Optimize docker image build size with curl - linux

I need to install the latest version of curl in Docker.
When using the following, the Docker image size is ~140MB:
FROM debian:10.7
RUN apt-get update && \
apt-get install --no-install-recommends -y curl wget ca-certificates
This gives curl 7.64.
When using the following:
FROM debian:10.7
RUN apt-get update && \
apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
wget https://curl.se/download/curl-7.73.0.tar.gz && \
tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
./configure && make && make install && \
apt-get purge -y --auto-remove build-essential
The Docker image size is 240MB. I've tried to remove the build essentials, which reduced the size from 440 to 240. Is there a way to remove this additional ~100MB?

In fact, you are close to the solution. The one thing you missed is to delete the curl source package.
So the following should reduce the image size:
FROM debian:10.7
RUN apt-get update && \
apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
wget https://curl.se/download/curl-7.73.0.tar.gz && \
tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
./configure && make && make install && \
apt-get purge -y --auto-remove build-essential && \
cd .. && rm -fr curl-7.73.0.tar.gz curl-7.73.0
Without curl:
$ docker images abc:1
REPOSITORY TAG IMAGE ID CREATED SIZE
abc 1 d742bfdf5fa6 25 seconds ago 148MB
With curl and the source package deleted:
$ docker images abc:2
REPOSITORY TAG IMAGE ID CREATED SIZE
abc 2 afe3d404852a 27 minutes ago 151MB
Additionally, if you delete the apt cache with rm -rf /var/lib/apt/lists/* in the Dockerfile, it will be smaller:
$ docker images abc:3
REPOSITORY TAG IMAGE ID CREATED SIZE
abc 3 5530b0e9b44f 2 minutes ago 134MB
Another solution may be a multi-stage build: you could use ./configure --prefix=xxx to set the install location, so that stage 1 is used only to build curl, while stage 2 copies the xxx folder from stage 1 into the final image.

You should include rm -rf /var/lib/apt/lists/* in your RUN instruction to remove the apt index files, and might include apt-get clean to remove any other remaining package files.
Apart from that, you could also try using the slim image version; according to Docker Hub, debian:10.7-slim is almost half the size (~24MB vs ~48MB).
Finally, you can execute du -h | sort -h in a container from your generated image to find out where the remaining space is being used.
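As an added example that is not part of the answer above, a small script that makes the du -h | sort -h check repeatable: it ranks the entries under a directory by size and then reports the usual build leftovers (apt lists and cache, pip cache, /tmp, docs and man pages). The function names and the list of suspect paths are this example's own choices; run it inside a container started from the image (for instance docker run --rm -it IMAGE sh) with the script pasted in.

```shell
#!/bin/sh
# Added example, not part of the original answer: rank what takes space in an
# image so the leftovers the answer mentions (apt lists, caches) stand out.
set -eu

# largest_entries ROOT [N]: the N biggest entries directly under ROOT, largest
# first, printed as "<kilobytes><tab><path>". Hidden entries are included and
# other filesystems (mounted volumes) are skipped so only image layers count.
largest_entries() {
    root="$1"; n="${2:-10}"
    du -skx "$root"/* "$root"/.[!.]* 2>/dev/null | sort -rn | head -n "$n"
}

# biggest_entry ROOT: the path of the single largest entry under ROOT.
biggest_entry() {
    largest_entries "$1" 1 | cut -f2-
}

# report_image_suspects: sizes of the usual build leftovers that exist on this
# image (the list is an assumption of this example; extend it for your base image).
report_image_suspects() {
    for d in /var/lib/apt/lists /var/cache/apt /root/.cache /tmp /usr/share/doc /usr/share/man; do
        if [ -d "$d" ]; then du -sk "$d" 2>/dev/null; fi
    done | sort -rn
}

# Usage inside a container: sh sizes.sh / [N] prints the N (default 10) biggest
# entries under the given directory, then the leftover report.
if [ "${1:-}" != "" ]; then
    largest_entries "$1" "${2:-10}"
    echo
    report_image_suspects
fi
```

Sizes are printed in kilobytes rather than with -h so the numeric sort works the same on any coreutils; compare the top entries against the layers shown by docker history to see which RUN step left them behind.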

Using a multi-stage build as suggested by atline:
FROM debian:10.7 AS builder
WORKDIR /app
RUN mkdir /app/usr2
RUN apt-get update && \
apt-get install --yes --no-install-recommends wget build-essential ca-certificates libcurl4 && \
wget https://curl.se/download/curl-7.73.0.tar.gz && \
tar -xvf curl-7.73.0.tar.gz && cd curl-7.73.0 && \
./configure --prefix=/app/usr2 && make install
FROM debian:10.7
RUN apt-get update && \
apt-get install --no-install-recommends -y wget ca-certificates && \
rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/usr2/. /usr
Final size is 129MB
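A build helper for the builder stage, added here as an example rather than code from the question or either answer: it pins a SHA-256 for the curl tarball and refuses to compile if the download does not match, since the question and both answers fetch the source with a plain wget and build whatever comes back. The digest value is a placeholder (take the real one from the curl release's published checksums or signature, not from the same download you are checking), and the function names, the CURL_SHA256 variable and the /app/usr2 prefix default are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answers): download, verify and build the
# curl source in the builder stage, with the checksum as a hard gate.
set -eu

CURL_VERSION="${CURL_VERSION:-7.73.0}"
CURL_URL="https://curl.se/download/curl-${CURL_VERSION}.tar.gz"
# PLACEHOLDER digest: replace with the release's published SHA-256 before use.
CURL_SHA256="${CURL_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
# Install location copied into the final stage (matches the multi-stage answer).
PREFIX="${PREFIX:-/app/usr2}"

# verify_sha256 FILE EXPECTED: return 0 if FILE's digest equals EXPECTED, else 1.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256sum "$file" | awk '{print $1}')"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_verify URL FILE EXPECTED: download, then delete the file and fail
# if the digest is wrong, so a later step can never build from it by accident.
fetch_and_verify() {
    url="$1"; file="$2"; expected="$3"
    wget -q -O "$file" "$url"
    verify_sha256 "$file" "$expected" || { rm -f "$file"; return 1; }
}

# build_curl: the steps the answers run in the builder stage, gated on the checksum,
# with the source tree and tarball removed afterwards.
build_curl() {
    fetch_and_verify "$CURL_URL" "curl-${CURL_VERSION}.tar.gz" "$CURL_SHA256"
    tar -xzf "curl-${CURL_VERSION}.tar.gz"
    cd "curl-${CURL_VERSION}"
    ./configure --prefix="$PREFIX"
    make && make install
    cd .. && rm -rf "curl-${CURL_VERSION}" "curl-${CURL_VERSION}.tar.gz"
}

# Only run the full build when invoked as: CURL_SHA256=<real digest> sh build_curl.sh build
if [ "${1:-}" = "build" ]; then
    build_curl
fi
```

In the builder stage this replaces the wget/tar/configure line with COPY build_curl.sh . and RUN CURL_SHA256=... sh build_curl.sh build; the final stage is unchanged, and a tampered or truncated download now fails the build instead of producing an image that differs from the one you think you are shipping.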

Related

Docker install gcc-c++-x86_64-linux-gnu

How do I install gcc-c++-x86_64-linux-gnu inside a Docker container on CentOS- and RHEL-based images?
I am using a CentOS-based image:
FROM registry.centos.org/dotnet/dotnet-31-runtime-centos7
The yum command below is not working to install "gcc-c++-x86_64-linux-gnu":
RUN yum install -y centos-release-dotnet centos-release-scl-rh gcc-c++-x86_64-linux-gnu && \
INSTALL_PKGS="rh-nodejs10-npm rh-nodejs10-nodejs-nodemon rh-dotnet31-dotnet-sdk-3.1 rsync" && \
yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum clean all -y && \
# yum cache files may still exist (and quite large in size)
rm -rf /var/cache/yum/*
Any pointers on what is wrong with the above command ?

Google App Engine OSError: cannot load library 'libsndfile.so'

I get the following error from Google App Engine after completing a docker push:
OSError: cannot load library 'libsndfile.so': libsndfile.so: cannot open shared object file: No such file or directory
My Dockerfile has the following:
RUN apt-get update && apt-get install -y \
build-essential \
software-properties-common \
ffmpeg \
libsndfile1-dev \
&& rm -rf /var/lib/apt/lists/*
which should get that library. I also found that pip installing soundfile might fix it, but that did not work either.
I am pushing a Streamlit app if that helps at all.
I'm not sure if it'll be solved, but why don't you add gcc?
RUN apt-get update && apt-get install -y \
build-essential \
gcc \
software-properties-common \
ffmpeg \
libsndfile1-dev \
&& rm -rf /var/lib/apt/lists/*

Getting critical vulnerability after adding some modules to Dockerfile

FROM php:8.1-apache
RUN apt-get update
...
...
RUN docker-php-ext-install mysqli pdo_mysql && docker-php-ext-enable mysqli pdo_mysql
RUN docker-php-ext-install exif && docker-php-ext-enable exif
RUN apt-get update && apt-get install -y libmagickwand-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*
# install imagick
# Version is not officially released https://pecl.php.net/get/imagick but following works for PHP 8
RUN mkdir -p /usr/src/php/ext/imagick; \
curl -fsSL https://github.com/Imagick/imagick/archive/06116aa24b76edaf6b1693198f79e6c295eda8a9.tar.gz | tar xvz -C "/usr/src/php/ext/imagick" --strip 1; \
docker-php-ext-install imagick;
# install some base extensions
RUN apt-get update && apt-get install -y \
zlib1g-dev \
libzip-dev
RUN docker-php-ext-install zip
# gd
#RUN docker-php-ext-install gd && docker-php-ext-enable gd
RUN docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \
&& docker-php-ext-install gd
# intl
RUN apt-get -y update \
&& apt-get install -y libicu-dev \
&& docker-php-ext-configure intl \
&& docker-php-ext-install intl
RUN a2enmod rewrite
Once the Docker image is built and pushed to ECR, I'm getting 1 critical in the Vulnerability part; this happens after adding the modules to the Dockerfile. Can anyone help me reduce the size and tell me which image to use?

Fixing security vulnerabilities in docker image

I have the following Dockerfile:
FROM debian:stable
# Avoid warnings by switching to noninteractive
ENV DEBIAN_FRONTEND=noninteractive
#Versions
ENV HELM_VERSION=v3.10.0
ENV KUBECTL_VERSION=v1.20.9
ENV MAVEN_OPTS="-Djavax.net.ssl.trustStore=/cicd/assets/truststore.jks"
ENV TERRAFORM_VERSION=1.2.0
ENV GOLANG_VERSION=1.19.1
ENV TERRAGRUNT_VERSION=v0.38.7
RUN set -xe \
&& apt-get update -y \
&& apt-get install -y python3-pip
RUN apt-get install -y zip unzip
#Copy python requirements file
COPY requirements.txt /tmp/pip-tmp/
# Makes the Ansible directories
RUN mkdir /etc/ansible /ansible
RUN mkdir ~/.ssh
# Configure apt and install python packages
RUN apt-get update -y -q \
&& apt-get upgrade -y -q \
&& apt-get install -y wget \
&& apt-get -y install --no-install-recommends apt-utils dialog 2>&1 \
&& apt-get install -y --no-install-recommends apt-utils \
&& apt-get -y install ca-certificates software-properties-common build-essential curl git gettext-base maven sshpass krb5-user \
&& pip --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt \
&& apt-get -y install jq \
&& rm -rf /tmp/pip-tmp
#Install helm
RUN wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz \
&& tar -zxvf helm-${HELM_VERSION}-linux-amd64.tar.gz \
&& mv linux-amd64/helm /usr/local/bin/helm
#Install kubectl
RUN curl --silent https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl \
&& chmod +x /usr/local/bin/kubectl
#Install Docker CLI
RUN curl -sSL https://get.docker.com/ | sh \
&& curl -L "https://github.com/docker/compose/releases/download/2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose \
&& chmod +x /usr/local/bin/docker-compose
#Install AWS CLI
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip awscliv2.zip \
&& ./aws/install
#Copy Assets
#RUN mkdir -p /cicd
#COPY assets /cicd
#Install helm plugins
#RUN helm plugin add https://github.com/databus23/helm-diff
#RUN helm plugin install /cicd/helm-nexus-push
# Downloading gcloud package
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
# Installing the package
RUN mkdir -p /usr/local/gcloud \
&& tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz \
&& /usr/local/gcloud/google-cloud-sdk/install.sh
# Adding the package path to local
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
RUN cd /tmp && \
wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && \
rm -rf /tmp/*
RUN cd /tmp && \
wget https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz && \
tar -xzf go${GOLANG_VERSION}.linux-amd64.tar.gz -C /usr/local && \
rm -rf /tmp/*
RUN cd /tmp && \
wget https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 && \
mv terragrunt_linux_amd64 /usr/local/bin/terragrunt && \
chmod +x /usr/local/bin/terragrunt && \
rm -rf /tmp/*
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
ENV GOPATH=/usr/local/go
ENV PATH=/usr/local/go/bin:$PATH
ENV CGO_ENABLED=0
RUN go version
RUN terraform --version
RUN terragrunt --version
RUN ansible --version
CMD bash
I build the Docker image and upload it to Google Artifact Registry, but I always come across security vulnerabilities. I have tried to fix them, but unfortunately I'm unable to fix the security vulnerabilities. Please look at the critical errors and let me know how I can fix this; any recommendation is appreciated. Thank you.
It looks like the Dockerfile is trying to install a specific version of golang by hand into "/usr/local" rather than using the Debian package manager. According to the info at https://security-tracker.debian.org/tracker/CVE-2021-38297, that bug is fixed in 1.17.3-3 and the Dockerfile is using 1.19.1. So perhaps there is an old golang installation in the base image ... and that is what the scanner is picking up. Check that, and if necessary apt install a newer version.
Likewise, https://security-tracker.debian.org/tracker/CVE-2022-23806 should be fixed by a newer version of golang. See the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2015-20107 could be fixed by upgrading to Python 3.10.6-1 or later.
https://security-tracker.debian.org/tracker/CVE-2019-19814 doesn't appear to have a fix from upstream, so there is nothing you can do about it except not use f2fs.
https://security-tracker.debian.org/tracker/CVE-2022-29599 can be fixed by updating the maven-shared-utils package; see the CVE link for versions.
https://security-tracker.debian.org/tracker/CVE-2022-1996 has a fix upstream but it is awaiting triage by the Debian team.
In summary, some of the vulnerabilities can be fixed, but for a couple of them no fix is readily available. So:
Apply the fixes that are available.
Then read the CVEs and accompanying explanations and 1) make a judgement whether they represent a risk that you can take, and 2) figure out if you can mitigate the risk; e.g. by locking down access to the running Docker container.
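The check the answer asks for (an older Go hiding somewhere in the image besides the one the Dockerfile unpacks) written out as an added example that is not part of the answer: it looks for every GOROOT under the given directories by the two files a Go distribution ships, bin/go and a VERSION file, and reports any whose version differs from the one the Dockerfile meant to install. The default search directories and the function names are this example's assumptions; run it inside the built image, e.g. sh find_go.sh go1.19.1.

```shell
#!/bin/sh
# Added example (not from the original answer): find every Go toolchain on the
# image and flag the ones that are not the version you intended to ship.
set -eu

# go_roots [DIR...]: print each GOROOT found under DIR... (defaults are an
# assumption: where the Dockerfile installs Go plus common package locations).
go_roots() {
    [ "$#" -gt 0 ] || set -- /usr/local /usr/lib /opt
    for base in "$@"; do
        [ -d "$base" ] || continue
        find "$base" -type f -path '*/bin/go' 2>/dev/null
    done | while IFS= read -r gobin; do
        root="${gobin%/bin/go}"
        # A real distribution carries $GOROOT/VERSION; skip stray binaries without it.
        if [ -f "$root/VERSION" ]; then echo "$root"; fi
    done
}

# go_version ROOT: first line of $GOROOT/VERSION, e.g. "go1.19.1"
# (newer releases append further lines, hence head -n 1).
go_version() {
    head -n 1 "$1/VERSION"
}

# stale_go_roots WANTED [DIR...]: GOROOTs whose version is not WANTED,
# printed as "<root><tab><version>". Nothing printed means only WANTED is present.
stale_go_roots() {
    wanted="$1"; shift
    go_roots "$@" | while IFS= read -r root; do
        v="$(go_version "$root")"
        [ "$v" = "$wanted" ] || printf '%s\t%s\n' "$root" "$v"
    done
}

# Usage: sh find_go.sh go1.19.1 [DIR...]
if [ "${1:-}" != "" ]; then
    stale_go_roots "$@"
fi
```

Anything the script lists is a candidate for the scanner's golang finding: remove it from the image (or upgrade the package that owns it) rather than only adding a newer copy earlier on PATH, since scanners match on files present, not on which one PATH resolves to.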

Docker(compose) installing nodejs broke npm

I need to use a container with nginx and nodejs, so I take the nginx container and install node:
FROM nginx
ENV DEBIAN_FRONTEND noninteractive
WORKDIR /usr/src/app
VOLUME /usr/src/app
RUN apt-get update && \
apt-get install -y apt-utils && \
apt-get install -y --no-install-recommends curl sudo wget nano && \
curl -sL https://deb.nodesource.com/setup_6.x | bash - && \
apt-get install -y nodejs git build-essential && \
whereis npm && \
npm install grunt grunt-cli bower -g
whereis returns nothing (npm:), and npm install... crashes the build process. So where is my mistake? Is there a bug or anything? BTW I'm using the latest docker-compose and Docker version 17.03.1-ce, build c6d412e.
Update 1: It is not a dupe of this question; I'm only using one RUN line:
FROM nginx
RUN \
echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
apt-get update && \
apt-get install -y apt-utils && \
apt-get upgrade -y && \
apt-get update --fix-missing && \
apt-get install -y curl sudo wget nano git build-essential
# Install NodeJS
RUN \
wget https://deb.nodesource.com/setup_6.x && \
chmod +x setup_6.x && \
./setup_6.x && \
apt-get install -y nodejs && \
npm install grunt grunt-cli
