Auditing dockerfile

Because of the nature of GitHub cache, and the time it takes to build the dockerfile for testing, it is desirable to be able to audit what is going on there.

This document provides a few pointers on how to do that, and some results as of 2025-02-26 (run inside lima, nerdctl main, on a macbook pro M1).

Intercept network traffic

On macOS

Use Charles:

start SSL proxying
enable SOCKS proxy
export the root certificate

On linux

Left as an exercise to the reader.

If using lima

restart your lima instance with HTTP_PROXY=http://X.Y.Z.W:8888 HTTPS_PROXY=socks5://X.Y.Z.W:8888 limactl start instance - where XYZW is the local ip of the Charles proxy (non-localhost)

On the host where you are running containerd

copy the root certificate from above into /usr/local/share/ca-certificates/charles-ssl-proxying-certificate.crt
update your host: sudo update-ca-certificates
now copy the root certificate again to your current nerdctl clone

Hack the dockerfile to insert our certificate

Add the following stages in the dockerfile:

dockerfile

FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-trixie AS hack-build-base-debian
RUN apt-get update -qq; apt-get -qq install ca-certificates
COPY charles-ssl-proxying-certificate.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS hack-build-base
RUN apk add --no-cache ca-certificates
COPY charles-ssl-proxying-certificate.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

FROM ubuntu:${UBUNTU_VERSION} AS hack-base
RUN apt-get update -qq; apt-get -qq install ca-certificates
COPY charles-ssl-proxying-certificate.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

Then replace any later "FROM" with our modified bases:

golang:${GO_VERSION}-trixie => hack-build-base-debian
golang:${GO_VERSION}-alpine => hack-build-base
ubuntu:${UBUNTU_VERSION} => hack-base

Mimicking what the CI is doing

A quick helper:

bash

run(){
  local no_cache="${1:-}"
  local platform="${2:-arm64}"
  local dockerfile="${3:-Dockerfile}"
  local target="${4:-test-integration}"

  local cache_shard="$CONTAINERD_VERSION"-"$platform"
  local shard="$cache_shard"-"$target"-"$UBUNTU_VERSION"-"$no_cache"-"$dockerfile"

  local cache_location=$HOME/bk-cache-"$cache_shard"
  local destination=$HOME/bk-output-"$shard"
  local logs="$HOME"/bk-debug-"$shard"

  if [ "$no_cache" != "" ]; then
    nerdctl system prune -af
    nerdctl builder prune -af
    rm -Rf "$cache_location"
  fi

  nerdctl build \
    --build-arg UBUNTU_VERSION="$UBUNTU_VERSION" \
    --build-arg CONTAINERD_VERSION="$CONTAINERD_VERSION" \
    --platform="$platform" \
    --output type=tar,dest="$destination" \
    --progress plain \
    --build-arg HTTP_PROXY=$HTTP_PROXY \
    --build-arg HTTPS_PROXY=$HTTPS_PROXY \
    --cache-to type=local,dest="$cache_location",mode=max \
    --cache-from type=local,src="$cache_location" \
    --target "$target" \
    -f "$dockerfile" . 2>&1 | tee "$logs"
}

And here is what the CI is doing:

bash

ci_run(){
  local no_cache="${1:-}"
  export UBUNTU_VERSION=24.04

  # The actual version may differ
  CONTAINERD_VERSION=v1.7.25 run "$no_cache"  arm64 Dockerfile.origin build-dependencies
  UBUNTU_VERSION=22.04 CONTAINERD_VERSION=v1.7.25 run "" arm64 Dockerfile.origin test-integration

  CONTAINERD_VERSION=v2.0.3 run "$no_cache"  arm64 Dockerfile.origin build-dependencies
  UBUNTU_VERSION=24.04 CONTAINERD_VERSION=v2.0.3 run "" arm64 Dockerfile.origin test-integration

  CONTAINERD_VERSION=v2.0.3 run "$no_cache"  amd64 Dockerfile.origin build-dependencies
  UBUNTU_VERSION=24.04 CONTAINERD_VERSION=v2.0.3 run "" amd64 Dockerfile.origin test-integration
}

# To simulate what happens when there is no cache, go with:
ci_run no_cache

# Once you have a cached run, you can simulate what happens with cache
# First modify something in the nerdctl tree
# Then run it
touch mimick_nerdctl_change
ci_run

Analyzing results

Network

Full CI run, cold cache (the first three pipelines, and part of the fourth)

The following numbers are based on the above script, with cold cache.

Unfortunately golang did segfault on me during the last (cross-run targetting amd), so, these numbers should be taken as (slightly) underestimated.

