diff --git a/Dockerfile b/Dockerfile
index 19e5a2986..cb5eff6b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,8 +19,20 @@ RUN make install VERSION=$VERSION HOSTMOUNT_PREFIX=$HOSTMOUNT_PREFIX
 
 RUN make test
 
-# Create production image for running node feature discovery
-FROM debian:buster-slim
+# Create full variant of the production image
+FROM debian:buster-slim as full
+
+# Run as unprivileged user
+USER 65534:65534
+
+# Use more verbose logging of gRPC
+ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
+
+COPY --from=builder /go/node-feature-discovery/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
+COPY --from=builder /go/bin/* /usr/bin/
+
+# Create minimal variant of the production image
+FROM gcr.io/distroless/base as minimal
 
 # Run as unprivileged user
 USER 65534:65534
diff --git a/Makefile b/Makefile
index 8f5e4e2e2..f1a2f9f60 100644
--- a/Makefile
+++ b/Makefile
@@ -72,10 +72,17 @@ install:
 
 image: yamls
 	$(IMAGE_BUILD_CMD) --build-arg VERSION=$(VERSION) \
-	    --build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
-	    -t $(IMAGE_TAG) \
-	    $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)) \
-	    $(IMAGE_BUILD_EXTRA_OPTS) ./
+	    --target full \
+	    --build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
+	    -t $(IMAGE_TAG) \
+	    $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)) \
+	    $(IMAGE_BUILD_EXTRA_OPTS) ./
+	$(IMAGE_BUILD_CMD) --build-arg VERSION=$(VERSION) \
+	    --target minimal \
+	    --build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
+	    -t $(IMAGE_TAG)-minimal \
+	    $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)-minimal) \
+	    $(IMAGE_BUILD_EXTRA_OPTS) ./
 
 yamls: $(yaml_instances)
 
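Review bot: Neither production base image is pinned: `FROM debian:buster-slim as full` tracks a moving tag and `FROM gcr.io/distroless/base as minimal` carries no tag at all, so it resolves to `latest` and two builds of the same VERSION can produce different minimal images. Pinning by digest (e.g. `FROM gcr.io/distroless/base@sha256:<digest-placeholder> as minimal`, and likewise for debian) makes the image reproducible and turns a base-image update into a reviewable diff. The `USER`, `ENV` and `COPY` lines are now duplicated verbatim in the full stage and (continuing past the hunk) the minimal stage; a comment such as `# Keep in sync with the minimal stage below` on each block would at least flag the coupling. `COPY --from=builder /go/bin/* /usr/bin/` also ships every binary present in the builder's `/go/bin`, not only NFD's; listing the expected binaries explicitly would keep unrelated tooling out of the runtime image.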
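Review bot: The second `$(IMAGE_BUILD_CMD)` invocation in `image:` repeats the first one line for line, differing only in `--target` and the `-minimal` tag suffix, so every future build-arg or option has to be added twice and the two variants can silently drift. A canned recipe parameterised on the Dockerfile stage and the tag suffix keeps a single copy of the command line, and `image:` shrinks to two `$(call …)` lines. The `yamls` target that follows is untouched.
```make
# Build one image variant: $(1) is the Dockerfile stage, $(2) the tag suffix ("" for the default).
define build-image
$(IMAGE_BUILD_CMD) --build-arg VERSION=$(VERSION) \
    --target $(1) \
    --build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
    -t $(IMAGE_TAG)$(2) \
    $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)$(2)) \
    $(IMAGE_BUILD_EXTRA_OPTS) ./
endef

image: yamls
	$(call build-image,full,)
	$(call build-image,minimal,-minimal)
```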
@@ -135,22 +142,29 @@ e2e-test:
 	$(GO_CMD) test -v ./test/e2e/ -args -nfd.repo=$(IMAGE_REPO) -nfd.tag=$(IMAGE_TAG_NAME) \
 	    -kubeconfig=$(KUBECONFIG) -nfd.e2e-config=$(E2E_TEST_CONFIG) -ginkgo.focus="\[NFD\]" \
 	    $(if $(OPENSHIFT),-nfd.openshift,)
+	$(GO_CMD) test -v ./test/e2e/ -args -nfd.repo=$(IMAGE_REPO) -nfd.tag=$(IMAGE_TAG_NAME)-minimal \
+	    -kubeconfig=$(KUBECONFIG) -nfd.e2e-config=$(E2E_TEST_CONFIG) -ginkgo.focus="\[NFD\]" \
+	    $(if $(OPENSHIFT),-nfd.openshift,)
 
 push:
 	$(IMAGE_PUSH_CMD) $(IMAGE_TAG)
-	for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; done
+	$(IMAGE_PUSH_CMD) $(IMAGE_TAG)-minimal
+	for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; $(IMAGE_PUSH_CMD) $$tag-minimal; done
 
-poll-image:
+poll-images:
 	set -e; \
-	image=$(IMAGE_REPO):$(IMAGE_TAG_NAME); \
+	tags="$(foreach tag,$(IMAGE_TAG_NAME) $(IMAGE_EXTRA_TAG_NAMES),$(tag) $(tag)-minimal)" \
 	base_url=`echo $(IMAGE_REPO) | sed -e s'!\([^/]*\)!\1/v2!'`; \
-	errors=`curl -fsS -X GET https://$$base_url/manifests/$(IMAGE_TAG_NAME)|jq .errors`; \
-	if [ "$$errors" = "null" ]; then \
-	    echo Image $$image found; \
-	else \
-	    echo Image $$image not found; \
-	    exit 1; \
-	fi;
+	for tag in $$tags; do \
+	    image=$(IMAGE_REPO):$$tag \
+	    errors=`curl -fsS -X GET https://$$base_url/manifests/$$tag|jq .errors`; \
+	    if [ "$$errors" = "null" ]; then \
+	        echo Image $$image found; \
+	    else \
+	        echo Image $$image not found; \
+	        exit 1; \
+	    fi; \
+	done
 
 site-build:
 	@mkdir -p docs/vendor/bundle
diff --git a/docs/get-started/deployment-and-usage.md b/docs/get-started/deployment-and-usage.md
index 4da0a1c91..b86f5c0f0 100644
--- a/docs/get-started/deployment-and-usage.md
+++ b/docs/get-started/deployment-and-usage.md
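Review bot: The new `tags="…"` and `image=$(IMAGE_REPO):$$tag` lines in `poll-images` end with a bare backslash and no `;`, so the shell joins each with the following `base_url=`/`errors=` assignment into one command; it works only because the next word is also an assignment, and inserting a real command there later would break it silently. Terminate them explicitly: `tags="$(foreach tag,$(IMAGE_TAG_NAME) $(IMAGE_EXTRA_TAG_NAMES),$(tag) $(tag)-minimal)"; \` and `image=$(IMAGE_REPO):$$tag; \`. This recipe reads `$(IMAGE_EXTRA_TAG_NAMES)` while `push` iterates `$(IMAGE_EXTRA_TAGS)`; if the former is not defined earlier in the Makefile it expands to nothing and the extra tags are never polled, which `--warn-undefined-variables` would surface. If `poll-image` is listed in a `.PHONY:` declaration elsewhere, it needs the new name as well; the hunk does not show one. The `e2e-test` recipe extended at the top of the hunk begins outside it.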
@@ -23,6 +23,27 @@ sort: 3
 1. [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl)
    (properly set up and configured to work with your Kubernetes cluster)
 
+## Image variants
+
+NFD currently offers two variants of the container image. The "full" variant is
+currently deployed by default.
+
+### Full
+
+This image is based on
+[debian:buster-slim](https://hub.docker.com/_/debian) and contains a full Linux
+system for running shell-based nfd-worker hooks and doing live debugging and
+diagnosis of the NFD images.
+
+### Minimal
+
+This is a minimal image based on
+[gcr.io/distroless/base](https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)
+and only supports running statically linked binaries.
+
+The container image tag has suffix `-minimal`
+(e.g. `{{ site.container_image }}-minimal`)
+
 ## Deployment options
 
 ### Operator
diff --git a/docs/get-started/features.md b/docs/get-started/features.md
index cdd6bb9d3..13f09c621 100644
--- a/docs/get-started/features.md
+++ b/docs/get-started/features.md
@@ -542,6 +542,9 @@ The *local* feature source gets its labels by two different ways:
    `/etc/kubernetes/node-feature-discovery/features.d/` directory. The file
    content is expected to be similar to the hook output (described above).
 
+**NOTE:** The [minimal](deployment-and-usage#minimal) image variant only
+supports running statically linked binaries.
+
 These directories must be available inside the Docker image so Volumes and
 VolumeMounts must be used if standard NFD images are used. The given template
 files mount by default the `source.d` and the `features.d` directories
diff --git a/scripts/test-infra/test-e2e.sh b/scripts/test-infra/test-e2e.sh
index 7cebec82d..ce4051c60 100755
--- a/scripts/test-infra/test-e2e.sh
+++ b/scripts/test-infra/test-e2e.sh
@@ -17,7 +17,7 @@ echo "$E2E_TEST_CONFIG_DATA" > "$E2E_TEST_CONFIG"
 # Wait for the image to be built and published
 i=1
 while true; do
-    if make poll-image; then
+    if make poll-images; then
         break
     elif [ $i -ge 10 ]; then
         "ERROR: too many tries when polling for image"