this post was submitted on 06 Feb 2024

Docker

submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/docker
I am looking for something that can take a Dockerfile like the following as an input:

FROM --platform=linux/amd64 debian:latest
ENV DEBIAN_FRONTEND=noninteractive

RUN apt update && apt install -y curl unzip libsecret-1-0 jq
COPY entrypoint.sh .
ENTRYPOINT [ "/entrypoint.sh" ]

And produce a multi-stage Dockerfile where the last stage is built from scratch, with the dependencies for the script in the ENTRYPOINT (or CMD) copied over, like this:

FROM --platform=linux/amd64 debian:latest as builder
ENV DEBIAN_FRONTEND=noninteractive

RUN apt update && apt install -y curl unzip libsecret-1-0 jq

FROM --platform=linux/amd64 scratch as app
SHELL ["/bin/bash"]

# the binaries executed in entrypoint.sh
COPY --from=builder /bin/bash /bin/bash
COPY --from=builder /usr/bin/curl /usr/bin/curl
COPY --from=builder /usr/bin/jq /usr/bin/jq
COPY --from=builder /usr/bin/sleep /usr/bin/sleep

# shared libraries of the binaries
COPY --from=builder /lib/x86_64-linux-gnu/libjq.so.1 /lib/x86_64-linux-gnu/libjq.so.1
COPY --from=builder /lib/x86_64-linux-gnu/libcurl.so.4 /lib/x86_64-linux-gnu/libcurl.so.4
COPY --from=builder /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libz.so.1
# ...a bunch of other shared libs...

# entrypoint
COPY entrypoint.sh /entrypoint.sh

ENTRYPOINT [ "/entrypoint.sh" ]

I've had pretty decent success creating images like this manually (using ldd to find the dependencies) based on this blog. To my knowledge, there's nothing out there that automates producing an image built from scratch, specifically. If something like this doesn't exist, I'm willing to build it myself.
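An added example, not code from the post or the blog it refers to: a POSIX shell helper that turns `ldd` output into the `COPY --from=builder` lines of the scratch stage above. The function names, the `builder` stage name and the sample `ldd` output are constructed for this example; `ldd` may execute a binary's dynamic loader, so run `scratch_copies` only inside the builder stage, on the packages the image itself installed.

```shell
#!/bin/sh
# Added example: generate the "COPY --from=builder" lines of the scratch stage
# from ldd output. ldd_to_copy is a pure parser (reads ldd text on stdin);
# scratch_copies runs ldd and is meant to run inside the builder image.

# ldd line shapes handled:
#   libjq.so.1 => /lib/x86_64-linux-gnu/libjq.so.1 (0x...)  -> copy field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)                     -> copy field 1 (loader)
#   linux-vdso.so.1 (0x...)                                 -> kernel-provided, skip
#   libfoo.so.9 => not found                                -> warn on stderr
ldd_to_copy() {
  stage="${1:-builder}"
  awk -v stage="$stage" '
    /=> not found/ { print "missing: " $1 > "/dev/stderr"; next }
    $2 == "=>" && $3 ~ /^\// { path = $3 }
    $1 ~ /^\// && $2 != "=>" { path = $1 }
    path != "" && !(path in seen) {      # dedupe across all binaries
      seen[path] = 1
      printf "COPY --from=%s %s %s\n", stage, path, path
    }
    { path = "" }
  '
}

# Full COPY block for the binaries an entrypoint calls (binaries first, then
# their shared objects). Needs ldd, so run it inside the builder image, e.g.
# "scratch_copies bash curl jq sleep". Paths are often symlinks
# (libcurl.so.4 -> libcurl.so.4.8.0); if the scratch image fails to start,
# compare with readlink -f and copy the target as well.
scratch_copies() {
  for name in "$@"; do
    bin=$(command -v "$name") || { echo "no such binary: $name" >&2; return 1; }
    printf 'COPY --from=builder %s %s\n' "$bin" "$bin"
  done
  for name in "$@"; do ldd "$(command -v "$name")"; done | ldd_to_copy builder
}

# Constructed sample of what `ldd /usr/bin/jq` prints on Debian (addresses made up)
SAMPLE_LDD='    libjq.so.1 => /lib/x86_64-linux-gnu/libjq.so.1 (0x00007f0000001000)
    libonig.so.5 => /lib/x86_64-linux-gnu/libonig.so.5 (0x00007f0000002000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f0000003000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000004000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000005000)
    linux-vdso.so.1 (0x00007ffd00000000)
    libmissing.so.9 => not found'

# Demo on the sample: prints five COPY lines and warns about libmissing.so.9
printf '%s\n' "$SAMPLE_LDD" | ldd_to_copy builder
```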

top 6 comments
[email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

Looks like Nix could be great for this. Here's a blog post with an example: https://mitchellh.com/writing/nix-with-dockerfiles

Of course, the trade-off is having to learn at least the basics of Nix, but looks like a great investment considering the benefits.

[email protected] 2 points 9 months ago (1 children)

Oh wow. I didn't realize that Nix containers are built from scratch. That's exactly what I wanted (minus having to learn Nix, but that's not too bad, honestly).

[email protected] 1 points 9 months ago* (last edited 9 months ago)

Never mind. While Nix containers do get you the small image sizes and predictable builds you want, nix, the package manager, is basically broken on macOS.

I use Linux, where nix seems to work totally fine, but the other people I'm working with use macOS, so I can't ask them to install something that won't work to produce images correctly.

I think I'm going to have to build the minimizer I was thinking of.

[email protected] 3 points 9 months ago* (last edited 9 months ago) (1 children)

I feel like at this point you should just build statically linked binaries, but I suppose there are cases where that's not going to be possible. Anyhow, I've never seen anything like that.

[email protected] 2 points 9 months ago

Yeah. Statically-linked binaries are awesome, but many of the utilities that I need to run would require lots of changes to the source to make it happen.

[email protected] 2 points 9 months ago* (last edited 9 months ago)

We have Kubler, which makes Gentoo-based images. It does a great job of enabling you to toggle the dependencies that you need and building a slim, hardened image.

Edit: ldd sucks, try libtree instead.