Switch to distroless base image #1417
Conversation
cdesiniotis
requested review from
ArangoGutierrez,
elezar,
shivamerla and
tariq1890
as code owners
|
|
||
| # Remove CUDA libs(compat etc) in favor of libs installed by the NVIDIA driver | ||
| RUN dnf remove -y cuda-* | ||
| USER 0:0 |
There was a problem hiding this comment.
Does validator need to run as root?
There was a problem hiding this comment.
Hmm it doesn't appear I have anything written in my notes concerning this (I made these changes some time ago). My best guess is that this was needed for the driver-validation container where we create the /dev/char symlinks. But it is definitely worth validating and removing this if not required.
There was a problem hiding this comment.
Sure, once you find out why it's needed and we are certain that there is no way around this, please update the PR description with the details
There was a problem hiding this comment.
we run chroot to check for host driver installation, which needs to be run with root user.
Signed-off-by: Christopher Desiniotis <[email protected]>
Signed-off-by: Christopher Desiniotis <[email protected]>
cdesiniotis
force-pushed
the
use-distroless-base-image
branch
from
c6f7ff4 to
046ee45
Compare
| @@ -55,10 +55,15 @@ ARG VERSION="unknown" | |||
| ARG GIT_COMMIT="unknown" | |||
| RUN make gpu-operator | |||
|
|
|||
| FROM nvcr.io/nvidia/cuda:12.8.1-base-ubi9 | |||
| # Download must-gather dependency: `kubectl` | |||
There was a problem hiding this comment.
I think we can avoid packaging kubectl binary too. This often have CVEs. For openshift, we can publish a minimal image into RH registry like these. Which is used only during log collection using oc adm must-gather --image <debug-image>. For K8s users, they will use the script directly from the GH repo anyway.
There was a problem hiding this comment.
We currently still need it for the upgrade-crd and cleanup-crd helm hooks.
There was a problem hiding this comment.
yes, those can be replaced with the crd-apply tool that the NO is using.
There was a problem hiding this comment.
For sure, Shiva. We do have that plan. So, It will be done in a follow-up PR.
No description provided.