From 24347fbaed5c6da135a6a94c980c50d076d0dc29 Mon Sep 17 00:00:00 2001
From: Alexey Volkov
Date: Fri, 2 Aug 2019 11:27:53 -0700
Subject: [PATCH] Backend - Starting the api-server container build from scratch (#1699)

* Backend - Starting the container build from scratch

This reduces the image size, reduces the attack surface and avoids security vulnerabilities.

Fixes https://github.com/kubeflow/pipelines/issues/1545

* Starting building other controller images from scratch
---
 backend/Dockerfile | 6 +++---
 backend/Dockerfile.persistenceagent | 2 +-
 backend/Dockerfile.scheduledworkflow | 3 +--
 backend/Dockerfile.viewercontroller | 3 +--
 4 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index c76c5f72fd..f75f1d1f13 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,7 +1,7 @@
 FROM l.gcr.io/google/bazel:0.24.0 as builder
 RUN apt-get update && \
- apt-get install -y cmake clang musl-dev openssl
+ apt-get install -y cmake clang musl-dev openssl ca-certificates
 WORKDIR /go/src/github.com/kubeflow/pipelines
 COPY WORKSPACE WORKSPACE
@@ -31,7 +31,7 @@ COPY ./samples .
 #The "for" loop breaks on all whitespace, so we either need to override IFS or use the "read" command instead.
 RUN find . -maxdepth 3 -name '*.py' -type f | while read pipeline; do dsl-compile --py "$pipeline" --output "$pipeline.tar.gz"; done
-FROM debian:stretch
+FROM scratch
 ARG COMMIT_SHA=unknown
 ENV COMMIT_SHA=${COMMIT_SHA}
@@ -45,7 +45,7 @@ COPY backend/src/apiserver/config/ /config
 COPY --from=compiler /samples/ /samples/
 # Adding CA certificate so API server can download pipeline through URL
-RUN apt-get update && apt-get install -y ca-certificates
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 # Expose apiserver port
 EXPOSE 8888
diff --git a/backend/Dockerfile.persistenceagent b/backend/Dockerfile.persistenceagent
index bbf6049d05..5117ff389b 100644
--- a/backend/Dockerfile.persistenceagent
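Review bot: The runtime trust store of the new `FROM scratch` stage is now whatever `ca-certificates.crt` the builder holds when its apt layer was last rebuilt (the `ca-certificates` package added in the first hunk), so with a cached builder layer on the pinned `bazel:0.24.0` base the API server's CA bundle will silently age; a comment next to the COPY such as `# CA bundle is taken from the builder's apt layer; rebuild without cache (or bump the bazel base) to refresh it` makes that dependency visible. A scratch image ships no `/etc/passwd`, so the final stage runs as uid 0 unless a numeric `USER` is set after the COPY lines (e.g. `USER 65532`, a constructed example) — none is visible in these hunks, so add one before `EXPOSE 8888` if the file has none. `FROM scratch` also presumes the apiserver binary is statically linked; the bazel build step is outside the hunks (the builder installs `musl-dev`, which suggests static linking is intended), so confirm no dynamic libc is required, otherwise the container fails at exec with no loader present.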
+++ b/backend/Dockerfile.persistenceagent
@@ -9,7 +9,7 @@ RUN apk update && apk upgrade && \
 RUN GO111MODULE=on go build -o /bin/persistence_agent backend/src/agent/persistence/*.go
-FROM alpine:3.8
+FROM scratch
 WORKDIR /bin
 COPY --from=builder /bin/persistence_agent /bin/persistence_agent
diff --git a/backend/Dockerfile.scheduledworkflow b/backend/Dockerfile.scheduledworkflow
index 5baf234a72..5b0caee62d 100644
--- a/backend/Dockerfile.scheduledworkflow
+++ b/backend/Dockerfile.scheduledworkflow
@@ -9,12 +9,11 @@ RUN apk update && apk upgrade && \
 RUN GO111MODULE=on go build -o /bin/controller backend/src/crd/controller/scheduledworkflow/*.go
-FROM alpine:3.8
+FROM scratch
 WORKDIR /bin
 COPY --from=builder /bin/controller /bin/controller
 COPY --from=builder /go/src/github.com/kubeflow/pipelines/third_party/license.txt /bin/license.txt
-RUN chmod +x /bin/controller
 ENV NAMESPACE ""
diff --git a/backend/Dockerfile.viewercontroller b/backend/Dockerfile.viewercontroller
index 9f4ff561ac..61d5621f7c 100644
--- a/backend/Dockerfile.viewercontroller
+++ b/backend/Dockerfile.viewercontroller
@@ -9,7 +9,7 @@ COPY . .
 RUN go mod vendor
 RUN go build -o /bin/controller backend/src/crd/controller/viewer/*.go
-FROM alpine
+FROM scratch
 WORKDIR /src
 COPY --from=builder /src/github.com/kubeflow/pipelines/vendor vendor
@@ -17,7 +17,6 @@ WORKDIR /bin
 COPY --from=builder /bin/controller /bin/controller
 COPY --from=builder /src/github.com/kubeflow/pipelines/third_party/license.txt /bin/license.txt
-RUN chmod +x /bin/controller
 ENV MAX_NUM_VIEWERS "50"
 ENV NAMESPACE "kubeflow"
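Review bot: `FROM scratch` in this hunk (and the same change in Dockerfile.scheduledworkflow and Dockerfile.viewercontroller) leaves the controllers running as uid 0 unless a numeric `USER` is added after the COPY lines, since a scratch image has no `/etc/passwd` to resolve a named user; no `USER` is visible in these hunks. The `go build` lines above each `FROM scratch` set no `CGO_ENABLED=0`, so if cgo was active in the alpine builder the binary is linked against musl and will not start once the libc and loader are gone — confirm the binaries are static, e.g. `RUN CGO_ENABLED=0 GO111MODULE=on go build -o /bin/persistence_agent backend/src/agent/persistence/*.go`. Unlike backend/Dockerfile, none of these stages copies a CA bundle or tzdata; in-cluster Kubernetes clients read the service-account CA file rather than the system trust store, so this only matters if a controller opens other TLS connections, which the hunks do not show. Dropping `RUN chmod +x /bin/controller` is consistent with scratch having no shell, and `COPY --from=builder` preserves the mode `go build` gave the binary.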