From 3a057aa27c7659e1617b7947f19d42ad468ace3d Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Fri, 19 Jun 2020 10:40:35 +0300
Subject: [PATCH] Use distroless image as base for protokube

---
 images/BUILD.bazel | 39 +++--------------------------
 nodeup/pkg/model/protokube.go | 4 +--
 protokube/pkg/protokube/channels.go | 2 +-
 3 files changed, 7 insertions(+), 38 deletions(-)

diff --git a/images/BUILD.bazel b/images/BUILD.bazel
index d7cbdd91ca..e814143303 100644
--- a/images/BUILD.bazel
+++ b/images/BUILD.bazel
@@ -2,50 +2,19 @@ package(default_visibility = ["//visibility:public"])
 
 load(
     "@io_bazel_rules_docker//container:container.bzl",
-    "container_bundle",
     "container_image",
+    "container_bundle",
 )
-load("@package_bundle//file:packages.bzl", "packages")
 
 container_image(
     name = "protokube-image",
-    base = "@debian_hyperkube_base_amd64//image",
-    cmd = ["/usr/bin/protokube"],
-    # Packages needed:
-    # ca-certificates: Needed to talk to EC2 API (in base)
-    # e2fsprogs: Needed to mount / format ext4 filesytems (in base)
-    # systemd: needed to start kubelet
-    # TODO: Replace systemd with direct calls, or chroot into rootfs
-    debs = [
-        packages["cgmanager"],
-        packages["dbus"],
-        packages["libapparmor1"],
-        packages["libcgmanager0"],
-        packages["libcryptsetup4"],
-        packages["libdbus-1-3"],
-        packages["libnih-dbus1"],
-        packages["libnih1"],
-        packages["libpam-systemd"],
-        packages["libprocps6"],
-        packages["libseccomp2"],
-        packages["procps"],
-        packages["systemd-shim"],
-        packages["systemd"],
-    ],
+    base = "@distroless_base//image",
+    cmd = ["/protokube"],
     files = [
         "//channels/cmd/channels",
         "//protokube/cmd/protokube",
     ],
-    # Cannot use directory with packages or they get installed with
-    # directory as the root.
-    # directory = "/usr/bin/",
-    # TODO: figure out if there's a way to add files
-    # to actual /usr/bin while using debs above.
-    symlinks = {
-        "/usr/bin/channels": "/channels",
-        "/usr/bin/protokube": "/protokube",
-    },
-    tags = ["local"], # TODO(fejta): make xz toolchain hermetic
+    stamp = True,
 )
 
 container_bundle(
diff --git a/nodeup/pkg/model/protokube.go b/nodeup/pkg/model/protokube.go
index e3f5e883b4..04162b61cf 100644
--- a/nodeup/pkg/model/protokube.go
+++ b/nodeup/pkg/model/protokube.go
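Review bot: The new `base = "@distroless_base//image"` is only as reproducible and auditable as the repository rule behind it, which this hunk does not show; confirm that the WORKSPACE entry pins the base by `digest = "sha256:…"` rather than by a tag, since distroless tags move and a floating base silently changes what ships inside every protokube release. The deleted comment block also recorded that `e2fsprogs` was relied on to mount and format ext4 filesystems, and a distroless base carries no `mkfs.ext4` or `mount` binaries; if protokube still shells out for those (the hunk cannot show whether it does), verify where they now come from, presumably the host via bind mounts, and record it in a comment where the old list stood, e.g. `# distroless base: CA certificates only; volume tooling is expected from the host, not the image`. The rest of the `container_image` rule is visible here, but the `distroless_base` definition is not.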
@@ -269,7 +269,7 @@ func (t *ProtokubeBuilder) ProtokubeContainerRunCommand() (string, error) {
 		containerRunArgs = append(containerRunArgs, []string{
 			"--name", "protokube",
 			t.ProtokubeImageName(),
-			"/usr/bin/protokube",
+			"/protokube",
 		}...)
 	} else if t.Cluster.Spec.ContainerRuntime == "containerd" {
@@ -307,7 +307,7 @@ func (t *ProtokubeBuilder) ProtokubeContainerRunCommand() (string, error) {
 		containerRunArgs = append(containerRunArgs, []string{
 			"docker.io/library/" + t.ProtokubeImageName(),
 			"protokube",
-			"/usr/bin/protokube",
+			"/protokube",
 		}...)
 	} else {
 		return "", fmt.Errorf("unable to create protokube run command for unsupported runtime %q", t.Cluster.Spec.ContainerRuntime)
diff --git a/protokube/pkg/protokube/channels.go b/protokube/pkg/protokube/channels.go
index 3391763545..d829f5b657 100644
--- a/protokube/pkg/protokube/channels.go
+++ b/protokube/pkg/protokube/channels.go
@@ -36,7 +36,7 @@ func applyChannel(channel string) error {
 }
 
 func execChannels(args ...string) (string, error) {
-	kubectlPath := "channels" // Assume in PATH
+	kubectlPath := "/channels"
 	cmd := exec.Command(kubectlPath, args...)
 	env := os.Environ()
 	cmd.Env = env
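Review bot: The literal `"/protokube"` now has to agree byte-for-byte with the `cmd` in images/BUILD.bazel and with the same literal in the containerd branch a few lines below, and any drift between them leaves the node unable to start protokube at boot with nothing in this package to flag it. Hoist it into one package-level constant, `const protokubeBinaryPath = "/protokube" // path of the binary inside the protokube image (images/BUILD.bazel)`, and reference it from both branches so the image layout is documented exactly once on the nodeup side. ProtokubeContainerRunCommand begins before this hunk and continues past it.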
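Review bot: Resolving the helper by absolute path instead of a PATH lookup is the right direction — no directory on PATH can shadow the binary any more — but the variable is still named `kubectlPath` while it now points at the channels binary, and the replaced comment leaves no record of why `/channels` is the correct location. Suggest `channelsPath := "/channels" // placed at the image root by images/BUILD.bazel, alongside /protokube` and renaming the use on the following `exec.Command` line. This holds only while protokube runs inside its own image; if the binary is ever executed directly on a host, `/channels` will not exist, so an `os.Stat` check at startup with a clear error would make that failure obvious rather than surfacing as a confusing exec failure on every channel apply. execChannels continues past the end of this hunk.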