chore(core): virt-handler to distroless (#748)

universal-itengineer · web-flow · commit 1fbd6481e502 · 2025-02-17T18:28:18.000+03:00
Change virt-handler image to distroless
---------
Signed-off-by: Nikita Korolev &lt;nikita.korolev@flant.com&gt;
diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
@@ -1,22 +1,11 @@
 ---
 image: {{ $.ImageName }}
-fromImage: base-alt-p11
-shell:
-  install:
-  # Install main packages, update GPG keys and vendor IDs list.
-  - |
-    apt-get update && apt-get install --yes \
-    acl \
-    procps \
-    nftables \
-    qemu-img==9.1.2-alt1 \
-    xorriso==1.5.6-alt1
-  - apt-get clean
-  - rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
-  setup:
-  # Create qemu group and user.
-  - groupadd --gid 107 qemu && useradd qemu --uid 107 --gid 107 --shell /bin/bash --create-home
+fromImage: distroless
 import:
+- image: {{ $.ImageName }}-bins
+  add: /relocate
+  to: /
+  after: install
 - image: virt-artifact
   add: /kubevirt-binaries/
   to: /usr/bin
@@ -45,4 +34,37 @@ import:
   - nsswitch.conf
 # Source https://github.com/kubevirt/kubevirt/blob/v1.3.1/cmd/virt-handler/BUILD.bazel
 docker:
+  USER: 0
   ENTRYPOINT: ["/usr/bin/virt-handler"]
+
+---
+{{- $binaries := "/usr/bin/bash /usr/bin/rm /usr/bin/grep /usr/bin/qemu-img /usr/bin/qemu-io /usr/bin/qemu-nbd /usr/bin/mount /usr/bin/umount /usr/bin/chacl /usr/bin/getfacl /usr/bin/setfacl /usr/bin/ps /usr/sbin/slabtop /usr/sbin/sysctl /usr/bin/free /usr/bin/pgrep /usr/bin/pidwait /usr/bin/pkill /usr/bin/pmap /usr/bin/pwdx /usr/bin/skill /usr/bin/snice /usr/bin/tload /usr/bin/top /usr/bin/uptime /usr/bin/vmstat /usr/bin/w /usr/bin/watch /usr/sbin/nft /usr/bin/xorriso /usr/bin/xorrecord /usr/bin/osirrox /usr/bin/xorriso-dd-target /usr/bin/xorrisofs" }}
+
+image: {{ $.ImageName }}-bins
+final: false
+fromImage: base-alt-p11-binaries
+shell:
+  install:
+  - |
+    apt-get update && apt-get install --yes \
+      acl \
+      procps \
+      nftables \
+      qemu-img \
+      xorriso
+  - apt-get clean
+  - rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
+  setup:
+  - |
+    /relocate_binaries.sh -i "{{ $binaries }}" -o /relocate
+
+    mkdir -p /relocate/etc /relocate/root
+    echo "root:x:0:0:root:/root:/bin/bash" >> /relocate/etc/passwd
+    echo "root:x:0:" >> /relocate/etc/group
+    echo "root:x:::::::" >> /relocate/etc/shadow
+    
+    echo "qemu:x:107:107::/home/qemu:/bin/bash" >> /relocate/etc/passwd
+    echo "qemu:x:107:" >> /relocate/etc/group
+    mkdir -p /relocate/home/qemu
+    chown -R 107:107 /relocate/home/qemu
+    
