Describe the feature you'd like to have
Use a minimal base image (quay.io/centos/centos:stream9) for the final runtime stage of the cephcsi multi-stage Dockerfile, instead of the full Ceph daemon image (quay.io/ceph/ceph).
The final image would only install the strictly required Ceph client shared libraries (librados2, librbd1, libcephfs2) from the official Ceph RPM repository.
The build/compilation stage remains unchanged — it still uses the full Ceph image to provide the -devel headers needed for CGo compilation.
What is the value to the end user? (why is it a priority?)
- Faster image pulls and pod startup: The current image is ~900 MB–1.2 GB. A minimal image would be ~500 MB, significantly reducing pull times in bandwidth-constrained or edge environments.
- Reduced storage consumption: Less disk usage on container registries and on every node in the cluster where the DaemonSet runs.
- Smaller attack surface: Fewer installed packages means fewer potential CVEs to patch and track. The full Ceph image contains daemons, debug tools, and libraries that the CSI plugin never uses at runtime.
- Faster rollouts and scaling: Lighter images mean quicker DaemonSet rollouts and Pod scheduling, improving operational agility.
How will we know we have a good solution? (acceptance criteria)
Additional context
I have a working proof-of-concept patch that implements this approach. In my testing, the resulting image size was ~515 MB uncompressed, down from ~2 GB uncompressed with the current full Ceph base image.
deploy/cephcsi/image/Dockerfile: The final FROM stage switches from updated_base to ${FINAL_BASE_IMAGE} (defaults to quay.io/centos/centos:stream9). The Ceph release RPM is installed and only the userspace client libraries are pulled.
Makefile: CEPH_VERSION is passed as a --build-arg to the container build command so the Dockerfile can configure the correct Ceph repository.
The ldd check at the end of the Dockerfile acts as a safety gate — if any shared library is missing in the minimal image, the build fails immediately.
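The ldd gate described above can be made stricter by failing not only on unresolved dependencies but also when an expected Ceph client library is not linked at all. The shell function below is an added example, not code from the proof-of-concept patch or from ceph-csi; the name ldd_gate, the sonames, the library paths and both sample ldd outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PoC patch). ldd_gate reads `ldd` output on
# stdin; its arguments are soname prefixes that must appear as dependencies
# resolved to an absolute path. Returns 0 only if every check passes.
ldd_gate() {
    out=$(cat)
    rc=0
    # 1. Any dependency the dynamic loader could not resolve fails the gate.
    missing=$(printf '%s\n' "$out" | awk '/=> not found/ {print $1}')
    if [ -n "$missing" ]; then
        # $missing is left unquoted on purpose: one line per library.
        printf 'unresolved: %s\n' $missing >&2
        rc=1
    fi
    # 2. Each required library must be listed and resolved to a real path.
    for lib in "$@"; do
        if ! printf '%s\n' "$out" | awk -v p="$lib" '
            index($1, p) == 1 && $2 == "=>" && $3 ~ /^\// { found = 1 }
            END { exit !found }'; then
            printf 'required library not linked or not resolved: %s\n' "$lib" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what ldd might print inside a complete minimal image.
SAMPLE_OK='    linux-vdso.so.1 (0x00007ffd00000000)
    librados.so.2 => /lib64/librados.so.2 (0x00007f0000300000)
    librbd.so.1 => /lib64/librbd.so.1 (0x00007f0000200000)
    libcephfs.so.2 => /lib64/libcephfs.so.2 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000400000)'

# Constructed sample: the same binary when librbd1 was not installed.
SAMPLE_BAD='    linux-vdso.so.1 (0x00007ffd00000000)
    librados.so.2 => /lib64/librados.so.2 (0x00007f0000300000)
    librbd.so.1 => not found
    libcephfs.so.2 => /lib64/libcephfs.so.2 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Assumed requirement: the plugin binary links all three client libraries.
REQUIRED="librados.so librbd.so libcephfs.so"

printf '%s\n' "$SAMPLE_OK"  | ldd_gate $REQUIRED && echo "complete image: gate passed"
printf '%s\n' "$SAMPLE_BAD" | ldd_gate $REQUIRED || echo "incomplete image: gate failed"
```

In an image build, the real ldd output for the plugin binary would be piped into ldd_gate so that a nonzero status fails the RUN step.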