[REQ] discard patch layer for subsequent patches

[sozercan]

What kind of request is this?

New feature

What is your request or suggestion?

for recurring patching, we patch the vanilla image (say nginx:1.18.0) instead of patched image (nginx:1.18.0-patched) otherwise copa will keep adding new patch layers to subsequent patches.

Is it possible to discard the patch layer from copa so we can patch images subsequently without creating additional layers?

Are you willing to submit PRs to contribute to this feature request?

• Yes, I am willing to implement it.

[sozercan]

More context for this issue:

Given original image sozercan/opa:0.46.0 history:

$ docker history sozercan/opa:0.46.0                                                                                                                               
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
c4b11c9b86ea   19 months ago   CMD ["run"]                                     0B        buildkit.dockerfile.v0
<missing>      19 months ago   ENTRYPOINT ["/opa"]                             0B        buildkit.dockerfile.v0
<missing>      19 months ago   ENV PATH=/usr/local/sbin:/usr/local/bin:/usr…   0B        buildkit.dockerfile.v0
<missing>      19 months ago   COPY _release/0.46.0/opa_linux_amd64 /opa # …   61.9MB    buildkit.dockerfile.v0
<missing>      19 months ago   ARG BIN_SUFFIX=                                 0B        buildkit.dockerfile.v0
<missing>      19 months ago   ARG BIN_DIR=.                                   0B        buildkit.dockerfile.v0
<missing>      19 months ago   ARG TARGETARCH                                  0B        buildkit.dockerfile.v0
<missing>      19 months ago   ARG TARGETOS                                    0B        buildkit.dockerfile.v0
<missing>      19 months ago   USER 0                                          0B        buildkit.dockerfile.v0
<missing>      19 months ago   ARG USER=0                                      0B        buildkit.dockerfile.v0
<missing>      19 months ago   ENV OPA_DOCKER_IMAGE=official                   0B        buildkit.dockerfile.v0
<missing>      19 months ago   LABEL org.opencontainers.image.source=https:…   0B        buildkit.dockerfile.v0
<missing>      19 months ago   LABEL org.opencontainers.image.authors=Torin…   0B        buildkit.dockerfile.v0
<missing>      N/A             bazel build ...                                 2.46MB
<missing>      N/A             bazel build ...                                 18.8MB
<missing>      N/A             bazel build ...                                 6.19MB

Copa patches sozercan/opa:0.46.0 to create sozercan/opa:0.46.0-patched and history has the 2 copa created patch layers:

$ docker history sozercan/opa:0.46.0-patched
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
**b18987c9bc17   10 months ago   mount / from exec find . -name *.fields -exe…   28.7kB    buildkit.exporter.image.v0**
**<missing>      10 months ago   copy /copa-unpacked /                           5.59MB    buildkit.exporter.image.v0**
<missing>      16 months ago   CMD ["run"]                                     0B        buildkit.dockerfile.v0
<missing>      16 months ago   ENTRYPOINT ["/opa"]                             0B        buildkit.dockerfile.v0
<missing>      16 months ago   ENV PATH=/usr/local/sbin:/usr/local/bin:/usr…   0B        buildkit.dockerfile.v0
<missing>      16 months ago   COPY _release/0.46.0/opa_linux_amd64 /opa # …   61.9MB    buildkit.dockerfile.v0
<missing>      16 months ago   ARG BIN_SUFFIX=                                 0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG BIN_DIR=.                                   0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG TARGETARCH                                  0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG TARGETOS                                    0B        buildkit.dockerfile.v0
<missing>      16 months ago   USER 0                                          0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG USER=0                                      0B        buildkit.dockerfile.v0
<missing>      16 months ago   ENV OPA_DOCKER_IMAGE=official                   0B        buildkit.dockerfile.v0
<missing>      16 months ago   LABEL org.opencontainers.image.source=https:…   0B        buildkit.dockerfile.v0
<missing>      16 months ago   LABEL org.opencontainers.image.authors=Torin…   0B        buildkit.dockerfile.v0
<missing>      16 months ago   bazel build ...                                 2.46MB
<missing>      16 months ago   bazel build ...                                 18.8MB
<missing>      16 months ago   bazel build ...                                 6.19MB

Copa patches sozercan/opa:0.46.0-patched to create sozercan/opa:0.46.0-patched-2, and history has the 4 copa created patch layers:

$ docker history sozercan/opa:0.46.0-patched-2
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
**e7b617f0d975   9 seconds ago   mount / from exec find . -name *.fields -exe…   32.8kB    buildkit.exporter.image.v0
**<missing>      9 seconds ago   copy /copa-unpacked /                           18.8MB    buildkit.exporter.image.v0**
**<missing>      10 months ago   mount / from exec find . -name *.fields -exe…   28.7kB    buildkit.exporter.image.v0**
**<missing>      10 months ago   copy /copa-unpacked /                           5.59MB    buildkit.exporter.image.v0****
<missing>      16 months ago   CMD ["run"]                                     0B        buildkit.dockerfile.v0
<missing>      16 months ago   ENTRYPOINT ["/opa"]                             0B        buildkit.dockerfile.v0
<missing>      16 months ago   ENV PATH=/usr/local/sbin:/usr/local/bin:/usr…   0B        buildkit.dockerfile.v0
<missing>      16 months ago   COPY _release/0.46.0/opa_linux_amd64 /opa # …   61.9MB    buildkit.dockerfile.v0
<missing>      16 months ago   ARG BIN_SUFFIX=                                 0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG BIN_DIR=.                                   0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG TARGETARCH                                  0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG TARGETOS                                    0B        buildkit.dockerfile.v0
<missing>      16 months ago   USER 0                                          0B        buildkit.dockerfile.v0
<missing>      16 months ago   ARG USER=0                                      0B        buildkit.dockerfile.v0
<missing>      16 months ago   ENV OPA_DOCKER_IMAGE=official                   0B        buildkit.dockerfile.v0
<missing>      16 months ago   LABEL org.opencontainers.image.source=https:…   0B        buildkit.dockerfile.v0
<missing>      16 months ago   LABEL org.opencontainers.image.authors=Torin…   0B        buildkit.dockerfile.v0
<missing>      16 months ago   bazel build ...                                 2.46MB
<missing>      16 months ago   bazel build ...                                 18.8MB
<missing>      16 months ago   bazel build ...                                 6.19MB

Notice the extra layers on the twice patched image if we don't patch the vanilla image. Since copa patches the packages directly, it doesn't need any additional layers. To prevent constant build up of these patch layers, we were recommending always patching the vanilla image instead of an already patched image. This issue is specifically about whether we can discard those patch layers created by copa previously.

[MiahaCybersec]

Thanks for the additional context! My PR took the wrong approach because I misunderstood the issue. I'll get to working on a proper patch.

[MiahaCybersec]

A design doc has been created for implementing this feature into Copa.

https://docs.google.com/document/d/16DoKF7V3F1xaQGCL8cnPMZUlaoni0EsNvqAYTkMxxyU/edit?usp=sharing