Adds RPM db to container images

reederc42 · web-flow · commit a0e97b301cda · 2026-02-13T11:39:41.000-08:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,4 @@
 ARG ARCH=amd64
-# Image for dependencies such as NFS binaries
 ARG DEPS_IMAGE=alpine:3
 
 FROM --platform=linux/${ARCH} $DEPS_IMAGE AS deps
@@ -11,31 +10,74 @@ ARG CHWRAP_BIN=chwrap.tar
 ARG NODE_PREP_BIN=node_prep
 ARG SYSWRAP_BIN=syswrap
 
-# Installs nfs-utils based on DEPS_IMAGE
+ARG BIN_ALLOWLIST="\
+    /bin/mount \
+    /bin/umount \
+    /sbin/mount.nfs \
+    /sbin/mount.nfs4 \
+"
+
+ARG FILE_ALLOWLIST="\
+    /etc/os-release \
+    /etc/netconfig \
+    /etc/protocols \
+    /etc/ssl/certs/* \
+    /var/lib/rpm/rpmdb.sqlite \
+"
+
+# Install dependencies based on DEPS_IMAGE
 RUN --mount=type=secret,id=activation_key,env=ACTIVATION_KEY \
     --mount=type=secret,id=organization,env=ORGANIZATION \
     function unregister() { subscription-manager unregister || true; }; trap unregister EXIT; \
     if [[ $DEPS_IMAGE =~ "alpine" ]]; \
         then apk add --no-scripts nfs-utils; \
         else subscription-manager register --activationkey $ACTIVATION_KEY --org $ORGANIZATION && \
-            yum install --repo=rhel-9-*-baseos-rpms -y nfs-utils || { cat /var/log/rhsm/rhsm.log; exit 1; }  \
-    fi;
+            dnf install \
+                --repo=rhel-9-*-baseos-rpms -y \
+                --setopt=tsflags=noscripts \
+                nfs-utils || { cat /var/log/rhsm/rhsm.log; exit 1; }  \
+    fi
+
+# Get dynamic libs for allowed binaries
+RUN for bin in $BIN_ALLOWLIST; do \
+        ldd $bin | tr -s '[:space:]' '\n' | grep '^/'; \
+    done | sort | uniq > /tmp/ld_allowlist.txt
 
-# Copy dependencies to the root filesystem
-RUN for dep in /bin/mount /bin/umount /sbin/mount.nfs /sbin/mount.nfs4 /etc/netconfig /etc/protocols /etc/ssl/certs/*; do \
-        mkdir -p /rootfs/$(dirname $dep) && cp -L $dep /rootfs/$dep; \
+# Minimize RPM database
+RUN if [[ $DEPS_IMAGE =~ "alpine" ]]; then exit 0; fi; \
+    for f in $BIN_ALLOWLIST $FILE_ALLOWLIST $(cat /tmp/ld_allowlist.txt); do \
+        rpm -qf $f; \
+    done | sort | uniq > /tmp/rpm_allowlist.txt; \
+    rpm --justdb -e --nodeps $(rpm -qa | grep -v -f /tmp/rpm_allowlist.txt)
+
+# Copy required files to rootfs
+RUN for f in $BIN_ALLOWLIST $FILE_ALLOWLIST $(cat /tmp/ld_allowlist.txt); do \
+        if [ -e "$f" ]; then \
+            dest="/rootfs${f}"; \
+            mkdir -p "$(dirname "$dest")"; \
+            cp -a "$f" "$dest"; \
+        fi; \
     done
 
-# Copy NFS dependencies to the root filesystem
-RUN for bin in /sbin/mount.nfs /sbin/mount.nfs4; do \
-        ldd $bin | tr -s '[:space:]' '\n' | grep '^/' | xargs -I % sh -c 'mkdir -p /rootfs/$(dirname %) && cp -L % /rootfs/%'; \
+# Copy symlink targets to rootfs
+RUN find /rootfs -type l | while read -r link; do \
+        target="$(readlink $link)"; \
+        if [[ "$target" =~ ^/ ]]; then \
+            dest="/rootfs$target"; \
+        else \
+            dest="$(dirname $link)/$target"; \
+            target=${dest#"/rootfs"}; \
+        fi; \
+        mkdir -p "$(dirname $dest)"; \
+        cp -a "$target" "$dest"; \
     done
 
 COPY ${BIN} /rootfs/trident_orchestrator
 COPY ${CLI_BIN} /rootfs/bin/tridentctl
 COPY ${NODE_PREP_BIN} /rootfs/node_prep
 COPY ${SYSWRAP_BIN} /rootfs/syswrap
 ADD ${CHWRAP_BIN} /rootfs/
+COPY LICENSE NOTICE.txt /rootfs/licenses/
 
 FROM scratch
 
@@ -52,7 +94,5 @@ LABEL maintainer="The NetApp Trident Team" \
 
 COPY --from=deps /rootfs /
 
-COPY LICENSE NOTICE.txt /licenses/
-
 ENTRYPOINT ["/bin/tridentctl"]
 CMD ["version"]
diff --git a/Makefile b/Makefile
@@ -280,6 +280,7 @@ docker_build_windows = $1 build \
 docker_build_operator = $1 build \
 	--platform $2 \
 	--file operator/Dockerfile \
+	--build-arg ARCH=$(call arch,$2) \
 	--build-arg BIN=$(call binary_path,trident-operator,$2) \
 	--build-arg VERSION=$(VERSION) \
 	$(if $(TRIDENT_DEPS_IMAGE),--build-arg DEPS_IMAGE=$(TRIDENT_DEPS_IMAGE)) \
diff --git a/operator/Dockerfile b/operator/Dockerfile
@@ -1,10 +1,39 @@
-# Image for dependencies such as CA certificates
+ARG ARCH=amd64
 ARG DEPS_IMAGE=alpine:3
 
-FROM $DEPS_IMAGE AS deps
+FROM --platform=linux/${ARCH} $DEPS_IMAGE AS deps
 
-RUN mkdir /real-certs; \
-    cp -L /etc/ssl/certs/* /real-certs/
+ARG FILE_ALLOWLIST="\
+    /etc/os-release \
+    /etc/ssl/certs/* \
+"
+
+ARG BIN=trident-operator
+
+# Copy required files to rootfs
+RUN for f in $FILE_ALLOWLIST; do \
+        if [ -e "$f" ]; then \
+            dest="/rootfs${f}"; \
+            mkdir -p "$(dirname "$dest")"; \
+            cp -a "$f" "$dest"; \
+        fi; \
+    done
+
+# Copy symlink targets to rootfs
+RUN find /rootfs -type l | while read -r link; do \
+        target="$(readlink $link)"; \
+        if [[ "$target" =~ ^/ ]]; then \
+            dest="/rootfs$target"; \
+        else \
+            dest="$(dirname $link)/$target"; \
+            target=${dest#"/rootfs"}; \
+        fi; \
+        mkdir -p "$(dirname $dest)"; \
+        cp -a "$target" "$dest"; \
+    done
+
+COPY LICENSE NOTICE.txt /rootfs/licenses/
+COPY ${BIN} /rootfs/trident-operator
 
 FROM scratch
 
@@ -19,10 +48,6 @@ LABEL maintainer="The NetApp Trident Team" \
       version="${VERSION}" \
       release="${VERSION}"
 
-ARG BIN=trident-operator
-
-COPY --from=deps /real-certs/ /etc/ssl/certs/
-COPY LICENSE NOTICE.txt /licenses/
-COPY ${BIN} /trident-operator
+COPY --from=deps /rootfs /
 
 ENTRYPOINT ["/trident-operator"]
