chore(core): fix distroless imports (#806)

universal-itengineer · web-flow · commit acf12c8f15d1 · 2025-03-04T16:47:50.000+03:00
Fix imports dvcr images and cdi images to distroless

Signed-off-by: Nikita Korolev &lt;nikita.korolev@flant.com&gt;
diff --git a/images/cdi-cloner/werf.inc.yaml b/images/cdi-cloner/werf.inc.yaml
@@ -2,21 +2,10 @@
 image: {{ $.ImageName }}
 fromImage: distroless
 import:
-- image: {{ $.ImageName }}-bins
-  add: /relocate/usr/bin
-  to: /bin
-  before: setup
-- image: {{ $.ImageName }}-bins
-  add: /relocate/usr/sbin
-  to: /sbin
-  before: setup
 - image: {{ $.ImageName }}-bins
   add: /relocate
   to: /
   before: setup
-  excludePaths:
-  - usr/sbin
-  - usr/bin
 - image: cdi-artifact
   add: /cdi-binaries
   to: /usr/bin
diff --git a/images/cdi-controller/werf.inc.yaml b/images/cdi-controller/werf.inc.yaml
@@ -2,31 +2,32 @@
 image: {{ $.ImageName }}
 fromImage: distroless
 import:
-- image: {{ $.ImageName }}-bins
-  add: /tmp
-  to: /tmp
-  before: setup
 - image: {{ $.ImageName }}-bins
   add: /relocate
   to: /
   before: setup
-- image: cdi-artifact
-  add: /cdi-binaries
-  to: /usr/bin
-  includePaths:
-  - cdi-controller
-  before: setup
-# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-controller/BUILD.bazel
 docker:
   ENTRYPOINT: ["/usr/bin/cdi-controller", "-alsologtostderr"]
   USER: 64535
 ---
-{{- $binaries := "/usr/bin/cat /usr/bin/bash /usr/bin/echo" }}
+{{- $binaries := "/usr/bin/cat /usr/bin/bash /usr/bin/echo /usr/bin/cdi-controller" }}
 
