This repository has been archived by the owner on Jul 21, 2023. It is now read-only.

facilitator: smaller container image #868

Merged: 1 commit, Aug 2, 2021


tgeoghegan
Contributor

This commit restores some of the changes from #737 in order to emit
smaller container images.

  • build facilitator with release profile
  • build binary in a builder container based on rust:alpine, then ship
    a smaller image based on alpine containing just the statically
    linked binary

We can't remove the OpenSSL dependency until kube-rs/kube-rs/597 is
released, but this change takes our image size down to ~30 MB from >2
GB.

Related to #451

@tgeoghegan
Contributor Author

Comparing image sizes. Before:

> podman image tree us.gcr.io/timg-prio-aws-dev/prio-facilitator:creds-cache-1
Image ID: ebebc8b2f1c3
Tags:     [us.gcr.io/timg-prio-aws-dev/prio-facilitator:creds-cache-1]
Size:     2.953GB
Image Layers
├── ID: b2d5eeeaba3a Size:  5.88MB
├── ID: b13a459bd422 Size: 114.8MB
├── ID: c1ce937a3af3 Size: 685.5MB Top Layer of: [docker.io/library/rust:1.53.0-alpine]
├── ID: 1163a874ce6e Size: 14.78MB
├── ID: fe9c96e7c3b4 Size: 56.13MB
├── ID: 0ac835a0333d Size: 82.94kB
├── ID: 0c742fdc5ee2 Size: 5.632kB
├── ID: 7038a0c209d0 Size: 5.632kB
├── ID: 339e5a48db46 Size: 3.584kB
├── ID: 190ae4bc493c Size: 4.608kB
├── ID: 8ac74b27f83d Size: 1.664GB
├── ID: d21524b4b056 Size: 4.096kB
├── ID: f0f79e0030e8 Size: 17.92kB
├── ID: f0fabd95dd82 Size: 593.4kB
├── ID: 1431617a9db3 Size:   340MB
├── ID: a0575038a8e2 Size: 35.29MB
└── ID: e40e4c76fef6 Size: 35.28MB Top Layer of: [us.gcr.io/timg-prio-aws-dev/prio-facilitator:creds-cache-1]

And after:

> podman image tree us.gcr.io/timg-prio-aws-dev/prio-facilitator:creds-cache-10
Image ID: c1faca6c7b59
Tags:     [us.gcr.io/timg-prio-aws-dev/prio-facilitator:creds-cache-10 024759592502.dkr.ecr.us-west-2.amazonaws.com/prio-facilitator:creds-cache-10]
Size:     35.63MB
Image Layers
├── ID: 72e830a4dff5 Size: 5.865MB Top Layer of: [docker.io/library/alpine:3.14]
├── ID: a57b302426cf Size: 2.287MB
└── ID: c6ad2b38b9f5 Size: 27.48MB Top Layer of: [us.gcr.io/timg-prio-aws-dev/prio-facilitator:creds-cache-10 024759592502.dkr.ecr.us-west-2.amazonaws.com/prio-facilitator:creds-cache-10]

@codecov-commenter

codecov-commenter commented Aug 2, 2021

Codecov Report

Merging #868 (1ebc372) into main (760578b) will decrease coverage by 23.25%.
The diff coverage is n/a.


@@             Coverage Diff             @@
##             main     #868       +/-   ##
===========================================
- Coverage   59.12%   35.87%   -23.26%     
===========================================
  Files          35       10       -25     
  Lines        6679      931     -5748     
===========================================
- Hits         3949      334     -3615     
+ Misses       2678      559     -2119     
+ Partials       52       38       -14     
Flag Coverage Δ
deploy_operator_tests 76.78% <ø> (ø)
deploy_tool_tests ?
facilitator_tests ?
manifest_updater_tests 6.81% <ø> (ø)
task_replayer_tests ∅ <ø> (∅)
workflow_manager_tests 38.89% <ø> (ø)


Impacted Files Coverage Δ
facilitator/src/test_utils.rs
facilitator/src/retries.rs
facilitator/src/transport/gcs.rs
facilitator/src/idl.rs
facilitator/src/kubernetes.rs
facilitator/src/aws_credentials.rs
facilitator/src/task/sqs.rs
facilitator/src/task/pubsub.rs
facilitator/src/intake.rs
facilitator/src/lib.rs
... and 15 more



# Build a minimal container from Alpine containing only the stripped binary and
# no intermediate build artifacts
FROM alpine:3.14
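
Review bot: `FROM alpine:3.14` in the runtime stage pins a tag, not a digest, so the base layer under the shipped binary can change between builds without any change to this file. Consider pinning by digest (`FROM alpine:3.14@sha256:<digest>`) and bumping it deliberately.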
Contributor


I believe once openssl is removed we can build from scratch?

Contributor Author


I don't think so, because we still need libc and a few other .sos for facilitator:

> ldd target/debug/facilitator
	linux-vdso.so.1 (0x00007fff9ab7f000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f9515fea000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f9515cfc000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f9515ce1000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9515cc0000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f9515b7c000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f9515b75000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f95159a4000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f951821e000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f951598a000)

The libssl dependency should go away but the rest are still real.
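
The question in this thread, whether the runtime image can be built from scratch, comes down to which files the dynamic loader must find on disk. As an added example (not code from the pull request or the project), this script reads `ldd` output and lists those files, with and without the OpenSSL libraries; the function names are hypothetical and the sample is the listing quoted above with load addresses shortened.

```shell
#!/bin/sh
# Added example (not project code). needed_files, needed_without_openssl and
# scratch_ready are hypothetical helper names.

# Constructed sample: the ldd listing quoted above, load addresses shortened.
SAMPLE_LDD='
    linux-vdso.so.1 (0x0)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x0)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x0)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x0)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x0)
    libm.so.6 => /lib64/libm.so.6 (0x0)
    libdl.so.2 => /lib64/libdl.so.2 (0x0)
    libc.so.6 => /lib64/libc.so.6 (0x0)
    /lib64/ld-linux-x86-64.so.2 (0x0)
    libz.so.1 => /lib64/libz.so.1 (0x0)'

# Read ldd output on stdin; print each file the image must contain, one per line.
needed_files() {
    awk '
        $1 ~ /^linux-(vdso|gate)\.so/ { next }           # kernel-provided, no file
        $2 == "=>" && $3 ~ /^\//      { print $3; next } # resolved library
        $2 == "=>"                    { print $1; next } # "not found": keep soname
        $1 ~ /^\//                    { print $1 }       # the dynamic loader
    '
}

# The same list minus libssl/libcrypto: what remains after OpenSSL is dropped.
needed_without_openssl() {
    needed_files | grep -Ev '(^|/)lib(ssl|crypto)\.so' || true
}

# Succeeds only when nothing is needed, i.e. a static binary ("statically
# linked" / "not a dynamic executable" match no rule above).
scratch_ready() {
    [ -z "$(needed_files)" ]
}

printf '%s\n' "$SAMPLE_LDD" | needed_without_openssl
if printf '%s\n' "$SAMPLE_LDD" | scratch_ready; then
    echo "scratch: ok"
else
    echo "scratch: no, the files above must ship in the image"
fi
```

Feed it the `ldd` output of the release binary as built inside the builder image, since the library set depends on the target and libc the binary was linked for.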


@jcjones jcjones left a comment


Nit, but good!

# no intermediate build artifacts
FROM alpine:3.14

Run apk add libgcc && apk update
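
Review bot: on the `apk add libgcc && apk update` line, the index refresh runs after the install, so the install cannot benefit from it and the downloaded index stays in the final layer. Suggest a single `RUN apk add --no-cache libgcc`, which fetches the index for the install and leaves no cache behind.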

Suggested change
Run apk add libgcc && apk update
RUN apk add libgcc && apk update

Contributor Author


I didn't realize that all-caps for directives was optional in Dockerfiles, and I'm a little disappointed.

Contributor

@ezekiel ezekiel left a comment


For the COPY --from, by default WORKDIR is /, so it looks like the facilitator binary lands in the same place, but less explicitly. Anyway, looks good!

https://docs.docker.com/engine/reference/run/#workdir

@tgeoghegan
Contributor Author

> For the COPY --from, by default WORKDIR is /, so it looks like the facilitator binary lands in the same place, but less explicitly. Anyway, looks good!
>
> https://docs.docker.com/engine/reference/run/#workdir

Good catch. I changed this so that the destination path is absolute.

@tgeoghegan tgeoghegan merged commit d1505ea into main Aug 2, 2021
@tgeoghegan tgeoghegan deleted the timg/smaller-docker-image branch August 2, 2021 20:54