refactor: Docker (Alpine) improvements #2752

Merged
merged 2 commits into from
May 5, 2025

polarathene
Contributor

@polarathene polarathene commented May 1, 2025

Describe your changes

Applying changes that I detailed in this comment.

Alpine image size reduced from 60MB (technically 52MB) to 36MB (dist-git) or 28MB (dist-local).

Change overview:

  • Alpine version bump 3.20 => 3.21
  • Removed WORKDIR /home/testssl to be consistent with the main Dockerfile which leaves working directory at default /.
  • apk update is not needed, if run with --no-cache in a separate RUN it has no layer weight. Removing it or adding --no-cache reduces weight by 2MB.
  • Removed git package + git clone command, no longer necessary. Reduces weight by 14MB+
  • Removed mkdir -m 755 -p /home/testssl/etc /home/testssl/bin, these already exist with expected permissions via the clone.
  • ARG renamed and relocated to end of file at the dist-git stage. Technically a breaking change, perhaps the ARG names should be kept the same?
  • Added a dist-local stage that uses COPY for a local clone like the main Dockerfile does (reduces weight by 8MB). While dist-git stage uses ADD to perform a remote git clone.

Some of these changes were attempted back in Feb 2023 for Dockerfile (when it was still Alpine based). That PR provides additional information to support these changes:

  • Such as apk add --no-cache implying apk update.
  • A slight regression by removing git package and .git/ dir which loses the git log feature to identify testssl.sh version via commit hash.

Related caveat with Alpine image in the past was incompatibility with the OpenSSL bins (glibc) that are copied over into the image, since even with a static glibc build, glibc static is known to have compatibility caveats when it comes to DNS logic (looking through issue history on DNS / getaddrinfo, there was since talk about segfaults that required a newer static compile that resolved it, so maybe not a DNS musl issue at these linked comments):

What is your pull request about?

  • Improvement
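
The stage layout described in the change overview above, sketched as an added example; this is not the Dockerfile from the PR. The package list, the `testssl` user setup and the `GIT_URL` / `GIT_REF` ARG names are assumptions made for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration, not the project's Dockerfile.git.
FROM alpine:3.21 AS base

# --no-cache fetches the package index on the fly and stores nothing,
# so a separate `apk update` is unnecessary and no index ends up in a layer.
# Package list is assumed for this example.
RUN apk add --no-cache bash procps drill coreutils libidn curl openssl

# Unprivileged user (name and home directory assumed), so the scanner
# does not run as root inside the container.
RUN addgroup testssl \
 && adduser -G testssl -g "testssl user" -s /bin/bash -D testssl
USER testssl
ENTRYPOINT ["/home/testssl/testssl.sh"]
CMD ["--help"]

# Local checkout as build context:
#   docker build --target dist-local -t testssl:alpine-local .
FROM base AS dist-local
COPY --chown=testssl:testssl . /home/testssl/

# Remote source fetched by BuildKit itself, so neither the git package
# nor the .git/ directory lands in the image (ADD drops .git by default).
# This is the last stage, so a plain `docker build` selects it:
#   docker build -t testssl:alpine-git .
FROM base AS dist-git
# ARG names are assumed; override GIT_REF to build another branch or tag.
ARG GIT_URL=https://github.com/testssl/testssl.sh.git
ARG GIT_REF=3.2
ADD --chown=testssl:testssl ${GIT_URL}#${GIT_REF} /home/testssl
```

Because `ADD` omits `.git/` unless `--keep-git-dir=true` is set, an image built this way cannot report its version from `git log`, which is the regression noted in the overview.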

60MB => 38MB (dist-git) or 30MB (dist-local)
@polarathene
Contributor Author

polarathene commented May 1, 2025

This effectively makes Dockerfile.git an alternative build with Alpine for those that want a smaller release.

You could rename this Dockerfile.alpine and have the CI build and publish it with a -alpine suffix? (Usual convention when supporting more than one base distro)

@drwetter
Collaborator

drwetter commented May 2, 2025

Thx, @polarathene. We have a long weekend here --> next week

@drwetter drwetter merged commit 252cee6 into testssl:3.2 May 5, 2025
1 check passed
@drwetter
Collaborator

drwetter commented May 5, 2025

Thanks @polarathene!

The top two are the old and new alpine images, based on (the to be renamed) Dockerfile.git
