docker-slim/community

Leandro

@chuleh

Hi everyone :)

I'm running into an issue when trying to use docker-slim in our pipeline in gitlab-ci

Been reading this thread: docker-slim/docker-slim#34

Is it build or builds?

Leandro

@chuleh

Nevermind, just read that it's build/subdir :)

Kyle Quest

@kcq

The enhancement for this is almost there... Sorry for the delay

I mean, the extra extra enhancements to run without using local mounts, which will make things easier in gitlab-ci

Kyle Quest

@kcq

What's your setup? How is configured? Where do you have docker-slim? What are the parameters when you run it?

hrushikesh ramesh potbhare

@hrushikeshpotbhare

what work is done in background of docker slim ? how it works ?

Tom Mason

@mrmason

Hi, I've reported docker-slim/docker-slim#90 - happy to chat about it here if anyone wants to help debug

I'm seeing the same thing in my gitlab-CI process as well, although if I run the command directly on the host it seems to work fine

( on the gitlab-ci runner host that is )

so feels like a permissions problem

Tom Mason

@mrmason

i tried the stuff in the above issue ( 34 ) but I'm not using DIND on this pipeline, so it shouldn't matter, and indeed moving stuff to /builds made no difference

Tom Mason

@mrmason

$ /builds/docker-slim --state-path '/builds/docker-slim-state/' build --tag $CI_COMMIT_SHA-slim --http-probe=false $CI_COMMIT_SHA-fat
<snip>
time="2019-10-01T11:37:27Z" level=fatal msg="docker-slim: failure" error="API error (400): {"message":"OCI runtime create failed: container_linux.go:348: starting container process caused \"exec: \\\"/opt/dockerslim/bin/sensor\\\": permission denied\": unknown"}

Kyle Quest

@kcq

@mrmason can you check the permissions on the docker-slim-sensor executable in your environment

added a few more comments in the ticket too

Tom Mason

@mrmason

Thanks, I've replied - it looks like /opt/dockerslim/bin/sensor is a folder in the slim image, when it should be an executable

Tom Mason

@mrmason

btw, I'm aware ubuntu base isn't the ideal candidate for slimming, I want to run it on our real containers, but I used that as an example to show it wasn't working on something nice and simple :)

It's doing the same thing on our gitlab runners, which are hosted on Ubuntu

Tom Mason

@mrmason

oh sorry, the host machine is ubuntu, but it will be running inside docker:latest

which according to this https://github.com/docker-library/docker/blob/eb1b8297d29bb1fb2208c98f41c1ff4c053c4173/19.03/Dockerfile

is alpine

Malys

@malys

Hi,
I have the same probleme

$ /builds/docker-slim --state-path '/builds/docker-slim-state/' build --tag $CI_COMMIT_SHA-slim --http-probe=false $CI_COMMIT_SHA-fat
<snip>
time="2019-10-01T11:37:27Z" level=fatal msg="docker-slim: failure" error="API error (400): {"message":"OCI runtime create failed: container_linux.go:348: starting container process caused \"exec: \\\"/opt/dockerslim/bin/sensor\\\": permission denied\": unknown"}

I use docker for windows and docker in docker.
My dockerfile:
FROM docker as builder

RUN apk add --no-cache curl
RUN curl -kL https://github.com/docker-slim/docker-slim/releases/download/1.25.3/dist_linux.tar.gz | tar xvz

FROM alpine:3.7
COPY --from=builder /dist_linux/docker-slim /usr/local/bin/
COPY --from=builder /dist_linux/docker-slim-sensor /usr/local/bin/
COPY --from=builder /usr/local/bin/docker /usr/local/bin/
COPY --from=builder /usr/local/bin/docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]

Kyle Quest

@kcq

@mrmason thanks for the base ubuntu image clarification... sounds like it'll be good to have a very simple hello world ubuntu sample image (i'll add it to the examples repo)

Kyle Quest

@kcq

@mrmason the Github issue snippets have Fedora in them... Are you seeing the same with both host machines... Ubuntu and Fedora?

