Hello, I've been experimenting with using Marinara for creating Distroless .NET Containers on Azure Linux 3.0.
While using Marinara to create images works very well and results in a perfectly efficient image, using Marinara to extend an existing image does not.
I noticed a couple of behaviors:
When using the recommended pattern from dockerfile-extend-image, the final layer is squashed. While this results in a perfectly efficient image, all layer history and environment variables are lost. This has numerous downsides from increased build time to the inability to share the layer with another image.
Without squashing the final layer, using Marinara to extend an existing image results in a considerable amount of wasted space in the image. Many files are partially or completely overwritten/duplicated in the overlay FS, which results in a very inefficient image.
Here's an example where I created a .NET Runtime Deps image with Marinara, then tried to extend it by installing the ca-certificates, icu, and tzdata packages.
Base image:
FROM azurelinuxpreview.azurecr.io/public/azurelinux/marinara:3.0 AS builder
RUN marinaracreate.py \
    --image-type "minimal-nonroot" \
    --azure-linux-version "3.0" \
    --location "/staging" \
    --add-packages "prebuilt-ca-certificates glibc libgcc libstdc++ openssl-libs zlib" \
    --packages-to-holdback "" \
    --user "app" \
    --user-uid "1654" \
    --user-gid "1654"

# .NET runtime-deps image
FROM scratch
ENV \
    # UID of the non-root user 'app'
    APP_UID=1654 \
    # Configure web servers to bind to port 8080 when present
    ASPNETCORE_HTTP_PORTS=8080 \
    # Enable detection of running in a container
    DOTNET_RUNNING_IN_CONTAINER=true \
    # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
COPY --from=builder /staging/ /
# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=1654:1654 /staging/home/ /home/
USER app
Extended image:
FROM $MY_MARINARA_BASE_IMAGE AS base

FROM azurelinuxpreview.azurecr.io/public/azurelinux/marinara:3.0 AS builder
COPY --from=base /var/lib/rpmmanifest/ /tmp/rpmmanifest/
RUN marinaraextend.py \
    --azure-linux-version "3.0" \
    --location "/staging" \
    --add-packages "ca-certificates icu tzdata" \
    --packages-to-holdback "" \
    --existing-manifest-location "/tmp/rpmmanifest" \
    --new-manifest-location "/var/lib/rpmmanifest" \
    --user "app" \
    --user-uid "1654" \
    --user-gid "1654"

FROM base as final
COPY --from=builder /staging/ /
# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=1654:1654 /staging/home/ /home/
# Optional additional layer squash - gets rid of ENVs?
# FROM scratch
# COPY --from=final / /
# COPY --from=final --chown=1654:1654 /home/ /home/
USER $APP_UID
Running a diagnostic tool, dive, on the output of the second image, you can see there's tons of wasted space:
I truncated all of the overwritten files under 100 kB. It seems like most or all of the packages from the first layer are being copied over to the base layer a second time, resulting in over 50% wasted space.
I would consider these downsides to be a deal-breaker when it comes to recommending Marinara to users who wish to add packages to existing Azure Linux distroless images.
Marinara should have a way to extend images by adding packages on an additional layer, resulting in an image that is reasonably size-efficient (95-99%), without resorting to squashing layers or using other workarounds to reduce the number of duplicated files.
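A way to quantify the duplication described in this issue, as an added example that is not Marinara's or dive's own code: it walks image layer tars bottom-up and reports every path written by more than one layer, the bytes shadowed in the overlay FS, and how many re-shipped copies were byte-identical. The two sample layers are constructed inline; the same function accepts the layer tars unpacked from a `docker save` archive.

```python
import hashlib
import io
import tarfile


def make_layer(files: dict[str, bytes]) -> bytes:
    """Build one tar layer from {path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def analyze_layers(layers: list[bytes]) -> dict:
    """Walk layer tars bottom-up; every earlier copy of a path that a later layer
    rewrites is dead weight in the overlay FS (what dive reports as wasted space).
    Identical digests mark files an extend step re-shipped without any change."""
    total = wasted = identical = 0
    latest: dict[str, tuple[int, str]] = {}  # path -> (size, sha256) of newest copy
    writes: dict[str, list[int]] = {}        # path -> indexes of layers writing it
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for m in tar.getmembers():
                if not m.isfile():
                    continue
                path = m.name.lstrip("./")
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                total += m.size
                writes.setdefault(path, []).append(idx)
                if path in latest:
                    prev_size, prev_digest = latest[path]
                    wasted += prev_size
                    identical += digest == prev_digest
                latest[path] = (m.size, digest)
    return {"total": total, "wasted": wasted, "identical": identical,
            "efficiency": 1 - wasted / total if total else 1.0,
            "duplicates": {p: l for p, l in writes.items() if len(l) > 1}}


# Constructed sample: a runtime-deps base layer, then an extend layer that re-ships
# libssl unchanged, legitimately updates /etc/os-release and adds one new file.
BASE_LAYER = make_layer({"usr/lib/libssl.so.3": b"S" * 500, "usr/lib/libz.so.1": b"Z" * 200,
                         "etc/os-release": b"ID=azurelinux\n"})
EXTEND_LAYER = make_layer({"usr/lib/libssl.so.3": b"S" * 500, "etc/os-release": b"ID=azurelinux\nV=3\n",
                           "usr/share/zoneinfo/UTC": b"T" * 100})
if __name__ == "__main__":
    r = analyze_layers([BASE_LAYER, EXTEND_LAYER])
    print(f"efficiency {r['efficiency']:.1%}; wasted {r['wasted']} B in {r['duplicates']}")
```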