \
         python-openstackclient==5.8.0 \
--- a/images/mysqlclient-utility/Dockerfile.ubuntu_focal
+++ b/images/mysqlclient-utility/Dockerfile.ubuntu_focal
@ -8,21 +8,20 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
      org.opencontainers.image.vendor='The Airship Authors' \
      org.opencontainers.image.licenses='Apache-2.0'
-ARG KUBE_VERSION=1.28.4
+ARG KUBE_VERSION=1.28.5
 ARG MARIADB_VERSION=10.6
 ARG PERCONA_TOOLKIT_VERSION=3.5.5
 RUN set -xe \
    && export DEBIAN_FRONTEND=noninteractive \
    && sed -i '/nobody/d' /etc/passwd \
    && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
    && apt-get update \
-    && apt-get install -y \
+    && apt-get install -y --no-install-recommends curl apt-transport-https ca-certificates gnupg \
        wget curl \
        apt-transport-https ca-certificates gnupg \
    && curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
-    && bash mariadb_repo_setup --mariadb-server-version=10.6 \
+    && bash mariadb_repo_setup --mariadb-server-version=${MARIADB_VERSION} \
-    && apt-get update  \
+    && apt-get update && apt-get upgrade -y \
-    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
    && apt-get install -y \
         bash \
         sudo \
         rsyslog \
@ -36,20 +35,21 @@ RUN set -xe \
         python3.8 \
         python3-pip \
         jq \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         munch \
         oslo.rootwrap==6.3.1 \
         python-openstackclient==5.8.0 \
         python-swiftclient==3.13.1 \
    && sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf \
    && apt-get clean -y \
    && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
       | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
-    && curl --silent -L https://downloads.percona.com/downloads/percona-toolkit/3.5.1/binary/tarball/percona-toolkit-3.5.1_x86_64.tar.gz \
+    && curl --silent -L https://downloads.percona.com/downloads/percona-toolkit/${PERCONA_TOOLKIT_VERSION}/binary/tarball/percona-toolkit-${PERCONA_TOOLKIT_VERSION}_$(arch).tar.gz \
       | tar -zC /usr/local/bin/ --strip-components=2 --wildcards -x "*/*/pt-show-grants" \
    && curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \
    && apt-get install -y --no-install-recommends /tmp/rclone.deb \
    && apt-get purge --autoremove -y apt-transport-https \
    && apt-get clean -y \
    && rm -rf \
         /tmp/* \
         /var/cache/debconf/* \
--- a/images/openstack-utility/Dockerfile.ubuntu_bionic
+++ b/images/openstack-utility/Dockerfile.ubuntu_bionic
--- a/images/openstack-utility/Dockerfile.ubuntu_focal
+++ b/images/openstack-utility/Dockerfile.ubuntu_focal
@ -14,14 +14,14 @@ RUN set -xe \
    && sed -i '/nobody/d' /etc/passwd \
    && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
    && apt-get update && apt-get upgrade -y \
-    && apt-get install -y \
+    && apt-get install --no-install-recommends -y \
         bash \
         sudo \
         rsyslog \
         python3.8 \
         python3-pip \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         munch \
         oslo.rootwrap==6.3.1 \
         python-openstackclient==5.8.0 \
--- a/images/postgresql-utility/Dockerfile.ubuntu_focal
+++ b/images/postgresql-utility/Dockerfile.ubuntu_focal
@ -8,19 +8,18 @@ LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc
      org.opencontainers.image.vendor='The Airship Authors' \
      org.opencontainers.image.licenses='Apache-2.0'
-ARG KUBE_VERSION=1.28.4
+ARG KUBE_VERSION=1.28.5
 RUN set -xe \
    && export DEBIAN_FRONTEND=noninteractive \
    && sed -i '/nobody/d' /etc/passwd \
    && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
    && apt-get update && apt-get upgrade -y \
-    && apt-get install -y wget curl \
+    && apt-get install --no-install-recommends -y curl ca-certificates gnupg \
-        apt-transport-https ca-certificates gnupg \
+    && echo "deb https://apt.postgresql.org/pub/repos/apt focal-pgdg main" > /etc/apt/sources.list.d/pgdg.list \
    && echo "deb http://apt.postgresql.org/pub/repos/apt focal-pgdg main" > /etc/apt/sources.list.d/pgdg.list \
    && curl -o /etc/apt/trusted.gpg.d/postgresql_release_signing_key.asc 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' \
    && apt-get update \
-    && apt-get install -y \
+    && apt-get install --no-install-recommends -y \
         bash \
         moreutils \
         rsyslog \
@ -31,17 +30,17 @@ RUN set -xe  \
         python3.8 \
         python3-pip \
         jq \
-    && pip3 install --upgrade pip \
+    && pip3 install --no-cache-dir --upgrade pip \
-    && pip3 install \
+    && pip3 install --no-cache-dir \
         munch \
         oslo.rootwrap==6.3.1 \
         python-openstackclient==5.8.0 \
         python-swiftclient==3.13.1 \
    && apt-get clean -y \
    && curl --silent -L https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz \
       | tar -zC /usr/bin --strip-components=3 --wildcards -x "*/*/*/kubectl" \
    && curl -o /tmp/rclone.deb https://downloads.rclone.org/rclone-current-linux-amd64.deb \
    && apt-get install -y --no-install-recommends /tmp/rclone.deb \
    && apt-get clean -y \
    && rm -rf \
         /tmp/* \
         /var/cache/debconf/* \