Commit fc0da61f authored by mo khan's avatar mo khan Committed by Nick Gaskill

Provide guidance on techniques for shrinking docker image sizes

parent 82e21e6a
...@@ -124,9 +124,9 @@ regardless of the individual machine the scanner runs on. ...@@ -124,9 +124,9 @@ regardless of the individual machine the scanner runs on.
Depending on the CI infrastructure, Depending on the CI infrastructure,
the CI may have to fetch the Docker image every time the job runs. the CI may have to fetch the Docker image every time the job runs.
To make the scanning job run fast, and to avoid wasting bandwidth, For the scanning job to run fast and avoid wasting bandwidth, Docker images should be as small as
it is important to make Docker images as small as possible, possible. You should aim for 50MB or smaller. If that isn't possible, try to keep it below 1.46 GB,
ideally smaller than 50 MB. which is the size of a CD-ROM.
If the scanner requires a fully functional Linux environment, If the scanner requires a fully functional Linux environment,
it is recommended to use a [Debian](https://www.debian.org/intro/about) "slim" distribution or [Alpine Linux](https://www.alpinelinux.org/). it is recommended to use a [Debian](https://www.debian.org/intro/about) "slim" distribution or [Alpine Linux](https://www.alpinelinux.org/).
...@@ -135,6 +135,22 @@ and to compile the scanner with all the libraries it needs. ...@@ -135,6 +135,22 @@ and to compile the scanner with all the libraries it needs.
[Multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/) [Multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/)
might also help with keeping the image small. might also help with keeping the image small.
To keep an image size small, consider using [dive](https://github.com/wagoodman/dive#dive) to analyze layers in a Docker image to
identify where additional bloat might be originating from.
In some cases, it might be difficult to remove files from an image. When this occurs, consider using
[Zstandard](https://github.com/facebook/zstd)
to compress files or large directories. Zstandard offers many different compression levels that can
decrease the size of your image with very little impact to decompression speed. It may be helpful to
automatically decompress any compressed directories as soon as an image launches. You can accomplish
this by adding a step to the Docker image's `/etc/bashrc` or to a specific user's `$HOME/.bashrc`.
Remember to change the entry point to launch a bash login shell if you chose the latter option.
Here are some examples to get you started:
- <https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/install.sh#L168-170>
- <https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/.bashrc#L49>
### Image tag ### Image tag
As documented in the [Docker Official Images](https://github.com/docker-library/official-images#tags-and-aliases) project, As documented in the [Docker Official Images](https://github.com/docker-library/official-images#tags-and-aliases) project,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment