
Vault binary size increase (+44%) from 1.14.1 to 1.14.2

Open evsasha opened this issue 11 months ago • 14 comments

The binary file has increased by 44%, and I don't see a rational explanation for this.

247M Jul 26 14:25 vault_1.14.1
355M Sep  8 14:25 vault_1.14.2

linux amd64

Describe the bug N/A

To Reproduce N/A

Expected behavior N/A

Environment: N/A

Additional context N/A

evsasha avatar Sep 08 '23 11:09 evsasha

We are aware of the size of the binary. Many design decisions are a factor, for example the debug symbols upon which many of our customers rely for information and troubleshooting. We are constantly evaluating how we can improve here, however, no firm decisions have been made yet and may not be for some time. Are there issues that you are facing here, such as with container sizing? Please let us know the details of any operational headache that you may be experiencing as a result. Thanks!

akshya96 avatar Sep 08 '23 22:09 akshya96

Even so, that's a remarkable change in size for a patch release.

I was curious, so I started git bisecting. Turns out most of it is down to pulling in new/more code from the Azure SDK in 486f7d0fda27b057959d5c907749e6f291237778, and then a smaller increase from 5a37c6f0d74a11ad614f9bb2f3354fd79071617e (more Azure SDK code, and some other things).

EDIT: It turns out that 27% of the binary size of vault 1.14.2 (self-compiled, no web UI) is just the Azure secrets engine, Azure auth method, and Azure auth support for Vault agent/proxy! If you take out enough other code to get rid of all use of github.com/Azure/azure-sdk-for-go/... (Azure auto-seal, Snowflake database plugin, Azure metadata node discovery for Raft joining) the size reduction is 35%. That's rather remarkable.

maxb avatar Sep 09 '23 18:09 maxb
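
One way to estimate how much of a Go binary a single dependency accounts for, the kind of measurement discussed in the comment above. This is an added example, not code from the thread or from Vault; `SizeOf` and the sample rows are constructed for illustration. It assumes `go tool nm -size` output from an unstripped binary, and because symbol sizes exclude pclntab and DWARF data, the percentage approximates the code and data share rather than the on-disk file size.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"os"
	"strconv"
	"strings"
)

// Constructed sample in `go tool nm -size` layout: address, size, type, name.
const sample = `  401000       4096 T github.com/hashicorp/vault/vault.(*Core).Seal
  402000       3072 T github.com/Azure/azure-sdk-for-go/sdk/azcore.NewClient
  403000       1024 R type:*github.com/Azure/azure-sdk-for-go/sdk/azcore.Client
                  0 U pthread_create
  404000       2048 T runtime.mallocgc
`

// SizeOf sums symbol sizes; matched is the part whose name contains needle.
func SizeOf(r io.Reader, needle string) (matched, total int64, err error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // generic names get long
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue // e.g. undefined ("U") rows, which have no address column
		}
		size, _ := strconv.ParseInt(f[1], 10, 64) // non-numeric field counts as 0
		total += size
		if strings.Contains(strings.Join(f[3:], " "), needle) {
			matched += size
		}
	}
	return matched, total, sc.Err()
}

func main() {
	var in io.Reader = strings.NewReader(sample)
	if len(os.Args) > 1 { // any argument: read real nm output from stdin
		in = os.Stdin
	}
	m, t, err := SizeOf(in, "github.com/Azure/azure-sdk-for-go/")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d of %d symbol bytes (%.1f%%)\n", m, t, 100*float64(m)/float64(t))
}
```

To measure a real binary, pipe the symbol table in: `go tool nm -size ./vault | go run . -`.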

We did update the Azure SDK as part of work on an HTTP/2 bug Microsoft found, and had to update that SDK in the seal subsystem as well as the secrets plugin. I'll take a second look but I wonder if/why we're bringing in more of the SDK now.

sgmiller avatar Sep 13 '23 14:09 sgmiller

@evsasha : It is indeed due to the change of usage of the Azure SDK but not where I thought. We're looking at it.

sgmiller avatar Sep 13 '23 20:09 sgmiller

@sgmiller Thank you. I just wanted to point out the negative trend of package size growth and find out what is directly causing this growth. Is there any deliberate malicious intent behind it?

I have created a histogram of releases and versions for myself, and the trend of package size growth is clearly evident.

My main concern and discomfort related to the package size growth is the use of the Vault CLI. A CLI shouldn't weigh 300+ megabytes. Perhaps it's time to separate the server and the CLI.

evsasha avatar Sep 28 '23 12:09 evsasha

> @evsasha : It is indeed due to the change of usage of the Azure SDK but not where I thought. We're looking at it.

Is there any chance we could selectively opt-in/out of these features? We personally use Azure, but there's a bunch of secrets engines that we do not.

thusfrancisco avatar Oct 16 '23 14:10 thusfrancisco

I was investigating the sizes of some container images and stumbled over this: 370 MB for a Go binary is pretty impressive. :S

I'd also love a stripped and more sanely composed binary that is smaller. =/

dragetd avatar Feb 19 '24 18:02 dragetd

Related issues:

  • #10180 opened Oct 20, 2020
  • #21069 opened Jun 8, 2023

As of 1.16.2 the Vault (linux_amd64) binary has now grown to over 400M.

$ ./vault --version
Vault v1.16.2 (c6e4c2d4dc3b0d57791881b087c026e2f75a87cb), built 2024-04-22T16:25:54Z

$ ls -hog vault | cut -d' ' -f3-
402M Apr 22 20:30 vault

HashiCorp Vault's Plugin system currently consists of built-in and external plugins:

Built-in plugins are shipped with Vault... External plugins are not shipped with Vault and require additional operator intervention to run. To run an external plugin, a binary or container image of the plugin is required. Plugin binaries can be obtained from releases.hashicorp.com or they can be built from source.

I personally would prefer all the secret, auth, and database plugins were "external" with the Vault binary containing only the core components, similar to Terraform and its use of Providers.

In one use case of Vault, I need to use only 4-5 of the 19 included Auth Methods. I imagine most use cases of Vault would be similar in needing only a subset of the default included Auth Methods and Secret Engines. Moving all plugins to be "external" would remove bloat from the binary and unnecessary additional code that need not exist.

111a5ab1 avatar May 07 '24 09:05 111a5ab1