It is proposed to introduce a mechanism to kolla-build that flattens all layers of a built image into a single layer once the build has completed.
Kolla images are built using an extensible template system that allows complex images for multiple platforms to be created simply. However, the docker build methodology produces images in which files written in one layer are masked by later layers but still shipped as part of the image. Such images are potentially much larger than required, resulting in slower deployment and excessive disk usage. This blueprint proposes a flattening option for kolla-build that merges the layers of a built image into a single layer. This addresses the above issues and frees developers to optimize Kolla images further simply by removing development tools (e.g. gcc and associated libraries) from images intended for deployment, since a removal in a later layer then actually reclaims the space rather than only hiding the files. It also addresses the AUFS limit of 127 layers per image by reducing the number of layers present in parent images.
This change proposes to either use docker-squash or build a similar mechanism for flattening Docker images without losing image metadata (e.g. env vars, labels), unlike a flatten performed with the native docker tooling (save/export), which discards that metadata:

* https://github.com/portdirect/docker-squash

This change would be presented to the user in the form of a CLI option for the 'kolla-build' command.
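The following is an added illustration of what a layer-flattening step does to an image's filesystem; it is example code written for this document, not code from Kolla, docker-squash or Harbor. It walks a stack of layer tarballs from the base layer upwards, lets later files replace earlier ones, honours the AUFS/OverlayFS whiteout conventions (".wh.<name>" deletes a lower-layer path, ".wh..wh..opq" hides a directory's lower-layer contents) and emits one layer, so that a compiler installed in one layer and purged in a later one really disappears from the result. The layers are constructed in memory so the example runs offline; the helper names (make_layer, flatten_layers, squash_report) are this example's own. Real tooling such as docker-squash also has to carry the image config (env, labels, cmd) over to the new image, which this filesystem-only example does not model.

```python
"""Flatten ordered Docker image layers into a single layer (added example)."""
import io
import tarfile

WHITEOUT_PREFIX = ".wh."        # ".wh.<name>" deletes <name> from lower layers
OPAQUE_MARKER = ".wh..wh..opq"  # marks a directory whose lower-layer contents vanish


def make_layer(files, whiteouts=(), opaque_dirs=()):
    """Build an in-memory layer tarball from constructed data (hypothetical helper).

    files: {path: bytes}; whiteouts: paths to delete from lower layers;
    opaque_dirs: directories whose lower-layer contents are hidden.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for path in whiteouts:
            parent, _, name = path.rpartition("/")
            tar.addfile(tarfile.TarInfo((parent + "/" if parent else "") + WHITEOUT_PREFIX + name))
        for d in opaque_dirs:
            tar.addfile(tarfile.TarInfo(d.rstrip("/") + "/" + OPAQUE_MARKER))
    return buf.getvalue()


def flatten_layers(layers):
    """Merge layer tarballs (base first) into one {path: bytes} view and one squashed tarball."""
    merged = {}
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            members = tar.getmembers()
            # Whiteouts apply only to lower layers, so handle them before this layer's own files.
            for m in members:
                parent, _, name = m.name.rpartition("/")
                prefix = parent + "/" if parent else ""
                if name == OPAQUE_MARKER:
                    merged = {p: d for p, d in merged.items() if not p.startswith(prefix)}
                elif name.startswith(WHITEOUT_PREFIX):
                    target = prefix + name[len(WHITEOUT_PREFIX):]
                    merged = {p: d for p, d in merged.items()
                              if p != target and not p.startswith(target + "/")}
            for m in members:
                if m.isfile() and not m.name.rpartition("/")[2].startswith(WHITEOUT_PREFIX):
                    merged[m.name] = tar.extractfile(m).read()   # later layer wins
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        for path in sorted(merged):
            info = tarfile.TarInfo(path)
            info.size = len(merged[path])
            tar.addfile(info, io.BytesIO(merged[path]))
    return out.getvalue(), merged


def layer_bytes(blob):
    """Sum of file payload sizes in one layer tarball (what the layer costs on disk)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return sum(m.size for m in tar.getmembers())


def build_sample_layers():
    """Constructed layers mimicking a build that installs a compiler, builds, then purges it."""
    base = make_layer({"bin/sh": b"#!/bin/sh\n", "etc/os-release": b"ID=centos\n"})
    build = make_layer({
        "usr/bin/gcc": b"\x7fELF" + b"\0" * 4092,   # compiler, only needed at build time
        "usr/lib/libfoo.so": b"\x7fELF" * 8,          # runtime dependency, must survive
        "opt/app/app": b"app-v1",
        "var/cache/apt/pkg.deb": b"\0" * 512,         # package cache left behind
    })
    cleanup = make_layer({"opt/app/app": b"app-v2"},  # rebuilt binary replaces the old one
                         whiteouts=["usr/bin/gcc"],    # "purge gcc" becomes a .wh.gcc marker
                         opaque_dirs=["var/cache/apt"])  # "rm -rf /var/cache/apt/*" becomes opaque
    return [base, build, cleanup]


def squash_report(layers):
    """Compare the layered image with its flattened form."""
    squashed, merged = flatten_layers(layers)
    return {
        "layers_before": len(layers),
        "layers_after": 1,
        "bytes_before": sum(layer_bytes(b) for b in layers),
        "bytes_after": layer_bytes(squashed),
        "paths": sorted(merged),
        "files": merged,
    }


if __name__ == "__main__":
    r = squash_report(build_sample_layers())
    print(f"{r['layers_before']} layers / {r['bytes_before']} B -> 1 layer / {r['bytes_after']} B")
    print("remaining paths:", r["paths"])
```

In the constructed sample the three layers carry 4672 bytes of payload, of which the flattened layer keeps 58: the compiler and the package cache, which the last layer only masked, are gone, while the runtime library and the final build of the application survive. This is the same effect the proposal relies on when it suggests removing development tools from deployment images.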
An alternative would be either to rearrange the Dockerfile templates to optimize the resulting images, or to patch docker itself to achieve the desired effect. The first option would place a huge burden on template authors and would necessitate a very convoluted workflow. The latter has been suggested by several parties with little response from the docker developers.
- Primary assignee:
<portdirect>
Add a CLI option to 'kolla-build' that allows users to squash an image's individual layers into a single layer. This has already been implemented as part of the 'Harbor' build script, which is based on an early implementation of Kolla:

* https://github.com/portdirect/harbor/blob/latest/tools/build-docker-image#L147
- docker-squash, either upstream (https://github.com/goldmann/docker-squash) or portdirect's fork (https://github.com/portdirect/docker-squash).
This blueprint should not change the testing regime in any way.
This blueprint would have a minimal but positive effect on security: unused binaries and headers would be removed from released images, which marginally reduces the attack surface and also means that scanners such as CoreOS's Clair would no longer return false positives for libraries that were deleted in a later layer but still exist in a lower one.