From 28dbbce8da5051f7853fea1798c67e71f05e7457 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Mon, 6 Apr 2020 16:53:42 -0700
Subject: [PATCH] Make boulder-tools image smaller. (#4732)

Instead of installing Certbot from the repo, install the python-acme library (the only piece we need) from the apt repository. This also allows us to skip installing build dependencies for Certbot. Uninstall cmake after building. Clean the various Go caches. Move codespell and acme into requirements.txt. Don't use virtualenv anymore. This reduces image size from 1.4 GB to 1.0 GB. Incidentally, move the Go install to its own phase in the Dockerfile. This will give it its own image layer, making rebuilds faster.
---
 docker-compose.yml | 6 +++---
 test.sh | 1 -
 test/boulder-tools/Dockerfile.tmpl | 3 ++-
 test/boulder-tools/build.sh | 25 ++++---------------------
 test/boulder-tools/requirements.txt | 3 ++-
 test/startservers.py | 4 ++--
 6 files changed, 13 insertions(+), 29 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index ac2d9d2e2..6ebb933ef 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3'
 services:
 boulder:
 # To minimize fetching this should be the same version used below
- image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-03-26
+ image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-06
 environment:
 FAKE_DNS: 10.77.77.77
 PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
@@ -58,7 +58,7 @@ services:
 working_dir: /go/src/github.com/letsencrypt/boulder
 bhsm:
 # To minimize fetching this should be the same version used above
- image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-03-26
+ image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-06
 environment:
 PKCS11_DAEMON_SOCKET: tcp://0.0.0.0:5657
 command: /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so
@@ -85,7 +85,7 @@ services:
 logging:
 driver: none
 netaccess:
- image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-03-26
+ image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.13.2}:2020-04-06
 environment:
 GO111MODULE: "on"
 GOFLAGS: "-mod=vendor"
diff --git a/test.sh b/test.sh
index d08940dfe..0747de1ab 100755
--- a/test.sh
+++ b/test.sh
@@ -110,7 +110,6 @@ if [[ "$RUN" =~ "integration" ]] ; then
 args+=("--filter" "${INT_FILTER}")
 fi
- source ${CERTBOT_PATH:-/certbot}/${VENV_NAME:-venv3}/bin/activate
 DIRECTORY=http://boulder:4000/directory \
 python3 test/integration-test.py --chisel --gotest "${args[@]}"
 fi
diff --git a/test/boulder-tools/Dockerfile.tmpl b/test/boulder-tools/Dockerfile.tmpl
index dabf5b2be..9a14ed3e8 100644
--- a/test/boulder-tools/Dockerfile.tmpl
+++ b/test/boulder-tools/Dockerfile.tmpl
@@ -8,6 +8,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:/usr/local/protoc/bin:$PATH
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
 WORKDIR $GOPATH
-ADD build.sh /tmp/build.sh
+RUN wget -O go.tgz "https://dl.google.com/go/go${GO_VERSION_TO_INSTALL}.linux-amd64.tar.gz" && tar -C /usr/local -xzf go.tgz && rm go.tgz;
 ADD requirements.txt /tmp/requirements.txt
+ADD build.sh /tmp/build.sh
 RUN /tmp/build.sh
diff --git a/test/boulder-tools/build.sh b/test/boulder-tools/build.sh
index 38cd9cbae..bcc63b52c 100755
--- a/test/boulder-tools/build.sh
+++ b/test/boulder-tools/build.sh
@@ -2,15 +2,8 @@
 apt-get update
-# Install Go.
-url="https://dl.google.com/go/go${GO_VERSION_TO_INSTALL}.linux-amd64.tar.gz"
-wget -O go.tgz "$url"; \
-tar -C /usr/local -xzf go.tgz; \
-rm go.tgz;
-
 # Install system deps
 apt-get install -y --no-install-recommends \
- libltdl-dev \
 mariadb-client-core-10.1 \
 rpm \
 ruby \
@@ -23,13 +16,8 @@ apt-get install -y --no-install-recommends \
 libseccomp-dev \
 opensc \
 unzip \
- python3-dev \
- python3-venv \
 python3-pip \
 gcc \
- libaugeas0 \
- libssl-dev \
- libffi-dev \
 ca-certificates \
 openssl
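Review bot: The new `RUN wget -O go.tgz ... && tar -C /usr/local -xzf go.tgz` line extracts the toolchain that compiles everything else in this image without verifying the archive, so a tampered or truncated download (even over HTTPS) would be installed silently; the removed build.sh lines did the same, so this is not a regression, but moving the install into its own layer is the natural moment to pin it. Go publishes a SHA-256 for every release tarball, so carry it next to the version (an `ARG GO_SHA256` alongside wherever `GO_VERSION_TO_INSTALL` is declared, which is outside this hunk) and fail the build on mismatch: `RUN wget -O go.tgz "https://dl.google.com/go/go${GO_VERSION_TO_INSTALL}.linux-amd64.tar.gz" && echo "${GO_SHA256}  go.tgz" | sha256sum -c - && tar -C /usr/local -xzf go.tgz && rm go.tgz`. Two smaller points on the same line: the trailing `;` after `rm go.tgz` is a leftover from the shell script and does nothing in a `RUN`, and the tarball lands in `WORKDIR $GOPATH`, which the preceding line just made world-writable, so downloading to `/tmp/go.tgz` instead keeps the archive out of a 777 tree.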
@@ -60,15 +48,10 @@ GO111MODULE=on go get \
 # fetch it in GOPATH mode.
 go get github.com/letsencrypt/pebble/cmd/pebble-challtestsrv
-# Install codespell for linting common spelling errors
-pip3 install codespell
+go clean -cache
+go clean -modcache
-git clone https://github.com/certbot/certbot /certbot
-cd /certbot
-./tools/venv3.py
-source venv3/bin/activate
-pip install -r /tmp/requirements.txt
-cd -
+pip3 install -r /tmp/requirements.txt
 # Install pkcs11-proxy. Checked out commit was master HEAD at time
 # of writing
@@ -88,7 +71,7 @@ gem install fpm
 # We can't remove libseccomp-dev as it contains a shared object that is required
 # for pkcs11-proxy to run properly
-apt-get autoremove -y libssl-dev ruby-dev
+apt-get autoremove -y libssl-dev ruby-dev cmake
 apt-get clean -y
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/test/boulder-tools/requirements.txt b/test/boulder-tools/requirements.txt
index d807d8c1a..0d9499510 100644
--- a/test/boulder-tools/requirements.txt
+++ b/test/boulder-tools/requirements.txt
@@ -1,4 +1,5 @@
-acme>=0.10.1
+acme>=1.0
 cryptography>=0.7
 PyOpenSSL
 requests
+codespell
diff --git a/test/startservers.py b/test/startservers.py
index bb53bdf27..797b8759c 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -21,9 +21,9 @@ def install(race_detection):
 # Pass empty BUILD_TIME and BUILD_ID flags to avoid constantly invalidating the
 # build cache with new BUILD_TIMEs, or invalidating it on merges with a new
 # BUILD_ID.
- cmd = "make GO_BUILD_FLAGS='' "
+ cmd = "/usr/bin/make GO_BUILD_FLAGS='' "
 if race_detection:
- cmd = "make GO_BUILD_FLAGS='-race -tags \"integration\"'"
+ cmd = "/usr/bin/make GO_BUILD_FLAGS='-race -tags \"integration\"'"
 return subprocess.call(cmd, shell=True) == 0
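Review bot: `pip3 install -r /tmp/requirements.txt` now installs into the system interpreter as root and leaves pip's download and wheel cache (under `~/.cache/pip`, root's home here) in the image layer, and the `rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*` cleanup later in this file never touches it, so part of the size saving this commit is after stays in the layer. Add `--no-cache-dir` (`pip3 install --no-cache-dir -r /tmp/requirements.txt`) so there is nothing left to clean, the same way the new `go clean -cache` / `go clean -modcache` lines do for Go. The surrounding install sequence continues outside the hunk on both sides.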
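Review bot: `libssl-dev` is still passed to `apt-get autoremove -y libssl-dev ruby-dev cmake` although the earlier hunk in this file drops it from the `apt-get install` list, so unless something not shown here installs it the argument is dead: apt prints `Package 'libssl-dev' is not installed, so not removed` and exits 0, which keeps the build green but misleads the next reader about what is in the image. Trim it to `apt-get autoremove -y ruby-dev cmake`. Whether cmake is actually installed earlier in this script is outside the diff, so confirm that before counting on this line for the size reduction the commit message claims.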
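Review bot: Every line in this file is a floor or fully unpinned (`acme>=1.0`, `cryptography>=0.7`, `PyOpenSSL`, `requests`, and the newly added `codespell`), so each rebuild resolves whatever is newest on PyPI and a malicious or simply broken release of any of them, or of their transitive dependencies, lands in the CI image with no signal; the date-pinned image tag in docker-compose.yml suggests a reproducibility that these lines do not deliver. Pin exact versions with `--hash=sha256:...` entries and install with `pip3 install --require-hashes -r /tmp/requirements.txt` so pip refuses any artifact not listed; generating the file with a tool such as pip-compile `--generate-hashes` keeps it maintainable. Until then, at least an upper bound on the one package the tests drive directly (`acme>=1.0,<2`) would stop a breaking major release from arriving silently.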
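Review bot: The switch to `/usr/bin/make` is explained neither in the hunk nor in the commit message, and hard-coding the path trades a PATH lookup for a hard failure on any host where make lives elsewhere (`/usr/local/bin`, Homebrew, nix); if the purpose is to avoid picking up something else named `make` inside the image, which I cannot tell from here, record it above the assignment: `# Absolute path on purpose: do not resolve make through PATH — TODO confirm why`. Separately, since both commands are fixed strings, the `shell=True` string could become an argument list, e.g. `subprocess.call(["/usr/bin/make", "GO_BUILD_FLAGS=-race -tags \"integration\""])`, which drops the shell layer and the nested quoting. The `def install(race_detection):` line is outside the hunk.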