diff --git a/README.md b/README.md
index 9703edb..becf64c 100644
--- a/README.md
+++ b/README.md
@@ -27,19 +27,12 @@ The following files are added (taken from Debian) to fix some common issues:
 - `/etc/services` : for named ports resolution
 - `/lib/x86_64-linux-gnu/libpthread.so.0` : common required lib for project binaries that cannot be statically built.
-### prom/busybox:alpine-glibc : glibc
+### prom/busybox:alpine : musl-libc
-Based on the official `busybox:glibc` base image.
+Based on the official `alpine:latest` base image.
 The `busybox` executable is replaced by the [statically linked busybox](https://pkgs.alpinelinux.org/package/v3.16/main/x86_64/busybox-static) from `alpine:latest`.
-The Alpine project provides far more timely security patches to `busybox` that the official `busybox` release. No other parts of Alpine are needed or used in this image.
-
-The following files are added (taken from Debian) to fix some common issues:
-
-- `/etc/ssl/certs/ca-certificates.crt` : for HTTPS support
-- `/usr/share/zoneinfo` : for timezones
-- `/etc/services` : for named ports resolution
-- `/lib/x86_64-linux-gnu/libpthread.so.0` : common required lib for project binaries that cannot be statically built.
+The Alpine project provides far more timely security patches to `busybox` that the official `busybox` release.
 ## Build Docker images locally
diff --git a/alpine-glibc/Dockerfile b/alpine-glibc/Dockerfile
deleted file mode 100644
index 09defad..0000000
--- a/alpine-glibc/Dockerfile
+++ /dev/null
@@ -1,49 +0,0 @@
-ARG ARCH=""
-FROM ${ARCH}debian:buster-slim
-
-RUN \
- apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates \
- gcc \
- netbase \
- && rm -rf /var/lib/apt/lists/*
-
-RUN set -x \
- && mkdir -p rootfs/lib \
- && set -- \
- /etc/nsswitch.conf \
- /etc/ssl/certs/ca-certificates.crt \
- /usr/share/zoneinfo \
- /etc/services \
- /lib/"$(gcc -print-multiarch)"/libpthread.so.* \
- && while [ "$#" -gt 0 ]; do \
- f="$1"; shift; \
- fn="$(basename "$f")"; \
- if [ -e "rootfs/lib/$fn" ]; then continue; fi; \
- if [ "${f#/lib/}" != "$f" ]; then \
- ln -vL "$f" "rootfs/lib/$fn"; \
- else \
- d="$(dirname $f)" \
- && mkdir -p "rootfs/${d#/}" \
- && cp -av "$f" "rootfs/${f#/}"; \
- fi; \
- done
-
-FROM ${ARCH}alpine:latest as alpine
-RUN apk add busybox-static && \
- rm /bin/* && \
- /tmp/busybox --install /bin && \
- mv /tmp/busybox /bin/
-
-FROM ${ARCH}busybox:glibc
-MAINTAINER The Prometheus Authors
-
-# Use the busybox executable from alpine which is generally patched more quickly for vulnerabilities
-# Use the busybox.static to avoid dynamic library dependencies.
-COPY --from=alpine /bin/busybox.static /tmp/busybox
-
-RUN rm /bin/* && \
- /tmp/busybox --install /bin && \
- mv /tmp/busybox /bin/
-
-COPY --from=0 /rootfs /
diff --git a/alpine/Dockerfile b/alpine/Dockerfile
new file mode 100644
index 0000000..023ae79
--- /dev/null
+++ b/alpine/Dockerfile
@@ -0,0 +1,25 @@
+ARG ARCH=""
+FROM ${ARCH}alpine:latest as alpine
+
+RUN apk upgrade -U && \
+ apk add tzdata ca-certificates busybox-static
+
+# remove extra package
+RUN apk del libc-utils
+
+# remove apk files and directories
+RUN apk del apk-tools && \
+ find / -name apk -prune -exec rm -rf {} ";"
+
+# Use the busybox.static to avoid dynamic library dependencies.
+RUN mv /bin/busybox.static /bin/busybox && \
+ /bin/busybox --install -s /bin
+
+# remove extraneous folders
+RUN rm -rf media mnt opt run srv
+
+FROM scratch
+MAINTAINER The Prometheus Authors
+
+COPY --from=alpine / /
+
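Review bot: The build stage starts from `${ARCH}alpine:latest` and then runs `apk upgrade -U`, so the contents of the published base image depend on the day it was built and cannot be reproduced or audited afterwards; pinning the release, e.g. `FROM ${ARCH}alpine:3.16 AS alpine` (the release the README's busybox-static link already points at), ideally with a per-architecture digest, keeps that input fixed. The `find / -name apk -prune -exec rm -rf {} ";"` step appears to delete the installed-package database along with apk itself, which would leave image scanners unable to inventory the musl, busybox, tzdata and ca-certificates versions in the final image; consider keeping `/lib/apk/db/installed` or shipping an SBOM instead. `RUN rm -rf media mnt opt run srv` relies on the working directory being `/`, and absolute paths (`rm -rf /media /mnt /opt /run /srv`) would make that explicit. The final stage sets no `USER`, so images built on it run as root unless they set one themselves, and `MAINTAINER` is deprecated in favour of `LABEL`.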