Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
Devpt Calmarsoft
devpt at calmarsoft.com
Mon Sep 2 12:41:36 UTC 2024
On 02/09/2024 at 13:52, Marc wrote:
> 1.
> Afaik you don't need to remove packages from builder, the whole builder layer will be gone.
I did that to avoid copying extra files with the COPY --from=builder command.
> 2.
> COPY --from=builder /usr/ /usr/
>
> I think this will copy duplicates; duplicates still increase layer size, so you have 2x the size of a default /usr
>
> so you can only copy individual files
You are right, extra files appear in the diff! I was thinking that the
files already present would be discarded. Copying individual files in
this case is not the solution: there are plenty of files (305 if
counting includes).
So this is a bit more complicated to achieve something cleaner. Maybe
install the binaries in an alternate directory in the build step?
I made a new Dockerfile based on this idea, now the result is 66MB. I
tested the build, but not if it is still functional (see all expected
files in the right place).
> "As long as there is a COPY in your Dockerfile, the size of the image increases to the stuff you copy"
> * don't really know if this is still accurate
>
> That could explain your big image.
>
>> -----Original Message-----
>> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Devpt
>> Calmarsoft
>> Sent: Monday, 2 September 2024 12:25
>> To: bind-users at lists.isc.org
>> Subject: Re: Updated Docker images (9.18, 9.20, 9.21) - now based on
>> Alpine Linux
>>
>> I forgot to specify the runtime dependency packages (fixed Dockerfile
>> attached), I am sorry.
>> This is still minimal changes, and the result is now 101MB, which is
>> still an interesting improvement (371MB before changes). Note that when
>> building, the intermediate image is visible.
>>
>> On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:
>>> On 27/08/2024 at 19:52, Ondřej Surý wrote:
>>>> What’s the size difference for you?
>>>>
>>>> I mean if someone wants to play with our Dockerfile and there’s a
>>>> significant reduction in size, I would be convinced. But in a world,
>>>> where a mobile application that does absolutely nothing has 4 GB, I
>>>> feel like 130 MB is on the low side of the scale.
>>> There is a way to forget the compilation steps, using the "--from"
>>> option of COPY, see here:
>>> https://docs.docker.com/reference/dockerfile/#copy---from
>>>
>>> =>
>>> I made the experiment, and the image drops to 63MB instead of
>>> 243MB (without keeping the sources).
>>> remarks:
>>> I chose to clone only the /usr because that path seems to be
>>> the only one affected during the build/install.
>>> I duplicated the LC_ALL env variable, as I don't know if it is
>>> needed for runtime or build phase.
>>>
>>> In my opinion this would be cleaner that way (with drawback that we
>>> cannot see the build steps history anymore)
>>>
>>>
>>> Benoit
>>>> Ondrej
>>>> --
>>>> Ondřej Surý — ISC (He/Him)
>>>>
>>>> My working hours and your working hours may be different. Please do
>>>> not feel obligated to reply outside your normal working hours.
>>>>
>>>>> On 27. 8. 2024, at 19:38, Peter DeVries <pdevries at quotient-inc.com>
>>>>> wrote:
>>>>>
>>>>> For what it's worth this is how we build our dockers, with a builder
>>>>> and then the runner. IMO it's cleaner that way and not much more
>>>>> complicated. We'll continue to roll our own though so no real dog in
>>>>> this fight.
>>>>>
>>>>> Peter
>>>>>
>>>>>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý <ondrej at isc.org> wrote:
>>>>>>
>>>>>>>> On 27. 8. 2024, at 18:57, Marc <Marc at f1-outsourcing.eu> wrote:
>>>>>>> Afaik apk del \ does not free up space still.
>>>>>> Right. That was not really my intention though. I wanted to reduce
>>>>>> the amount of cruft installed in the image. The less binary stuff
>>>>>> around, the less possible attack surface.
>>>>>>
>>>>>> But apk --no-cache should work I guess.
>>>>>>
>>>>>>> If you work with builder phase, you can probably shave off some MB's
>>>>>> I think that's too complicated to use two phases, but I think the
>>>>>> next update
>>>>>> should reduce the image size a little bit. It was ~170 MB before
>>>>>> and the
>>>>>> reduced (compressed) size is 130 MB.
>>>>>>
>>>>>> But I get it - the base alpine:latest is only 3 MB, that's quite a
>>>>>> difference.
>>>>>>
>>>>>> Ondrej
>>>>>> --
>>>>>> Ondřej Surý (He/Him)
>>>>>> ondrej at isc.org
>>>>>>
>>>>>> My working hours and your working hours may be different. Please do
>>>>>> not feel obligated to reply outside your normal working hours.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>>>> unsubscribe from this list
>>>>>>
>>>>>> ISC funds the development of this software with paid support
>>>>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>>>>>> information.
>>>>>>
>>>>>>
>>>>>> bind-users mailing list
>>>>>> bind-users at lists.isc.org
>>>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>>
>>>
-------------- next part --------------
FROM alpine:latest AS builder
LABEL maintainer="BIND 9 Developers <bind9-dev at isc.org>"
ENV DEBIAN_FRONTEND=noninteractive
ENV LC_ALL=C.UTF-8
ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0
# Build part
RUN apk --no-cache update
RUN apk --no-cache upgrade
RUN apk --no-cache add \
    autoconf \
    automake \
    build-base \
    fstrm \
    fstrm-dev \
    jemalloc \
    jemalloc-dev \
    json-c \
    json-c-dev \
    krb5-dev \
    krb5-libs \
    libcap-dev \
    libcap2 \
    libidn2 \
    libidn2-dev \
    libmaxminddb-dev \
    libmaxminddb-libs \
    libtool \
    libuv \
    libuv-dbg \
    libuv-dev \
    libxml2 \
    libxml2-dbg \
    libxml2-dev \
    libxslt \
    lmdb \
    lmdb-dev \
    make \
    musl-dbg \
    nghttp2-dev \
    nghttp2-libs \
    openssl-dbg \
    openssl-dev \
    procps \
    protobuf-c \
    protobuf-c-dev \
    tzdata \
    userspace-rcu \
    userspace-rcu-dev
RUN mkdir -p /usr/src
ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src
RUN cd /usr/src && \
    ( echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - ) && \
    tar -xJf bind-${BIND9_VERSION}.tar.xz && \
    cd /usr/src/bind-${BIND9_VERSION} && \
    ./configure --prefix /install \
        --sysconfdir=/etc/bind \
        --localstatedir=/ \
        --enable-shared \
        --disable-static \
        --with-gssapi \
        --with-libidn2 \
        --with-json-c \
        --with-lmdb=/usr \
        --with-gnu-ld \
        --with-maxminddb \
        --enable-dnstap && \
    make -j && \
    make install && \
    rm -rf /usr/src
# Remove development packages
RUN apk --no-cache del \
    autoconf \
    automake \
    build-base \
    fstrm-dev \
    gnutls-utils \
    jemalloc-dev \
    json-c-dev \
    krb5-dev \
    libcap-dev \
    libidn2-dev \
    libmaxminddb-dev \
    libtool \
    libuv-dev \
    libxml2-dev \
    libxslt \
    lmdb-dev \
    make \
    nghttp2-dev \
    openssl-dev \
    protobuf-c-dev \
    userspace-rcu-dev
# Runtime part
FROM alpine:latest
ENV LC_ALL=C.UTF-8
# Build result
COPY --from=builder /install /usr
# Packages needed for runtime
RUN apk --no-cache add \
    fstrm \
    jemalloc \
    json-c \
    krb5-libs \
    libcap2 \
    libidn2 \
    libmaxminddb-libs \
    libtool \
    libuv \
    libuv-dbg \
    libxml2 \
    libxml2-dbg \
    lmdb \
    musl-dbg \
    nghttp2-libs \
    openssl-dbg \
    procps \
    protobuf-c \
    tzdata \
    userspace-rcu
# Create user and group
RUN addgroup -S bind && adduser -S -H -h /var/cache/bind -G bind bind
# Create default configuration file
RUN mkdir -p /etc/bind && chown root:bind /etc/bind/ && chmod 755 /etc/bind
COPY named.conf /etc/bind
RUN chown root:bind /etc/bind/named.conf && chmod 644 /etc/bind/named.conf
# Create working directory
RUN mkdir -p /var/cache/bind && chown bind:bind /var/cache/bind && chmod 755 /var/cache/bind
# Create directory to store secondary zones
RUN mkdir -p /var/lib/bind && chown bind:bind /var/lib/bind && chmod 755 /var/lib/bind
# Create log directory
RUN mkdir -p /var/log/bind && chown bind:bind /var/log/bind && chmod 755 /var/log/bind
# Create PID directory
RUN mkdir -p /run/named && chown bind:bind /run/named && chmod 755 /run/named
VOLUME ["/etc/bind", "/var/cache/bind", "/var/lib/bind", "/var/log"]
EXPOSE 53/udp 53/tcp 953/tcp 853/tcp 443/tcp
ENTRYPOINT ["/usr/sbin/named", "-u", "bind"]
CMD ["-f", "-c", "/etc/bind/named.conf", "-L", "/var/log/bind/default.log"]
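
Added example (not part of the original message or of the ISC Dockerfile): a shell check of the point discussed in this thread, that "COPY --from=builder /usr/ /usr/" stores files the base image already has a second time, while copying from a separate install prefix adds only the build result. The function name copy_overlap and the stub files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Estimates what "COPY --from=builder SRC DST" adds to the
# runtime layer: files already identical in the base image are stored again.
# usage: copy_overlap BASE_ROOT SRC_DIR DST_PREFIX
# prints: "<dup files> <dup bytes> <new files> <new bytes>"
# (paths containing newlines are not handled)
copy_overlap() {
    base_root=$1; src=$2; dst=$3
    dup_n=0; dup_b=0; new_n=0; new_b=0
    list=$(mktemp)
    (cd "$src" && find . -type f) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        size=$(wc -c < "$src/$rel")
        if [ -f "$base_root$dst/$rel" ] &&
           cmp -s "$src/$rel" "$base_root$dst/$rel"; then
            dup_n=$((dup_n + 1)); dup_b=$((dup_b + size))
        else
            new_n=$((new_n + 1)); new_b=$((new_b + size))
        fi
    done < "$list"
    rm -f "$list"
    echo "$dup_n $dup_b $new_n $new_b"
}

# Constructed stand-ins: a base rootfs, the builder's whole /usr, and the
# builder's separate install prefix (as with "./configure --prefix /install").
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/base/usr/bin" "$t/base/usr/lib"
    printf 'busybox-stub'   > "$t/base/usr/bin/busybox"        # 12 bytes
    printf 'libcrypto-stub' > "$t/base/usr/lib/libcrypto.so.3" # 14 bytes
    mkdir -p "$t/builder/usr/sbin" "$t/builder/install/sbin"
    cp -R "$t/base/usr/." "$t/builder/usr/"
    printf 'named-stub' > "$t/builder/usr/sbin/named"          # 10 bytes
    printf 'named-stub' > "$t/builder/install/sbin/named"
    whole=$(copy_overlap "$t/base" "$t/builder/usr" /usr)
    prefix=$(copy_overlap "$t/base" "$t/builder/install" /usr)
    rm -rf "$t"
    echo "$whole|$prefix"
}

demo   # whole /usr copy | install-prefix copy
```

To run it against real images, export each root filesystem to a directory first and pass those directories in place of the constructed ones.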