From 6149000637eccd8cf855f2b4f010aca23c57a9a2 Mon Sep 17 00:00:00 2001 From: Markus Lehtonen Date: Tue, 10 Jan 2023 21:34:02 +0200 Subject: [PATCH] Build statically linked binaries Switch to fully statically linked binaries and use scratch as a base image. Switching to the virtually empty scratch base image means that the default/minimal NFD image only supports running hooks that are truly statically linked (e.g. normal go binaries that are "almost" statically linked stop working). The documentation has been already stating this (i.e. that only statically-linked binaries are supported) - i.e. we have had no promise of supporting other than that. Also, hooks are now deprecated and even disabled by default so the possibility of real user impact should be small. --- Dockerfile | 3 ++- Makefile | 9 +++++---- docs/deployment/image-variants.md | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5b397a11e..3121d6f1e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,8 @@ FROM ${BUILDER_IMAGE} as builder # Build and install the grpc-health-probe binary RUN GRPC_HEALTH_PROBE_VERSION=v0.4.19 && \ - go install github.com/grpc-ecosystem/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION} \ + go install -tags osusergo,netgo -ldflags -extldflags=-static \ + github.com/grpc-ecosystem/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION} \ # Rename it as it's referenced as grpc_health_probe in the deployment yamls # and in its own project https://github.com/grpc-ecosystem/grpc-health-probe && mv /go/bin/grpc-health-probe /go/bin/grpc_health_probe diff --git a/Makefile b/Makefile index 6b38e9ac7..c3b4a4f0a 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ IMAGE_PUSH_CMD ?= docker push CONTAINER_RUN_CMD ?= docker run BUILDER_IMAGE ?= golang:1.20-bullseye BASE_IMAGE_FULL ?= debian:bullseye-slim -BASE_IMAGE_MINIMAL ?= gcr.io/distroless/base +BASE_IMAGE_MINIMAL ?= scratch # Docker base command for working with html documentation. # Use host networking because 'jekyll serve' is stupid enough to use the @@ -57,7 +57,8 @@ KUBECONFIG ?= ${HOME}/.kube/config E2E_TEST_CONFIG ?= E2E_PULL_IF_NOT_PRESENT ?= false -LDFLAGS = -ldflags "-s -w -X sigs.k8s.io/node-feature-discovery/pkg/version.version=$(VERSION) -X sigs.k8s.io/node-feature-discovery/pkg/utils/hostpath.pathPrefix=$(HOSTMOUNT_PREFIX)" +BUILD_FLAGS = -tags osusergo,netgo \ + -ldflags "-s -w -extldflags=-static -X sigs.k8s.io/node-feature-discovery/pkg/version.version=$(VERSION) -X sigs.k8s.io/node-feature-discovery/pkg/utils/hostpath.pathPrefix=$(HOSTMOUNT_PREFIX)" # multi-arch build with buildx IMAGE_ALL_PLATFORMS ?= linux/amd64,linux/arm64 @@ -89,10 +90,10 @@ all: image build: @mkdir -p bin - $(GO_CMD) build -v -o bin $(LDFLAGS) ./cmd/... + $(GO_CMD) build -v -o bin $(BUILD_FLAGS) ./cmd/... install: - $(GO_CMD) install -v $(LDFLAGS) ./cmd/... + $(GO_CMD) install -v $(BUILD_FLAGS) ./cmd/... image: yamls $(IMAGE_BUILD_CMD) $(IMAGE_BUILD_ARGS) $(IMAGE_BUILD_ARGS_FULL) diff --git a/docs/deployment/image-variants.md b/docs/deployment/image-variants.md index 3c67f5854..262052c01 100644 --- a/docs/deployment/image-variants.md +++ b/docs/deployment/image-variants.md @@ -16,7 +16,7 @@ x86_64 and Arm64 architectures. ## Minimal This is a minimal image based on -[gcr.io/distroless/base](https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md) +[scratch](https://hub.docker.com/_/scratch) and only supports running statically linked binaries. For backwards compatibility a container image tag with suffix `-minimal`