From cd62f6566f62b46dcba50cb313432e7e403f5094 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen <markus.lehtonen@intel.com>
Date: Tue, 10 Jan 2023 20:50:54 +0200
Subject: [PATCH] images: base the default image on distroless/base

Make distroless/base as the base image for the default image,
effectively making the minimal image as the default. Add a new "full"
image variant that corresponds the previous default image. The
"*-minimal" container image tag is provided for backwards compatibility.

The practical user impact of this change is that hook support is limited
to statically linked ELF binaries. Bash or Perl scripts are not
supported by the default image, anymore, but the new "full" image
variant can be used for backwards compatibility.
---
 Makefile                                      | 24 ++++++++++++-------
 docs/deployment/image-variants.md             | 21 +++++++++-------
 .../worker-configuration-reference.md         |  5 ++++
 docs/usage/customization-guide.md             | 10 ++++----
 4 files changed, 37 insertions(+), 23 deletions(-)

diff --git a/Makefile b/Makefile
index 47a736d54..009d7aabb 100644
--- a/Makefile
+++ b/Makefile
@@ -73,14 +73,15 @@ IMAGE_BUILD_ARGS = --build-arg VERSION=$(VERSION) \
                 --build-arg BASE_IMAGE_MINIMAL=$(BASE_IMAGE_MINIMAL)
 
 IMAGE_BUILD_ARGS_FULL = --target full \
-                	-t $(IMAGE_TAG) \
-	    		$(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)) \
-	    		$(IMAGE_BUILD_EXTRA_OPTS) ./
+                        -t $(IMAGE_TAG)-full \
+                        $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)-full) \
+                        $(IMAGE_BUILD_EXTRA_OPTS) ./
 
 IMAGE_BUILD_ARGS_MINIMAL = --target minimal \
-                	   -t $(IMAGE_TAG)-minimal \
-	            	   $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)-minimal) \
-	            	   $(IMAGE_BUILD_EXTRA_OPTS) ./
+                           -t $(IMAGE_TAG) \
+                           -t $(IMAGE_TAG)-minimal \
+                           $(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag) -t $(tag)-minimal) \
+                           $(IMAGE_BUILD_EXTRA_OPTS) ./
 
 all: image
 
@@ -187,7 +188,7 @@ e2e-test:
 	    -nfd.pull-if-not-present=$(E2E_PULL_IF_NOT_PRESENT) \
 	    -ginkgo.focus="\[kubernetes-sigs\]" \
 	    $(if $(OPENSHIFT),-nfd.openshift,)
-	$(GO_CMD) test -v ./test/e2e/ -args -nfd.repo=$(IMAGE_REPO) -nfd.tag=$(IMAGE_TAG_NAME)-minimal \
+	$(GO_CMD) test -v ./test/e2e/ -args -nfd.repo=$(IMAGE_REPO) -nfd.tag=$(IMAGE_TAG_NAME)-full \
 	    -kubeconfig=$(KUBECONFIG) \
 	    -nfd.e2e-config=$(E2E_TEST_CONFIG) \
 	    -nfd.pull-if-not-present=$(E2E_PULL_IF_NOT_PRESENT) \
@@ -197,7 +198,12 @@ e2e-test:
 push:
 	$(IMAGE_PUSH_CMD) $(IMAGE_TAG)
 	$(IMAGE_PUSH_CMD) $(IMAGE_TAG)-minimal
-	for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; $(IMAGE_PUSH_CMD) $$tag-minimal; done
+	$(IMAGE_PUSH_CMD) $(IMAGE_TAG)-full
+	for tag in $(IMAGE_EXTRA_TAGS); do \
+	    $(IMAGE_PUSH_CMD) $$tag; \
+	    $(IMAGE_PUSH_CMD) $$tag-minimal; \
+	    $(IMAGE_PUSH_CMD) $$tag-full; \
+	done
 
 push-all: ensure-buildx yamls
 	$(IMAGE_BUILDX_CMD) --push $(IMAGE_BUILD_ARGS) $(IMAGE_BUILD_ARGS_FULL)
@@ -205,7 +211,7 @@ push-all: ensure-buildx yamls
 
