Make boulder-tools image smaller. (#4732)

Instead of installing Certbot from the repo, install the python-acme library (the only piece we need) from the apt repository. This also allows us to skip installing build dependencies for Certbot. Uninstall cmake after building. Clean the various Go caches. Move codespell and acme into requirements.txt. Don't use virtualenv anymore. This reduces image size from 1.4 GB to 1.0 GB. Incidentally, move the Go install to its own phase in the Dockerfile. This will give it its own image layer, making rebuilds faster.
2020-04-06 16:53:42 -07:00 · 2020-04-06 16:53:42 -07:00 · 28dbbce8da
parent 1f0d8c1e4f
commit 28dbbce8da
6 changed files with 13 additions and 29 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,7 +2,7 @@ version: '3'
 services:
    boulder:
        # To minimize fetching this should be the same version used below
-        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-03-26
+        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-06
        environment:
            FAKE_DNS: 10.77.77.77
            PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
@ -58,7 +58,7 @@ services:
        working_dir: /go/src/github.com/letsencrypt/boulder
    bhsm:
        # To minimize fetching this should be the same version used above
-        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-03-26
+        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-06
        environment:
            PKCS11_DAEMON_SOCKET: tcp://0.0.0.0:5657
        command: /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so
@ -85,7 +85,7 @@ services:
        logging:
            driver: none
    netaccess:
-        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-03-26
+        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-06
        environment:
            GO111MODULE: "on"
            GOFLAGS: "-mod=vendor"
--- a/test.sh
+++ b/test.sh
@ -110,7 +110,6 @@ if [[ "$RUN" =~ "integration" ]] ; then
    args+=("--filter" "${INT_FILTER}")
  fi

-  source ${CERTBOT_PATH:-/certbot}/${VENV_NAME:-venv3}/bin/activate
  DIRECTORY=http://boulder:4000/directory \
    python3 test/integration-test.py --chisel --gotest "${args[@]}"
 fi
--- a/test/boulder-tools/Dockerfile.tmpl
+++ b/test/boulder-tools/Dockerfile.tmpl
@ -8,6 +8,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:/usr/local/protoc/bin:$PATH
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
 WORKDIR $GOPATH

-ADD build.sh /tmp/build.sh
+RUN wget -O go.tgz "https://dl.google.com/go/go${GO_VERSION_TO_INSTALL}.linux-amd64.tar.gz" && tar -C /usr/local -xzf go.tgz && rm go.tgz;
 ADD requirements.txt /tmp/requirements.txt
+ADD build.sh /tmp/build.sh
 RUN /tmp/build.sh
--- a/test/boulder-tools/build.sh
+++ b/test/boulder-tools/build.sh
@ -2,15 +2,8 @@

 apt-get update

-# Install Go.
-url="https://dl.google.com/go/go${GO_VERSION_TO_INSTALL}.linux-amd64.tar.gz"
-wget -O go.tgz "$url"; \
-tar -C /usr/local -xzf go.tgz; \
-rm go.tgz;
-
 # Install system deps
 apt-get install -y --no-install-recommends \
-  libltdl-dev \
  mariadb-client-core-10.1 \
  rpm \
  ruby \
@ -23,13 +16,8 @@ apt-get install -y --no-install-recommends \
  libseccomp-dev \
  opensc \
  unzip \
-  python3-dev \
-  python3-venv \
  python3-pip \
  gcc \
-  libaugeas0 \
-  libssl-dev \
-  libffi-dev \
  ca-certificates \
  openssl

@ -60,15 +48,10 @@ GO111MODULE=on go get \
 # fetch it in GOPATH mode.
 go get github.com/letsencrypt/pebble/cmd/pebble-challtestsrv

-# Install codespell for linting common spelling errors
-pip3 install codespell
+go clean -cache
+go clean -modcache

-git clone https://github.com/certbot/certbot /certbot
-cd /certbot
-./tools/venv3.py
-source venv3/bin/activate
-pip install -r /tmp/requirements.txt
-cd -
+pip3 install -r /tmp/requirements.txt

 # Install pkcs11-proxy. Checked out commit was master HEAD at time
 # of writing
@ -88,7 +71,7 @@ gem install fpm

 # We can't remove libseccomp-dev as it contains a shared object that is required
 # for pkcs11-proxy to run properly
-apt-get autoremove -y libssl-dev ruby-dev
+apt-get autoremove -y libssl-dev ruby-dev cmake
 apt-get clean -y

 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
--- a/test/boulder-tools/requirements.txt
+++ b/test/boulder-tools/requirements.txt
@ -1,4 +1,5 @@
-acme>=0.10.1
+acme>=1.0
 cryptography>=0.7
 PyOpenSSL
 requests
+codespell
--- a/test/startservers.py
+++ b/test/startservers.py
@ -21,9 +21,9 @@ def install(race_detection):
    # Pass empty BUILD_TIME and BUILD_ID flags to avoid constantly invalidating the
    # build cache with new BUILD_TIMEs, or invalidating it on merges with a new
    # BUILD_ID.
-    cmd = "make GO_BUILD_FLAGS=''  "
+    cmd = "/usr/bin/make GO_BUILD_FLAGS=''  "
    if race_detection:
-        cmd = "make GO_BUILD_FLAGS='-race -tags \"integration\"'"
+        cmd = "/usr/bin/make GO_BUILD_FLAGS='-race -tags \"integration\"'"

    return subprocess.call(cmd, shell=True) == 0