Switch to a slim debian Docker image [PLT-1610] #2521
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The slim image comes with far fewer packages pre-installed and we need to manually installed a handful that we need (like curl and build-essential), but in return we get: * A slightly smaller final image * Fewer debian packages installed, which means fewer CVEs will be detected
|
Preview URL: https://2521--bk-docs-preview.netlify.app |
yob
commented
Oct 10, 2023
| # Install all the things | ||
| && apt-get update \ | ||
| && apt-get install -y nodejs gh jq \ | ||
| && apt-get install -y nodejs gh jq build-essential \ |
There was a problem hiding this comment.
build-essential is the main thing that was missing from slim. It's needed to compile and install various ruby/node native packages.
yob
commented
Oct 10, 2023
| RUN echo "--- :package: Installing system deps" \ | ||
| # Cache apt | ||
| rm -f /etc/apt/apt.conf.d/docker-clean \ | ||
| && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache \ | ||
| # Install a few pre-reqs | ||
| && apt-get update \ | ||
| && apt-get install -y curl gnupg \ |
There was a problem hiding this comment.
curl and gnupg aren't needed in prod, but we do need them in the Dockerfile steps further down
yob
changed the title
|
Nice. On a related note I'm still very much thinking about converting the docs into a static site with the intent to eventually remove this image from production. I imagine this image will still kick around for a while and continue being used in CI but not necessarily for serving traffic. |
dannymidnight
approved these changes
Oct 10, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The slim image comes with far fewer packages pre-installed and we need to manually installed a handful that we need (like curl and build-essential), but in return we get:
The resulting image size difference looks like this:
I think we could probably get it a lot smaller via multistage build, by ensuring tools like nodejs, gh, svn, mercurial, make, gcc, and cpp are used to build assets and native extensions, but not included in the final image. Still, this is a good start.
/cc @danstn