Allow building from source whilst still keeping container size down

[lag-linaro]

Fixes: #7
Fixes: docker-library/official-images#4718

Commit 3246cae (Notary 0.6.1, and rather than commit binaries,
build using multistage dockerfiles.) provided support for building
binaries from source, instead of introducing them into the repo. It
also introduced multi-stage builds into the project.

Multi-stage builds allow us to supply all of the build requirements
into disposable build-containers. Once finished with, only the
required build artifacts are copied out into a nice succinct run-
container. This results in a container with a much smaller
footprint.

The issue is; Docker's Official Images platform does not yet support
multi-stage builds. So until they do, we need to find a source of
compromise.

Here we start with a small base (Alpine), install only the build
requirements we need, build from source, then once complete clean-up
any unnecessary packages. This both allows for building from source
AND keeps the final run-container nice and small.

Signed-off-by: Lee Jones [email protected]

[yosifkit]

This should be a specific version of Alpine, like 3.8, to prevent possible incompatibilities (like when they switch ssl back to openssl).

[lag-linaro]

Thanks. Will fix.

[tianon]

This scraping via wget seems really hacky -- why are we going to all this trouble?

If it's important for version.GitCommit to be set to a value that isn't simple like $TAG (which is technically a valid Git ref, and is the ref we're building from), then why not instead install git, do a git clone --depth 1, and then use the existing Makefile to let the upstream build set the values appropriately itself?

Here's an example Dockerfile I've successfully tested (on both amd64 and arm64) that runs and generates a ~21MB image (~4MB for alpine:3.8 and ~17MB for notary-server), and provides the expected values in notary-server -debug:

FROM alpine:3.8

RUN adduser -D -H -g "" notary

ENV PATH=$PATH:/notary/server
WORKDIR /notary/server

ENV NOTARYPKG github.com/theupdateframework/notary
ENV TAG v0.6.1

RUN set -eux; \
	\
	apk add --no-cache --virtual .build-deps git go make musl-dev; \
	\
	export GOPATH=/go GOCACHE=/go/cache; \
	mkdir -p "$GOPATH/src/$NOTARYPKG"; \
	git clone -b "$TAG" --depth 1 "https://$NOTARYPKG" "$GOPATH/src/$NOTARYPKG"; \
	\
	make -C "$GOPATH/src/$NOTARYPKG" PREFIX=. ./bin/static/notary-server; \
	cp -vL "$GOPATH/src/$NOTARYPKG/bin/static/notary-server" ./; \
	rm -rf "$GOPATH"; \
	\
	apk del --no-network .build-deps

EXPOSE 4443

COPY ./server-config.json .
COPY ./entrypoint.sh .

USER notary

ENTRYPOINT [ "entrypoint.sh" ]
CMD [ "notary-server", "--help" ]

I also don't understand why this and #11 are separate PRs (since it's effectively the same exact change), but the same approach will likely work in exactly the same way over on notary-signer.

[tianon]

... the same approach will likely work in exactly the same way over on notary-signer.

Confirmed -- copied, replaced all server with signer and everything appears to work.

[lag-linaro]

One step at a time. This PR moves everything in the right direction (removes multi-stage builds) - it does not make things perfect. In the projects I normally work in, commits are expected to contain only one functional change.

They are separate PRs because I wanted to see if the change would be well received before spending even more effort on something that would have been NACKed. Ultimately I'm happy to merge them.

[yosifkit]

LGTM from the official-images side.

[lag-linaro]

Thanks for your time @yosifkit. Much appreciated.

[lag-linaro]

@justincormack now that the Official Images guys are happy, would you mind re-reviewing please?

[justincormack]

I think its better to use eg golang/1.10.5-alpine3.8 so we pin the Go version and the Alpine version, rather than installing the Go that Alpine happens to have at present.

[lag-linaro]

By doing so you will increase the size of the image from 21MB to 268MB.

[lag-linaro]

We could do 'apk add go=1.10.5' if you'd prefer?

[justincormack]

Ah ugh yes. I am just trying to get Alpine updated with the latest Go 1.10 patch release, as it is currently only on 1.10.1.

[lag-linaro]

That would be a better solution.

Although it doesn't seem to affect Notary. It tested just fine with Apline 3.8.

[lag-linaro]

So when installing this PR I see that Apline 3.8 installs Go version 1.10.5-r0.

(19/22) Installing go (1.10.5-r0)

Is that not adequate?

[justincormack]

Yes, Its fixed now, I got an updated version pushed yesterday, all good...

[lag-linaro]

Thanks @justincormack, you're a star.

Do you want me to raise a PR on Official Images saying that we now support AArch64?

I'm happy to do it if you do not have time. Can tag you as a reviewer too.

[lag-linaro]

It's also required to bump to 0.6.1.

Official Images is still at 0.5.0.

[justincormack]

@lag-linaro I think I need to re-tag the v0.6.1 release that we did in this repo, as it has the previous version in. And not sure exactly what we need in the replacement for docker-library/official-images#4718 maybe @tianon or @yosifkit can help...

[lag-linaro]

@justincormack this and #11 PRs fix @tianon and @yosifkit reviews.

We can now re-submit docker-library/official-images#4718.

This is what I was proposing in #10 (comment).

[justincormack]

I think docker-library/official-images#4718 would at least need to list the architectures to build for. Let me re-tag this repo as well now.

[lag-linaro]

Absolutely. In order to provide additional arches, we need to supply an Architectures: tag.

[lag-linaro]

See HERE

Let me know if you'd like me to submit it.

[justincormack]

Ok, I pushed a new v0.6.1 tag to this repo and deleted the old one, so yes that should be good to submit I think.

[lag-linaro]

Great. That's sent.

It will help expedite the process if you could review and provide your LGTM.