
Make API image smaller by not including dev dependencies #4285

Merged: 11 commits merged into main from smaller_api_img on May 11, 2024

Conversation

dhruvkb
Member

@dhruvkb dhruvkb commented May 7, 2024

Fixes

Fixes #1008 by @krysal

Description

This PR separates the API image into api and api_dev, the former of which is published to GHCR and does not include dev-dependencies, while the latter is used in CI and includes dev-dependencies.

It also updates the set_matrix_images.py code to enforce consistency in the outputs so that fallbacks and null-handling is not needed in ci.yml.

Testing Instructions

  1. See that CI builds both api and api_dev.
  2. See that CI uses api_dev to run the tests (proven by the CI passing, the prod image does not have pytest).
  3. See that CI publishes api (cannot test without merging the PR unfortunately).

Checklist

  • My pull request has a descriptive title (not a vague title like Update index.md).
  • My pull request targets the default branch of the repository (main) or a parent feature branch.
  • My commit messages follow best practices.
  • My code follows the established code style of the repository.
  • I added or updated tests for the changes I made (if applicable).
  • I added or updated documentation (if applicable).
  • I tried running the project locally and verified that there are no visible errors.
  • I ran the DAG documentation generator (just catalog/generate-docs for catalog
    PRs) or the media properties generator (just catalog/generate-docs media-props
    for the catalog or just api/generate-docs for the API) where applicable.

Developer Certificate of Origin

Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

@github-actions github-actions bot added the 🧱 stack: mgmt Related to repo management and automations label May 7, 2024
@openverse-bot openverse-bot added 🟨 priority: medium Not blocking but should be addressed soon 🧰 goal: internal improvement Improvement that benefits maintainers, not users 💻 aspect: code Concerns the software code in the repository labels May 7, 2024
@dhruvkb
Member Author

dhruvkb commented May 7, 2024

It finally works, the tests are passing, and the diff was fairly minimal, but the difference is not as much as I had hoped.

[image]

I don't know if it's worth proceeding with this. There is something to be gained when the published image has a much smaller surface and doesn't include dependencies which are completely unnecessary (like ipython and pytest) but that might not be enough to justify the complexity added by this PR.

@dhruvkb dhruvkb marked this pull request as ready for review May 7, 2024 21:40
@dhruvkb dhruvkb requested a review from a team as a code owner May 7, 2024 21:40
@sarayourfriend
Collaborator

sarayourfriend commented May 8, 2024

It's a 7.5% reduction, I'd say that's pretty meaningful. That said, I'm having a hard time following how this works based on the diff, but I think I need to look at the broader CI/CD workflow build to understand when api_dev is built and when api is built. I thought we reused the images from dev to publish, but I'm assuming that we actually rebuild the images from scratch when the workflow runs on main, at which point only api is used for load images?

Instead of building two images, I wonder if we could always pdm install --prod in the Dockerfile, and add pdm install -d in the entrypoint defined in the docker compose. That way we don't need to ever build two separate images, and the development dependencies are a container implementation detail, rather than an image implementation detail. There's no reason the development dependencies need to be available in the image (they aren't used for any of the intermediate steps).

The general idea would be, always only build a production image, and then use entrypoint/command changes in the compose stack to augment the production image with development dependencies. That's a lot easier to understand than two distinct builds, at least to me. It's a layered rather than a branched approach.

@dhruvkb
Member Author

dhruvkb commented May 8, 2024

I will have to update the CI+CD docs. What you're saying @sarayourfriend is completely true and this PR does make the workflow quite a lot more complex than it previously was (which was already a lot). I wanted to not put time into that if the team found the size reduction quite less and not worth pursuing.

I thought we reused the images from dev to publish

That is correct. In the CI+CD workflow, we build all the images we would need in build-images (this includes api and api_dev now) and only publish a subset of these images in publish-images (this never includes api-dev). Images are only built once and then these artifacts are repeatedly downloaded by load-img where needed.

when api_dev is built and when api is built

Whenever the API needs to be tested, we build api_dev. Whenever the API needs to be published, we build api. These scenarios can, and usually do, overlap and then we build both.