Kyle Quest

@kcq

@malys the dind use cases are not officially supported yet because the current version relies on mounting a local volume, which isn't always possible with dind. The dind and the docker-based CI support is coming soon in 1.26, which will use another option to add and get container components that doesn't related on volume mounts.

Tom Mason

@mrmason

Yes @kcq - the same problem on Ubuntu, PopOS and Fedora ( and Centos )

Malys

@malys

@malys the dind use cases are not officially supported yet because the current version relies on mounting a local volume, which isn't always possible with dind. The dind and the docker-based CI support is coming soon in 1.26, which will use another option to add and get container components that doesn't related on volume mounts.

Thx @kcq

Malys

@malys

@kcq I found a workaround:
docker run --net=host --ipc=host --uts=host --pid=host -it --security-opt=seccomp=unconfined --privileged --rm -v //var/run/docker.sock:/var/run/docker.sock -v d:\:/D --name dslim alpine /bin/sh -> full rights on my "docker for windows" host and dind enabled
you have to put docker-slim and sensor on shared folder (in my case, a child of d:) and launch docker-slim command in previous container from shared folder.
=> mounting and slim process work fine

Tom Mason

@mrmason

windows :o

have you managed to reproduce the problem @kcq ? Anything else you need, or anything more I can help with ?

Kyle Quest

@kcq

@malys yes, the trick there is to leverage already shared folders, but it makes it more complex than it should be

@mrmason i'll have more to share soon, sorry about the delay Tom

Kyle Quest

@kcq

Tom, can you check if you have 'docker-slim-sensor' in the '/usr/local/bin' directory on your host machine

Srikant

@srikantpatnaik

Great tool, guys!
I just need a pointer on my output.
My image contains custom headless chrome(CEF), docker-slim minifies it well, but I run my container it crashes after sometime when I access my container with the following error:

[0100/000000.789662:ERROR:zygote_linux.cc(614)] Zygote could not fork: process_type renderer numfds 5 child_pid -1
[0100/000000.791877:ERROR:zygote_linux.cc(646)] write: Broken pipe (32)
/opt/distrib/init.sh: line 10: 10 Trace/breakpoint trap (core dumped) $PWD/my_browser --no-sandbox --disable-gpu --disable-gpu-compositing

my build cmd:
sudo ./docker-slim build --include-path=/tmp --include-path=/opt/distrib --include-bin=/bin/busybox --tag abc-slim:v1 --http-probe=false abc-fat:v1

It seems the chrome couldn't create the forks

Srikant

@srikantpatnaik

my docker run cmd:
docker run --cap-add=SYS_NICE --shm-size=2048m --entrypoint=/bin/bash -e "ABC_SERVER=192.168.122.11" -e "ABC_PORT=80" --rm --cap-add=SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name abc -p 1200:1200 --device /dev/snd abc-slim:v1 /opt/distrib/init.sh

Malys

@malys

@kcq Last version works like a charm in dind mode. Great job and thx you

Kyle Quest

@kcq

@malys are you using it in a cloud CI environment or are you doing it locally?

Malys

@malys

@kcq in GITLAB CI on premise, I don't use docker image. Currently, I download binaries in my container which is running my job and works fine.

Kyle Quest

@kcq

@malys great to hear it works with your on prem Gitlab environment! got a chance to test it only with the standard Gitlab CI setup and that environment requires a bit of work to configure the DOCKER_HOST environment variable properly (i added the instructions to the readme, just in case)

Kyle Quest

@kcq

@srikantpatnaik Thank you for sharing your use case! Haven't had a chance to explore a similar Docker image setup... Is there a Dockerfile you could share to see if I can repro the condition?

@srikantpatnaik Also curious what you are doing with /dev/snd in your container

Srikant

@srikantpatnaik

@kcq thanks for taking this up. I will share my dockerfile in sometime. The /dev/snd isn't needed anymore

atiqtahir

@atiqtahir

How to pass environment variable to docker-slim using --env flag?

Kyle Quest

@kcq

@atiqtahir yes

atiqtahir

@atiqtahir

Thanks

Where communities thrive

People

Repo info

Activity