 image: {{ $.ImageName }}-bins
 final: false
 fromImage: base-alt-p11-binaries
+import:
+- image: cdi-artifact
+  add: /cdi-binaries
+  to: /usr/bin
+  includePaths:
+  - cdi-controller
+  before: setup
+# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-controller/BUILD.bazel
 shell:
-  beforeInstall:
+  setup:
+  - /relocate_binaries.sh -i "{{ $binaries }}" -o /relocate
+# tmp folder need for ready file
+# https://github.com/kubevirt/containerized-data-importer/blob/v1.60.3/pkg/operator/resources/namespaced/controller.go#L243
   - |
-    /relocate_binaries.sh -i "{{ $binaries }}" -o /relocate
+    mkdir -p /relocate/tmp
+    chown 64535:64535 /relocate/tmp
diff --git a/images/cdi-importer/werf.inc.yaml b/images/cdi-importer/werf.inc.yaml
@@ -1,28 +1,64 @@
 ---
 image: {{ $.ImageName }}
-fromImage: base-alt-p11
+fromImage: distroless
+import:
+- image: {{ $.ImageName }}-bins
+  add: /relocate
+  to: /
+  before: setup
+# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-importer/BUILD.bazel
+docker:
+  ENTRYPOINT: ["/usr/bin/cdi-importer", "-alsologtostderr"]
+  USER: 64535
+
+---
+{{- define "cdi-importer-deps" -}}
+packages:
+  - qemu-img
+  - sqlite3
+  - libnbd
+  - nbd-client
+  - nbd-server
+binaries:
+  - /usr/bin/sh
+  - /usr/bin/rm
+  - /usr/bin/grep
+  # Qemu-img
+  - /usr/bin/qemu-img
+  - /usr/bin/qemu-io
+  - /usr/bin/qemu-nbd
+  # All nbd bins
+  - /usr/bin/nbd*
+  # Mount
+  - /usr/bin/mount /usr/bin/umount
+  # Sqlite3
+  - /usr/bin/sqldiff /usr/bin/sqlite3 /usr/bin/sqlite3_analyzer
+  # CDI bind
+  - /usr/bin/cdi-containerimage-server /usr/bin/cdi-image-size-detection /usr/bin/cdi-importer /usr/bin/cdi-source-update-poller
+{{- end -}}
+
+{{ $cdiImporterDependencies := include "cdi-importer-deps" . | fromYaml }}
+
+image: {{ $.ImageName }}-bins
+final: false
+fromImage: base-alt-p11-binaries
 import:
 - image: cdi-artifact
   add: /cdi-binaries
   to: /usr/bin
+  before: setup
   includePaths:
   - cdi-containerimage-server
   - cdi-image-size-detection
   - cdi-importer
   - cdi-source-update-poller
-  before: setup
 shell:
   install:
   - |
     apt-get update && apt-get install --yes \
-    qemu-img==9.1.2-alt1 \
-    sqlite3==3.46.0-alt1 \
-    libnbd==1.19.11-alt1 \
-    nbd-client==3.26.1-alt1 \
-    nbd-server==3.26.1-alt1
+      {{ $cdiImporterDependencies.packages | join " " }}
   - apt-get clean
   - rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
-# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-importer/BUILD.bazel
-docker:
-  ENTRYPOINT: ["/usr/bin/cdi-importer", "-alsologtostderr"]
-  USER: 64535
+  setup:
+  - |
+    /relocate_binaries.sh -i "{{ $cdiImporterDependencies.binaries | join " " }}" -o /relocate
diff --git a/images/cdi-uploadserver/werf.inc.yaml b/images/cdi-uploadserver/werf.inc.yaml
@@ -2,23 +2,50 @@
 image: {{ $.ImageName }}
 fromImage: base-alt-p11
 import:
+- image: {{ $.ImageName }}-bins
+  add: /relocate
+  to: /
+  before: setup
+# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-uploadserver/BUILD.bazel
+docker:
+  ENTRYPOINT: ["/usr/bin/cdi-uploadserver", "-alsologtostderr"]
+  USER: 64535
+
+---
+{{- define "cdi-uploadserver-deps" -}}
+packages:
+  - qemu-img
+  - libnbd
+binaries:
+  # Qemu-img
+  - /usr/bin/qemu-img
+  - /usr/bin/qemu-io
+  - /usr/bin/qemu-nbd
+  # All nbd bins
+  - /usr/bin/nbd*
+  # CDI bind
+  - /usr/bin/cdi-uploadserver
+{{- end -}}
+
+{{ $cdiUploadServerDependencies := include "cdi-uploadserver-deps" . | fromYaml }}
+
+image: {{ $.ImageName }}-bins
+final: false
+fromImage: base-alt-p11-binaries
+import:
 - image: cdi-artifact
   add: /cdi-binaries
   to: /usr/bin
+  before: setup
   includePaths:
   - cdi-uploadserver
-  before: setup
 shell:
   install:
-  # Install qemu-img and libnbd.
   - |
     apt-get update && apt-get install --yes \
-    qemu-img==9.1.2-alt1 \
-    libnbd==1.19.11-alt1
+      {{ $cdiUploadServerDependencies.packages | join " " }}
   - apt-get clean
   - rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
-
-# Source https://github.com/kubevirt/containerized-data-importer/blob/v1.58.0/cmd/cdi-uploadserver/BUILD.bazel
-docker:
-  ENTRYPOINT: ["/usr/bin/cdi-uploadserver", "-alsologtostderr"]
-  USER: 64535
+  setup:
+  - |
+    /relocate_binaries.sh -i "{{ $cdiUploadServerDependencies.binaries | join " " }}" -o /relocate
diff --git a/images/dvcr-importer/werf.inc.yaml b/images/dvcr-importer/werf.inc.yaml
@@ -7,8 +7,8 @@ import:
   to: /
   after: install
   excludePaths:
-  - '*/dvcr-uploader'
-  - '*/dvcr-cleaner'
+  - '**/dvcr-uploader'
+  - '**/dvcr-cleaner'
 git:
 - add: /images/dvcr-artifact/build
   to: /
diff --git a/images/dvcr-uploader/werf.inc.yaml b/images/dvcr-uploader/werf.inc.yaml
@@ -7,8 +7,8 @@ import:
   to: /
   after: install
   excludePaths:
-  - '*/dvcr-importer'
-  - '*/dvcr-cleaner'
+  - '**/dvcr-importer'
+  - '**/dvcr-cleaner'
 git:
 - add: /images/dvcr-artifact/build
   to: /
diff --git a/images/dvcr/werf.inc.yaml b/images/dvcr/werf.inc.yaml
@@ -4,15 +4,18 @@ fromImage: distroless
 import:
 - image: {{ $.ImageName }}-builder
   add: /container-registry-binary
-  to: /bin
+  to: /usr/bin
   after: install
+  includePaths:
+  - registry
 # Registry configuration is stored in configmap: templates/dvcr/configmap.yaml
 - image: {{ $.ImageName }}-artifact-bins
-  add: /relocate/usr/bin
-  to: /usr/bin
-  includePaths:
-  - dvcr-cleaner
+  add: /relocate
+  to: /
   after: install
+  excludePaths:
+  - '**/dvcr-uploader'
+  - '**/dvcr-importer'
 docker:
   USER: 64535
 ---
