Pack binary with upx
#474
Comments
Hey, transferring this to our releases repository, where the Docker images are actually built :) How does upx interact with security scanners? I have heard stories of upx leading to antivirus flagging some years ago; I wonder if that still holds today.
I ran a scan with
As for antivirus false positives, there is a pinned issue about them in the upx repo: upx/upx#437. It is a risk, but 9 false positives over 3+ years seems relatively low.
@JamieMagee Your test shows that it does not introduce any false positives (that sounds unlikely); what I am wondering is if it introduces false negatives (effectively, if it obfuscates the binary in some way that makes trivy and friends not detect real issues). cc @open-telemetry/sig-security-maintainers
@JamieMagee @mx-psi thanks for the suggestion! I've added discussing this item to the security SIG agenda for this week |
We used to have this in the first versions we released using goreleaser, but it caused problems with the binaries for Darwin. I can't find the issue right now to have a reference, but if we do run upx on the binaries, we should make sure the final executables are tested before releasing them. |
Component(s)
No response
Describe the issue you're reporting
The `opentelemetry-collector-contrib` container image is already well optimized by using `FROM scratch`[^1]. But using `upx` to compress the `otelcontribcol` binary before copying it to the final container image would allow us to save even more.

Building locally with `make docker-otelcontribcol` I get the following container image:

Compressing the `otelcontribcol` binary with `upx --best` as part of the build I get:

That's a decrease of 214MB or 63%. Looking at the total number of container image downloads of the `0.93.0` tag, which has ~60k downloads, that equates to ~13TB overall.

The main downside is that this increases the build time drastically, so this could only really be used for tagged version builds.
Footnotes
[^1]: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/cmd/otelcontribcol/Dockerfile
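The build step proposed in the issue, combined with the check a maintainer asks for above (test the packed executables before releasing them), as an added example script that is not part of the issue or of the collector project. It assumes `upx` is on PATH, that the binary accepts `--version` as a harmless smoke-test invocation, and the path `./bin/otelcontribcol` is only a placeholder.

```shell
#!/bin/sh
# Added example (not from the issue or the collector repository): compress a
# Go binary with upx --best, then refuse to ship it unless upx's integrity
# check passes and the packed binary actually starts. Assumes `upx` is on PATH
# and that the binary supports `--version`; the otelcontribcol path is a placeholder.
set -eu

# Percentage reduction, rounded to the nearest whole number using POSIX
# integer arithmetic (e.g. 340 -> 126 bytes gives 63, matching the issue's ratio).
size_reduction_pct() {
    before=$1; after=$2
    echo $(( ((before - after) * 1000 / before + 5) / 10 ))
}

# Compress $1 into $2, verify the packed file, run it once, and report the saving.
# Any failing step aborts (set -e), so a release job stops before publishing.
compress_and_verify() {
    src=$1; out=$2
    before=$(wc -c < "$src")

    upx --best -o "$out" "$src"

    # upx -t decompresses in memory and compares against the stored checksum;
    # it catches a corrupted or truncated packed file but not runtime breakage.
    upx -t "$out"

    # Packed Darwin binaries have broken in the past (see the comment above),
    # so actually execute the result rather than trusting the checksum alone.
    "$out" --version >/dev/null

    after=$(wc -c < "$out")
    echo "$src: $before -> $after bytes ($(size_reduction_pct "$before" "$after")% smaller)"
}

# Only runs when BINARY is set, e.g.: BINARY=./bin/otelcontribcol sh pack.sh
if [ -n "${BINARY:-}" ]; then
    compress_and_verify "$BINARY" "${BINARY}.upx"
fi
```

Run this per target platform in the release pipeline rather than once on the build host: the smoke test only proves anything for the OS and architecture it executes on, which is exactly where the earlier Darwin breakage would have surfaced.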