Fix: OPA reduce image size (#1038)

* remove recursive chmod/chown in final image

* adapted changelog

* use check permissions script

* consolidation

* Update CHANGELOG.md

Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>

---------

Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>

Author: maltesander

CHANGELOG.md

@@ -11,6 +11,8 @@ All notable changes to this project will be documented in this file.
 - spark-connect-client: A new image for Spark connect tests and demos ([#1034])
 - nifi: check for correct permissions and ownerships in /stackable folder via
   `check-permissions-ownership.sh` provided in stackable-base image ([#1027]).
+- opa: check for correct permissions and ownerships in /stackable folder via
+  `check-permissions-ownership.sh` provided in stackable-base image ([#1038]).
 
 ### Changed
 
@@ -21,12 +23,14 @@ All notable changes to this project will be documented in this file.
 
 - hadoop: reduce docker image size by removing the recursive chown/chmods in the final image ([#1029]).
 - nifi: reduce docker image size by removing the recursive chown/chmods in the final image ([#1027]).
+- opa: reduce docker image size by removing the recursive chown/chmods in the final image ([#1038]).
 - spark-k8s: reduce docker image size by removing the recursive chown/chmods in the final image ([#1042]).
 - Add `--locked` flag to `cargo install` commands for reproducible builds ([#1044]).
 
 [#1027]: https://github.com/stackabletech/docker-images/pull/1027
 [#1029]: https://github.com/stackabletech/docker-images/pull/1029
 [#1034]: https://github.com/stackabletech/docker-images/pull/1034
+[#1038]: https://github.com/stackabletech/docker-images/pull/1038
 [#1042]: https://github.com/stackabletech/docker-images/pull/1042
 [#1044]: https://github.com/stackabletech/docker-images/pull/1044
 [#1050]: https://github.com/stackabletech/docker-images/pull/1050

opa/Dockerfile

@@ -6,18 +6,20 @@ FROM stackable/image/stackable-base AS opa-bundle-builder
 ARG BUNDLE_BUILDER_VERSION
 
 # Update image and install everything needed for Rustup & Rust
-RUN microdnf update \
-  && microdnf install \
-    cmake \
-    gcc \
-    gcc-c++ \
-    git \
-    make \
-    openssl-devel \
-    pkg-config \
-    systemd-devel \
-    unzip \
-  && rm -rf /var/cache/yum
+RUN <<EOF
+microdnf update
+microdnf install \
+  cmake \
+  gcc \
+  gcc-c++ \
+  git \
+  make \
+  openssl-devel \
+  pkg-config \
+  systemd-devel \
+  unzip
+rm -rf /var/cache/yum
+EOF
 
 WORKDIR /
 
@@ -29,6 +31,8 @@ cd ./opa-bundle-builder
 . "$HOME/.cargo/env"
 rustup toolchain install
 cargo --quiet build --release
+# set correct groups
+chmod -R g=u /opa-bundle-builder/target/release/
 EOF
 
 FROM stackable/image/stackable-base AS multilog-builder
@@ -37,33 +41,38 @@ ARG DAEMONTOOLS_VERSION=0.76
 
 COPY opa/daemontools /daemontools
 
-RUN microdnf update && \
-    microdnf install \
-    gcc \
-    gzip \
-    make \
-    patch \
-    tar && \
-    microdnf clean all \
-    && rm -rf /var/cache/yum
-
-WORKDIR /daemontools
-
-RUN tar xzf daemontools-${DAEMONTOOLS_VERSION}.tar.gz
+RUN <<EOF
+microdnf update
+microdnf install \
+  gcc \
+  gzip \
+  make \
+  patch \
+  tar
+microdnf clean all
+rm -rf /var/cache/yum
+EOF
 
-WORKDIR /daemontools/admin/daemontools-${DAEMONTOOLS_VERSION}/src
+RUN <<EOF
+cd /daemontools
+tar xzf daemontools-${DAEMONTOOLS_VERSION}.tar.gz
 
-RUN patch < /daemontools/conf-cc.patch && \
-    patch multilog.c < /daemontools/multilog_max_file_size.patch
+cd /daemontools/admin/daemontools-${DAEMONTOOLS_VERSION}/src
+patch < /daemontools/conf-cc.patch
+patch multilog.c < /daemontools/multilog_max_file_size.patch
 
-WORKDIR /daemontools/admin/daemontools-${DAEMONTOOLS_VERSION}
+cd /daemontools/admin/daemontools-${DAEMONTOOLS_VERSION}
+package/install
 
-RUN package/install
+# set correct groups
+chmod g=u /daemontools/admin/daemontools/command/multilog
+EOF
 
 FROM stackable/image/stackable-base AS opa-builder
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 ARG TARGETARCH
 ARG TARGETOS
 
