Reduce image size by removing redundant OpenSSL libraries already present in the base image #352
Removed openssl from the list of checksum dependencies in the Dockerfile.
Removed openssl from checksum dependencies in Dockerfile.
Removed openssl from the list of checksum dependencies.
Removed 'openssl' from the list of checksum dependencies.
✅ All required contributors have signed the F5 CLA for this PR. Thank you!
Pull Request Overview
This PR aims to reduce container image size by removing redundant OpenSSL packages that are already present in the base image, trimming unnecessary binaries and libraries to improve efficiency.
- Remove openssl from the checksum dependency installation in multiple Alpine-based Dockerfiles.
- Preserve functionality while reducing image size and duplication.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| stable/alpine/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| stable/alpine-slim/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| stable/alpine-perl/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| stable/alpine-otel/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ | ||
| " \ | ||
| # install prerequisites for public key and pkg-oss checks | ||
| && apk add --no-cache --virtual .checksum-deps \ |
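Review bot: the comment directly above the apk add --no-cache --virtual .checksum-deps line still says this step installs prerequisites for the public key and pkg-oss checks, so with openssl dropped from the list those checks depend on an openssl binary that the Dockerfile no longer declares anywhere. If the checks that follow call openssl, state that dependency on the base image in the comment and fail early when the binary is missing (for example a command -v openssl guard before the checks), so a change in the base image surfaces as a clear build error at this step.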
Copilot
AI
Oct 6, 2025
apk add is invoked without any packages, which will fail (nothing to install) and break the build. Remove the empty apk add invocation (and its trailing backslash) if no checksum dependencies are required, or add the required packages back. Example fix: delete line 27 so the RUN chain proceeds directly to the case block.
| && apk add --no-cache --virtual .checksum-deps \ |
| nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ | ||
| " \ | ||
| # install prerequisites for public key and pkg-oss checks | ||
| && apk add --no-cache --virtual .checksum-deps \ |
Copilot
AI
Oct 6, 2025
apk add is called with no packages, resulting in an error. Remove this empty installation step (and the trailing backslash) or include the needed package(s) if still required.
| && apk add --no-cache --virtual .checksum-deps \ |
| && apk add --no-cache --virtual .checksum-deps \ | ||
| openssl \ | ||
| && case "$apkArch" in \ |
Copilot
AI
Oct 6, 2025
apk add is executed without any packages to install, which will fail. Drop the empty apk add line or restore the necessary package(s) if they are still needed for checksum verification.
| && apk add --no-cache --virtual .checksum-deps \ | ||
| openssl \ | ||
| && case "$apkArch" in \ |
Copilot
AI
Oct 6, 2025
This empty apk add invocation will error out (no packages provided). Remove the line or supply the intended packages; otherwise the RUN step will fail.
| nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ | ||
| nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ | ||
| " \ | ||
| # install prerequisites for public key and pkg-oss checks |
Copilot
AI
Oct 6, 2025
[nitpick] This comment suggests prerequisites are being installed, but after removing openssl no packages are installed in this section. Update the comment to reflect that prerequisites are satisfied by the base image or clarify why no packages are added.
| # install prerequisites for public key and pkg-oss checks | |
| # prerequisites for public key and pkg-oss checks are already satisfied by the base image |
I have hereby read the F5 CLA and agree to its terms

I don't really see how it changes anything with regards to an image, since this dependency is removed at the end of the same RUN? Also, it doesn't look like So what exactly does this PR achieve, other than introducing more diffs between the dockerfile templates?

Ok, I can see that installing openssl in this case might update the libraries that were present in

So not installing

Indeed, however — unless I’m mistaken — the command In our current context, where every bit saved and every reduction in image size or datacenter footprint contributes to lowering our environmental impact, I sincerely believe the optimization is worthwhile. That said, I fully understand there’s a balance to maintain in order to avoid introducing technical debt down the line.

Up guys!

We can try assessing environmental impact of this change. But we definitely have to include my fuming at all the build related issues as it has far more serious consequences. Seriously though: The difference only appears in this image if there is newer openssl version (compared to the base image). And goes away on rebuild of the base. The benefit of this change is minimal. At the same time, potential headache is quite massive. So I'm strongly against it.

Well thanks anyway.
Summary
This MR optimizes the container image by removing the redundant OpenSSL installation (libcrypto.so.3, libssl.so.3, and related modules) that was already included in the base image.
Before
sha256:5b7599178d9346a9b611a32c10d4b7544ef5f94eb5ace1b1c00aea9e22949da2
Redundant files:
After
sha256:40d4667163f19bad31f15341b9e84a591b0b121a2a0f6f551c8a22d785231505
Impact
✅ Reduced image size by 6 MB (~33%)
✅ Removed redundant OpenSSL binaries already included in the base image
✅ Improved build efficiency and reduced potential image duplication
✅ Maintained all functional dependencies intact
Testing
Thanks dive project.
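
The layer effect discussed in this thread, as an added example that is not part of the PR, the Dockerfiles or the dive project: it walks layer tarballs bottom-up and reports files that a later layer rewrites, which is the case the thread describes when the package repository carries a newer openssl than the base image. The file names, sizes and the `shadowed_bytes` helper are constructed for illustration, and whiteout entries are ignored.

```python
import io
import tarfile

def make_layer(files):
    """Build an in-memory layer tarball from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def layer_files(layer):
    """Return {path: size} for the regular files in one layer tarball."""
    with tarfile.open(fileobj=layer, mode="r") as tar:
        return {m.name: m.size for m in tar if m.isfile()}

def shadowed_bytes(layers):
    """Walk layers bottom-up and return {path: bytes hidden by later rewrites}.

    A rewritten file's older copy stays stored in its own layer but is
    invisible in the final filesystem, so its size is pure overhead.
    """
    seen, wasted = {}, {}
    for layer in layers:
        for path, size in layer_files(layer).items():
            if path in seen:
                wasted[path] = wasted.get(path, 0) + seen[path]
            seen[path] = size
    return wasted

# Constructed sample layers (sizes are arbitrary, not measured from the image).
BASE = {"usr/lib/libcrypto.so.3": b"A" * 4000,
        "usr/lib/libssl.so.3": b"B" * 800,
        "bin/busybox": b"C" * 900}
# RUN layer when the repository has a newer openssl than the base image.
RUN_UPGRADED = {"usr/lib/libcrypto.so.3": b"a" * 4100,
                "usr/lib/libssl.so.3": b"b" * 820,
                "usr/sbin/nginx": b"N" * 1500}
# RUN layer when the base image is already current: the libraries are untouched.
RUN_CURRENT = {"usr/sbin/nginx": b"N" * 1500}

def report(run_layer):
    return shadowed_bytes([make_layer(BASE), make_layer(run_layer)])

if __name__ == "__main__":
    print("newer openssl in repo:", report(RUN_UPGRADED))
    print("base already current: ", report(RUN_CURRENT))
```

To run the same check on a real image, pass the layer tarballs from an exported image to `shadowed_bytes` in bottom-to-top order.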