feat(docker): switch to musl targets and distroless/static-debian12#3524
Merged
feat(docker): switch to musl targets and distroless/static-debian12#3524
Conversation
github-actions
Bot
added
skills
Replace debian:bookworm-slim with gcr.io/distroless/static-debian12:nonroot in the release Docker image. Build Linux binaries for musl targets (x86_64-unknown-linux-musl, aarch64-unknown-linux-musl) to produce fully static binaries with no glibc dependency. Add libsqlite3-sys with the bundled feature to compile SQLite from source, removing the libsqlite3 system dependency required for static musl builds. Improve the error message when git is absent from PATH in SkillManager::install_from_url to provide a clear actionable message instead of a raw OS error string. BREAKING CHANGE: system git is no longer available inside the container; skill hot-reload via git is gracefully disabled when git binary is absent
bug-ops
force-pushed
the
agent-a2598acc5224f677d
branch
from
4e7c4b8 to
2fcfa15
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
*-linux-gnu(glibc) to*-linux-musl(static)debian:bookworm-slimfinal image withgcr.io/distroless/static-debian12:nonrootlibsqlite3-syswithbundledfeature so SQLite is compiled statically (no system lib dependency)gitis absent at runtime (skill install via URL gracefully reports the issue instead of OS error)Motivation
Trivy scan of the previous image found 1 CRITICAL + 8 HIGH CVEs, mostly from unnecessary packages (nodejs, curl, python3, etc.) and glibc.
distroless/static-debian12has zero CVEs and is ~6 MB vs ~665 MB.Breaking change
System
gitis no longer available inside the container.skill install <url>will return a clear error message when invoked in a containerized deployment. Branch detection in core already handled git absence gracefully via.ok().Open question
aarch64-unknown-linux-muslcross-compilation uses the defaultcrossimage. If CI fails on aarch64, aCross.tomlwithimage = "messense/rust-musl-cross:aarch64-musl"may be needed.