From cd62f6566f62b46dcba50cb313432e7e403f5094 Mon Sep 17 00:00:00 2001 From: Markus Lehtonen Date: Tue, 10 Jan 2023 20:50:54 +0200 Subject: [PATCH] images: base the default image on distroless/base Make distroless/base as the base image for the default image, effectively making the minimal image as the default. Add a new "full" image variant that corresponds the previous default image. The "*-minimal" container image tag is provided for backwards compatibility. The practical user impact of this change is that hook support is limited to statically linked ELF binaries. Bash or Perl scripts are not supported by the default image, anymore, but the new "full" image variant can be used for backwards compatibility. --- Makefile | 24 ++++++++++++------- docs/deployment/image-variants.md | 21 +++++++++------- .../worker-configuration-reference.md | 5 ++++ docs/usage/customization-guide.md | 10 ++++---- 4 files changed, 37 insertions(+), 23 deletions(-) diff --git a/Makefile b/Makefile index 47a736d54..009d7aabb 100644 --- a/Makefile +++ b/Makefile @@ -73,14 +73,15 @@ IMAGE_BUILD_ARGS = --build-arg VERSION=$(VERSION) \ --build-arg BASE_IMAGE_MINIMAL=$(BASE_IMAGE_MINIMAL) IMAGE_BUILD_ARGS_FULL = --target full \ - -t $(IMAGE_TAG) \ - $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)) \ - $(IMAGE_BUILD_EXTRA_OPTS) ./ + -t $(IMAGE_TAG)-full \ + $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)-full) \ + $(IMAGE_BUILD_EXTRA_OPTS) ./ IMAGE_BUILD_ARGS_MINIMAL = --target minimal \ - -t $(IMAGE_TAG)-minimal \ - $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)-minimal) \ - $(IMAGE_BUILD_EXTRA_OPTS) ./ + -t $(IMAGE_TAG) \ + -t $(IMAGE_TAG)-minimal \ + $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag) -t $(tag)-minimal) \ + $(IMAGE_BUILD_EXTRA_OPTS) ./ all: image 
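Review bot: `IMAGE_BUILD_ARGS_MINIMAL` now also applies the unsuffixed `$(IMAGE_TAG)` and every plain `$(tag)` from `IMAGE_EXTRA_TAGS`, which the variable name does not convey. The definition deserves a comment such as `# minimal (distroless) is the default image: it gets the unsuffixed tag; "-minimal" is kept as a backwards-compatible alias`. The same tag names previously referred to the Debian-based image, so a deployment that tracks a tag rather than a digest will move to an image without bash or perl on its next pull. Per the commit message, hooks written as scripts then need the `-full` tag, which is worth stating next to the tag list as well as in the docs.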
@@ -187,7 +188,7 @@ e2e-test: -nfd.pull-if-not-present=$(E2E_PULL_IF_NOT_PRESENT) \ -ginkgo.focus="\[kubernetes-sigs\]" \ $(if $(OPENSHIFT),-nfd.openshift,) - $(GO_CMD) test -v ./test/e2e/ -args -nfd.repo=$(IMAGE_REPO) -nfd.tag=$(IMAGE_TAG_NAME)-minimal \ + $(GO_CMD) test -v ./test/e2e/ -args -nfd.repo=$(IMAGE_REPO) -nfd.tag=$(IMAGE_TAG_NAME)-full \ -kubeconfig=$(KUBECONFIG) \ -nfd.e2e-config=$(E2E_TEST_CONFIG) \ -nfd.pull-if-not-present=$(E2E_PULL_IF_NOT_PRESENT) \ @@ -197,7 +198,12 @@ e2e-test: push: $(IMAGE_PUSH_CMD) $(IMAGE_TAG) $(IMAGE_PUSH_CMD) $(IMAGE_TAG)-minimal - for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; $(IMAGE_PUSH_CMD) $$tag-minimal; done + $(IMAGE_PUSH_CMD) $(IMAGE_TAG)-full + for tag in $(IMAGE_EXTRA_TAGS); do \ + $(IMAGE_PUSH_CMD) $$tag; \ + $(IMAGE_PUSH_CMD) $$tag-minimal; \ + $(IMAGE_PUSH_CMD) $$tag-full; \ + done push-all: ensure-buildx yamls $(IMAGE_BUILDX_CMD) --push $(IMAGE_BUILD_ARGS) $(IMAGE_BUILD_ARGS_FULL) @@ -205,7 +211,7 @@ push-all: ensure-buildx yamls poll-images: set -e; \ - tags="$(foreach tag,$(IMAGE_TAG_NAME) $(IMAGE_EXTRA_TAG_NAMES),$(tag) $(tag)-minimal)" \ + tags="$(foreach tag,$(IMAGE_TAG_NAME) $(IMAGE_EXTRA_TAG_NAMES),$(tag) $(tag)-minimal $(tag)-full)" \ base_url=`echo $(IMAGE_REPO) | sed -e s'!\([^/]*\)!\1/v2!'`; \ for tag in $$tags; do \ image=$(IMAGE_REPO):$$tag \ diff --git a/docs/deployment/image-variants.md b/docs/deployment/image-variants.md index 67c58204b..6317e19ff 100644 --- a/docs/deployment/image-variants.md +++ b/docs/deployment/image-variants.md 
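Review bot: The rewritten `for` loop in `push` separates its three push commands with `;` and has no `set -e`, so the loop's exit status is that of the last push only. A failed push of `$$tag` or `$$tag-minimal` therefore goes unreported, unless the Makefile sets `.SHELLFLAGS` with `-e` outside this hunk. A partly failed push can leave the unsuffixed tag on the previous Debian-based image while `-minimal` and `-full` are already updated. `poll-images` already opens with `set -e; \`, and the loop can do the same: `set -e; for tag in $(IMAGE_EXTRA_TAGS); do \`.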
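Review bot: The tag list in `poll-images` gains `$(tag)-full`, but nothing visible in this hunk checks that `$(tag)` and `$(tag)-minimal` resolve to the same image, which is what the new tagging promises. The loop body continues outside the hunk, so this is inferred. If the loop only checks that each tag exists, a registry where the unsuffixed tag still points at the previous Debian-based image would pass the poll. Consider comparing the manifest digests of the two tags inside the loop, and at minimum add a comment such as `# $(tag) and $(tag)-minimal are expected to be the same image`.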
@@ -15,21 +15,24 @@ sort: 1 --- -NFD currently offers two variants of the container image. The "full" variant is +NFD currently offers two variants of the container image. The "minimal" variant is currently deployed by default. Released container images are available for x86_64 and Arm64 architectures. -## Full - -This image is based on [debian:bullseye-slim](https://hub.docker.com/_/debian) -and contains a full Linux system for running shell-based nfd-worker hooks and -doing live debugging and diagnosis of the NFD images. - ## Minimal This is a minimal image based on [gcr.io/distroless/base](https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md) and only supports running statically linked binaries. -The container image tag has suffix `-minimal` -(e.g. `{{ site.container_image }}-minimal`) +For backwards compatibility a container image tag with suffix `-minimal` +(e.g. `{{ site.container_image }}-minimal`) is provided. + +## Full + +This image is based on [debian:bullseye-slim](https://hub.docker.com/_/debian) +and contains a full Linux system for running shell-based nfd-worker hooks and +doing live debugging and diagnosis of the NFD images. + +The container image tag has suffix `-full` +(e.g. `{{ site.container_image }}-full`). diff --git a/docs/reference/worker-configuration-reference.md b/docs/reference/worker-configuration-reference.md index 78a9468b5..654f3900d 100644 --- a/docs/reference/worker-configuration-reference.md +++ b/docs/reference/worker-configuration-reference.md 
@@ -336,6 +336,11 @@ Hooks are DEPRECATED since v0.12.0 release and support will be removed in a future release. Use [feature files](../usage//customization-guide.md#feature-files) instead. +Note: The default NFD container image only supports statically linked binaries. +Use the [full](../deployment/image-variants.md#full) image variant for a +slightly more extensive environment that additionally supports bash and perl +runtimes. + Related tracking issues: 1. Config option to disable hooks [#859](https://github.com/kubernetes-sigs/node-feature-discovery/issues/859). diff --git a/docs/usage/customization-guide.md b/docs/usage/customization-guide.md index 820924eb7..529dd884d 100644 --- a/docs/usage/customization-guide.md +++ b/docs/usage/customization-guide.md @@ -257,9 +257,8 @@ on the nfd-master command line. **DEPRECATED** The `local` source executes hooks found in `/etc/kubernetes/node-feature-discovery/source.d/`. The hook files must be executable and they are supposed to print all discovered features in `stdout`. -With ELF binaries static linking is recommended as the selection of system -libraries available in the NFD release image is very limited. Other runtimes -currently supported by the NFD image are bash and perl. +Since NFD v0.13 the default container image only supports statically linked ELF +binaries. `stderr` output of hooks is propagated to NFD log so it can be used for debugging and logging. @@ -284,8 +283,9 @@ sources: directory. It is the user's responsibility to review the hooks for e.g. possible security implications. -**NOTE:** The [minimal](../deployment/image-variants.md#minimal) image -variant only supports running statically linked binaries. +**NOTE:** The [full](../deployment/image-variants.md#full) image variant +provides backwards-compatibility with older NFD versions by including a more +expanded environment, supporting bash and perl runtimes. ### Feature files