Changing permissions adding to image size in configure.sh
jdmcclur opened this issue · 5 comments
For example, this Dockerfile adds a 345m layer for configure.sh
FROM websphere-liberty:full
RUN configure.sh
0e48e5b554bf About a minute ago /bin/sh -c configure.sh 345MB
If I comment out lines 133 and 140 of configure.sh, this number goes down to 81MB.
5d346e8007eb 12 seconds ago /bin/sh -c configure.sh 81MB
Similar issue with websphere-liberty:kernel, but it is not as bad as there are fewer files in the image.
Can we do this differently?
I would also like to know more about this as well to see what can be done to improve the configure.sh process to make it run faster as well as create a small concise final image!
@bbarman4u - to make it run faster set
ENV OPENJ9_SCC=false
RUN configure.sh
This will slow down the startup of the final container, but configure.sh will run a lot faster.
I have looked into the perm issues, and noticed this idea from openliberty: OpenLiberty/ci.docker@1fb9620
So, if I understand everything correctly
Line 133
find /opt/ibm/wlp -perm -g=w -print0 | xargs -0 -r chmod -R g+rw
This is currently changing the permissions of anything that has group write access to group read/write access. Well, not doing this if it already has group read/write access avoids a duplication of layers. (adding ! -perm -g=r, so change perms to g=rw on anything with group write access, but missing read access)
find /opt/ibm/wlp -perm -g=w ! -perm -g=r -print0 | xargs -0 -r chmod -R g+rw
However, line 140 is a bit trickier
#Make folder executable for a group
find /opt/ibm/wlp -type d -perm -g=x -print0 | xargs -0 -r chmod -R g+rwx
This is taking any directory under /opt/ibm/wlp with group execute access and making it group read/write/execute access. I think this may be every single folder.
Do we really need to do this? Why don't we do it in open-liberty? I don't think any folders have group write access so adding ! -perm -g=rw doesn't help. If this really needs to be done, we should set this in the initial layer to avoid duplication, which leads to > 250mb of container size for no value if using the full layer.
Any thoughts @leochr?
My assumptions were wrong above
Line 133
find /opt/ibm/wlp -perm -g=w -print0 | xargs -0 -r chmod -R g+rw
is basically doing below because it finds that /opt/ibm/wlp has group write permission and recursively sets g+rw on it and everything under it.
chmod -R g+rw /opt/ibm/wlp
which makes line 140 redundant.
I think we should change it to this and take out line 140
find /opt/ibm/wlp ! -perm -g=rw -print0 | xargs -0 -r chmod g+rw
This will only change files/folders that need it. The same thing should also be done in the full Dockerfiles after running installUtility. I am not sure if every file needs rw, but that is what the current behavior is doing.
Note: Things need to have group rw because some Kubernetes environments run with a random user.
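An added example, not part of the thread or of configure.sh: it builds a constructed stand-in for /opt/ibm/wlp and counts how many paths the original line 133 form would chmod compared with the proposed ! -perm -g=rw form, then applies the proposed form. The function names, the sample tree and its modes are assumptions made for illustration; GNU find and xargs are assumed, as in the commands above.

```shell
#!/bin/sh
# Constructed sample tree (made-up files and modes) standing in for /opt/ibm/wlp.
make_tree() {
    root=$1
    mkdir -p "$root/lib" "$root/usr/servers"
    : > "$root/lib/a.jar"
    : > "$root/lib/b.jar"
    : > "$root/usr/servers/server.xml"
    chmod 775 "$root" "$root/usr" "$root/usr/servers"  # already g+rwx
    chmod 755 "$root/lib"                              # missing g+w
    chmod 664 "$root/lib/a.jar"                        # already g+rw
    chmod 644 "$root/lib/b.jar"                        # missing g+w
    chmod 640 "$root/usr/servers/server.xml"           # missing g+w
}

# Paths the original line 133 would chmod: every find match is handed to
# "chmod -R", so each match drags its whole subtree along. Nothing is changed
# here; the subtrees are only listed and de-duplicated.
touched_by_old() {
    find "$1" -perm -g=w -exec find {} \; | sort -u | wc -l | tr -d ' '
}

# Paths the proposed form would chmod: only those lacking group read or write.
touched_by_new() {
    find "$1" ! -perm -g=rw | wc -l | tr -d ' '
}

# The proposed replacement from the thread: no -R, only paths that need it.
apply_new() {
    find "$1" ! -perm -g=rw -print0 | xargs -0 -r chmod g+rw
}

demo=$(mktemp -d)
make_tree "$demo/wlp"
echo "old form would chmod:        $(touched_by_old "$demo/wlp") paths"
echo "new form would chmod:        $(touched_by_new "$demo/wlp") paths"
apply_new "$demo/wlp"
echo "still missing g+rw after it: $(touched_by_new "$demo/wlp") paths"
rm -rf "$demo"
```

Because the top directory already has group write, the old form reaches every path in the tree, while the new form is limited to the paths that lack group read or write.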