Mar 29, 2022 09:00:00

If you use 'chmod' carelessly, the capacity of the Docker image will grow.

In order to maximize the performance of Docker, it is important to optimize the description of Dockerfile and make the size of the image after build as small as possible. Regarding this optimization problem, which has attracted the attention of many engineers, such as various techniques being summarized in a

collection of best practices of Dockerfile, engineer Vamshi Aturi said, 'By using chmod properly, the capacity of the container image I posted a blog post saying 'Reduced by 35%', and it has become a hot topic on the news site 'Hacker News' where engineers gather.

`COPY --chmod` reduced the size of my container image by 35%
https://blog.vamc19.dev/posts/dockerfile-copy-chmod/

`COPY –chmod` reduced the size of my container image by 35% | Hacker News
https://news.ycombinator.com/item?id=30808945

The origin of the matter was the following Dockerfile. This Dockerfile is just a matter of downloading the binary and running it.

Aturi predicted that the size of the image after build would be about 160MB including the other packages because the base ubuntu was 70MB and the downloaded binary was 80MB. However, when I actually built it, the capacity was 267MB.

If you check the capacity of each layer, the COPY layer is 87.7MB, but this is the same capacity as the binary, so there is no problem. On the other hand, the capacity of the RUN layer was 94.4MB, which was unusually large.

When Aturi removed chmod from the contents of RUN and rebuilt it, the capacity of the RUN layer decreased to 6.7MB. Aturi-san thought that changing the file with chmod alone would only change the metadata and would not be copied because the contents would not be rewritten, but when checking the document of the overlay file system (union file system) , 'write permission' If you open the file with or change the metadata, the file will be copied to the upper layer. '

As a solution, Aturi says that instead of running chmod with RUN after COPY, you can change permissions without bloating by using the '--chmod' option during COPY. This '--chmod' option is available in BuildKit and Podman .

Following this blog post, many engineers on Hacker News have commented on how to make Docker images lighter. The top comment at the time of writing the article was like an engineer, saying, 'It is better to use Docker Slim , a tool that automatically analyzes images and reduces weight, rather than manually trying and error.'

In another comment, 'The real problem this time is that the usage of multi-stage build is wrong, COPY --chmod is not the correct solution', Aturi agrees with this point. However, he states that COPY --chmod is a common solution that can be applied outside of multi-stage builds.