A more minimal container image based on Alpine #188

Merged (7 commits), Nov 5, 2024

Conversation

@MrAnno (Contributor) commented Oct 29, 2024

This is a "Request for Comments" PR about adding a more minimalistic Alpine-based container image.

My motivation is dual:

  • I would like to reduce the image size as much as possible.
  • I would like to reduce the attack surface from a security vulnerability perspective. This isn't just about minimizing actual security issues; it's also about meeting the current standard for containerized application security checks in production environments (tools like Trivy). These tools show vulnerabilities even when they exist in packages within the image that aren't actively used by the software.

The new tagging mechanism looks like this (I've created a tag v0.3.0-machinefilter in my fork):

(two screenshots of the resulting image tag list in the fork)

Image sizes:

REPOSITORY        SIZE
openwec-deb       143MB
openwec-alpine    76.2MB

Installed packages:
Alpine: 20
Debian: 94

Alpine-based image:

alpine-baselayout-3.6.5-r0
alpine-baselayout-data-3.6.5-r0
alpine-keys-2.4-r1
apk-tools-2.14.4-r1
busybox-1.36.1-r29
busybox-binsh-1.36.1-r29
ca-certificates-bundle-20240705-r0
keyutils-libs-1.6.3-r3
krb5-conf-1.0-r2
krb5-libs-1.21.3-r0
libcom_err-1.47.0-r5
libcrypto3-3.3.2-r1
libgcc-13.2.1_git20240309-r0
libssl3-3.3.2-r1
libverto-0.3.2-r2
musl-1.2.5-r0
musl-utils-1.2.5-r0
scanelf-1.3.7-r2
ssl_client-1.36.1-r29
zlib-1.3.1-r1

Debian-based image:

adduser/now 3.134 all [installed,local]
apt/now 2.6.1 amd64 [installed,local]
base-files/now 12.4+deb12u7 amd64 [installed,local]
base-passwd/now 3.6.1 amd64 [installed,local]
bash/now 5.2.15-2+b7 amd64 [installed,local]
bsdutils/now 1:2.38.1-5+deb12u1 amd64 [installed,local]
coreutils/now 9.1-1 amd64 [installed,local]
dash/now 0.5.12-2 amd64 [installed,local]
debconf/now 1.5.82 all [installed,local]
debian-archive-keyring/now 2023.3+deb12u1 all [installed,local]
debianutils/now 5.7-0.5~deb12u1 amd64 [installed,local]
diffutils/now 1:3.8-4 amd64 [installed,local]
dpkg/now 1.21.22 amd64 [installed,local]
e2fsprogs/now 1.47.0-2 amd64 [installed,local]
findutils/now 4.9.0-4 amd64 [installed,local]
gcc-12-base/now 12.2.0-14 amd64 [installed,local]
gpgv/now 2.2.40-1.1 amd64 [installed,local]
grep/now 3.8-5 amd64 [installed,local]
gzip/now 1.12-1 amd64 [installed,local]
hostname/now 3.23+nmu1 amd64 [installed,local]
init-system-helpers/now 1.65.2 all [installed,local]
libacl1/now 2.3.1-3 amd64 [installed,local]
libapt-pkg6.0/now 2.6.1 amd64 [installed,local]
libattr1/now 1:2.5.1-4 amd64 [installed,local]
libaudit-common/now 1:3.0.9-1 all [installed,local]
libaudit1/now 1:3.0.9-1 amd64 [installed,local]
libblkid1/now 2.38.1-5+deb12u1 amd64 [installed,local]
libbz2-1.0/now 1.0.8-5+b1 amd64 [installed,local]
libc-bin/now 2.36-9+deb12u8 amd64 [installed,local]
libc6/now 2.36-9+deb12u8 amd64 [installed,local]
libcap-ng0/now 0.8.3-1+b3 amd64 [installed,local]
libcap2/now 1:2.66-4 amd64 [installed,local]
libcom-err2/now 1.47.0-2 amd64 [installed,local]
libcrypt1/now 1:4.4.33-2 amd64 [installed,local]
libdb5.3/now 5.3.28+dfsg2-1 amd64 [installed,local]
libdebconfclient0/now 0.270 amd64 [installed,local]
libext2fs2/now 1.47.0-2 amd64 [installed,local]
libffi8/now 3.4.4-1 amd64 [installed,local]
libgcc-s1/now 12.2.0-14 amd64 [installed,local]
libgcrypt20/now 1.10.1-3 amd64 [installed,local]
libgmp10/now 2:6.2.1+dfsg1-1.1 amd64 [installed,local]
libgnutls30/now 3.7.9-2+deb12u3 amd64 [installed,local]
libgpg-error0/now 1.46-1 amd64 [installed,local]
libgssapi-krb5-2/now 1.20.1-2+deb12u2 amd64 [installed,local]
libhogweed6/now 3.8.1-2 amd64 [installed,local]
libidn2-0/now 2.3.3-1+b1 amd64 [installed,local]
libk5crypto3/now 1.20.1-2+deb12u2 amd64 [installed,local]
libkeyutils1/now 1.6.3-2 amd64 [installed,local]
libkrb5-3/now 1.20.1-2+deb12u2 amd64 [installed,local]
libkrb5support0/now 1.20.1-2+deb12u2 amd64 [installed,local]
liblz4-1/now 1.9.4-1 amd64 [installed,local]
liblzma5/now 5.4.1-0.2 amd64 [installed,local]
libmd0/now 1.0.4-2 amd64 [installed,local]
libmount1/now 2.38.1-5+deb12u1 amd64 [installed,local]
libnettle8/now 3.8.1-2 amd64 [installed,local]
libp11-kit0/now 0.24.1-2 amd64 [installed,local]
libpam-modules-bin/now 1.5.2-6+deb12u1 amd64 [installed,local]
libpam-modules/now 1.5.2-6+deb12u1 amd64 [installed,local]
libpam-runtime/now 1.5.2-6+deb12u1 all [installed,local]
libpam0g/now 1.5.2-6+deb12u1 amd64 [installed,local]
libpcre2-8-0/now 10.42-1 amd64 [installed,local]
libseccomp2/now 2.5.4-1+deb12u1 amd64 [installed,local]
libselinux1/now 3.4-1+b6 amd64 [installed,local]
libsemanage-common/now 3.4-1 all [installed,local]
libsemanage2/now 3.4-1+b5 amd64 [installed,local]
libsepol2/now 3.4-2.1 amd64 [installed,local]
libsmartcols1/now 2.38.1-5+deb12u1 amd64 [installed,local]
libss2/now 1.47.0-2 amd64 [installed,local]
libssl3/now 3.0.14-1~deb12u2 amd64 [installed,local]
libstdc++6/now 12.2.0-14 amd64 [installed,local]
libsystemd0/now 252.30-1~deb12u2 amd64 [installed,local]
libtasn1-6/now 4.19.0-2 amd64 [installed,local]
libtinfo6/now 6.4-4 amd64 [installed,local]
libudev1/now 252.30-1~deb12u2 amd64 [installed,local]
libunistring2/now 1.0-2 amd64 [installed,local]
libuuid1/now 2.38.1-5+deb12u1 amd64 [installed,local]
libxxhash0/now 0.8.1-1 amd64 [installed,local]
libzstd1/now 1.5.4+dfsg2-5 amd64 [installed,local]
login/now 1:4.13+dfsg1-1+b1 amd64 [installed,local]
logsave/now 1.47.0-2 amd64 [installed,local]
mawk/now 1.3.4.20200120-3.1 amd64 [installed,local]
mount/now 2.38.1-5+deb12u1 amd64 [installed,local]
ncurses-base/now 6.4-4 all [installed,local]
ncurses-bin/now 6.4-4 amd64 [installed,local]
passwd/now 1:4.13+dfsg1-1+b1 amd64 [installed,local]
perl-base/now 5.36.0-7+deb12u1 amd64 [installed,local]
sed/now 4.9-1 amd64 [installed,local]
sysvinit-utils/now 3.06-4 amd64 [installed,local]
tar/now 1.34+dfsg-1.2+deb12u1 amd64 [installed,local]
tzdata/now 2024a-0+deb12u1 all [installed,local]
usr-is-merged/now 37~deb12u1 all [installed,local]
util-linux-extra/now 2.38.1-5+deb12u1 amd64 [installed,local]
util-linux/now 2.38.1-5+deb12u1 amd64 [installed,local]
zlib1g/now 1:1.2.13.dfsg-1 amd64 [installed,local]

Unfortunately, I couldn't use the official rust:alpine* image as I hit different issues with bindgen and dynamic/static linking; so everything is based on an Alpine base image.

@MrAnno MrAnno marked this pull request as draft October 29, 2024 13:19
@MrAnno MrAnno marked this pull request as ready for review October 30, 2024 17:59
@vruello (Contributor) commented Nov 1, 2024

Hi there!

Thanks for the PR 👍

I agree that an Alpine based image is probably better suited for production use (attack surface, size, ...). However, the Debian based image is useful to make sure that openwec works well on Debian systems, and it better mimics a typical server environment for demo/test purposes.

I suggest keeping both images with separate tags:

  • I think the existing Debian-based image should be kept as default (latest, main, X.X.X), where latest represents the image built during the latest release, main the image built from the latest commit in the main branch, and X.X.X the image built during the release tagged vX.X.X.
  • We should add specific tags for Debian bookworm based images: bookworm (same as latest), main-bookworm (same as main), X.X.X-bookworm (same as X.X.X).
  • We should add specific tags for alpine-based images: alpine (latest but using an alpine-based image), main-alpine, X.X.X-alpine.

Still, it would be great to keep EXPOSE 5985 5986 in the Debian based image, and the docker entry point can definitely run with /bin/sh.

What do you think?

@MrAnno (Contributor, Author) commented Nov 1, 2024

Perfect. Thank you :)

Preparation for a minimal Alpine-based image.
The images can be used by all OCI-standard implementations.
The only Docker-specific entity around the images is the Dockerfile,
but the images themselves work perfectly with Podman, containerd, CRI-O,
Docker.
@MrAnno (Contributor, Author) commented Nov 1, 2024

Done. I've updated the PR description.

I used slightly different naming, which conforms to how the Docker metadata-action was designed, but if that's undesired, we can do the tagging exactly as you suggested with some additional scripting.

@MrAnno MrAnno changed the title RFC: a more minimal container image A more minimal container image based on Alpine Nov 1, 2024
@MrAnno (Contributor, Author) commented Nov 1, 2024

A question: Don't you want to get rid of the letter v in the image tags?

https://github.com/docker/metadata-action?tab=readme-ov-file#typesemver

For example:

tags: type=semver,pattern={{version}}
Git tag -> Image tag
v2.0.8-beta.67-abcd -> 2.0.8-beta.67-abcd

@vruello (Contributor) commented Nov 1, 2024

A question: Don't you want to get rid of the letter v in the image tags?

https://github.com/docker/metadata-action?tab=readme-ov-file#typesemver

For example:

tags: type=semver,pattern={{version}}
Git tag -> Image tag
v2.0.8-beta.67-abcd -> 2.0.8-beta.67-abcd

Yes! The letter v is useless 👍
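As an added example (not code from this PR or from the openwec repository), the tag scheme vruello proposes above, with the leading v dropped as agreed, can be expressed with docker/metadata-action in one matrix job. The image name ghcr.io/cea-sec/openwec, the action versions, the Dockerfile names and the assumption that releases are cut from git tags named vX.Y.Z are all assumptions for illustration; the `type=semver,pattern={{version}}` entry is the one discussed in the thread and is what strips the v.

```yaml
# Added example workflow fragment; assumptions: image ghcr.io/cea-sec/openwec,
# release tags look like vX.Y.Z, Dockerfile (Debian) and Dockerfile.alpine exist.
jobs:
  image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - variant: bookworm
            dockerfile: Dockerfile
            default: true      # Debian stays the default image (latest, main, X.Y.Z)
          - variant: alpine
            dockerfile: Dockerfile.alpine
            default: false
    steps:
      - uses: actions/checkout@v4

      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/cea-sec/openwec
          # latest=auto would also fire for the alpine variant on a release tag,
          # so it is disabled and the bare "latest" tag is added explicitly below.
          flavor: |
            latest=false
          tags: |
            # default-only tags: main, X.Y.Z (v stripped by {{version}}), latest
            type=ref,event=branch,enable=${{ matrix.default }}
            type=semver,pattern={{version}},enable=${{ matrix.default }}
            type=raw,value=latest,enable=${{ matrix.default && startsWith(github.ref, 'refs/tags/v') }}
            # variant tags for both images: main-<variant>, X.Y.Z-<variant>, <variant>
            type=ref,event=branch,suffix=-${{ matrix.variant }}
            type=semver,pattern={{version}},suffix=-${{ matrix.variant }}
            type=raw,value=${{ matrix.variant }},enable=${{ startsWith(github.ref, 'refs/tags/v') }}

      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          file: ${{ matrix.dockerfile }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

With this configuration a push to main yields main, main-bookworm and main-alpine; a push of git tag v0.3.0 yields 0.3.0, latest, 0.3.0-bookworm, bookworm, 0.3.0-alpine and alpine. The per-tag `suffix=` attribute is used instead of a global flavor suffix so the bare `alpine`/`bookworm` and `latest` tags are not double-suffixed.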

@vruello (Contributor) commented Nov 5, 2024

Thank you very much! 👍

@vruello vruello merged commit 426a3dc into cea-sec:main Nov 5, 2024
1 check passed