0b91d94617
* Update S6584 and S6595 with gdebi package manager * Suggestion from review Co-authored-by: GabinL21 <67428953+GabinL21@users.noreply.github.com> --------- Co-authored-by: GabinL21 <67428953+GabinL21@users.noreply.github.com>
75 lines
2.3 KiB
Plaintext
75 lines
2.3 KiB
Plaintext
Running `update` of your package manager in a single `RUN` instruction stores the cache index in the file system.
|
|
This cache is not needed for the installed software to work properly.
|
|
|
|
== Why is this an issue?
|
|
|
|
Leaving unnecessary files in Docker image increases its size.
|
|
The Docker images should be small and only contain necessary data.
|
|
The cache index is obsolete after installation.
|
|
|
|
=== Exceptions
|
|
|
|
The rule does not raise when the update is followed by a `gdebi` package installation, as it can still install required dependencies when installing from a file, which would require the `apt` cache to be updated.
|
|
|
|
== How to fix it
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,docker,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
RUN apk update
|
|
RUN apt-get update
|
|
RUN aptitude update
|
|
----
|
|
|
|
Here each line represents an update command for the most popular package managers.
|
|
Each of them stores the cache index in the newly created layer.
|
|
|
|
==== Compliant solution
|
|
|
|
[source,docker,diff-id=1,diff-type=compliant]
|
|
----
|
|
RUN apk update && apk add ...
|
|
RUN apt-get update && apt-get install ...
|
|
RUN apt-get update && gdebi
|
|
RUN aptitude update && aptitude install ...
|
|
----
|
|
|
|
Here in each line after the update, the package installation is executed.
|
|
However, it happens in single `RUN` instruction so only one layer is created.
|
|
After installing all packages the cleanup of the cache index should be done.
|
|
For more details please see rule S6587.
|
|
|
|
=== How does this work?
|
|
|
|
Each execution of `RUN` instruction creates a new layer in Docker.
|
|
If a single command `apt-get update` or equivalent is executed, the cache is stored in the new layer.
|
|
This increases the size of the final image.
|
|
Even removing those cache in the next `RUN` instruction doesn't decrease the size of the final image.
|
|
This overhead is not needed in the Docker image.
|
|
Updating the cache and installing packages should be executed in one step (one `RUN` instruction).
|
|
|
|
|
|
== Resources
|
|
=== Documentation
|
|
|
|
* https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run[RUN - Best practices for writing Dockerfiles]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Update the cache and install packages in a single RUN instruction.
|
|
|
|
=== Highlighting
|
|
|
|
Highlight the entire update command.
|
|
|
|
'''
|
|
endif::env-github,rspecator-view[]
|