Reduce kolla containers image size by moving off puppet config only bits and its dependencies we override for tripleo
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Opinion | Medium | Unassigned |
Bug Description
Bug created for systemd dependencies https:/
Currently, we include puppet-tripleo (which pulls in puppet, which in turn adds systemd, ruby and more...) into the base container image, which affects [0] the size of all containers for all services, adds more subjects for CVE handling and potential attack vectors. And we use ~101 images for a typical deployment, out of 146 images in total. For edge scenarios, where there are potentially (tens of) thousands of nodes distributed over high-latency and limited-bandwidth WAN networks, that poses a problem.
The solution is creating a sidecar container and consuming volumes from it when configuring containerized services via the puppet* deployment steps (docker-puppet.py). Note, we cannot just use a single config image that contains all those puppet bits for all of the containers configured via puppet, as there are service-specific config actions, like calling cinder-manage from puppet, for example. Containers need not keep those puppet packages for the later deployment steps, including runtime/operational stages as well. Nor should any containerized service require systemd (it brings in a lot of dependencies that are totally useless for containers, for 190MB in total!)
So we can save approximately 16MB + 61MB + 190MB for the base layer of the container images (checked with):
$ repoquery -R --resolve puppet-tripleo | xargs -n1 -I{} bash -c "rpm -qi {}" 2>&1 | awk '/Size/ {print $NF}' | paste -sd+ - | bc
16610038
$ repoquery -R --resolve puppet | xargs -n1 rpm -qa --queryformat '%10{size} - %-25{name} \t %{version}\n'
[zuul@undercloud ~]$ repoquery -R --resolve puppet | xargs -n1 -I{} bash -c "rpm -qi {}" 2>&1 | awk '/Size/ {print $NF}' | paste -sd+ - | bc
61145246
$ repoquery -R --resolve systemd | xargs -n1 -I{} bash -c "rpm -qi {}" 2>&1 | awk '/Size/ {print $NF}' | paste -sd+ - | bc
170945969
We do not want to maintain CVE fixes for those extra components, as they have nothing to do with containerized openstack services, nor do we need them lying in containers as dead weight.
With these numbers, an extra ~270MB per remote edge compute host, for 5000 distributed computes deployed over edge WAN connections, that saves 270*5000 = 1.3TB of traffic (and the time it takes to transfer it from the control plane to remote edge sites and/or local registries sitting there).
Note that some other components' packages, like openstack-heat*, still do require systemd; that should be fixed as well, so as not to add it back in the upper layers sitting on top of the base one.
[0] http://
[1] http://
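As an added example (not from the bug report or the tripleo project): `repoquery -R --resolve` only resolves one level of requires, so to estimate what a base layer actually sheds one needs the transitive closure of the dropped packages minus whatever the remaining components still require (the report notes openstack-heat* still needs systemd). The dependency graph, package names' relations and sizes below are constructed sample data, not real rpm metadata.

```python
from collections import deque

# Constructed sample graph (not real rpm metadata): package -> direct requires,
# i.e. what `repoquery -R --resolve <pkg>` would list, resolved to package names.
REQUIRES = {
    "puppet-tripleo": ["puppet", "ruby"],
    "puppet": ["ruby", "systemd", "facter"],
    "facter": ["ruby"],
    "ruby": ["libyaml"],
    "libyaml": [],
    "systemd": ["dbus", "kmod"],
    "dbus": [],
    "kmod": [],
    "openstack-heat-common": ["systemd", "python3"],
    "python3": [],
}

# Constructed installed sizes in bytes (what rpm -q --qf '%{SIZE}' would report).
SIZE = {
    "puppet-tripleo": 16_000_000, "puppet": 20_000_000, "ruby": 30_000_000,
    "facter": 5_000_000, "libyaml": 200_000, "systemd": 150_000_000,
    "dbus": 10_000_000, "kmod": 11_000_000,
    "openstack-heat-common": 3_000_000, "python3": 40_000_000,
}

def closure(roots, requires=REQUIRES):
    """Transitive dependency closure of `roots` (roots included), breadth-first."""
    seen, queue = set(), deque(roots)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(requires.get(pkg, []))
    return seen

def removable(dropped, kept, requires=REQUIRES):
    """Packages that leave the image when `dropped` roots go while `kept` roots
    stay: anything the kept closure still needs (e.g. systemd for heat) is pinned."""
    return closure(dropped, requires) - closure(kept, requires)

def saved_bytes(dropped, kept, requires=REQUIRES, sizes=SIZE):
    """Bytes shed from the image layer for the given drop/keep sets."""
    return sum(sizes[p] for p in removable(dropped, kept, requires))

def edge_transfer_bytes(dropped, kept, hosts):
    """Transfer avoided across `hosts` edge nodes that each pull the image."""
    return saved_bytes(dropped, kept) * hosts
```

Dropping systemd from the base layer only pays off once the kept set no longer pins it; with the sample graph, keeping openstack-heat-common cuts the saving from 242.2MB to 71.2MB.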
Changed in tripleo: | |
status: | New → Triaged |
importance: | Undecided → High |
milestone: | none → stein-2 |
tags: | added: containers queens-backport-potential rocky-backport-potential tech-debt |
summary: |
- Reduce kolla containers image size by moving off puppet bits
+ Reduce kolla containers image size by moving off puppet bits we override for tripleo
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: | added: edge |
summary: |
- Reduce kolla containers image size by moving off puppet bits we override for tripleo
+ Reduce kolla containers image size by moving off puppet/systemd config only dependencies we override for tripleo
description: | updated |
summary: |
Reduce kolla containers image size by moving off puppet/systemd config
- only dependencies we override for tripleo
+ only bits and its dependencies we override for tripleo
Changed in tripleo: | |
milestone: | stein-2 → stein-3 |
Changed in tripleo: | |
status: | In Progress → Opinion |
assignee: | Bogdan Dobrelya (bogdando) → nobody |
Changed in tripleo: | |
importance: | High → Medium |
We already have a container for that; it had been added into kolla with https://review.openstack.org/#/c/595866/