From a687c62a244294141eaefaccae4439127ea28f1e Mon Sep 17 00:00:00 2001
From: anthis
Date: Mon, 13 May 2024 23:34:41 +0900
Subject: [PATCH 1/2] dockerfiles: reducing debug information from the production container image. follow-up for https://github.com/fluent/fluent-bit/discussions/8807 By reducing debug information from the production container image, we aim to achieve a lightweight container image and enhance security. The debug image still includes the debug information file, allowing for easy debugging with tools like gdb.
Signed-off-by: anthis
---
 dockerfiles/Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/dockerfiles/Dockerfile b/dockerfiles/Dockerfile
index b1d505a1574..0992828ebe9 100644
--- a/dockerfiles/Dockerfile
+++ b/dockerfiles/Dockerfile
@@ -29,6 +29,7 @@ ARG FLB_CHUNK_TRACE=On
 ENV FLB_CHUNK_TRACE=${FLB_CHUNK_TRACE}
 RUN mkdir -p /fluent-bit/bin /fluent-bit/etc /fluent-bit/log
+RUN mkdir -p /usr/lib/debug/fluent-bit/bin
 ENV DEBIAN_FRONTEND noninteractive
@@ -81,6 +82,10 @@ RUN cmake -DFLB_RELEASE=On \
 RUN make -j "$(getconf _NPROCESSORS_ONLN)"
 RUN install bin/fluent-bit /fluent-bit/bin/
+RUN objcopy --only-keep-debug /fluent-bit/bin/fluent-bit /usr/lib/debug/fluent-bit/bin/fluent-bit.debug
+RUN objcopy --strip-debug /fluent-bit/bin/fluent-bit
+RUN objcopy --add-gnu-debuglink=/usr/lib/debug/fluent-bit/bin/fluent-bit.debug /fluent-bit/bin/fluent-bit
+
 # Configuration files
 COPY conf/fluent-bit.conf \
 conf/parsers.conf \
@@ -231,6 +236,7 @@ RUN echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/
 RUN rm -f /usr/bin/qemu-*-static
 COPY --from=builder /fluent-bit /fluent-bit
+COPY --from=builder /usr/lib/debug/fluent-bit /usr/lib/debug/fluent-bit
 EXPOSE 2020
From 61ef5d411eb13068c9a50ea19aaffb9f93c541a6 Mon Sep 17 00:00:00 2001
From: anthis
Date: Tue, 14 May 2024 21:56:41 +0900
Subject: [PATCH 2/2] dockerfiles: consolidated layers related to directory creation and objcopy operations
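Review bot: `objcopy --strip-debug` on the second added `RUN objcopy` line removes only the debugging sections, so the production binary still ships its full symbol table; the image gets smaller, but the "enhance security" wording in the description promises more than this step delivers. If the symbol names are kept on purpose so that crash output stays readable, say so in a comment above the three lines, for example `# Split debug sections into /usr/lib/debug (debug image only); symbol table is kept on purpose`. If they are not needed, `--strip-unneeded` would remove more, at the cost of less useful crash traces in production. The same three commands reappear, chained, in the second patch of this series.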
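Review bot: The stage that receives the added `COPY --from=builder /usr/lib/debug/fluent-bit /usr/lib/debug/fluent-bit` starts outside this hunk, so nothing visible here shows that the production stage stays free of the `.debug` file; the neighbouring context (qemu cleanup, backports repository) suggests it is the debug stage. A comment on the line, such as `# Debug symbols: debug image only, do not copy into the production stage`, would stop a later edit from moving it unnoticed. A build-time check that the production image contains no `/usr/lib/debug` directory would turn that intent into something the pipeline enforces.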
Signed-off-by: anthis
---
 dockerfiles/Dockerfile | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/dockerfiles/Dockerfile b/dockerfiles/Dockerfile
index 0992828ebe9..175f7f1800e 100644
--- a/dockerfiles/Dockerfile
+++ b/dockerfiles/Dockerfile
@@ -28,8 +28,7 @@ ENV FLB_NIGHTLY_BUILD=$FLB_NIGHTLY_BUILD
 ARG FLB_CHUNK_TRACE=On
 ENV FLB_CHUNK_TRACE=${FLB_CHUNK_TRACE}
-RUN mkdir -p /fluent-bit/bin /fluent-bit/etc /fluent-bit/log
-RUN mkdir -p /usr/lib/debug/fluent-bit/bin
+RUN mkdir -p /fluent-bit/bin /fluent-bit/etc /fluent-bit/log /usr/lib/debug/fluent-bit/bin
 ENV DEBIAN_FRONTEND noninteractive
@@ -81,10 +80,9 @@ RUN cmake -DFLB_RELEASE=On \
 RUN make -j "$(getconf _NPROCESSORS_ONLN)"
 RUN install bin/fluent-bit /fluent-bit/bin/
-
-RUN objcopy --only-keep-debug /fluent-bit/bin/fluent-bit /usr/lib/debug/fluent-bit/bin/fluent-bit.debug
-RUN objcopy --strip-debug /fluent-bit/bin/fluent-bit
-RUN objcopy --add-gnu-debuglink=/usr/lib/debug/fluent-bit/bin/fluent-bit.debug /fluent-bit/bin/fluent-bit
+RUN objcopy --only-keep-debug /fluent-bit/bin/fluent-bit /usr/lib/debug/fluent-bit/bin/fluent-bit.debug && \
+ objcopy --strip-debug /fluent-bit/bin/fluent-bit && \
+ objcopy --add-gnu-debuglink=/usr/lib/debug/fluent-bit/bin/fluent-bit.debug /fluent-bit/bin/fluent-bit
 # Configuration files
 COPY conf/fluent-bit.conf \