 poll-images:
 	set -e; \
-	tags="$(foreach tag,$(IMAGE_TAG_NAME) $(IMAGE_EXTRA_TAG_NAMES),$(tag) $(tag)-minimal)" \
+	tags="$(foreach tag,$(IMAGE_TAG_NAME) $(IMAGE_EXTRA_TAG_NAMES),$(tag) $(tag)-minimal $(tag)-full)" \
 	base_url=`echo $(IMAGE_REPO) | sed -e s'!\([^/]*\)!\1/v2!'`; \
 	for tag in $$tags; do \
 	    image=$(IMAGE_REPO):$$tag \
diff --git a/docs/deployment/image-variants.md b/docs/deployment/image-variants.md
index 67c58204b..6317e19ff 100644
--- a/docs/deployment/image-variants.md
+++ b/docs/deployment/image-variants.md
@@ -15,21 +15,24 @@ sort: 1
 
 ---
 
-NFD currently offers two variants of the container image. The "full" variant is
+NFD currently offers two variants of the container image. The "minimal" variant is
 currently deployed by default. Released container images are available for
 x86_64 and Arm64 architectures.
 
-## Full
-
-This image is based on [debian:bullseye-slim](https://hub.docker.com/_/debian)
-and contains a full Linux system for running shell-based nfd-worker hooks and
-doing live debugging and diagnosis of the NFD images.
-
 ## Minimal
 
 This is a minimal image based on
 [gcr.io/distroless/base](https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)
 and only supports running statically linked binaries.
 
-The container image tag has suffix `-minimal`
-(e.g. `{{ site.container_image }}-minimal`)
+For backwards compatibility a container image tag with suffix `-minimal`
+(e.g. `{{ site.container_image }}-minimal`) is provided.
+
+## Full
+
+This image is based on [debian:bullseye-slim](https://hub.docker.com/_/debian)
+and contains a full Linux system for running shell-based nfd-worker hooks and
+doing live debugging and diagnosis of the NFD images.
+
+The container image tag has suffix `-full`
+(e.g. `{{ site.container_image }}-full`).
diff --git a/docs/reference/worker-configuration-reference.md b/docs/reference/worker-configuration-reference.md
index 78a9468b5..654f3900d 100644
--- a/docs/reference/worker-configuration-reference.md
+++ b/docs/reference/worker-configuration-reference.md
@@ -336,6 +336,11 @@ Hooks are DEPRECATED since v0.12.0 release and support will be removed in a
 future release. Use
 [feature files](../usage//customization-guide.md#feature-files) instead.
 
+Note: The default NFD container image only supports statically linked binaries.
+Use the [full](../deployment/image-variants.md#full) image variant for a
+slightly more extensive environment that additionally supports bash and perl
+runtimes.
+
 Related tracking issues:
 
 1. Config option to disable hooks [#859](https://github.com/kubernetes-sigs/node-feature-discovery/issues/859).
diff --git a/docs/usage/customization-guide.md b/docs/usage/customization-guide.md
index 820924eb7..529dd884d 100644
--- a/docs/usage/customization-guide.md
+++ b/docs/usage/customization-guide.md
@@ -257,9 +257,8 @@ on the nfd-master command line.
 **DEPRECATED** The `local` source executes hooks found in
 `/etc/kubernetes/node-feature-discovery/source.d/`. The hook files must be
 executable and they are supposed to print all discovered features in `stdout`.
-With ELF binaries static linking is recommended as the selection of system
-libraries available in the NFD release image is very limited. Other runtimes
-currently supported by the NFD image are bash and perl.
+Since NFD v0.13 the default container image only supports statically linked ELF
+binaries.
 
 `stderr` output of hooks is propagated to NFD log so it can be used for
 debugging and logging.
@@ -284,8 +283,9 @@ sources:
 directory. It is the user's responsibility to review the hooks for e.g.
 possible security implications.
 
-**NOTE:** The [minimal](../deployment/image-variants.md#minimal) image
-variant only supports running statically linked binaries.
+**NOTE:** The [full](../deployment/image-variants.md#full) image variant
+provides backwards-compatibility with older NFD versions by including a more
+expanded environment, supporting bash and perl runtimes.
 
 ### Feature files