@@ -73,19 +82,25 @@ ENV GOOS=$TARGETOS
 # gzip, tar - used to unpack the OPA source
 # git - needed by the cyclonedx-gomod tool to determine the version of OPA
 # golang - used to build OPA
-RUN microdnf update && \
-    microdnf install \
-    git \
-    golang \
-    gzip \
-    tar && \
-    microdnf clean all
+RUN <<EOF
+microdnf update
+microdnf install \
+  git \
+  golang \
+  gzip \
+  tar
+microdnf clean all
+EOF
 
+COPY --chown=${STACKABLE_USER_UID}:0 opa/stackable/bin /stackable/opa/bin
+
+RUN <<EOF
 # We use version 1.7.0, since a newer version of cyclonedx-gomod is not compatible with the version of Golang (>= 1.23.1)
-RUN go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0
-RUN curl "https://repo.stackable.tech/repository/packages/opa/opa_${PRODUCT}.tar.gz" -o opa.tar.gz && \
-    tar -zxvf opa.tar.gz && \
-    mv "opa-${PRODUCT}" opa
+go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0
+curl "https://repo.stackable.tech/repository/packages/opa/opa_${PRODUCT}.tar.gz" -o opa.tar.gz
+tar -zxvf opa.tar.gz
+mv "opa-${PRODUCT}" opa
+EOF
 
 WORKDIR /opa
 
@@ -97,7 +112,12 @@ git config user.name "Fake commiter"
 git commit --allow-empty --message "Fake commit, so that we can create a tag"
 git tag "v${PRODUCT}"
 go build -o opa -buildmode=exe
-~/go/bin/cyclonedx-gomod app -json -output-version 1.5 -output "opa_${PRODUCT}.cdx.json" -packages -files
+# move artifact to /stackable/*/ to copy in final image
+~/go/bin/cyclonedx-gomod app -json -output-version 1.5 -output /stackable/opa/"opa_${PRODUCT}.cdx.json" -packages -files
+# move artifact to /stackable/* to copy in final image
+mv /opa/opa /stackable/opa/
+# set correct groups
+chmod -R g=u /stackable/opa
 EOF
 
 FROM stackable/image/vector
@@ -107,43 +127,46 @@ ARG RELEASE
 ARG STACKABLE_USER_UID
 
 LABEL name="Open Policy Agent" \
-      maintainer="info@stackable.tech" \
-      vendor="Stackable GmbH" \
-      version="${PRODUCT}" \
-      release="${RELEASE}" \
-      summary="The Stackable image for Open Policy Agent (OPA)." \
-      description="This image is deployed by the Stackable Operator for OPA."
+  maintainer="info@stackable.tech" \
+  vendor="Stackable GmbH" \
+  version="${PRODUCT}" \
+  release="${RELEASE}" \
+  summary="The Stackable image for Open Policy Agent (OPA)." \
+  description="This image is deployed by the Stackable Operator for OPA."
 
-COPY opa/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 opa/licenses /licenses
 
-COPY --from=opa-builder --chown=${STACKABLE_USER_UID}:0 /opa/opa /stackable/opa/opa
-COPY --from=opa-builder --chown=${STACKABLE_USER_UID}:0 /opa/opa_${PRODUCT}.cdx.json /stackable/opa/
+COPY --from=opa-builder --chown=${STACKABLE_USER_UID}:0 /stackable/opa /stackable/opa
 COPY --from=opa-bundle-builder --chown=${STACKABLE_USER_UID}:0 /opa-bundle-builder/target/release/stackable-opa-bundle-builder /stackable/opa-bundle-builder
 COPY --from=multilog-builder --chown=${STACKABLE_USER_UID}:0 /daemontools/admin/daemontools/command/multilog /stackable/multilog
 
-COPY --chown=${STACKABLE_USER_UID}:0 opa/stackable/bin /stackable/opa/bin
-
 RUN <<EOF
 microdnf update
-
 # jq: Required for filtering logs
 microdnf install \
   jq
 microdnf clean all
 rm -rf /var/cache/yum
 
-# All files and folders owned by root group to support running as arbitrary users.
-# This is best practice as all container users will belong to the root group (0).
-chown -R ${STACKABLE_USER_UID}:0 /stackable
-chmod -R g=u /stackable
+# fix missing permissions
+chmod g=u /stackable/opa
 EOF
 
 # ----------------------------------------
-# Attention: We are changing the group of all files in /stackable directly above
-# If you do any file based actions (copying / creating etc.) below this comment you
-# absolutely need to make sure that the correct permissions are applied!
-# chown ${STACKABLE_USER_UID}:0
+# Checks
+# This section is to run final checks to ensure the created final images
+# adhere to several minimal requirements like:
+# - check file permissions and ownerships
+# ----------------------------------------
+
+# Check that permissions and ownership in /stackable are set correctly
+# This will fail and stop the build if any mismatches are found.
+RUN <<EOF
+/bin/check-permissions-ownership.sh /stackable ${STACKABLE_USER_UID} 0
+EOF
+
 # ----------------------------------------
+# Attention: Do not perform any file based actions (copying/creating etc.) below this comment because the permissions would not be checked.
 
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/opa