@ningmingxiao ningmingxiao commented Dec 23, 2025

assembler docker image is too big
before this commit 5.17GB after this commit 4.73GB @dustymabe


openshift-ci bot commented Dec 23, 2025

Hi @ningmingxiao. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request aims to reduce the number of layers in the Docker image by consolidating RUN commands, which is a great goal for optimizing image size and build speed.

The consolidation of the first set of RUN commands is done well. However, the second, larger RUN block introduces a critical issue where shell comments break the command chain, preventing most of the commands from executing. It also includes an unsafe directory removal operation.

My review includes a critical comment with a suggested fix that resolves these issues while preserving the single-layer approach and improving code style.

RUN mkdir -p /go && chmod 777 /go

# run as `builder` user
RUN ./build.sh write_archive_info \
Member


Let's use a heredoc here instead of a bunch of \ &&

Author

@ningmingxiao ningmingxiao Dec 29, 2025


I find use EOF

# When rebasing to new Fedora, also update openshift/release:
# https://github.com/openshift/release/tree/master/ci-operator/config/coreos/coreos-assembler/coreos-coreos-assembler-main.yaml
FROM quay.io/fedora/fedora:43
WORKDIR /root/containerbuild
# This variable is enabled by Konflux to build the container image hermatically.
ARG NO_NETWORK=0
# Keep this Dockerfile idempotent for local development rebuild use cases.
USER root

COPY ./src/print-dependencies.sh ./src/deps*.txt ./src/vmdeps*.txt ./src/build-deps.txt /root/containerbuild/src/
COPY ./build.sh /root/containerbuild/
RUN <<EOF
#!/bin/bash
     set -e
     rm -rfv /usr/lib/coreos-assembler /usr/bin/coreos-assembler
    ./build.sh configure_yum_repos
    ./build.sh install_rpms
    ./build.sh install_ocp_tools
    ./build.sh trust_redhat_gpg_keys
EOF

COPY ./ /root/containerbuild/
RUN <<EOF
#!/bin/bash
     set -e
    ./build.sh write_archive_info
    ./build.sh make_and_makeinstall
    ./build.sh configure_user
    ./build.sh patch_osbuild
    # clean up scripts (it will get cached in layers, but oh well)
    chown builder: /srv
    rm -rf /root/containerbuild
    # allow writing to /etc/passwd from arbitrary UID
    # https://docs.openshift.com/container-platform/4.8/openshift_images/create-images.html
    chmod g=u /etc/passwd
    # also allow adding certificates
    chmod -R g=u /etc/pki/ca-trust
    # This allows Prow jobs for other projects to use our cosa image as their
    # buildroot image (so clonerefs can copy the repo into `/go`). For cosa itself,
    # this same hack is inlined in the YAML (see openshift/release link above).
    mkdir -p /go && chmod 777 /go
EOF

# run as `builder` user	
USER builder
ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"]

always failed
Step 7/11 : RUN <<EOF
---> Running in 2ec4fdda6c7f
/bin/sh: line 1: warning: here-document at line 1 delimited by end-of-file (wanted EOF')
---> Removed intermediate container 2ec4fdda6c7f
---> 6ca130419d4f
Step 8/11 : COPY ./ /root/containerbuild/
---> 2bf27463d775
Step 9/11 : RUN <<EOF
---> Running in 93ee294d2d72
/bin/sh: line 1: warning: here-document at line 1 delimited by end-of-file (wanted EOF')

Member


I think you can remove the bash shebang and the leading spaces
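
A check for the failure in the build output quoted in this thread, as an added example that is not part of the PR or the project. The `Step N/M :` and `---> Running in` lines are the classic (non-BuildKit) Docker builder's output format; that builder hands only the `<<EOF` line to `/bin/sh`, so the step is committed without running the heredoc body. The function name and regular expressions are assumptions of this sketch.

```python
import re

STEP = re.compile(r"Step (\d+)/(\d+) : ")
HEREDOC_RUN = re.compile(r"""RUN\s+<<-?\s*["']?(\w+)""")
# bash prints the delimiter as `EOF'; the opening backtick is optional here
# because rendered logs often lose it.
WARNING = re.compile(
    r"here-document at line \d+ delimited by end-of-file \(wanted `?(\w+)'\)")

# Constructed from the build output quoted in the thread; several step
# records share one line, as scraped or pasted logs often do.
SAMPLE_LOG = (
    "Step 7/11 : RUN <<EOF\n"
    "---> Running in 2ec4fdda6c7f\n"
    "/bin/sh: line 1: warning: here-document at line 1 delimited by "
    "end-of-file (wanted EOF') ---> Removed intermediate container "
    "2ec4fdda6c7f ---> 6ca130419d4f Step 8/11 : COPY ./ /root/containerbuild/ "
    "---> 2bf27463d775 Step 9/11 : RUN <<EOF ---> Running in 93ee294d2d72 "
    "/bin/sh: line 1: warning: here-document at line 1 delimited by "
    "end-of-file (wanted EOF')\n"
)


def skipped_heredoc_steps(log):
    """Return (step, total, delimiter) for each RUN heredoc whose body never ran.

    Signature: the step header is `RUN <<DELIM` and, before the next step
    header, the shell warns that the heredoc for DELIM hit end-of-file, i.e.
    the shell received the `<<DELIM` line but none of the script lines.
    """
    headers = list(STEP.finditer(log))
    findings = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log)
        chunk = log[head.end():end]
        # The instruction text ends at the first "--->" marker or newline.
        instruction = re.split(r"\s*--->|\n", chunk, maxsplit=1)[0]
        run = HEREDOC_RUN.match(instruction)
        warn = WARNING.search(chunk)
        if run and warn and warn.group(1) == run.group(1):
            findings.append((int(head.group(1)), int(head.group(2)), run.group(1)))
    return findings


if __name__ == "__main__":
    for step, total, delim in skipped_heredoc_steps(SAMPLE_LOG):
        print(f"step {step}/{total}: heredoc <<{delim} body was not executed; "
              "rebuild with BuildKit (DOCKER_BUILDKIT=1 or docker buildx build)")
```

Run against a CI build log, a non-empty result means an image layer was committed with none of its commands executed, which here would include the `trust_redhat_gpg_keys` and cleanup steps.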

Consolidate RUN commands for efficiency and cleanup.

Signed-off-by: ningmingxiao <[email protected]>