Total number of requests: 7190

Total network duration: 13 minutes 11 seconds

Outbound: 1.31MB

Inbound: 5202MB

Breakdown per domain

Destination	# requests	through	duration
https://registry-1.docker.io	123 (2 failed)	1.22MB	26s
https://production.cloudflare.docker.com	60	1242.41MB	2m6s
http://deb.debian.org	207	107.14MB	13s
https://github.com	105	977.88MB	1m25s
https://proxy.golang.org	5343 (57 failed)	753.69MB	4m8s
https://objects.githubusercontent.com	42	900.22MB	50s
https://raw.githubusercontent.com	8	92KB	2s
https://storage.googleapis.com	19 (3 failed)	537.21MB	35s
https://ghcr.io	65	588.68KB	13s
https://auth.docker.io	10	259KB	5s
https://pkg-containers.githubusercontent.com	48	183.63MB	20s
http://ports.ubuntu.com	300	165.36MB	1m55s
https://golang.org	4	228.93KB	<1s
https://go.dev	4	95.51KB	<1s
https://dl.google.com	4	271.42MB	11s
https://sum.golang.org	746	3.89MB	17s
http://security.ubuntu.com	7	2.70MB	3s
http://archive.ubuntu.com	95	55.95MB	19s
	-	-	-
Total	7190	5203MB	13 mins 11 secs

Full CI run, warm cache (only the first three pipelines)

Destination	# requests	through	duration
https://registry-1.docker.io	25	537KB	14s
https://production.cloudflare.docker.com	2	25MB	1s
https://github.com	7 (1 failed)	105KB	2s
https://proxy.golang.org	930 (11 failed)	150MB	37s
https://objects.githubusercontent.com	4	86MB	4s
https://storage.googleapis.com	3	112MB	6s
https://auth.docker.io	1	26KB	<1s
http://ports.ubuntu.com	133	67MB	50s
https://golang.org	2	114KB	<1s
https://go.dev	2	45KB	<1s
https://dl.google.com	2	134MB	5s
https://sum.golang.org	484	3MB	11s
	-	-	-
Total	1595 (12 failed)	579MB	2 mins 10 secs

Analysis

Docker Hub

Images from Docker Hub are clearly a source of concern (made even worse by the fact they apply strict limitations on the number of requests permitted).

When the cache is cold, this is about 1GB per run, for 200 requests and 3 minutes.

Actions:

reduce the number of images
- we currently use 2 golang images, which does not make sense
reduce the round trips
- there is no reason why any of the images should be queried more than once per build
move away from Hub golang image, and instead use a raw distro + golang download
- Hub golang is a source of pain and issues (diverging version scheme forces ugly shell contorsions, delay in availability creates broken situations)
- we are already downloading the go release tarball anyhow, so, this is just wasted bandwidth with no added value

Success criteria:

on a cold cache, reduce the total number of requests against Docker properties by 50% or more
on a cold cache, cut the data transfer and time in half

Distro packages

On a WARM cache, close to 1 minute is spent fetching Ubuntu packages. This should not happen, and distro downloads should always be cached.

On a cold cache, distro packages download near 3 minutes. Very likely there is stage duplication that could be reduced and some of that could be cut of.

Actions:

ensure distro package downloading is staged in a way we can cache it
review stages to reduce package installation duplication

Success criteria:

0 package installation on a warm cache
cut cold cache package install time by 50% (XXX not realistic?)

GitHub repositories

Clones from GitHub do clock in at 1GB on a cold cache. Containerd alone counts for more than half of it (at 160MB+ x4).

Hopefully, on a warm cache it is practically non-existent.

But then, this is ridiculous.

Actions:

shallow clone

Success criteria:

reduce network traffic from cloning by 80%

Go modules

At 750+MB and over 4 minutes, this is the number one speed bottleneck on a cold cache.

On a warm cache, it is still over 150MB and 30+ seconds.

In and of itself, this is hard to reduce, as we need these...

Actions:

we could cache the module download location to reduce round-trips on modules that are shared across different projects
we are likely installing nerdctl modules six times - (once per architecture during the build phase, then once per ubuntu version and architecture during the tests runs (this is not even accounted for in the audit above)) - it should only happen twice (once per architecture)

Success criteria:

achieve 20% reduction of total time spent downloading go modules

Other downloads

At 500MB+ and 30 seconds, storage.googleapis.com is serving a SINGLE go module that gets special treatment: klauspost/compress. This module is very small, but does serve along with it a very large testdata folder. The fact that nerdctl downloads its module multiple times is further compounding the effect.
the golang archive is downloaded multiple times - it should be downloaded only once per run, and only on a cold cache
some of the binary releases we are retrieving are also being retrieved with a warm cache, and they are generally quite large. We could consider building certain things from source instead, and in all cases ensure that we are only downloading with a cold cache.

Success criteria:

0 static downloads on a warm cache
cut extra downloads by 20%

Duration

Unscientific numbers, per pipeline

dependencies, no cache:

224 seconds total
53 seconds exporting cache

dependencies, with cache:

12 seconds

test-integration, no cache:

282 seconds

Caching

Number of layers in cache:

after dependencies stage: 78
intermediate size: 1.5G
after test-integration stage: 118
total size: 2.8G

Generic considerations

Caching compression

This is obviously heavily dependent on the runner properties.

With local cache, on high-performance IO (laptop SSD), zstd is definitely considerably better (about twice as fast).

With GHA, the impact is minimal, since network IO is heavily dominant, but zstd still has the upper hand with regard to cache size.

Output

Loading image into the Docker store comes at a somewhat significant cost. It is quite possible that a significant performance boost could be achieved by using buildkit containerd worker and nerdctl instead.