Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove some unused packages from monica:fpm image #109

Closed
hydrargyrum opened this issue Jul 31, 2022 · 2 comments
Closed

Remove some unused packages from monica:fpm image #109

hydrargyrum opened this issue Jul 31, 2022 · 2 comments

Comments

@hydrargyrum
Copy link

I see in the fpm/Dockerfile some effort is made to remove unused packages. But inspecting the resulting image, some packages seem questionable for a production image, for example autoconf, make, m4, curl (command-line tool), dpkg-dev, gcc. Those would be acceptable for an build-stage image where only required stuff would be installed/copied in the production-stage image. Furthermore, cleaning unused packages from a build-stage image would be pointless, so the apt-mark part would not be needed.

For reference:

% docker run --rm --entrypoint /bin/sh -it monica:fpm -c "apt-mark showmanual"
autoconf
bash
busybox-static
ca-certificates
curl
dpkg-dev
file
g++
gcc
libargon2-1
libbrotli1
libbz2-1.0
libc6
libc6-dev
libcom-err2
libcurl4
libffi7
libfreetype6
libgcc-s1
libgcrypt20
libgmp10
libgnutls30
libgpg-error0
libgssapi-krb5-2
libhogweed6
libicu67
libidn2-0
libjpeg62-turbo  
libk5crypto3
libkeyutils1
libkrb5-3
libkrb5support0  
libldap-2.4-2
liblzma5
libmemcached11   
libnettle8
libnghttp2-14
libonig5
libp11-kit0
libpng16-16
libpsl5
libreadline8
librtmp1
libsasl2-2
libsodium23
libsqlite3-0
libssh2-1
libssl1.1
libstdc++6
libtasn1-6
libtinfo6
libunistring2
libwebp6
libxml2
libzip4
make
pkg-config
re2c
xz-utils
zlib1g
@asbiin
Copy link
Member

asbiin commented Aug 17, 2022

We base our image on (here) php:8.1-fpm. We don't want to remove more package than the ones already included in the base image.
Maybe someone will create a new image based on Monica's image. They should be able to assume all packages from the base image are present, no less.

If you'd like to clean up the php:8.1-fpm image, then you can create an issue here: https://github.com/docker-library/php

Thanks

@asbiin asbiin closed this as completed Aug 17, 2022
@hydrargyrum hydrargyrum mentioned this issue Aug 17, 2022
Closed
@hydrargyrum
Copy link
Author

@asbiin

Maybe someone will create a new image based on Monica's image. They should be able to assume all packages from the base image are present, no less.

I don't agree. Monica docker image is not a "library", it's supposed to be production-ready image, it's designed to be used "as is", so it should only contain what should be present in production. Else your production-ready image is open to more vulnerabilities, etc.

We don't want to remove more package than the ones already included in the base image.

If someone wants to build something on monica image, they should install themselves what's required. It's not your responsibility, it's theirs.
On the contrary, php:8.1-fpm is a library image, it's not designed to be used "as is", so it's normal for it to have more stuff. This is confirmed by their reply: docker-library/php#1324 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hydrargyrum @asbiin