Overall, I agree with your review, that the dev dependencies should be added in another layer but in our current setup, the issue with building a layered image is that we do not include PDM in the final image (as an aggressive optimisation, and just the .venv/ created in builder) so it's not possible to install a PDM lockfile on top of the final image. Additionally, installing packages in the entrypoint or cmd intuitively "feels" wrong.

@sarayourfriend
Collaborator

so it's not possible to install a PDM lockfile on top of the final image

In the context of the local compose stack, we map the api directory into the container, so the pdm lockfile will be available. But I take your point that PDM itself isn't available in the "prod" build, so it's irrelevant whether the lockfile is.

After reviewing the CI/CD workflow again, and in particular refreshing my understanding of the difference between the determine-images, build-images, and load-images jobs, I actually think this approach is perfectly elegant, with its main drawback not necessarily being the complexity, but the fact that we'll have two somewhat redundant API images built. Whether that makes the savings worth it is really the operative question! We'll be making the published image smaller by 7.5%, at the expense of actually increasing the total volume of build artefacts by 92.5% (including all the upload, storage, etc that incurs). Considering how much more often those artefacts are created and cached... I'm inclined to think any kind of reasonable environmental benefit is made completely irrelevant by that detail.

The only way to solve that would be to have a single image, with the development environment augmented in the compose context. For what it's worth, I don't see anything wrong with doing pip install -g pdm && pdm install -d in the compose entrypoint. It might feel wrong... but why? It's a development environment, it's already inherently "impure" and mutable by the very nature of the fact that we map a directory that's intended to be mutated right where the "pure" application code would be (the api directory!).

If we wanted something "pure" for at least some tests, it's worth considering whether those integration tests could be extracted into a simpler PDM project that can be pointed to any API instance, rather than running them inside the container. Then at least we could theoretically run a significant number of tests against a "pure" container, unmodified from the image that we'd push to a live environment. That's an improvement over our current testing, which always happens in an environment where the development dependencies are available. I suppose we don't actually even know whether we have a strict separation between development and non-development dependencies with our current setup (at least not in any way that's confirmed by automated testing).

If there is simply no way to avoid building two images, then there's no justification for this that makes sense. The published image is smaller, but at the cost of nearly doubling the data and build time... and that on every push to a branch. That simply doesn't compare to the number of times the image is downloaded, which would be the only thing improving with this approach.

@dhruvkb
Member Author

dhruvkb commented May 8, 2024

If we build a dev API image in the only place it's used, we can skip the artifact upload, download and cache steps and at the cost of some DRYness, reduce the artifact volume. I'm interested in your thoughts on 2d9dca2.

@sarayourfriend
Collaborator

It looks good to me. Am I correct in understanding that the basic difference is we wouldn't upload/load the api_dev image outside that particular API test job, and therefore remove the duplication of an API image loading in every other step?

Collaborator

@sarayourfriend sarayourfriend left a comment


I am fine with this increase in complexity. If there are additional improvements we can make towards reusing the layers through shared caching or other approaches, that's fine. Even ignoring the size improvements, it is a basic security improvement not to include dependencies that aren't required for the deployed application. In that sense, this is a win to me regardless of whether it ultimately increases the volume of images/bytes-on-disk/bytes-on-wire.

@dhruvkb
Member Author

dhruvkb commented May 9, 2024

Yes @sarayourfriend. The api_dev image is now only built in the API test job and not cached, uploaded as an artifact or downloaded anywhere.

The production image api will be built, uploaded as an artifact, downloaded for use in other jobs and also published to GHCR.

Collaborator

@stacimc stacimc left a comment


Interesting discussion in this thread! I agree with the conclusions made here and support the change. Code LGTM. Do you think there's anywhere we should document this change?

@dhruvkb
Member Author

dhruvkb commented May 10, 2024

Yes, there is some documentation about the CI + CD workflow that needs updating. I'll update the docs, push to this PR and then merge it.


Full-stack documentation: https://docs.openverse.org/_preview/4285



@dhruvkb dhruvkb merged commit 9b1aa77 into main May 11, 2024
49 checks passed
@dhruvkb dhruvkb deleted the smaller_api_img branch May 11, 2024 06:13
Successfully merging this pull request may close these issues.

Reduce size of API production image