Building Smaller Container Images

Linux Containers have become a popular topic, making sure that a container image is not bigger than it should be is considered as a good practice. This article give some tips on how to create smaller Fedora container images.

microdnf

Fedora’s DNF is written in Python and and it’s designed to be extensible as it has wide range of plugins. But Fedora has an alternative base container image which uses an smaller package manager called microdnf written in C. To use this minimal image in a Dockerfile the FROM line should look like this:

FROM registry.fedoraproject.org/fedora-minimal:30

This is an important saving if your image does not need typical DNF dependencies like Python. For example, if you are making a NodeJS image.

Install and Clean up in one layer

To save space it’s important to remove repos meta data using dnf clean all or its microdnf equivalent microdnf clean all. But you should not do this in two steps because that would actually store those files in a container image layer then mark them for deletion in another layer. To do it properly you should do the installation and cleanup in one step like this

FROM registry.fedoraproject.org/fedora-minimal:30 
RUN microdnf install nodejs && microdnf clean all

Modularity with microdnf

Modularity is a way to offer you different versions of a stack to choose from. For example you might want non-LTS NodeJS version 11 for a project and old LTS NodeJS version 8 for another and latest LTS NodeJS version 10 for another. You can specify which stream using colon

# dnf module list  
# dnf module install nodejs:8

The dnf module install command implies two commands one that enables the stream and one that install nodejs from it.

# dnf module enable nodejs:8 
# dnf install nodejs

Although microdnf does not offer any command related to modularity, it is possible to enable a module with a configuation file, and libdnf (which microdnf uses) seems to support modularity streams. The file looks like this

/etc/dnf/modules.d/nodejs.module 
[nodejs]
name=nodejs
stream=8
profiles=
state=enabled

A full Dockerfile using modularity with microdnf looks like this:

FROM registry.fedoraproject.org/fedora-minimal:30 
RUN \
echo -e "[nodejs]\nname=nodejs\nstream=8\nprofiles=\nstate=enabled\n" > /etc/dnf/modules.d/nodejs.module && \
microdnf install nodejs zopfli findutils busybox && \
microdnf clean all

Multi-staged builds

In many cases you might have tons of build-time dependencies that are not needed to run the software for example building a Go binary, which statically link dependencies. Multi-stage build are an efficient way to separate the application build and the application runtime.

For example the Dockerfile below builds confd a Go application.

# building container 
FROM registry.fedoraproject.org/fedora-minimal AS build
RUN mkdir /go && microdnf install golang && microdnf clean all
WORKDIR /go
RUN export GOPATH=/go; CGO_ENABLED=0 go get github.com/kelseyhightower/confd

FROM registry.fedoraproject.org/fedora-minimal
WORKDIR /
COPY --from=build /go/bin/confd /usr/local/bin
CMD ["confd"]

The multi-stage build is done by adding AS after the FROM instruction and by having another FROM from a base container image then using COPY –from= instruction to copy content from the build container to the second container.

This Dockerfile can then be built and run using podman

$ podman build -t myconfd .
$ podman run -it myconfd
Fedora Project community

9 Comments

  1. Bashar Subeh

    Thank you. You’re so helpful

  2. Ard Righ

    It would be nice to see this with Buildah and Podman commands as an alternative to relying on a Dockerfile.

  3. Ard Righ

    Something like this will work using Buildah commands

    export newcontainer=$(buildah from registry.fedoraproject.org/fedora-minimal:30)
    echo $newcontainer
    echo -e “[nodejs]\nname=nodejs\nstream=8\nprofiles=\nstate=enabled\n” > nodejs.module
    buildah copy $newcontainer nodejs.module /etc/dnf/modules.d/
    buildah run $newcontainer — microdnf install nodejs zopfli findutils busybox
    buildah run $newcontainer — microdnf clean all
    buildah commit $newcontainer nodejs
    buildah inspect nodejs

    • Wouldn’t the extra buildah run create an extra layer? In the dockerfile we did

      && microdnf clean all

      .

      • If I’m not mistaken, buildah do not do auto-commits, it only adds a layer when you commit. and since he did it once, it would add a single layer.

      • Ard Righ

        Buildah doesn’t write the layers until you commit. So all the operations before the commit are a single layer. You can check this by using

        inspect

        on the build image.

  4. Raphael Groner

    Why not just use pypy to optimize normal dnf?

    • microdnf does not depend on python, if you are creating a nodejs images that would be a big saving. but pypy would still pull python-related packages. There is a 170MB difference (47% smaller nodejs image).

  5. Luiz

    I don’t understand so much about theses topics, But I think it’s awesome.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: