Linux containers have become a popular topic, and making sure a container image is no bigger than it needs to be is considered good practice. This article gives some tips on how to create smaller Fedora container images.
Fedora’s DNF is written in Python, and it’s designed to be extensible through its wide range of plugins. But Fedora also has an alternative base container image which uses a smaller package manager called microdnf, written in C. To use this minimal image in a Dockerfile, the FROM line should look like this:
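Based on the fedora-minimal image referenced later in this article, the FROM line would be:

```dockerfile
FROM registry.fedoraproject.org/fedora-minimal
```

You can also pin a specific release tag, such as fedora-minimal:30.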
This is an important saving if your image does not need typical DNF dependencies like Python, for example if you are building a NodeJS image.
Install and Clean up in one layer
To save space, it’s important to remove repository metadata using dnf clean all or its microdnf equivalent, microdnf clean all. You should not do this in two steps, because that would store those files in one container image layer and then merely mark them for deletion in another layer. To do it properly, perform the installation and the cleanup in a single step, like this:
RUN microdnf install nodejs && microdnf clean all
Modularity with microdnf
Modularity is a way to offer different versions of a software stack to choose from. For example, you might want the non-LTS NodeJS version 11 for one project, the old LTS NodeJS version 8 for another, and the latest LTS NodeJS version 10 for yet another. You can specify the stream using a colon:
# dnf module list
# dnf module install nodejs:8
The dnf module install command implies two commands: one that enables the stream, and one that installs nodejs from it.
# dnf module enable nodejs:8
# dnf install nodejs
Although microdnf does not offer any command related to modularity, it is possible to enable a module with a configuration file, and libdnf (which microdnf uses) seems to support modularity streams. The file looks like this:
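Based on the echo command used later in this article, the /etc/dnf/modules.d/nodejs.module file that enables the nodejs:8 stream contains:

```
[nodejs]
name=nodejs
stream=8
profiles=
state=enabled
```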
A full Dockerfile using modularity with microdnf looks like this:
FROM registry.fedoraproject.org/fedora-minimal

RUN echo -e "[nodejs]\nname=nodejs\nstream=8\nprofiles=\nstate=enabled\n" > /etc/dnf/modules.d/nodejs.module && \
    microdnf install nodejs zopfli findutils busybox && \
    microdnf clean all
In many cases you might have tons of build-time dependencies that are not needed to run the software, for example when building a Go binary, which statically links its dependencies. Multi-stage builds are an efficient way to separate the application build from the application runtime.
For example, the Dockerfile below builds confd, a Go application.
# building container
FROM registry.fedoraproject.org/fedora-minimal AS build
RUN mkdir /go && microdnf install golang && microdnf clean all
RUN export GOPATH=/go; CGO_ENABLED=0 go get github.com/kelseyhightower/confd
# running container
FROM registry.fedoraproject.org/fedora-minimal
COPY --from=build /go/bin/confd /usr/local/bin
The multi-stage build is done by adding AS after the first FROM instruction, adding another FROM using a base container image, and then using the COPY --from= instruction to copy content from the build container to the second container.
This Dockerfile can then be built and run using podman:
$ podman build -t myconfd .
$ podman run -it myconfd
Thank you. You’re so helpful
It would be nice to see this with Buildah and Podman commands as an alternative to relying on a Dockerfile.
Something like this will work using Buildah commands:
export newcontainer=$(buildah from registry.fedoraproject.org/fedora-minimal:30)
echo -e "[nodejs]\nname=nodejs\nstream=8\nprofiles=\nstate=enabled\n" > nodejs.module
buildah copy $newcontainer nodejs.module /etc/dnf/modules.d/
buildah run $newcontainer -- microdnf install nodejs zopfli findutils busybox
buildah run $newcontainer -- microdnf clean all
buildah commit $newcontainer nodejs
buildah inspect nodejs
Wouldn’t the extra buildah run create an extra layer? In the Dockerfile we did
If I’m not mistaken, buildah does not do auto-commits; it only adds a layer when you commit. And since the commit was done once, it would add a single layer.
Buildah doesn’t write the layers until you commit. So all the operations before the commit are a single layer. You can check this by using
on the build image.
Why not just use pypy to optimize normal dnf?
microdnf does not depend on Python, so if you are creating a NodeJS image, that is a big saving. pypy would still pull in Python-related packages. There is a 170MB difference (a 47% smaller NodeJS image).
I don’t understand much about these topics, but I think it’s awesome.
Nice article, I’ve learned new things.
Another thing that I would like to do with containers, when developing them or when I need to debug one, is to plug in an extra layer with all the development tools that I need, plus my bashrc (especially for aliases) and my configuration for other tools. Is there an easy way to do that?
Because with a minimal image, the test/debug experience is quite horrible IMHO, for example if bash-completion is not installed, etc.