semkrot.blogg.se

How to docker run image

Once you start to do some serious work with Docker, you soon find that downloading images from the registry is a real bottleneck in starting applications. In this blog post we show you how you can reduce the size of any Docker image to just a few percent of the original. So if your image is too fat, try stripping your Docker image! The strip-docker-image utility demonstrated in this blog makes your containers faster and safer at the same time!

We are working quite intensively on our High Available Docker Container Platform using CoreOS and Consul, which consists of a number of containers (NGiNX, HAProxy, the Registrator and Consul). These containers run on each of the nodes in our CoreOS cluster, and when the cluster boots, more than 600Mb is downloaded by the 3 nodes in the cluster. This is quite time consuming.

    cargonauts/consul-http-router latest 7b9a6e858751 7 days ago 153 MB
    cargonauts/progrium-consul latest 32253bc8752d 7 weeks ago 60.75 MB
    progrium/registrator latest 6084f839101b 4 months ago 13.75 MB

The size of the images is not only detrimental to the boot time of our platform, it also increases the attack surface of the container. With 153Mb of utilities in the NGiNX based consul-http-router, there is a lot of stuff in the container that you can use once you get inside. As we were thinking of running this router in a DMZ, we wanted to minimise the amount of tools lying around for a potential hacker.

From our colleague Adriaan de Jonge we already learned how to create the smallest possible Docker container for a Go program. Could we repeat this by just extracting the NGiNX executable from the official distribution and copying it onto a scratch image? And it turns out we can!

Finding the necessary files

Using the utility dpkg we can list all the files that are installed by NGiNX. So we have the list of files in the package, but we do not have the shared libraries that are referenced by the executable. Fortunately, these can be retrieved using the ldd utility.

Now that we have the executable and the referenced shared libraries, it turns out that ldd normally names the symbolic link and not the actual file name of the shared library.

    docker run nginx ls -l /lib/x86_64-linux-gnu/libcrypt.so.1
    lrwxrwxrwx 1 root root 16 Apr 15 00:01 /lib/x86_64-linux-gnu/libcrypt.so.1 -> libcrypt-2.19.so

By resolving the symbolic links and including both the link and the file, we are ready to export the bare essentials from the container!

getpwnam does not work

But after copying all essential files to a scratch image, NGiNX did not start. It appeared that NGiNX tries to resolve the user id ‘nginx’ and fails to do so.

    docker run -P --entrypoint /usr/sbin/nginx stripped-nginx -g "daemon off;"
    21:29:08 1#1: getpwnam("nginx") failed (2: No such file or directory) in /etc/nginx/nf:2
    nginx: getpwnam("nginx") failed (2: No such file or directory) in /etc/nginx/nf:2

It turned out that the shared libraries for the name service switch, which read /etc/passwd and /etc/group, are loaded at runtime and are not referenced as shared library dependencies, so ldd does not list them. By adding these shared libraries (/lib/*/libnss*) to the container, NGiNX worked!

strip-docker-image example

So now, the strip-docker-image utility is here for you to use!

    -t target-image-name   the image name of the stripped image
    -p package             package to include from image, multiple -p allowed.
    -f file                file to include from image, multiple -f allowed.

The following example creates a new nginx image, named stripped-nginx, based on the official Docker image:

    strip-docker-image -i nginx -t stripped-nginx \

Aside from the nginx package, we add the files /etc/passwd, /etc/group and the /lib/*/libnss* shared libraries. The directories /var/run, /var/log/nginx and /var/cache/nginx are required for NGiNX to operate. In addition, we added /bin/sh and a few handy utilities, just to be able to snoop around a little bit.

The stripped image has now shrunk to an incredible 5.4% of the original, from 132.8 Mb to just 7.3Mb, and is still fully operational!

    stripped-nginx latest d61912afaf16 21 seconds ago 7.297 MB
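The file-collection steps described in the post (parsing ldd output, keeping both the symbolic link and the real file, and adding the runtime-loaded libnss libraries) written out as shell functions. This is an added example, not the strip-docker-image source; the function names and the script name closure.sh are made up here, and it assumes a glibc-based image with ldd and readlink available.

```shell
#!/bin/sh
# Added example (not the strip-docker-image source). Function names are
# made up for illustration; assumes a glibc-based image with ldd and readlink.

# Print a path and every hop of its symlink chain, so that both the link
# (the name ldd reports) and the real file are copied into the new image.
resolve_links() {
    p=$1
    hops=0
    while :; do
        printf '%s\n' "$p"
        [ -L "$p" ] || break
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || { echo "symlink loop at $1" >&2; return 1; }
        target=$(readlink "$p")
        case $target in
            /*) p=$target ;;                   # absolute link target
            *)  p=$(dirname "$p")/$target ;;   # relative to the link's directory
        esac
    done
}

# Read ldd output on stdin and print the absolute library paths it names.
# Accepts "name => /path (0x..)" and "/path (0x..)" lines; entries without a
# file on disk (linux-vdso, "not found") are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Everything one binary needs: the binary itself, its ldd libraries, and the
# NSS libraries that are loaded at runtime and therefore never listed by ldd.
file_closure() {
    {
        resolve_links "$1"
        ldd "$1" | ldd_paths | while read -r lib; do resolve_links "$lib"; done
        for nss in /lib/*/libnss*; do
            if [ -e "$nss" ]; then resolve_links "$nss"; fi
        done
    } | sort -u
}

# Usage inside the source image: sh closure.sh /usr/sbin/nginx
if [ "$#" -gt 0 ]; then file_closure "$1"; fi
```

Anything that is not in the resulting list, such as a shell or package manager, is absent from the stripped image, which is what reduces the tooling available inside the container.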






