Replace UBI with UBI-minimal in GitLab images
Overview
The intent of this issue is to track work related to replacing our UBI images with UBI-minimal.
Outputs
- We will have images created based on UBI minimal
- Produce a diff list for os-packages not included with our UBI minimal images and assign teams to review diffs
Results of changes
Size (storage)
Pulling from gitlab-org/build/CNG!1129 (comment 1306150292), and running as of 2023-03-20, and comparing v15.9.3-ubi8 to master-ubi8
Branch/tag | Compressed* size |
---|---|
v15.9.3-ubi8 | 6,233,730,289 |
master-ubi8 | 4,814,997,687 |
Diff | 1,418,732,602 |
The images, per UBI pipeline, have reduced in size within Object Storage (and thus also network transit for any given image) by a total of 1.4 GB.
This "wow" is reduced by the fact that many images share layers, which is very intentional. Of the 161 total layers, only 60 are unique (thus, not shared).
branch / tag | unique layers | compressed* sum |
---|---|---|
v15.9.3-ubi8 | 61 | 1,756,275,678 |
master | 60 | 1,537,819,678 |
Diff | -1 | 218,456,000 |
Breaking this down to only differentiable layers (individual objects within the registry / storage), and then looking at the size difference due to ubi-minimal, we get "only" 218 MB.
This goes to show how impactful those shared layers are for storage, distribution, and deployment efficiency. That is a ~6x efficiency gain from the state prior to gitlab-base's introduction in CNG: Create gitlab-base image, providing stable... (#2958 - closed), way back in %15.1.
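The two measurements compared above, as an added example that is not part of the original issue or of CNG tooling: the size summed per image across a pipeline versus the size of unique layer digests as stored in a registry. Image names, digests and sizes are constructed; the `layers` entries follow the shape of an OCI / Docker v2 image manifest.

```python
# Constructed sample data: per-image manifests reduced to their "layers" array.
# Image names, digests and sizes are made up, not taken from the CNG registry.
def build(base_digest, base_size):
    own_layers = {"image-a": 50, "image-b": 30, "image-c": 20}
    return {
        image: {"layers": [
            {"digest": base_digest, "size": base_size},       # shared base layer
            {"digest": f"sha256:{image}-app", "size": size},  # image-specific layer
        ]}
        for image, size in own_layers.items()
    }


BEFORE = build("sha256:constructed-ubi", 80)
AFTER = build("sha256:constructed-ubi-minimal", 30)


def layer_totals(manifests):
    """Return summed and deduplicated layer counts and sizes for a set of images."""
    unique = {}
    count = total = 0
    for manifest in manifests.values():
        for layer in manifest["layers"]:
            count += 1
            total += layer["size"]
            # A registry stores each digest once, however many images reference it.
            unique[layer["digest"]] = layer["size"]
    return {"layers": count, "bytes": total,
            "unique_layers": len(unique), "unique_bytes": sum(unique.values())}


def compare(before, after):
    """Size reduction as the per-image sum and as unique registry objects."""
    b, a = layer_totals(before), layer_totals(after)
    return {"summed_diff": b["bytes"] - a["bytes"],
            "unique_diff": b["unique_bytes"] - a["unique_bytes"]}


if __name__ == "__main__":
    print(layer_totals(BEFORE))
    print(layer_totals(AFTER))
    print(compare(BEFORE, AFTER))
```

With three images sharing one base layer, the summed reduction is three times the unique-object reduction, which is the same effect the tables above show at larger scale.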
Security items
~66% reduction in vulnerabilities in the base image and ~21% reduction in total, after an initial comparison (Before and After)
- Total vulnerabilities, raw (meaning not inspected) dropped from 303 to 238
- Base image (now ubi-minimal) detections dropped from 162 to 55