
Commit 9f2f586

cni: use scratch as the base runtime docker image (#237)
Currently, the CNI plugin Docker image uses a Debian base image at runtime. Debian is used to install some packages that are dependencies of the `install-cni.sh` script, namely `inotifywatch`, `jq`, and `pgrep`. However, these packages are the only things we need, and it's not strictly necessary to run the CNI plugin in an entire Debian install. We could install these tools from a Debian image, and then actually run in a `scratch` image. This branch changes the CNI plugin `Dockerfile` to use a `scratch` base image for the final runtime layer. `debian:bullseye-slim` is still used when building the image, in order to install the required packages using APT, and then the installed binaries are copied into the final image. This is the same change as linkerd/linkerd2#10845, but applied to the dockerfile in this repo instead.
1 parent 9215ddf commit 9f2f586

1 file changed

+10
-7
lines changed


Dockerfile-cni-plugin

Lines changed: 10 additions & 7 deletions
@@ -7,7 +7,7 @@
77
# Cross compile from native platform to target arch
88
FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v39-go as go
99
WORKDIR /build
10-
COPY --link go.mod go.sum .
10+
COPY --link go.mod go.sum ./
1111
COPY --link ./cni-plugin ./cni-plugin
1212
COPY --link ./proxy-init ./proxy-init
1313
COPY --link ./internal ./internal
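Review bot: The trailing slash in `COPY --link go.mod go.sum ./` is the correct form, not a cosmetic tweak: Docker's COPY documentation requires the destination to be a directory ending in `/` whenever more than one source is listed, so `./` rather than `.` is what should stay. This fix is unrelated to the scratch change described in the commit message and deserves its own sentence there.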
@@ -17,22 +17,25 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \
1717
go build -o /go/bin/linkerd-cni -mod=readonly -ldflags "-s -w" -v ./cni-plugin/
1818

1919
##
20-
## Runtime
20+
## Runtime dependencies
2121
##
2222

23-
FROM debian:bullseye-slim
23+
FROM debian:bullseye-slim as deps
2424
WORKDIR /linkerd
2525
RUN apt-get update && apt-get install -y --no-install-recommends \
26-
iptables \
2726
inotify-tools \
2827
procps \
2928
jq && \
3029
rm -rf /var/lib/apt/lists/*
3130

32-
# We still rely on old iptables-legacy syntax.
33-
RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \
34-
&& update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
31+
##
32+
## Runtime
33+
##
3534

35+
FROM scratch as runtime
36+
COPY --from=deps /usr/bin/inotifywait /usr/bin/inotifywait
37+
COPY --from=deps /usr/bin/pgrep /usr/bin/pgrep
38+
COPY --from=deps /usr/bin/jq /usr/bin/jq
3639
COPY --from=go /go/bin/linkerd-cni /opt/cni/bin/
3740
COPY LICENSE .
3841
COPY cni-plugin/deployment/scripts/install-cni.sh .
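Review bot: Copying `/usr/bin/inotifywait`, `/usr/bin/pgrep` and `/usr/bin/jq` from the `deps` stage into `FROM scratch as runtime` brings only the executables, not the shared libraries they are dynamically linked against on Debian (libc plus the tool-specific libraries), and nothing in this hunk copies a shell into the final stage even though `install-cni.sh` is still copied in; please confirm these actually execute in the built image (a smoke test that runs each binary with `--version` would catch this) or copy the required `.so` files and a shell alongside them. The hunk also drops `iptables \` from the apt-get list and removes the `update-alternatives --set iptables /usr/sbin/iptables-legacy` lines together with the comment "We still rely on old iptables-legacy syntax." without the commit message mentioning it; state why iptables is no longer needed in the runtime image. Minor: the commit message names `inotifywatch`, but the binary copied here is `inotifywait`.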
